HackTheBox - Freelancer

IppSec October 5, 2024

@ippsec

About

Video Search: https://ippsec.rocks

Video Description

00:00 - Introduction
01:10 - Start of nmap
04:45 - Discovering the website is Django; Wappalyzer tells us, but also talking about how we could manually identify with the help
08:00 - Creating an account, discovering we need to activate it, using Forgot Password to activate it
09:50 - There is a QR code that lets users log in by scanning it; looking at the URL, it appears there could be an IDOR
11:28 - Discovering ID 2 is an admin, crafting a QR code with the admin ID in it and gaining access to the Django Admin
14:30 - Enumerating the MSSQL database, discovering we can impersonate SA and then enable XP_CMDSHELL
24:30 - Trying to get a reverse shell, AV is blocking it, doing some light obfuscation to bypass it
31:40 - Shell returned as the webapp user, can't get WinPEAS running due to AV
40:40 - Discovering a password left behind by the SQL Express install, password spray to get access to mikasaAckerman
45:10 - Showing the NxcDb, which logs all the successful logins with nxc
50:00 - Discovering a memory dump, downloading it to our box, then using MemProcFS
55:20 - Installing PyPyKatz, which will have it automatically use pypykatz (mimikatz) to dump LSA
1:02:40 - More password sprays to get access to Lorra199, then using WinRM and discovering we can enumerate the Active Directory Recycle Bin
1:05:30 - Restoring Liza Kazanof from the recycle bin, then resetting the password due to it being expired
1:11:15 - Liza has the SeBackup privilege, using DiskShadow and Robocopy to download ntds.dit to dump the domain
1:23:20 - The issue we had with DiskShadow is because of how the script file was encoded, major pita
1:29:30 - Running SecretsDump to get the administrator hash and log in to the box
1:30:45 - BEYOND ROOT: Abusing GenericWrite to the Domain as Lorra199 to get a shell
1:32:40 - Going back to MemProcFS and showing we could have just run secretsdump on the registry hives to get Lorra199's password. Administrator hash is invalid due to the password being changed since the dump was created
1:35:10 - First time setting up the BloodHound Community Edition (new version that is supported)
1:41:00 - Fighting with BloodHound.py since the main branch is installed
1:47:00 - Throwing in the towel fighting with my Python environment, building a Docker container to run bloodhound.py for us to ensure we are running the latest version
1:51:48 - Importing the latest BloodHound data and getting the attack path that shows GenericWrite
1:54:20 - Adding a computer, giving it delegation, then dumping the AD database with secretsdump
