i would have never ever able to solve this without help, makes me feel like how much is there to learn by the superb video and explanation, the tricks that u show gives me goosebump, may be by the end of this year i will able to acquire this level of knowledge and skill set, please keep making these videos.
They way you did this box was so clean, easy to understand and still touching every core concepts that has been brought into by the maker. Very well done!!
One of your best vids imo. I usually just enjoy watching, but don't really learn much. This time I feel like I learned a lot, and also enjoyed lot more as a consequence. Keep it up!
smbclient also has the `--use-kerberos=required` switch. Not sure if that works with this box, but, a thought I had. Also it appears that kerbrute has a switch `--user-as-pass` under the passwordspray subcommand.
Glad you enjoyed my machine :) and yeah I wish I could have disabled the xp_cmdshell thing but because the SQL server thinks you're admin (that's the whole point of the silver ticket part of course), it seemed like there was no way to stop people just re enabling it
thanks ippsec, learned so much. Very much appreciate the way you solve the box but go back to explore the path the author intended it shows so much respect. Also, awesome how that point...is when the doom music kicks in :D
whats crazy wild about this is the fact that impacket got an update for -dc-host support specifically for this box check the issues and you see the box creator talking about he wished this got fixed months ago when he created the box
haha yeah it took 6 months for the machine to be approved by HTB so I really hoped they'd have fixed it by then. Looks like they have now though. That "dc-host" option that ippsec used in the video didn't exist before.
I know that we get Admin because we specified the id to be 500 in tickter but then why not just run a reverse shell executable with xp_cmdshell to get an Admin shell. Kinda confused as to how we go from Administrator to a low priv user again. Love the vids!
Box was very awesome until goofy privesc at the end. Not that code analysis and understanding the technologies and stuff isn't valuable but man it should have just kept the AD theme going
why is it when i crate a ticket and then export KRB5CCNAME=Administrator.ccache then i klist i get a error saying klist: krb5_cc_get_principal: refuses to open group/other readable files FILE:Administrator.ccahe
I won't ever play windows boxes. There are about 5 quintillion paths to authenticate. Passwords sometimes stored in plain text, sometimes as hashes, sometimes encrypted. Domain Users, Machine Users, SPNs, Managed Service Accounts. 12 gorillion permissions on Users, Machines, Services, AD Objects... I used to laugh at "security by obscurity".
![แม่กลองสองใจ - ซีแกรม โตเกียว มิวสิค [ OFFICIAL MUSIC VIDEO ]](http://i.ytimg.com/vi/GSQfVjcr_f4/mqdefault.jpg)
![ภาพนี้ก็ฮาเหมือนกันนะเนี้ย #1 SS8 [ พากย์นรก MEME.EXE ] | easy boy](http://i.ytimg.com/vi/Ytc50m91QK8/mqdefault.jpg)
i would have never ever able to solve this without help, makes me feel like how much is there to learn by the superb video and explanation, the tricks that u show gives me goosebump, may be by the end of this year i will able to acquire this level of knowledge and skill set, please keep making these videos.
They way you did this box was so clean, easy to understand and still touching every core concepts that has been brought into by the maker. Very well done!!
One of your best vids imo. I usually just enjoy watching, but don't really learn much. This time I feel like I learned a lot, and also enjoyed lot more as a consequence. Keep it up!
ok im not the only one 😂
smbclient also has the `--use-kerberos=required` switch. Not sure if that works with this box, but, a thought I had. Also it appears that kerbrute has a switch `--user-as-pass` under the passwordspray subcommand.
Glad you enjoyed my machine :) and yeah I wish I could have disabled the xp_cmdshell thing but because the SQL server thinks you're admin (that's the whole point of the silver ticket part of course), it seemed like there was no way to stop people just re enabling it
Great explanation as always. We learn a lot each time, thanks a lot
Awesome video as always, cheers from Brasil
Learned a lot watching this video thank you!!
Excellent lesson for me, Thank you.
I was waiting windows boxes sir . Once again tq ...
thanks ippsec, learned so much. Very much appreciate the way you solve the box but go back to explore the path the author intended it shows so much respect. Also, awesome how that point...is when the doom music kicks in :D
The NTLM Hash Generator site has a lowercase option built in. Just to save you a step in the future. Thank you for the video!
Its called MDI now (Microsoft Defender for Identity). It hooks into the NIC and looks at all DC communication.
whats crazy wild about this is the fact that impacket got an update for -dc-host support specifically for this box check the issues and you see the box creator talking about he wished this got fixed months ago when he created the box
haha yeah it took 6 months for the machine to be approved by HTB so I really hoped they'd have fixed it by then. Looks like they have now though. That "dc-host" option that ippsec used in the video didn't exist before.
merci beaucoup a toi :))
0days folder on the desktop as you do...
Hey Ippsec. I wonder if there are any other way to support you since your patreon is stopped. Do you prefer TH-cam subscription or some other way ?
TH-cam Subscription is the preferred method now.
Great box from VbScrub as always. Thanks Ippsec for sharing your knowledge.
I know that we get Admin because we specified the id to be 500 in tickter but then why not just run a reverse shell executable with xp_cmdshell to get an Admin shell.
Kinda confused as to how we go from Administrator to a low priv user again.
Love the vids!
yo bro, what operating system you are using,
u r doing more than great,
can i get your discord i wanna work with you,
All the ebest
haha I'm with you there
Push!
How your Pwnbox is like this? The Pwnbox in HTB is different
maybe it's his box?
yeah he did some modifications to the pwn box and runs it locally
cant remember what vid he talks about that in
thank you if you can help after
Box was very awesome until goofy privesc at the end. Not that code analysis and understanding the technologies and stuff isn't valuable but man it should have just kept the AD theme going
If you wont reset password call to ippsec ;)
first
why is it when i crate a ticket and then export KRB5CCNAME=Administrator.ccache then i klist i get a error saying klist: krb5_cc_get_principal: refuses to open group/other readable files FILE:Administrator.ccahe
I won't ever play windows boxes. There are about 5 quintillion paths to authenticate. Passwords sometimes stored in plain text, sometimes as hashes, sometimes encrypted. Domain Users, Machine Users, SPNs, Managed Service Accounts. 12 gorillion permissions on Users, Machines, Services, AD Objects...
I used to laugh at "security by obscurity".
lol it's insane really
@ippsec