HTB Machines for OSEP Preparation


In-Progress

List of HTB (Hack The Box) machines to prepare for the OSEP exam (PEN-300) by Offensive Security.

3. Client Side Code Execution With Office

| Attack Type | HTB Machine | Attack Used in HTB Walkthrough | Link |
| --- | --- | --- | --- |
| Phishing with Microsoft Office: RTF Document | REEL | malicious RTF Document (CVE-2017-0199) | Video: https://youtube.com/watch?v=ob9SgtFm6_g&t=794; Tool: https://github.com/bhdresh/CVE-2017-0199 |
| Phishing with Microsoft Office: LibreOffice | RE | LibreOffice Macro | Video: https://youtube.com/watch?v=ob9SgtFm6_g&t=794; Tool: <> |
| Phishing/Macro | REEL2 | Grab NTLMv2 with Malicious link | Video: https://youtube.com/watch?v=Ro2vXt_WFDQ&t=2350; Tool: <> |
| Phishing with Microsoft Office: LibreOffice | RABBIT | LibreOffice Macro | Video: https://youtube.com/watch?v=5nnJq_IWJog&t=1935; Tool: <> |

=> Non-HTB VIDEOS

| Attack Type | Video By | Attack Used in Video | Link |
| --- | --- | --- | --- |
| Phishing with Microsoft Office | S3cur3Th1sSh1t | macro, AMSI bypass, gadget2JS, persistence, ETW …etc. | Video: https://www.youtube.com/watch?v=KeSRGjnTdSc |
| PowerShell Shellcode Runner | DWResearch | Weaponising Word With Powershell | Post: https://www.dwresearch.online/post/weaponising-word-with-powershell |

4. Client Side Code Execution With Windows Script Host

| Attack Type | HTB Machine | Attack Used in HTB | Link |
| --- | --- | --- | --- |

=> Non-HTB VIDEOS

| Attack Type | Video By | Attack Used in Video | Link |
| --- | --- | --- | --- |
| Shellcode Runner in C# | Reversing Hub | Process hollowing with shellcode in C# | Video: https://www.youtube.com/watch?v=AL5SgHidfmQ |
| DotNetToJScript | ired.team | Executing C# Assemblies from Jscript | Post: Executing C# Assemblies from Jscript |

5. Process Injection and Migration

| Attack Type | HTB Machine | Attack Used in HTB | Link |
| --- | --- | --- | --- |

6. Introduction to Antivirus Evasion

| Attack Type | HTB Machine | Attack Used in HTB | Link |
| --- | --- | --- | --- |
| Obfuscating Macro | RE | | Video: https://youtube.com/watch?v=YXAakamjO_I&t=1005 |

7. Advanced Antivirus Evasion

| Attack Type | HTB Machine | Attack Used in HTB | Link |
| --- | --- | --- | --- |
| AMSI Bypass | APT | | Video: https://youtube.com/watch?v=eRnqtXwCZVs&t=4650 |
| AMSI Bypass | PivotAPI | | Video: https://youtube.com/watch?v=eRnqtXwCZVs&t=4650 |
| AMSI Bypass | MULTIMASTER | | Video: https://youtube.com/watch?v=iwR746pfTEc&t=6814 |

8. Application Whitelisting

| Attack Type | HTB Machine | Attack Used in HTB | Link |
| --- | --- | --- | --- |
| AppLocker Bypass | REEL2 | Breaking out of ConstrainedLanguage Mode by creating a function | Video: https://youtube.com/watch?v=Ro2vXt_WFDQ&t=3600 |
| AppLocker Bypass | GIDDY | Escaping PowerShell constrained mode with PSBypassCLM | Video: https://youtube.com/watch?v=Ro2vXt_WFDQ&t=3600 |
| AppLocker Bypass | SEKHMET | Intended way of bypassing AppLocker | Video: https://youtube.com/watch?v=vsgPsMZx59w&t=6300 |
| AppLocker Bypass | - | AppLocker Bypass COR Profiler | Video: https://youtube.com/watch?v=Ro2vXt_WFDQ&t=3600 |

9. Bypassing Network Filters

| Attack Type | HTB Machine | Attack Used in HTB | Link |
| --- | --- | --- | --- |
| DNS Filters | | | |
| Web Proxies | | | |
| HTTPS Inspection | | | |
| Domain Fronting | | | |
| DNS Tunneling | | | |

10. Linux Post-Exploitation

| Attack Type | HTB Machine | Attack Used in HTB | Link |
| --- | --- | --- | --- |
| User Configuration Files: bashrc | AWKWARD | Discovering a unique file in a user's .bashrc | Video: https://youtube.com/watch?v=gmaizI5Xcqs&t=2520 |
| User Configuration Files: Vim | SWAGSHOP | Privesc with vim with sudo | Video: https://youtube.com/watch?v=qECG2_8xw_s&t=2130 |
| | ATTENDED | Exploiting VIM RCE and using ping | Video: https://youtube.com/watch?v=ABVR8EgXsQU&t=743 |

=> Non-HTB VIDEOS

| Attack Type | Video By | Attack Used in Video | Link |
| --- | --- | --- | --- |
| Shared Libraries | The Cyber Mentor | Escalation Via LD_PRELOAD | Video: https://www.youtube.com/watch?v=ZTnwg3qCdVM&t=6581s |

11. Kiosk Breakouts

| Attack Type | HTB Machine | Attack Used in HTB | Link |
| --- | --- | --- | --- |

