HackTheBox - Mist

Video description for HackTheBox - Mist

00:00 - Introduction
01:10 - Start of nmap, which reveals the Pluck version
05:50 - Looking into CVE-2024-9405, a file disclosure vulnerability
08:00 - Discovering a backup password, cracking it, then uploading a malicious plugin
13:00 - RCE obtained; Defender is blocking the reverse shell, so we obfuscate the command to bypass it
17:30 - Creating a malicious LNK file; when someone clicks on it we get a shell as Brandon.Keywarp
31:00 - Setting up BloodHound Community Edition and fixing a bug that wasn't showing us any images
34:40 - Using BloodHound to show we can enroll in various certificate templates
37:00 - Discovering Defender exclusions as a low-privilege user by reading the event log for event ID 5007
43:10 - Using Certify to request a certificate and then Rubeus to perform the pass-the-ticket attack to get our user's NTLM hash
56:45 - Explaining the NTLM relay attack we are about to do
1:02:30 - Installing a version of Impacket that supports shadow_creds within LDAP, then setting up ntlmrelayx to forward connections to the DC's LDAP
1:07:10 - Using PetitPotam with Brandon's hash to get MS01$ to authenticate to us, and showing why we need to start the WebClient service
1:15:00 - Setting shadow_creds for MS01$, then using S4U to impersonate the Administrator user so we can access the filesystem; dumping local hashes with secretsdump
1:27:50 - Discovering a KeePass database in Sharon's directory and cracking it
1:36:18 - Going back to BloodHound and seeing that OP_SHARON.MULLARD can read gMSA passwords; using nxc to dump SVC_CA$
1:38:56 - Looking at what SVC_CA$ can do, identifying a chain that abuses ESC13 twice to jump through groups to reach the Backup Service
1:44:39 - Using PyWhisker to set shadow credentials on svc_cabackup, then using PKINITtools to get the NT hash of SVC_CABACKUP
1:54:40 - Using Certipy to create a certificate within ManagerAuthentication to place ourselves in the Certificate Managers group
1:57:00 - Using Certipy to create a certificate within BackupSvcAuthentication to place ourselves in the ServiceAccounts group
1:59:55 - Using Impacket to dump the registry of the domain controller to grab the DC01$ password
2:07:50 - Having trouble with Impacket writing to our SMB server; writing it to SYSVOL instead, then copying it to the webserver
2:14:50 - Grabbing the DC01$ password with secretsdump from the SAM dump and then using it to run DCSync to get the MIST.HTB\Administrator account
