I have done a total of about 89 different CTFs on TryHackMe:

Completed all Active Directory networks on TryHackMe

TryHackMe profile


Here are a few walkthroughs related to interesting topics. These are part of my OSCP preparation; the machines are more or less similar to those in the OSCP.


Intelligence

Password spraying, DNS manipulation, BloodHound analysis, abusing 'ReadGMSAPassword' rights, and leveraging a managed service account with constrained delegation for administrative shell access



Cascade

LDAP enumeration, SMB exploitation, and TightVNC configuration analysis. The challenge includes shell access, SQLite database decryption, and leveraging AD Recycle group privileges to access a main administrator account using a recovered temporary admin's credentials.



Monteverde

AD enumeration, password spray, SMB share access, XML credential discovery, WinRM access, and Azure AD Connect credential extraction


AV Evasion: Shellcode

Shellcode encoding, packing, binders, and crypters. Exploring how payloads are built and delivered, focusing on how common AV engines detect them.




Active Directory Persistence

Gaining persistence in an AD environment with credentials, Golden/Silver tickets, generating our own certificates, modifying SID values, ACLs and GPOs. Almost every one of these techniques is incredibly invasive and hard to remove. In real-world scenarios, the exploitation of most of these techniques would result in a full domain rebuild.


Buffer overflow

Identifying the offset, creating a byte array and finding bad characters, crashing the server and identifying the ESP address, eliminating bad characters until a clean payload is obtained, finding a jump point and updating the retn variable in the exploit.py script, and giving the payload space to unpack itself in memory by adding NOP (\x90) bytes to the padding variable in the script.




Attacking Active Directory

User enumeration with kerbrute without generating event ID 4625 ("An account failed to log on"), AS-REP Roasting the discovered users, cracking the users' hashes, enumerating SMB shares, dumping hashes with secretsdump and Passing the Hash.



Exploiting Active Directory

Enumerating with BloodHound, privilege escalation through misconfigured group rights in the AD environment, exploiting Kerberos delegation, using Kekeo to generate our tickets and then Mimikatz to load those tickets into memory, forging TGS requests and gaining administrative and RDP permissions on the victim.



Internal

Brute-forcing the WordPress login page, using a PHP reverse shell, cracking Jenkins credentials with Hydra, and using the Jenkins script console to gain a reverse shell.


