HTB Machines for OSEP Preparation
Apr 27, 2023 | Red Team, Defense Evasion
In-Progress
A list of HTB (Hack The Box) machines for preparing for the OSEP exam (PEN-300) by Offensive Security.
3. Client Side Code Execution With Office
Attack Type | HTB Machine | Attack Used in HTB | Walkthrough Link |
---|---|---|---|
Phishing with Microsoft Office: RTF Document | REEL | malicious RTF Document (CVE-2017-0199) | Video : https://youtube.com/watch?v=ob9SgtFm6_g&t=794 Tool: https://github.com/bhdresh/CVE-2017-0199 |
Phishing with Microsoft Office: LibreOffice | RE | LibreOffice Macro | Video : https://youtube.com/watch?v=ob9SgtFm6_g&t=794 Tool: <> |
Phishing/Macro | REEL2 | Grab NTLMv2 with Malicious link | Video : https://youtube.com/watch?v=Ro2vXt_WFDQ&t=2350 Tool: <> |
Phishing with Microsoft Office: LibreOffice | RABBIT | LibreOffice Macro | Video : https://youtube.com/watch?v=5nnJq_IWJog&t=1935 Tool: <> |
=> Non-HTB VIDEOS
Attack Type | Video By | Attack Used in Video | Link |
---|---|---|---|
Phishing with Microsoft Office | S3cur3Th1sSh1t | macro, AMSI bypass, gadget2JS, persistence, ETW, etc. | Video: https://www.youtube.com/watch?v=KeSRGjnTdSc |
PowerShell Shellcode Runner | DWResearch | Weaponising Word With Powershell | Post: https://www.dwresearch.online/post/weaponising-word-with-powershell |
4. Client Side Code Execution With Windows Script Host
Attack Type | HTB Machine | Attack Used in HTB | Link |
---|---|---|---|
=> Non-HTB VIDEOS
Attack Type | Video By | Attack Used in Video | Link |
---|---|---|---|
Shellcode Runner in C# | Reversing Hub | Process hollowing with shellcode in C# | Video: https://www.youtube.com/watch?v=AL5SgHidfmQ |
DotnetToJscript | ired.team | Executing C# Assemblies from Jscript | Post: Executing C# Assemblies from Jscript |
5. Process Injection and Migration
Attack Type | HTB Machine | Attack Used in HTB | Link |
---|---|---|---|
6. Introduction to Antivirus Evasion
Attack Type | HTB Machine | Attack Used in HTB | Link |
---|---|---|---|
Obfuscating Macro | RE | | Video : https://youtube.com/watch?v=YXAakamjO_I&t=1005 |
7. Advanced Antivirus Evasion
Attack Type | HTB Machine | Attack Used in HTB | Link |
---|---|---|---|
Amsi Bypass | APT | | Video : https://youtube.com/watch?v=eRnqtXwCZVs&t=4650 |
Amsi Bypass | PivotAPI | | Video : https://youtube.com/watch?v=eRnqtXwCZVs&t=4650 |
Amsi Bypass | MULTIMASTER | | Video : https://youtube.com/watch?v=iwR746pfTEc&t=6814 |
8. Application Whitelisting
Attack Type | HTB Machine | Attack Used in HTB | Link |
---|---|---|---|
Applocker Bypass | REEL2 | Breaking out of ConstrainedLanguage Mode by creating a function | Video : https://youtube.com/watch?v=Ro2vXt_WFDQ&t=3600 |
Applocker Bypass | GIDDY | Escaping powershell constrained mode with PSBypassCLM | Video : https://youtube.com/watch?v=Ro2vXt_WFDQ&t=3600 |
Applocker Bypass | SEKHMET | intended way of bypassing applocker | Video : https://youtube.com/watch?v=vsgPsMZx59w&t=6300 |
Applocker Bypass | - | AppLocker Bypass COR Profiler | Video : https://youtube.com/watch?v=Ro2vXt_WFDQ&t=3600 |
9. Bypassing Network Filters
Attack Type | HTB Machine | Attack Used in HTB | Link |
---|---|---|---|
DNS Filters | | | |
Web Proxies | | | |
HTTPS Inspection | | | |
Domain Fronting | | | |
DNS Tunneling | | | |
10. Linux Post-Exploitation
Attack Type | HTB Machine | Attack Used in HTB | Link |
---|---|---|---|
User Configuration Files: bashrc | AWKWARD | discovering a unique file in a users .bashrc | Video: https://youtube.com/watch?v=gmaizI5Xcqs&t=2520 |
User Configuration Files: Vim | SWAGSHOP | privesc with vim with sudo | Video: https://youtube.com/watch?v=qECG2_8xw_s&t=2130 |
User Configuration Files: Vim | ATTENDED | exploiting VIM RCE and using ping | Video: https://youtube.com/watch?v=ABVR8EgXsQU&t=743 |
=> Non-HTB VIDEOS
Attack Type | Video By | Attack Used in Video | Link |
---|---|---|---|
Shared Libraries | The Cyber Mentor | Escalation Via LD_PRELOAD | Video: https://www.youtube.com/watch?v=ZTnwg3qCdVM&t=6581s |
11. Kiosk Breakouts
Attack Type | HTB Machine | Attack Used in HTB | Link |
---|---|---|---|
=> Non-HTB VIDEOS
Attack Type | Video By | Attack Used in Video | Link |
---|---|---|---|
Kiosk Breakout | John Hammond | Kiosk BUILD - “Easy Mode” / FrontFace Lockdown | Video: https://www.youtube.com/watch?v=blNSJxk9PtE |
