I have done a total of about 89 different CTFs on TryHackMe:
Completing all Active Directory networks at Tryhackme
Tryhackme profile (Click here)
Here are a few walkthroughs related to interesting topics. These are part of my OSCP preparation; the machines are more or less similar to those in the OSCP.
Intelligence
Password spraying, DNS manipulation, BloodHound analysis, abusing 'ReadGMSAPassword' rights, and leveraging a managed service account with constrained delegation for administrative shell access
Cascade
LDAP enumeration, SMB exploitation, and TightVNC configuration analysis. The challenge includes shell access, SQLite database decryption, and leveraging AD Recycle group privileges to access a main administrator account using a recovered temporary admin's credentials.
Monteverde
AD enumeration, password spray, SMB share access, XML credential discovery, WinRM access, and Azure AD Connect credential extraction
AV Evasion: Shellcode
Shellcode encoding, packing, binders, and crypters. Exploring how to build and deliver payloads, focusing on avoiding detection by common AV engines.
Active Directory Persistence
Gaining persistence in an AD environment with Credentials, Golden/Silver tickets, Generating own Certificates, Modifying SID values, ACL and GPO. Almost all of these techniques are incredibly invasive and hard to remove. In real-world scenarios, the exploitation of most of these techniques would result in a full domain rebuild.
Buffer overflow
Identifying the Offset, Creating a Byte Array and Bad Characters, Crashing the Server & Identifying ESP Address, Eliminating Bad Characters until a clean payload is obtained, Finding a Jump Point and updating the retn variable in the exploit.py script, and giving the payload space to unpack itself in memory by adding (\x90) bytes to the padding variable in the script.
Attacking Active Directory
User enumeration with kerbrute without generating "account failed ID 4625", AS-REP Roasting the found users, Cracking the user's hash, Enumerating SMB shares, Dumping hashes with secretsdump and Passing the Hash.
Exploiting Active Directory
Enumerating with BloodHound, Privilege Escalation through misconfigured groups and rights in the AD environment, Exploiting Kerberos Delegation, using Kekeo to generate our tickets and then using Mimikatz to load those tickets into memory, forging TGS requests and gaining administrative and RDP permissions to the victim.
Internal
Bruteforcing the WordPress login page, Using a .php reverse shell, Cracking Jenkins credentials with Hydra and using the Jenkins script console to gain a reverse shell.
