HackTheBox - Sekhmet

00:00 - Intro
01:11 - Start of nmap
04:00 - Running ffuf to discover the portal virtual host
06:40 - Logging in with admin:admin and discovering a new cookie
09:15 - Looking at the Node-Serialize exploit
10:20 - Attempting to do the exploit and discovering ModSecurity blocks us, then putting some unicode in the payload to evade it
16:20 - Whoops, forgot to end the payload with (), so that's why we didn't get our shell
17:11 - EDIT Looking at how ModSecurity is configured
19:33 - Showing the NGINX error log with ModSecurity blocking, taking the unique ID and going to the ModSecurity log to get more information
25:00 - Looking at the JSDECODE transform for ModSecurity to fix the rule
30:30 - Switching ModSecurity to Detection Only mode or Permissive so we don't block but get logs
31:42 - END OF EDIT, putting an SSH Key on the box
34:15 - Attempting to unzip the backup.zip, discovering it has a password but is using ZipCrypto, doing a plaintext crack with bkcrack to extract it
40:00 - Dumping the sssd.ldb database used to join the Linux server to the domain, getting a credential
44:20 - Using kinit to get a Kerberos ticket, then ksu to switch to root
47:00 - Having trouble with tunneling, looking at iptables to see it blocks non-root users from accessing 192.168.0.0
52:30 - Looking at the shares to discover a powershell program to reset mobile phone numbers
1:02:30 - Modifying a phone number via ldap and seeing a script will execute what we put in the field
1:11:40 - Attempting to steal a NTLMv2 Hash, having trouble because NTLM is disabled
1:14:15 - Forwarding port 445 from the webserver to us, so we can use its DNS Name, but need to enable GatewayPorts in SSHD's config to listen on a non-loopback port
1:20:05 - Building a list of users with ldapsearch, then password spraying the password we cracked to get access to bob.wood
1:27:00 - Downloading DPAPI keys and Chrome/Edge files, then using pypykatz to decrypt saved passwords
1:36:11 - Got all the files on our box, using pypykatz to decrypt saved passwords
1:45:00 - Showing the intended way of bypassing AppLocker, which would allow us to run programs to automatically decrypt everything
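Added illustration for the chapters at 09:15, 16:20 and 25:00 (example code written for this page, not from the video and not the node-serialize project's own code). It re-implements the core of the known-vulnerable node-serialize pattern in a few lines (any string value starting with `_$$ND_FUNC$$_` is passed to `eval()`), then shows why a function body without a trailing `()` is only defined and never run, why a keyword rule over the raw value misses a payload written with JavaScript unicode escapes, and why decoding those escapes first (what ModSecurity's `t:jsDecode` transformation does) makes the rule fire again. The flag name, the keyword rule, the `rce` field name and the three payloads are assumptions constructed for the demo; the payloads are benign and only inspect `globalThis.process`, so the block assumes it runs under Node.

```javascript
// Simplified re-implementation of the node-serialize unserialize() idea
// (assumption: close enough to the real package for this demo; not its code).
// Every string value prefixed with FUNCFLAG is eval()'d as JavaScript source.
const FUNCFLAG = '_$$ND_FUNC$$_';

function unserialize(obj) {
  if (typeof obj === 'string') obj = JSON.parse(obj);
  for (const key of Object.keys(obj)) {
    const v = obj[key];
    if (v && typeof v === 'object') {
      obj[key] = unserialize(v);
    } else if (typeof v === 'string' && v.startsWith(FUNCFLAG)) {
      // Wrapping in parentheses makes "function(){...}()" an IIFE expression.
      obj[key] = eval('(' + v.slice(FUNCFLAG.length) + ')');
    }
  }
  return obj;
}

// Constructed cookie-style objects (a real payload would call
// require('child_process'); these just look at globalThis.process).
const payloadNoCall = {                      // the 16:20 mistake: no trailing ()
  rce: FUNCFLAG + 'function(){ return typeof globalThis["process"] }',
};
const payloadIife = {                        // same body as an IIFE: runs at unserialize
  rce: FUNCFLAG + 'function(){ return typeof globalThis["process"] }()',
};
const payloadEvasive = {                     // "process" spelled with a JS escape;
  rce: FUNCFLAG +                            // the engine turns \u0070 into "p" at eval time
    'function(){ return typeof globalThis["\\u0070rocess"] }()',
};

// Round-trip through JSON like a cookie would, then deserialize.
function runPayload(p) {
  return unserialize(JSON.stringify(p)).rce;
}

// Naive WAF rule: block when the keyword appears in the inspected value.
const KEYWORD = /process/i;

// Approximation of ModSecurity's t:jsDecode: turns JavaScript escape sequences
// (\uXXXX, \xXX, \n, \" ...) back into characters before the operator runs.
// Octal escapes are left out for brevity.
function jsDecode(s) {
  const simple = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v' };
  return s.replace(/\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})|\\([\s\S])/g,
    (_, u, x, c) => {
      if (u !== undefined) return String.fromCharCode(parseInt(u, 16));
      if (x !== undefined) return String.fromCharCode(parseInt(x, 16));
      return simple[c] ?? c;
    });
}

// Returns true when the rule would block the given field value.
// decode=false is the original rule; decode=true is the rule with t:jsDecode.
function wafBlocks(value, { decode = false } = {}) {
  const inspected = decode ? jsDecode(value) : value;
  return KEYWORD.test(inspected);
}

console.log(typeof runPayload(payloadNoCall));                 // "function": defined, never called
console.log(runPayload(payloadIife));                          // "object": the IIFE ran
console.log(wafBlocks(payloadIife.rce));                       // true: raw keyword caught
console.log(wafBlocks(payloadEvasive.rce));                    // false: escape evades raw match
console.log(wafBlocks(payloadEvasive.rce, { decode: true }));  // true: decode first, then match
console.log(runPayload(payloadEvasive));                       // "object": engine still ran it
```

The ModSecurity counterpart of `decode: true` is adding `t:jsDecode` to the rule's transformation list so the operator sees the same text the JavaScript engine will; while tuning that, `SecRuleEngine DetectionOnly` keeps the audit log entries without blocking, which is the switch the 30:30 chapter refers to.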