HackTheBox - Infiltrator

00:00 - Introduction 01:00 - Start of nmap 04:10 - Using grep against a HTML Page to extract usernames, then username anarchy to build a userlist and kerbrute to find valid users 07:50 - Kerbrute automatically will ASREP Roast but outputs in the stronger hash that hashcat doesn't crack. Using downgrade to get the weaker hash 11:10 - Using NXC with our creds to dump a list of users and see a password in the description 13:34 - Using Rusthound stead of the python version of Bloodhound because it gets certificate information too 17:30 - Showing a couple paths in Bloodhound 22:00 - Explaining and performing the attack (dacledit, shadow credential, force password change, bloodyad) 32:50 - Discovering Output Messenger running, using chisel to forward ports 38:15 - Having trouble with the Linux client of Output Messenger, cannot download a file 44:30 - Switching to Windows, using a regular portforward on chisel so our windows box can hit infiltrator 52:30 - Using ilSpy n the dotnet binary and decrypting a static string which is another password 01:00:00 - Discovering the API Key in the notes, and exploring the API to dump chatroom messages 01:12:30 - Setting an event on Olivia's Output Messenger Calendar to send a shell 01:22:48 - Discovering a PCAP in Olivias downloaded files, using wireshark to extract objects which has a picture of a bitlocker key 01:32:40 - Accessing the box over RDP, decrypting the bitlocker drive, and then downloading the backup which is NTDS.DIT 01:40:40 - Using NTDISSECTOR to parse the NTDS.DIT which extracts a lot more data than secretsdump, discovering another password in a description 01:45:45 - Doing AD ESC4 and then AD ESC 1 to get root