HackTheBox - Certified

00:00 - Introduction
01:08 - Start of nmap, discovering only Active Directory (AD) related ports
04:15 - Running Certipy both with and without the vulnerable flag
07:00 - Outputting Certipy to JSON and then writing a JQ Query that will show us non-default users that can enroll certificates
09:00 - Explaining the JQ Query that will take the list, filter out specific words, then show us the entries that still have an item remaining
13:30 - Running Bloodhound.py to get some bloodhound data
16:00 - Looking at what Judith can do in BloodHound, showing discovery by clicking outbound permissions
17:30 - Certipy gave us a high-value target; we can also use BloodHound to show us a path to the high-value target, which involves WriteOwner, GenericWrite, and GenericAll
19:00 - Abusing WriteOwner with owneredit, allowing us to add members with dacledit, then taking ownership and adding ourselves to the group
23:30 - Using Certipy to abuse GenericAll/GenericWrite to create a shadow credential and grab the NTLM Hash
30:08 - Going over ESC9
31:20 - Using Certipy to exploit ESC9, updating UPN, requesting cert, updating UPN, and then using the certificate
34:25 - Grabbing the NTLM Hash of administrator with certipy, then logging in with WinRM
35:45 - Showing the certificate we generated
40:40 - Running SharpHound with a low privilege user to show it grabs more than the Python Bloodhound Module
43:35 - Building a Cypher Query to match all users that have CanPSRemote to computers
46:45 - Building a Cypher Query to show the shortest path from owned to the certificate template we want
51:00 - Changing our Cypher Query to show a specific user to the template
