HackTheBox - Escape

00:00 - Introduction 01:00 - Start of nmap 03:10 - Examining SSL Certificates and seeing “sequel-DC-CA“, which hints towards there being a Certificate Authority 05:45 - Using CrackMapExec to enumerate file shares 06:30 - Accessing the Public Share, downloading a PDF File and finding credentials in it, using CME again and using CME to test smb, winrm, and mssql 10:00 - Using mssqlclient to login to access MSSQL 10:50 - Using XP_DIRTREE to request a file off an SMB Share in order to intercept the hash of the user running MSSQL, then cracking it 18:45 - Using Evil-WinRM to login to the box with SQL_SVC account, uploading and not finding a vulnerable certificate 20:45 - Looking at the error logs and discovering a user entered their password as a username so it got logged. Logging in as 23:40 - Running Certify again as Ryan and finding a vulnerable UserAuthentication Certificate 25:00 - Using Certify Scenario #3 to create a UserAuthentication certific