HackTheBox - Acute

00:00 - Intro
01:00 - Start of nmap, the Server Header changes based upon DNS
04:00 - Navigating to the website, discovering the "New Starter Form" which has some key information like a welcome password and username convention
07:00 - Password spraying the PowerShell Web Access (PSWA), discovering a valid credential but for the wrong host; the Word document listed another host, which is valid for edavies
09:15 - Playing around in the PSWA
10:00 - Looking at hidden files, discovering c:\utils\desktop.ini, which states it's a directory that is excluded by AV
12:00 - Making the mistake of running WinPEAS inside the PSWA
14:45 - Setting up ConPtyShell to get a proper PTY reverse shell on Windows
15:40 - Making some light modifications to ConPtyShell in order to evade antivirus
16:50 - Getting the ConPtyShell and showing the colors/tab autocomplete
19:30 - Running WinPEAS to show another user is logged on (and the AV exclusions)
21:55 - Switching to Metasploit, because it makes it easier to migrate into an interactive process, which gives us access to view the desktop of the logged-in user
24:30 - Using screenshot and screenshare inside of Meterpreter to record the screen and get a password that was typed into a terminal (imonks)
29:00 - Creating a credential object for imonks, so we can Invoke-Command on the domain controller
31:00 - When specifying the correct ConfigurationName, our Enter-PSSession fails because we can't run Measure-Object. Running Get-Command and Get-Alias to view what commands we can run
35:00 - Discovering wm.ps1, which we can modify to get a shell as jmorgan on our desktop
40:00 - Creating a PowerShell one-liner to replace a string in a file with cat and Set-Content
44:40 - Screwed up our file because of a random line break. Playing around with it until we can fix it.
47:30 - Shell returned as jmorgan, dumping the SAM/SYSTEM files and cracking local passwords on the workstation
58:30 - Looking at other domain users, attempting to password spray the users we don't have credentials for, to see if there's password re-use between the local desktop and the domain
1:02:00 - We are awallace on the Domain Controller, getting a reverse shell
1:06:00 - Discovering c:\Program Files\KeepMeOn, which is executing .bat files every 5 minutes. Putting our PowerShell one-liner in there and getting a shell as lhopkins
1:11:25 - Shell as lhopkins, but still not domain administrator; running BloodHound
1:21:40 - Going over the BloodHound data
1:23:40 - Adding edavies to the Site_Admin group
1:32:50 - Adding imonks to the Site_Admin group, then adding ippsec to Domain Admins