Kiosk Breakout | John Hammond | Kiosk BREAKOUT - Web Browser to Command Prompt (Easy Mode) | Video: https://www.youtube.com/watch?v=R7srpHUshuI |
Kiosk Breakout | John Hammond | Assigned Access Kiosk - BREAKOUT (Hard Mode) | Video: https://www.youtube.com/watch?v=aBMvFmoMFMI |
Kiosk Breakout | John Hammond |
12. Windows Credentials
Attack Type | HTB Machine | Attack Used in HTB | Link |
---|---|---|---|
Local Windows Credentials: LSASS Dump | ATOM | Using rundll32 to create a memory dump of LSASS | Video : https://youtube.com/watch?v=1OC2eRVX0ic&t=1830 |
Local Windows Credentials: LSASS Dump | BLACKFIELD | running pypykatz to extract credentials | Video : https://youtube.com/watch?v=1OC2eRVX0ic&t=1830 |
Local Windows Credentials: SAM Dump | BASTION | Extracting local passwords from SAM and SYSTEM with secretsdump | Video : https://youtube.com/watch?v=2j3FNp5pjQ4&t=660 |
Local Windows Credentials: LAPS | STREAMIO | Identifying and Extracting the LAPS Password | Video : https://youtube.com/watch?v=B9nozi1PrhY&t=11697 |
Local Windows Credentials: LAPS | PivotAPI | Discovering a user who can add groups to LAPS | Video : https://youtube.com/watch?v=FbTxPz_GA4o&t=5990 |
Access Tokens: UAC | ARKHAM | UAC Bypass | Video : https://youtube.com/watch?v=krC5j1Ab44I&t=3340 |
Access Tokens: SeImpersonate | SCRAMBLED | Abusing SeImpersonate Privilege | Video : https://youtube.com/watch?v=2j3FNp5pjQ4&t=660 |
Access Tokens: Incognito | HACKBACK | Using incognito to grab our impersonation token for HACKER user | Video : https://youtube.com/watch?v=B9nozi1PrhY&t=11697 |
13. Windows Lateral Movement
Attack Type | HTB Machine | Attack Used in HTB | Link |
---|---|---|---|
Remote Desktop Protocol | | | |
Fileless lateral movement | | | |
14. Linux Lateral Movement
Attack Type | HTB Machine | Attack Used in HTB | Link |
---|---|---|---|
DevOps | SEAL | Abusing ansible playbook | Video: https://www.youtube.com/watch?v=wCfztTcioU8&t=1260s |
DevOps | INJECT | Ansible enumeration and privilege escalation | Video: https://www.youtube.com/watch?v=3VuIaUvHsTI&t=1320s |
Kerberos on Linux | TENTACLE | Configuring our attacker’s box kerberos to connect to Tentacle’s KDC, and steal keytab | Video : https://youtube.com/watch?v=kKhuUXPmJ_o&t=3870 |
Kerberos on Linux | CERBERUS | examine the SSSD configuration and get a domain password | Video : https://www.youtube.com/watch?v=IX4h5aaSK1g&t=2160s |
Kerberos on Linux | SEKHMET | Dumping the sssd.ldb, Using kinit to get a kerberos ticket | Video : https://youtube.com/watch?v=kKhuUXPmJ_o&t=3870 |
15. Microsoft SQL Server
Attack Type | HTB Machine | Attack Used in HTB | Link |
---|---|---|---|
MS SQL in AD | ESCAPE | Using mssqlclient to login to access MSSQL | Video: https://youtube.com/watch?v=PS2duvVcjws&t=390 |
MS SQL Escalation | SCRAMBLED | enabling xp_cmdshell and getting a reverse shell | Video: https://youtube.com/watch?v=_8FE3JZIPfo&t=1000 |
MS SQL Escalation | STREAMIO | Using xp_dirtree to make the MSSQL database connect back to us and steal the hash | Video: https://youtube.com/watch?v=_8FE3JZIPfo&t=1000 |
16. Active Directory Exploitation
Attack Type | HTB Machine | Attack Used in HTB | Link |
---|---|---|---|
AD Object permission theory | REEL | Explaining Active Directory (AD) Security Objects (GenericWrite, WriteOwner,etc) | Video: https://youtube.com/watch?v=ob9SgtFm6_g&t=3205 |
Abusing GenericAll | SUPPORT | Abusing GenericAll object permission | Video: https://youtube.com/watch?v=iIveZ-raTTQ&t=970 |
Abusing GenericAll, WriteDACL | MULTIMASTER | Abusing GenericAll, WriteDACL | Video: https://youtube.com/watch?v=iwR746pfTEc&t=7410 |
Abusing GenericWrite, WriteDACL | REEL | Taking ownership and changing other user’s password | Video: https://youtube.com/watch?v=ob9SgtFm6_g&t=3503 |
Kerberos Delegation | PivotAPI | Unconstrained delegation with the SQL User. Upload rubeus, use tgtdeleg | Video: https://youtube.com/watch?v=FbTxPz_GA4o&t=7215 |
Kerberos Delegation | INTELLIGENCE | Unconstrained delegation | Video: https://secnigma.wordpress.com/2021/11/27/hack-the-box-intelligence/ |
Kerberos Delegation | SUPPORT | RBCD | Video: https://youtube.com/watch?v=iIveZ-raTTQ&t=970 Post: https://pencer.io/ctf/ctf-htb-support/#rbcd |