HackTheBox - Voleur

00:00 - Introduction
01:00 - Start of nmap
07:20 - Running RustHound
08:30 - Running smbclient with Kerberos, to login to the fileshare as Ryan and downloading/cracking a word document with password
12:50 - Opening the Access Review Document, discovering multiple credentials and looking at bloodhound to see what we can do
18:30 - Performing a TargetedKerberost to gain access to the WinRM Account and then using RunasCS to gain a shell as SVC_LDAP
25:40 - Using the AD Powershell Module to restore a deleted user
27:20 - Showing we didn't need a shell to restore the deleted user, doing it manually first showing ldapsearch can see deleted users then running the tombstone netexec module
38:30 - Todd.Wolfe is a member of second-line technician. Looking at the fileshare to discover his user backup
41:40 - Running Netexec Spider_Plus to dump the fileshare and discovering DPAPI Saved Blobs
46:00 - Using impacket-dpapi to decrypt the dpapi data that was in the backup
50:30 - Getting access to Jeremy.Combs, who has SSH Access to the box
58:30 - Finding the NTDS Backup, running secretsdump to get Administrator