What's up, guys? Hello, and welcome back
to Byte-Sized Security. My name is Jimmy, and today I'm gonna continue where I left
off and do another hacking video. Namely, we're gonna continue on our journey towards this
HackTheBox list. Namely, today we're going to do Escape. So, last week we did Pandora. And we
skipped Cereal. We're gonna get back to that one, but today we're doing Escape. And this is supposed
to be a medium box, another Active Directory box. I know you like those...I certainly do. And
I think we're gonna have some fun. So, let's get straight into it. Before I begin, the broken
record again, I wanna say thank you again because we have reached the first milestone...which is
five hundred subscribers. Thank you, guys. Thank you very much for the support. Very proud, very
happy...Let's just keep going. Let's keep the momentum going. I know I'm onto something here.
The videos are nice. I'm having a lot of fun. You guys are...as you keep telling me, finding
value in my videos. And so that, of course, gives me...the motivation to keep going. And then,
as well, teaching is the best way of learning. So I'm also learning a lot by doing it. So, yeah,
thank you, guys. And if you continue enjoying this, make sure to continue liking, subscribing,
sharing even, the videos that you see. And yeah, please come along on the journey...we're having
fun...Anyway, let's get straight into Escape. So, as usual, I've got the VPN running. As you can
see here. And I wanna show you something cool today. So, I've been working on another alias. As
you know, I like to automate these things a bit, like the things that I do in the beginning
quite repetitively. And this is pretty cool. So, in the beginning, I would always create all the
folders and create the notes and everything. Well, now I only do the following. Sorry, I will only
do "prep notes," and today we're doing Escape. So I'm gonna write Escape...and boom. Now you
have the folders here. All is created...here. All is created. And then in here as well, I will
have Escape created...with all the folders inside of enum as well. There's external and internal.
And this way, we can just start enumerating right away. So what I'm gonna do, as usual, is record on
the IP. And then I'm gonna do a scan on the IP as well. And this will take ages. So what I'm gonna
do is I'm gonna pause the video here and come right back when we're done...So now what I've done
is I've already run the ports...And we are ready to go. The IP, I will just paste here because I
haven't yet. Like this, and then we can continue. So, we have created a scan. Let me just move
that into place...Escape...enum, external, like so...Okay. Nothing bad. Okay. And then let's go
into...Escape in external...and clean...initial. Call it RustScan, as usual, you know the drill.
I'll see if I can automate this part as well, in a short like that. And then I will open the
folder...like this...this I can close...Yes...Open this. Enum, external. Paste that into here.
Alright. Now let's go into...what is this...Okay. It was basically because the command that was
creating...the Escape note was running a sudo, and Obsidian didn't like that. But now it's
created, so that's fine. So what do we do? We opened the notes and copied this into RustScan,
and so now what we can do is go into the scans and start doing the tedious part. Let's...first
take a quick TCP scan...Paste it here...Okay. That's a lot of output...We'll look at that in
a minute. Okay. Let's now do what we always do. Create a couple of notes...The reason why I try
to be so efficient with things and automate as much as possible is also I wanna create videos
that aren't an hour and ninety minutes and an hour and fifty minutes long when they could be
just one hour long. You know, I'm trying to cut what I can cut without cutting away too much
of the useful content for you guys. But anyway, let's continue...Let's see, 135...Sorry.
That's MSRPC...And then the next one. That is SMB...So NetBIOS...And...NetBIOS-SSN...And
that's MS-SQL. Alright. We've got a database...Probably you're gonna have to do some fun
stuff. There are a few cool ways of getting domain access through MS-SQL. Let's hope we get
to exploit one of these...Hold on...We've got a hold on...Wait a minute. Okay. And here you
can see we have the domain: sequel.htb. So let's write that down. Let's open the hosts file.
Again, this is an alias. And you can see I have something there. Just ignore that because
this has to do with the HackTheBox Academy. I've been working a lot on that. And so I still have
the hosts file...edited for it, but that is not important now...Do we have anything else...We've
got a domain controller. Is this...the correct name? Yeah. Let's just continue...Then we've
got another LDAP...And...what is that? SSL scan? Okay. Haven't seen that. So we are dealing
with certificates. Interesting...That is indeed very interesting. I'll show you why...in a
second...Like so. Then another one. I could group these together...but...I might do that in
the next one. And for this one, I'll just leave it like this...Like that. And then 445.
That is Samba...And here, because it's Microsoft, you won't have a lot of information...A lot of
new ports just added...Wow. Okay...Kerberos...464. Okay. Password...like this...RPC.
Still loading...Okay. So these are the MSRPC ones...Let's do DNS...And then rpcdump, not
for now. WinRM. Interesting. We said in the last one...or did I? Basically, what I'll do from
now on...is I will write down...here like this that I have WinRM because that is important
information later if we want to remote into the machine. It's just nice to see right away. Oh
yes. We had WinRM. And I'm gonna do the same with, for example, RDP...should I have RDP or any
other type of way, with WMI, for example, means of remoting into the machine...MSRPC.
Let's see if the other MSRPCs are finished. Yes. They are...let's just add...like this...Grouping
them together...No...This one I've already got. Okay. So that's it. So what do we have? We've
got...like that. And then what else do we have? Kerberos...Kerberos and then...here we
have nothing left...Do we have the full TCP...Yes. We do...Let's put dots...Here.
But then we also have...This I'll add later, the UDP scan...which is also important, so let's
not skip that in our methodology...Like so. Okay. And now let's collapse everything...and go through
it all...Let's start with DNS...and then we'll go through the LDAP scan and only after will we go
to SMB because, if you guys have noticed...in the other machines, SMB was usually
our way in. I don't want it to go too quickly. I really want to because whenever I go into SMB
and I find the path in, I stick to it. But I also wanna enumerate...LDAP this time and DNS as well,
just to show you how. So let's start with DNS. So for DNS, there's a few things I do. DNS is the
protocol that kind of serves as the...phone book of the internet. Right? It translates...an IP
address into a human-readable...URL. So like, blah blah blah, blah dot com. That's what
the DNS does. And so you can query...the DNS protocol...and...so, for example, I'll just
show you. So I wrote...the domain...into our hosts file. So what we can do is
do dig...sequel.htb. And then we can either use dig or we can use nslookup,
but I will use dig, and then we can do ANY to show all of the different...records of the DNS
protocol. There's a word I'm looking for, but I can't really...think of it right now. If I look
it up, I'll hate myself for forgetting about it, but that's okay...There you go. And there you have
all the records. So A gives you an IP address...NS gives you the name server. So here we've got the
domain controller. Let me put that into my hosts file as well...And then we've got hostmaster.
Let's...also put that...it's still open...like this...And then AAAA...gives you an
IPv6 address...And then other than that, there's not really anything left.
If there was, for example, MX, you would know that there's a mail server...like
this, but there isn't any, or you can also do AXFR...I believe it is. That's for zone transfer.
Let's also...keep that. So here inside of DNS, let's go dig...And then...take a screenshot of
that...Like that...here like so...Exactly...And so let's see what AutoRecon would
have run for...DNS. So it would have checked the zone transfer, like I just did now. So AXFR,
that's a zone transfer. And then it did reverse lookup...and just a normal Nmap scan. But I would
have hoped for it to also do an ANY scan. Oh, this is the wrong screenshot...Let me do that
again...So let me do...take ANY and...take...like this...The screenshot app is very bad, but I'll
have to deal with it. I'll install another one later. Okay. So that's it for DNS. Nothing really
there except the domain controller...address. Let's go check out what...this as LDAP was with
the certificates...So what do we have here...We've got the domain name...Yes. Okay. So we're dealing
with TLS. Quick refresher...you've got the HTTP protocol. So the Hypertext
Transfer Protocol, and then you've got...SSL. And basically...SSL was the security. There's the
more secure way of communicating on the internet, and then you had TLS, which was, I don't remember
the acronyms...SSL, TLS...secure sockets layer, and transport layer security. I should have known
this. But essentially, TCP...functions in a very simple way. It's basically a three-way handshake.
You've got, say, the client sending a request, the server saying synchronize, and then the
server responds with synchronize acknowledge, SYN-ACK. And then sends that back to the client,
and the client then goes ACK, acknowledge, and that's a three-way handshake, and when that's
done, you have a connection. When you are talking about SSL or TLS, which later...took over
instead of SSL. After the three-way handshake, you have another set of handshakes where the
client goes Client Hello. And then...the server goes...Server Hello...And then wait.
TLS...handshake, let me make sure I say it correctly. And then there is the version. The
version is communicated. And then after that, you've got the exchange of the key. So
you've got Client Hello, Server Hello, the certificate is created and exchanged. And then
they exchange a cipher, and then both acknowledge the connection, and that is how the connection is
then done in an encrypted manner. The reason why I'm explaining this is because all of this works
through certificates. Certificates...essentially are...digital...documents, basically. It's
a...it's what allows for systems to...do authentication...encryption, message signing,
stuff like that. Cryptographic...communications, basically. And the reason why I'm explaining
this is because we're dealing with a certificate...here in LDAP. We don't
have a port 80, but we have TLS, so essentially that's HTTPS. So let's try...and
go...to this address...Actually, I don't like doing that in Brave Browser...I'd rather go into
Firefox...Like so. Let's turn off Burp...Oh, I know why. The port is missing...3269...Let's
create, let's delete my entire cache...Let's clear everything...like that, and
open it again...HTTPS...3269. Was that correct...Yes. Okay. There you go. So...I
could now go on to the website, click advanced, but what I'm gonna do is I'm gonna, look at the
certificate. Let's go back before I forget too many things and take some notes. So inside of DNS,
we took some notes, inside of LDAP. Let's...check out the certificate...And by the way, auto recon
did all of this, but I just want to look at the certificate here. And here again, it gives me the
DNS name for the domain controller. We've got a common name. So this is the certificate authority.
This is the...the most important...authority that creates and handles all of the certificates
within a domain. And, if we're dealing with certificates, maybe we'll have to deal with
the certificate authority later. We're definitely gonna write this down...Let's go like this and
copy this certificates...If you wanna learn more about certificates, I would recommend on the
academy, there is an entire module that deals with active directory certificate services,
and it's difficult. It's hard, but the more advanced you get, eventually you're
gonna have to do the advanced stuff. And it's very interesting. And the research in it
is quite interesting as well. I'll link some presentations...down below, that you can look up.
There's an amazing talk...on YouTube...by SpecterOps, which is a security company. I
forget the names of the two researchers that did an entire presentation about certifications,
or rather certificates...but it's amazing. So all of that will be in the description. But anyway, here you
can take a look at the certificates...And what do we have here...Nothing too interesting right
away. Anyway, let's move on...I'll just take a screenshot of this...And then see what auto
recon did...three. There you go. SSL scan. I'll also...Oh, let's do that here...Scan like this.
And here again...we have both certificates. So auto recon is actually quite good at this...I'll
remember that. Anyway, what else did we say we're gonna look into...we've got WinRM. We already
did. Okay. Let's go look at SMB...NetBIOS, SMB. Okay. So here, as usual, we'll do
enum4linux-ng...We'll do...rpcclient. Yeah. Sure. Okay. Let's do that. Okay. So we'll
start with...enumerating...shares...So we'll do smbclient...-N for null session, -L,
four backslashes, take the IP...and paste it there like this...And we can enumerate the
shares...Here...SMB commands...Like that. Before I continue with that, I'm going to
clean results...scans...139. Oh, actually...HTB perm. To give myself permissions.
The alias for that is the following...That will give me permissions within the directory so I can
manipulate stuff. And then I'm going to clean the enum4linux output...And I'm
going to call it enum4linux-clean...Oh...like so, and then I'm going to delete...the old one
like this...And then this I can close...There you go. And then I'll take this...and paste
it here. And it doesn't look like we have much. We have a bit of OS information...The
domain name again...Nothing really. Okay. rpcclient. Let's see if we can...remote into
that...-U...Let's go anon, and then our...IP like this. No password, access denied...I have
not seen...this...error...let's try that without the anon...Oh, okay. It was the anon's fault...any
dummy users...see if we can...Okay. rpcclient is not really the best tool. I mean, it is nice.
But for our use case now, given that we can do anonymous logon, I prefer...to use
NetExec...But first, let's continue with smbclient. So smbclient...-N...And
then we won't list anymore. We'll put the IP...And then first, we'll go into the
ADMIN$ share. We can forget it. See, we can forget it. Let's do...Okay. Let's just
be thorough...Access denied...Access denied...IPC$...Okay. Denied...NETLOGON...Okay.
Also nothing...Public...Okay. We've got a document here. Let's immediately...get
that...Yes. Okay. We've downloaded that, and then let's go on to SYSVOL...and nothing.
Perfect. This is why I want it to be thorough so it can have this nice screenshot...of
everything...And let's put that there...Of course. Let's struggle with this screenshot one
more time...And...that's...to...we're just gonna have to split the screenshots up because this is
starting to be a bit annoying. I don't think it just doesn't like me making two big screenshots,
but there is software that doesn't matter about size. I'm gonna download that right after
this video for sure because this has been a bit annoying. But anyway, this is the nice
screenshot I wanted anyway. And then let's write some text...and say...we have found...an
interesting...file within...the Public...share in SMB...What else can we do? Let's do a NetExec
just to...finish up SMB...the IP...and here is where you should put anon. Because
sometimes...if you do a null session, and you have no username. I can show you. Maybe...I
can show you like this. So here, I've had this a few times now. It won't work. It
won't allow me to do a null session. But if I just put anon...then it will...Yeah. Holy shit,
that worked. It doesn't always, it isn't always like that. But I've noticed a few times now,
especially in the medium boxes because I don't show all the boxes that I do. I also practice
on my own. That this happens. And so I just got used to when I do no session, I will just do it
like this. I don't like this screenshot...Like this...Call me OCD...perfectionist. I don't care.
Sometimes I like my things to be clean. And that screenshot wasn't...let's put this here. What
else can we do? The password, maybe...No. Okay. Let's open this file. Let's move it...Because
I believe that is loot...Oh my god...Loot. And let's go into...loot. And then let's open this
document...Okay. Since last year, we've got quite a few accidents with SQL service, looking at
you, Ryan. Okay...Um, that's rude. Let's go into general information...No loot, credentials...Oh,
it's missing something...It's missing hashes...And there, I will have to say uncracked...and
cracked because we're in a Windows environment, it will most probably have hashes. But anyway,
the reason why I wanted to go here is because we've got...credentials, so we've got Ryan. Let's
continue reading...So Tom...Tom decided it was a good idea to write the basic procedure on how
to access and test the changes on the database, of course, none of this will be done on the live
server...of course not. We cloned the DC mockup to a dedicated server. Tom will remove the instance
from the DC as soon as he comes back from his vacation. So he's on vacation. The second reason
behind this document is to work like a guide when no senior can be available for all juniors. I'm a
junior...We've got another user here. Let's just write him down. And it's hyperlinked...So what's
this? Oh, it's an email address...Brandon Brown. Interesting...accessing from a domain-joined machine,
we're not domain-joined...accessing from a non-domain-joined machine...here, but this is Windows...Bonus.
For new hires and those that are still waiting for their users to be created and perms assigned, you can
sneak a peek at the database with user PublicUser and password GuestUserCantWrite1. Well,
isn't that perfect? Let's...take this...This one we can delete...Oh, actually...quickly, just
to finish, the UDP scans are probably done. Okay...Three new notes. Let's just quickly get
this over with and do the UDPs...And...like this, and then...Network Time Protocol...It's not...it's
not time...let's go rdate...How does this work again...I've got this in my notes...rdate...-n...sudo
rdate -n. Does this work? So...given that we have, okay, I will explain...We
have an Active Directory...and...we have Kerberos. And whenever you have Kerberos...you need to
pay attention to the time. Yes. Look at this. The time between my box, the difference
between my box and the time here is very different. And so what we want to do is just
update this and match them because Kerberos needs this. Good thing I noticed that...Okay.
That should be done...Okay. Let's see. Anyway, let's go back to the scans. So we've got the
Network Time Protocol...NTP...Then we've got...DNS again on UDP...53. Damn, I forgot...and
NTP, I didn't name correctly...Like this. And then we've got Kerberos...88...kerberos-sec
like this. And then we can continue where we left off. So we found some credentials...So
let's go into loot...here...And let's...take these two...But these are MS-SQL...Yes. They're
MS-SQL creds. So let's just write it like this, and then also...copy...here...Let's
take a screenshot...Enumeration...inside of the...Public...share within...SMB...We
found...this interesting...SQL Server...Procedures...which serves as a...guide...for
how to connect...We also...found some...credentials...So...let's connect. Okay.
So how do we connect to this MS-SQL...server? We're gonna use Impacket. impacket-mssqlclient...-h.
And so here we're gonna...specify our target...Then we're gonna specify if
I...Okay. So at...And then...okay. So it's sequel.htb. Username...is...PublicUser...And
then...like this...Yes. Okay. That worked. Okay...So like this. And we are able
to connect...We are able...to connect to the MS SQL database...Okay. Now when it comes to
MS SQL...I don't really like the syntax...and I'm not very good at it. So I will look at my
notes. Common services...SQL databases...cheat sheet. There you go. So what do we do first?
First, we look at the version...version like so. Take a screenshot...of...that...And then
we say let's enumerate...screenshot...Then what else? The users...We can say SELECT...Who are
we? So SELECT USER_NAME()...We are guest...Okay. What else can we do? We can list...all of the
databases...So we do SELECT...name FROM...master.dbo.sysdatabases...master, tempdb, model, and
msdb...These are standard databases...I believe MS SQL standard...databases...master...msdb,
model...tempdb is also one, even if it doesn't show here...Yes. tempdb is also one. So
there's not really much we can do here...yes, we can do...let me check...Okay. So we can try
and execute commands...Let's first take a screenshot of this...No interesting...database.
So what we can do is do...xp_cmdshell...whoami...Is that not correct? Oh no. No, no. It's
EXEC...sp_configure...'xp_cmdshell'...1...Oh, okay. xp_cmdshell doesn't exist. Okay. So we
cannot execute a shell...Can we read files...That is also something you can do inside of MS
SQL...yeah, here. So...SELECT...*...FROM OPENROWSET...BULK...N...That doesn't
look correct...Let me just...okay. But guys, please don't lynch me for just copying...from
my notes, but...sue me. You don't have the permissions to do bulk load statements, okay. This
is good enough...let's try...something cool...That's it. I believe I know what's gonna be the way in.
It's gonna be quite cool. Watch this. So...the way MS-SQL communicates with SMB is pretty nice...So
there are two...two things we can try. So let me first...launch an SMB server. Again, this is
not the command. The alias is...this. So sudo impacket-smbserver and then -smb2support,
why? Because...yeah, SMB2 is supported. Then share is the name of the share that will be
created inside of...the current working directory. The reason why it's showing
this directory is because we are currently in that. But inside of the config, it says
$PWD, which then adapts to wherever I am. So if I go back and then do SMB server, the...Oh...Okay.
I'll look into that later. But what I will do then...is I'll just do this one...responder
-I tun0 is also nice. Okay. We'll do it with Responder. So inside of MS-SQL, we do
EXEC master..xp_subdirs...and then backslash backslash and then our own...IP.
So basically, we're gonna ask the...database to connect back to our host over SMB. And then
we should get a connection back if it works, of course...Permission was denied...So xp_subdirs
is not allowed. Okay. Let's now try the other one, which is called xp_dirtree. Let's try...and
boom...Amazing...Let's...take a screenshot of this. I like this. This is very nice. So
this is one of the cooler ways of getting domain...credentials...We try to connect...back
to our own host...over SMB from...the MS-SQL DB...Start a listener...with Responder...sudo
responder...-I for interface, tun0, which is our current interface. And then we get a
hash...And now what can we do with this hash? This is an NTLMv2 hash. So let's copy this...Go into
loot...uncracked. And then...here we can close this. We can close this. We can disconnect from
here, and then we're going to loot. We're already there. We touch, and we...say mssql...hash...We
open it. Let's collapse all of this...And then we can delete all of that. And we've got another
user...which is a service account. Okay. Very nice...There you go. And so now we can crack it.
So let's do hashcat...--help...And then we go up a bit, and we look for NetNTLMv2...And
let's do 5600...So, -m 5600...mssql hash with
the wordlist...rockyou...And then we'll do -o for output file, and we'll do mssql hash.
Correct...Let's see if we can crack this...and we can...We should now have a cracked file here,
and we have...a password...Amazing...Oh...like this...and like this. Perfect...Let's
delete that. Perfect. Okay. So now we've got credentials...let's go into MS SQL...And we
cracked it...and got...new credentials...like this...let's go back into loot. I know it's a
lot of back and forth, but...I just really love being thorough with all of this because later if
I'm studying, I can just go back into the box and know exactly what I did. And yeah, it's just
worth it. It's a lot of work...but it is worth it. Okay. So let's do NetExec...SMB...with
our IP...with the user...like this, -p...and then our password...Like this. And then
let's see...Those are valid credentials...And what do we have to remote...We have WinRM, so
let's see if we can remote into this machine. We can. We've got the Pwn3d. So very nice.
We have officially...got...internal access into the domain...so...Let's do internal
and...then...found...are valid...and we can connect...into the network...via...WinRM,
which is the Windows Remote Management protocol...like so. Okay. So let's do that.
We can do evil-winrm -i...take the IP, and then -u and the password...And when...Okay.
So now...We are a service account. So let's see if this is what we want...Let's go into
Desktop...We don't have a user.txt. Okay...So...this is a...service account...Have
a...user.txt...file. Okay...So...we don't have a user.txt file. So what we could now
do is upload WinPEAS...We could, wait. Let's do whoami /priv...Okay. We don't have a lot
of...privileges...nor...privileges...wait. Let's go...Let's enumerate this properly.
Okay. What do we have? We've got public. Oh, okay. So these, this is the share that
we were able to see before...Okay. let's go back. What else do we have? SQL server?
Let's go into the SQL server...Interesting. I don't believe that SQL server is a
default directory...so let's explore this a bit more. We've got two executables
and two folders...Let's go into Logs first, of course...and...download...this
ERRORLOG...Okay...And then...let's go to...internal...And then do sudo cp...home food,
data...ERRORLOG. Oh, to here...And then we can open it...ERRORLOG. Okay. Got a big
ERRORLOG. Let's read that...Let's kill mock. This is what...my man was talking about. Something
with mock...yeah, a lot of log language here, a lot of gibberish...Initial allocation, okay.
This is the SQL Server starting, I believe...Yes. SQL Server started in single user mode...server
named DC\SQLMOCK. So this is definitely what my man was saying. Then we've got the different
databases running...Change, okay. So configuration option show advanced options changed from 0 to
1...Okay. So this is some of the things that I was trying to do before, but we don't really have
permissions...Severity...Logon failed for user sequel\Ryan.Cooper. Nice. We've got another set
of credentials...Well, a username, rather. Password did not match for the login provided.
Logon failed for the user...This looks like a password. Wait. Okay. So Ryan Cooper...Password
did not match that for the login provided...Did he write his password as a login...Sure. Okay.
Let's try that...Let's see if we have another set of credentials...Enumeration...We went
into the Logs folder...and found an interesting...ERRORLOG.BAK file...That
contains a lot...of...log gibberish...but also...credentials...So let's test them out.
Let's test out these credentials...Let's do the same thing we did before...Okay. I was
scared there for a second...So we've got this, and then let's do...WinRM. Of course,
that's gonna be Pwn3d...Like that. And then what we can do is...evil-winrm...-i...close
this...Bam. Perfect. Like this. Perfect for the screen...And we've got privilege
escalation. This should be privilege escalation, actually...Yeah. I'll just copy all of this. And
also put it into privilege escalation. Right. And then call this...as user...sql...or was
it sql_svc like this, I think? And then now as...user Ryan.Cooper...Okay. So let's go and,
no. Let's first do whoami /priv like before, but let's do /all...Will this screenshot work...No.
Of course not. Okay. So let's...put this back like this, like that, and then let's just
copy everything...Okay. So we are part of what groups? Remote Management Users...Yes. Of course.
Otherwise, we wouldn't have been able to log in. Certificate Service DCOM Access. Another thing
with certificates. Okay...Let's go and Google what this group can do...No...The auto-enrollment
server is invoked by using the Distributed Component Object Model; it is important that it is configured
for local DCOM access for system processes...and accounts with administrative privileges...Wait.
What? It is important to ensure that Microsoft Windows is configured for local DCOM access for
system processes and accounts with administrative privileges. But I don't have administrative
privileges...Oh...Okay. Okay. I know what this is...So...judging by the groups I'm in...and
by the enumeration I did before, LDAP and certificates...The box is probably trying to test
me on my knowledge of certificate...exploitation, basically. This is very important. When you do
HackTheBox, you need to get a feeling for what you're being tested on. It's like an exam
in school. Like, there are certain things that you've done during the year, and the teacher
is testing you on those things. And...look, analyze the box we've been doing. We've been doing
this box, and it's had SSL on the LDAP. I am now seeing that I'm inside a group that is again SSL,
or no, certificate. So...First of all, it's the first box that we've done with certificates,
and it comes back twice. So most probably, the box is trying to test me on something to do with
the certificates. And maybe I'm biased because I've been doing the Academy on certificates
specifically. But...let's try. I mean, it couldn't hurt because
also...Active Directory Certificate Services are very often misconfigured. The research has only
come out a year or two ago. And so there are still a lot of things to research, and I actually
seem to like Active Directory more and more. You know, I used to hate Windows, but I'm starting
to get quite fond of it. Okay. So...we are part of...the...what's the group called? Certificate
Service...DCOM Access group...And on the website...docs.digicert...It says...that's...which
we...are...Oh, by the way, I forgot something important...Desktop...Let's go. I've got the
user.txt...loot...user.txt. Like this. Okay. Where was I? Privesc...Which we are
not, so...most probably...we have some sort...of ADCS...misconfiguration...And...Let's
try and enumerate this. So part of the research...Okay. Let me find this research for
you guys. ADCS...let's just type that...SpecterOps...Yes. This...This is their white paper. No.
This is a blog post...that they released...So who are they? Will Schroeder...there you go. I should
really start learning the names of all the people within the industry because they keep dropping
amazing stuff. Go support these guys as much as you can. Will Schroeder and Lee Christensen.
They are, like, top of the game for Active Directory research. And the white paper...I'll put
everything in the description, but essentially...What they released is this research
and then also...some tools. It started with Kekeo adding...certificate login into Rubeus. Which is
great. I've read all of this, and this is why I'm enjoying this so much, because I've been reading
it the last couple of days. So yeah, that was the first thing that kind of spawned...their research
into Active Directory Certificate Services. Essentially, they found out that you can use a
certificate to authenticate to Active Directory, which is pretty wild. And it's almost...better
even than having a...password. Like, it functions a bit like pass the hash. You have a hash. You
have a certificate. You can log in...but anyway, we'll see all of that. I will link all of
this in the description...But yeah, the tool they released is Certify. So let's go into...let's open
a new...terminal, and then let's go to...privesc. And then copy from...opt...Sharp, is it Sharp?
SharpCollection...Any...Certify, damn...like this. Okay...So this I now...have...to...I have to
sudo copy Certify...to...home...data...And then here, I have to upload...Certify.exe...And
then I also wanna load Rubeus because I will probably need both...Okay. So let's go
into my notes. No. Actually, let's try it like this. So...we have Certify...Certify
.exe...Okay. Let's go full screen...What can we do? Find information about all registered
CAs...So find vulnerable...abusable certificate templates using default low-privileged groups,
which we are...So let's find vulnerable...Okay. Let's do that...Find...was it...Backslash
or like this, probably...Okay. Let's go back into our notes...Okay...within their
research, they released certain tools, blah blah, let's...use...Certify.exe...to
enumerate the...ADCS, Active Directory Certificate Services...and
their...certificate...templates, because basically...the templates are where the
settings, the security context of a certificate, are stored. So whenever
you have a vulnerable certificate or a misconfiguration...it is found within...the
certificate templates. As you can see here, so the template name, UserAuthentication...We've
got the certificate authority name, sequel DC, sequel htb, sequel DC CA. And this is the name of
the...of the vulnerable...template. We've got oh wow. We've got quite a few...We've got a lot
of vulnerable...Wait. Okay. So listing info about Enterprise CA. Okay...So let's see...available
certificate templates...Template name, User...Okay. So if I understand this correctly,
we have a lot of different templates that are vulnerable...Enrollment permission...right
owner...Okay. I need to read more because...I still don't really see and understand
everything here. So these are some of the EKUs, extended key usages, and those are the
settings that cause misconfiguration. Right. And so here, for example,
you've got oh, these are like certain flags that are...enabled or disabled. So for each...for each
certificate to be exploitable, certain conditions obviously have to be met. And...this tool,
certify.exe, basically checks this. So...Should we just try any...template name...and they all
have...Let's try and look for authenticate, authentic...Client Authentication...Oh, okay.
So okay. What I just did was I looked inside of these templates, and not all of them
allow...authentication. Well, actually they do. Most of them do. So the pKIExtendedKeyUsage,
that's the EKU that I said, is the flag that needs to be enabled and tells you
what you can do. I wish I could show you how it looks in Active Directory. Basically, it
shows you the settings, of course. And so here, you can see the big...the...EKUs, and
I am looking for the Client Authentication EKU...Template name, UserAuthentication. That
looks okay...So just the last one. Okay...so let's...take this...And put it inside of our
notes...Okay. So...certify.exe...Like this, but then...I executed this...You ran...to list...all
vulnerable...ADCS templates...No, certificate...and found the following...interesting one...The
reason why it's interesting is basically because it's called UserAuthentication...it allows me
to authenticate...and as domain administrator, which is obviously what we want. So now let's see
how we can exploit this. So...let's do certify.exe again...Actually, do I have it in my notes how
to...continue here...I do...what I can also do...is certify find vulnerable and then...current
user...And that will give me...That will give me again all of them. Okay...okay. Let's just
try...enumerate access control information for all, find all. Okay. So this is finding...And now
let's request a new certificate using the current user context. So request...CA, we've got that.
No. Request a new certificate using the current machine context...Request a new certificate using
the current user context but for an alternate name if supported. Oh yeah. The alternate name
is essentially who the certificate is written out for. And...is this correct...Let's look at
my notes a tiny bit...Yeah. That rings a bell. Request a new certificate on behalf of another
user using an enrollment agent...good. No. Okay. Let's try this one. You know what? It doesn't
hurt to try. So let's do Certify.exe...request...CA. We have the CA. So let's go
here...The CA name is all of this...Then...What else? Temp...templates, we've also
got...UserAuthentication...Then what else...altname...Altname, does it say something
with altname here...What is it written out for? I believe that's correct. And...given that
I am Ryan Cooper, and I am...okay. Yes. So I'm requesting a certificate for oh, the
administrator...That makes sense...Is this correct...Is this correct...The certificate
had been oh yes...And then convert with this. Okay...Wow. Jimmy, you are making progress...This
is amazing. So...let's take all of that...And paste it here...We have requested...another
certificate...as administrator...Okay. It doesn't look very nice when it's small like that,
but in my notes like this, it will look better. But that's okay. And then it tells me to use
OpenSSL...Okay. It tells me to save all of this inside cert.pem. Okay. I'll do that...Oh, I don't
need to. Here. Let's go inside my notes...Okay. So let me go up...and...then...go like this...pop
pop pop pop...like this, and then go down...and then we go back. Privesc...And then we call this
touch cert.pem as it tells me to. Yeah. It says .pem here. So I should call it cert.pem.
And then I do vim...cert.pem. And then I pay oh no. What I have what I've done...No,
I don't need to do that...Like this...Let's copy all of that...And then...space...and
then...this. Why does that not work...Oh...I have to press enter...Yes...Okay...Like this,
and then go all the way up. There's, I know, I know, I know. Vim is supposed to be used
with the shortcuts and everything...I haven't learned. I've learned them at least ten times
and every time I forget because I don't use it enough. And yeah, just get off, get off my shit.
I will eventually do it. Okay. So OpenSSL...on this file. Will that work? Password, let's
go...passwords...and then again, password. Did I typo? Did I do a typo...cert.pfx. Okay. So
we've got cert.pfx...let's now...sudo...copy cert.pfx...into home...data...yeah, just
copy there and then go up and upload...cert.pfx...Okay. That file is now there. And now the
last thing I have to do...is use Rubeus. I did look at my notes just there. I don't know why I
did that. I'm sorry, but I did. Oh, so here I ask for a ticket granting ticket. This is the tool.
This is the...the new functionality that Kekeo added to Rubeus. So you are able to use...a
certificate as...a...way of authenticating. Certificate, and then...and then cert
.pfx. And this should now...The specified network password is not correct...Oh, god...U s w
x c...Password...as we approached cred password, no...Create hidden program. No...Calcul...Okay.
Should I not create a password...Let's...delete cert.pfx...And then sudo remove...home...
data...cert...and then do copy...like that. And then here...delete...cert.pfx. Does
that work? Yes. And then...upload again...And now try Rubeus again...So that works. Yes.
Okay. So no more passwords...And...This is the ticket granting ticket for administrator...How do
I use that again...Okay. So pass the ticket. I can now do pass the ticket. Let's go into password
attacks. Windows lateral movement, pass the ticket...Oh, inside of Rubeus...Can I now...did
this work...Ticket successfully imported. So I should be able...to now go into C:\...use
this...and then administrator...Convert kirbi to base64 format...Do I have to do that? Yes, I
do. Oh, Rubeus, pass the ticket...I have the base64 key...Let's see...What I can also
try...instead of pass the ticket...is...let's do...I'm wasting time. No way...Rubeus
.exe...Oh, okay. Back...to...Ryan...and then...desktop...And then do Rubeus.exe,
and then we can do nowrap...and getcredentials, I believe...Yes. Here. No. Okay. getcredentials.
Let's try that...getcredentials...And what is nowrap again? I remember using it a
lot. So...Oh...I've got the hash. Okay...Yeah, I did it. This is it. Okay. So let's take some
notes...before we do pass the hash because we've basically finished...So what did we do...We
created...the cert.pfx...We used it here. Let me take this...And then...what else did we
do...Then in the end...used that ticket to get credentials...Like that. I will flesh these notes
out in a bit, but basically now I'll do pass the hash...we have...successfully...exploited...the
certificate...And...potentially...acquired an administrator...hash...Here it is. We can go
into loot...and say administrator...and then paste the hash. And then we can confirm that.
By saying...netexec...smb...our IP...And then...dash u...administrator...Dash capital
h...and our hash...Pwned...Yes...WinRM...Yes. We did it...We're quite happy at this...This is,
this was nice. I looked at my notes a tiny bit, but not too much. Oh, there's one open here. So
I need to close this one...and then...We did it, guys. We did it...We have pwned...Escape. And we
have root...Nice. Let's take a screenshot...You know, gotta do what we gotta do...Yes. This was
fun. This was real fun. Yes...So we've done it. I'm gonna flesh out the notes a tiny bit, but one
hour thirty-six, that's fine. Thank you, guys, for watching. I hope you had as much
fun as I did. Please like, subscribe, share the video if you learned something. Or
whatever. Just do what you gotta do. Comment down below. That helps a lot. Put the notification
bell on. That's what all the other YouTubers say all the time...And yeah, I hope you enjoyed.
I'll see you guys in the next one. Peace.
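The conditions that made the UserAuthentication template abusable in the video (the ESC1 case from the SpecterOps research: an authentication EKU, the enrollee may supply the subject, no manager approval or signatures, and a low-privileged group may enroll) turned into a small audit check. This is an added example, not code from the video or from the Certify project; the template records, the "fixed" variant and the list of low-privileged principals are constructed, and the flag bits and EKU OIDs are the documented ones from the certificate template schema.

```python
# ESC1 template audit: added example, not from the video or from Certify. It checks
# the conditions Certify's "find /vulnerable" reports for the UserAuthentication
# template above, on constructed records keyed by pKICertificateTemplate attributes.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag bit
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag bit (manager approval)

# EKUs usable for domain logon; an empty EKU list means no restriction at all.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Constructed set of principals treated as low privileged for this audit.
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def enables_authentication(ekus):
    return not ekus or bool(set(ekus) & AUTH_EKUS)

def esc1_findings(t):
    """Names of the ESC1 conditions one template record satisfies."""
    found = []
    if enables_authentication(t.get("pKIExtendedKeyUsage", [])):
        found.append("authentication EKU")
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        found.append("enrollee supplies subject")   # requester may set the SAN
    if not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        found.append("no manager approval")
    if t.get("msPKI-RA-Signature", 0) == 0:
        found.append("no authorized signatures")
    if set(t["enroll"]) & LOW_PRIV:
        found.append("low-privileged enrollment")
    return found

def is_esc1(t):
    return len(esc1_findings(t)) == 5  # ESC1 needs all five together

def audit(templates):
    """Map template name -> True when the template is ESC1-abusable."""
    return {t["name"]: is_esc1(t) for t in templates}

# Constructed samples: a template shaped like the video's finding, and the same
# template with the enrollee-supplies-subject bit cleared (one standard fix).
VULN = {"name": "UserAuthentication", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0, "enroll": ["Domain Users"]}
FIXED = dict(VULN, name="UserAuthenticationFixed", **{"msPKI-Certificate-Name-Flag": 0x0})
SAMPLE_TEMPLATES = [VULN, FIXED]
```

Requiring manager approval (setting CT_FLAG_PEND_ALL_REQUESTS) or removing the low-privileged enrollment right would each break the chain just as well, since the check only fires when all five conditions hold at once.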