HackTheBox - Blazorized

00:00 - Introduction
01:30 - Start of nmap
03:30 - Examining the website looking for interesting functionality
07:50 - The check updates page loads a unique DLL and puts a JWT in the request
12:30 - Opening Blazorized.Helpers.Dll with ilSpy to discover a hardcoded JWT
15:27 - Using Burp to add the header to all of our requests and installing the Blazor Traffic Processor Plugin
19:00 - Examining the traffic, discovering the server instructs our client to get a JWT from localstorage
22:00 - Discovering MSSQL Injection in the Super Admin Panel, getting RCE
29:30 - Reverse shell returned
31:56 - Running SharpHound, then standing up a WebDAV server on nginx so we can use files back to our host over HTTP PUT Requests
39:00 - Starting Bloodhound discovering we can SetSPN on another user
45:20 - Setting the SPN on a user via Powerview, which lets us kerberoast to get a hash and cracking it
50:20 - Using PowerView Find-InterestingDomainAcl to show unique things our user can do and discovering we can set loginscripts
58:50 - Using AccessChk to find a writable directory in the SYSVOL Directory
01:03:50 - Using Powerview to set the Login Script to our file and getting a shell
01:10:00 - Using mimikatz to dcsync and get the administrator password

Support the originator by clicking the read the rest link below.