It starts with a simple web page that takes a URL and generates a PDF. Precious is on the easier side of boxes found on HackTheBox. To get administrator access, I’ll abuse relaying Kerberos, showing both KrbRelay to add a user to the administrators group, and KrbRelayUp to get the machine account hash and do a DC sync attack.Ĭtf hackthebox htb-precious nmap subdomain ffuf ruby phusion passenger nginx exiftool pdfkit feroxbuster cve-2022-25765 command-injection bundler yaml-deserialization youtube This user is able to modify a group and from there modify a user to add a shadow credential and finally get a shell on the box.
Access to a share provides a Nim binary, where some dynamic analysis provides yet another set of creds. LDAP enumeration leads to the next set of creds. I’ll figure out the username format for the domain, and AS-REP-Roast to get creds.
BINARY DOMAIN PC CONTROLLER FIX FULL
Still, even today, it’s a maze of Windows enumeration and exploitation that starts with some full names in the metadata of images. At that time, many of the tools necessary to solve the box didn’t support Kerberos authentication, forcing the place to figure out ways to make things work.
Htb-absolute hackthebox ctf windows iis crackmapexec ldapsearch dnsenum feroxbuster exiftool username-anarchy kerbrute as-rep-roast hashcat kerberos kinit klist bloodhound bloudhound-python rpc dynamic-reversing wireshark shadow_credential certipy krbrelay visual-studio runascs krbrelayup rubeus dcsyncĪbsolute is a much easier box to solve today than it was when it first released in September 2022.
0 kommentar(er)
