HackTheBox - Rebound

00:00 - Introduction
01:07 - Start of nmap then checking SMB Shares
04:05 - Using NetExec to do a RID Brute Force and increase the maximum to 10000
07:00 - Using vim g!/{string}/d to delete all lines that do not contain something to build wordlists
10:40 - Using ASREP Roasting to perform a Kerberoast attack without authentication
17:40 - Using NetExec to run Bloodhound as ldap_monitor
25:30 - Discovering Oorend can add themself to the ServiceMgmt group, which can take over the WinRM Account
28:30 - Spraying the password of the ldap_monitor account to discover it shares oorend's password
34:20 - Showing BloodyAD to add Oorend to ServiceMGMT then abusing the GenericAll to Service Users, so we can reset WinRM_SVC's password
40:30 - Showing a more opsec friendly way to take over WINRM_SVC by abusing shadow credentials so we don't change the accounts password
50:00 - As WINRM_SVC we cannot run some commands like qwinsta or tasklist. Using RunasCS, to switch our login to a non-remote login which will let us run these commands
54:10 - Performing a Cross Session attack with Remote Potato to steal the NTLMv2 Hash of another user logged into the same box we are
59:20 - Using NetExec to read GMSA Passwords as TBRADY
1:04:00 - Using findDelagation.py to show constrained delegation from the GMSA delegator account
1:11:20 - Using RBCD.py to setup the Resource-Based Constrained Delegation so we can get a forwardable ticket to abuse delegators delegation and impersonate users
1:18:20 - Using our ticket that impersonates DC01 and performing secretsdump and then getting Adminsitrator's hash so we can login

Support the originator by clicking the read the rest link below.