=> Non-HTB VIDEOS

| Attack Type | Video By | Attack Used in Video | Link |
| --- | --- | --- | --- |
| Kiosk Breakout | John Hammond | Kiosk BUILD - “Easy Mode” / FrontFace Lockdown | Video: https://www.youtube.com/watch?v=blNSJxk9PtE |
| Kiosk Breakout | John Hammond | Kiosk BREAKOUT - Web Browser to Command Prompt (Easy Mode) | Video: https://www.youtube.com/watch?v=R7srpHUshuI |
| Kiosk Breakout | John Hammond | Assigned Access Kiosk - BREAKOUT (Hard Mode) | Video: https://www.youtube.com/watch?v=aBMvFmoMFMI |
| Kiosk Breakout | John Hammond | | |

12. Windows Credentials

| Attack Type | HTB Machine | Attack Used in HTB | Link |
| --- | --- | --- | --- |
| Local Windows Credentials: LSASS Dump | ATOM | Using rundll32 to create a memory dump of LSASS | Video: https://youtube.com/watch?v=1OC2eRVX0ic&t=1830 |
| Local Windows Credentials: LSASS Dump | BLACKFIELD | Running pypykatz to extract credentials | Video: https://youtube.com/watch?v=1OC2eRVX0ic&t=1830 |
| Local Windows Credentials: SAM Dump | BASTION | Extracting local passwords from SAM and SYSTEM with secretsdump | Video: https://youtube.com/watch?v=2j3FNp5pjQ4&t=660 |
| Local Windows Credentials: LAPS | STREAMIO | Identifying and Extracting the LAPS Password | Video: https://youtube.com/watch?v=B9nozi1PrhY&t=11697 |
| Local Windows Credentials: LAPS | PivotAPI | Discovering a user who can add groups to LAPS | Video: https://youtube.com/watch?v=FbTxPz_GA4o&t=5990 |
| Access Tokens: UAC | ARKHAM | UAC Bypass | Video: https://youtube.com/watch?v=krC5j1Ab44I&t=3340 |
| Access Tokens: SeImpersonate | SCRAMBLED | Abusing SeImpersonate Privilege | Video: https://youtube.com/watch?v=2j3FNp5pjQ4&t=660 |
| Access Tokens: Incognito | HACKBACK | Using incognito to grab our impersonation token for HACKER user | Video: https://youtube.com/watch?v=B9nozi1PrhY&t=11697 |

13. Windows Lateral Movement

| Attack Type | HTB Machine | Attack Used in HTB | Link |
| --- | --- | --- | --- |
| Remote Desktop Protocol | | | |
| Fileless lateral movement | | | |

14. Linux Lateral Movement

| Attack Type | HTB Machine | Attack Used in HTB | Link |
| --- | --- | --- | --- |
| DevOps | SEAL | Abusing Ansible playbook | Video: https://www.youtube.com/watch?v=wCfztTcioU8&t=1260s |
| DevOps | INJECT | Ansible enumeration and privilege escalation | Video: https://www.youtube.com/watch?v=3VuIaUvHsTI&t=1320s |
| Kerberos on Linux | TENTACLE | Configuring our attacker’s box Kerberos to connect to Tentacle’s KDC, and steal keytab | Video: https://youtube.com/watch?v=kKhuUXPmJ_o&t=3870 |
| Kerberos on Linux | CERBERUS | Examine the SSSD configuration and get a domain password | Video: https://www.youtube.com/watch?v=IX4h5aaSK1g&t=2160s |
| Kerberos on Linux | SEKHMET | Dumping the sssd.ldb, using kinit to get a Kerberos ticket | Video: https://youtube.com/watch?v=kKhuUXPmJ_o&t=3870 |

15. Microsoft SQL Server

| Attack Type | HTB Machine | Attack Used in HTB | Link |
| --- | --- | --- | --- |
| MS SQL in AD | ESCAPE | Using mssqlclient to login to access MSSQL | Video: https://youtube.com/watch?v=PS2duvVcjws&t=390 |
| MS SQL Escalation | SCRAMBLED | Enabling xp_cmdshell and getting a reverse shell | Video: https://youtube.com/watch?v=_8FE3JZIPfo&t=1000 |
| MS SQL Escalation | STREAMIO | Using xp_dirtree to make the MSSQL database connect back to us and steal the hash | Video: https://youtube.com/watch?v=_8FE3JZIPfo&t=1000 |

16. Active Directory Exploitation

| Attack Type | HTB Machine | Attack Used in HTB | Link |
| --- | --- | --- | --- |
| AD Object permission theory | REEL | Explaining Active Directory (AD) Security Objects (GenericWrite, WriteOwner, etc.) | Video: https://youtube.com/watch?v=ob9SgtFm6_g&t=3205 |
| Abusing GenericAll | SUPPORT | Abusing GenericAll object permission | Video: https://youtube.com/watch?v=iIveZ-raTTQ&t=970 |
| Abusing GenericAll, WriteDACL | MULTIMASTER | Abusing GenericAll, WriteDACL | Video: https://youtube.com/watch?v=iwR746pfTEc&t=7410 |
| Abusing GenericWrite, WriteDACL | REEL | Taking ownership and changing other user’s password | Video: https://youtube.com/watch?v=ob9SgtFm6_g&t=3503 |
| Kerberos Delegation | PivotAPI | Unconstrained delegation with the SQL User. Upload Rubeus, use tgtdeleg | Video: https://youtube.com/watch?v=FbTxPz_GA4o&t=7215 |
| Kerberos Delegation | INTELLIGENCE | Unconstrained delegation | Video: https://secnigma.wordpress.com/2021/11/27/hack-the-box-intelligence/ |
| Kerberos Delegation | SUPPORT | RBCD | Video: https://youtube.com/watch?v=iIveZ-raTTQ&t=970; Post: https://pencer.io/ctf/ctf-htb-support/#rbcd |
