Explore >> Select a destination
|
You are here 
|
blog.ikuamike.io | ||
| | | | |
0xdf.gitlab.io
|
|
| | | | | One of the neat things about HTB is that it exposes Windows concepts unlike any CTF I'd come across before it. Forest is a great example of that. It is a domain controller that allows me to enumerate users over RPC, attack Kerberos with AS-REP Roasting, and use Win-RM to get a shell. Then I can take advantage of the permissions and accesses of that user to get DCSycn capabilities, allowing me to dump hashes for the administrator user and get a shell as the admin. In Beyond Root, I'll look at what DCSync looks like on the wire, and look at the automated task cleaning up permissions. | |
| | | | |
taeluralexis.com
|
|
| | | | | Exploit a machine through SMB and elevate privileges by performing a kerberoasting attack on a domain admin. | |
| | | | |
www.justus.pw
|
|
| | | | | [AI summary] The user successfully gained access to a system by exploiting a Heartbleed vulnerability, decrypted an RSA key using a password obtained from memory, and then used that key to log in as the 'hype' user. After enumerating the system, they accessed a Tmux session to gain root access and retrieved the root flag. | |
| | | | |
0xdf.gitlab.io
|
|
| | | I loved Sizzle. It was just a really tough box that reinforced Windows concepts that I hear about from pentesters in the real world. I'll start with some SMB access, use a .scf file to capture a users NetNTLM hash, and crack it to get creds. From there I can create a certificate for the user and then authenticate over WinRM. I'll Kerberoast to get a second user, who is able to run the DCSync attack, leading to an admin shell. I'll have two beyond root sections, the first to show two unintended paths, and the second to exploit NTLM authentication over HTTP, and how Burp breaks it. | ||
