HackTheBox - Access HD
00:58 - Begin of recon: ftp, telnet, IIS 7.5
03:00 - Downloading all files off an FTP Server with WGET
05:30 - Examining the "Access Control.zip" file.
06:30 - Cracking a zip file with John
07:45 - Creating a wordlist for cracking the zip (strings of the mdb file)
10:00 - Exploring the MDB Files (Access Database) with MDBTools (mdb-sql and mdb-tables)
12:30 - Grabbing the same password we cracked by checking the auth_user table
13:35 - Converting the PST File (Outlook Email) to PlainText via readpst
15:00 - Logging into telnet with the credentials from the email
15:45 - Switching to a Nishang Shell to execute PowerShell
18:15 - Running JAWS (Just Another Windows Scanner)
23:34 - Discovering Stored Credentials on the box for ACCESS\Administrator
25:11 - Examining the Shortcut on PUBLIC\DESKTOP which shows us how the "Stored Credential" is used.
25:58 - Using PowerShell to view information of a Shortcut
27:25 - Using the Stored Credential via runas /savecred (some flailing around, darn Windows quotes)
30:31 - Creating Base64 (UTF-16LE) on Linux to use as a PowerShell EncodedCommand
31:54 - Box done, Administrator returned. (Flailing around until 54:20)
32:38 - Begin of decrypting the Stored Credential, uploading Mimikatz
33:40 - Using PowerShell to download files
36:36 - Discovering that I was trying to save mimikatz to a directory I cannot write to :(
37:15 - Testing Applocker methods to bypass the Software Restriction Policy (Give up on this one)
38:50 - Trying to get Meterpreter shell via Unicorn (Fails, unknown reason)
41:28 - Getting an Empire Agent running
43:35 - Empire Agent Returned, Injecting meterpreter shellcode.
45:46 - Attempting to use Mimikatz from within Meterpreter to decrypt dpapi::creds
46:52 - Explaining Mimikatz Arguments when in "non-interactive" mode
54:20 - Grabbing needed files to decrypt DPAPI::CREDS offline
56:09 - Switching to Windows to run Mimikatz
01:02:32 - Decrypting the Creds stored in DPAPI