00:00 - Introduction
01:00 - Start of nmap
02:30 - Running NetExec and discovering an open share (HR), which contains a password for new hires
04:05 - Using NetExec to list accounts via RID brute force and explaining how it works under the hood with rpcclient
07:20 - Some VIM-Fu to convert the NetExec output to show only a list of users and performing a password spray
10:00 - Gaining access as David Orelious, who has access to the Dev share, which contains the password of another user
12:10 - Shell as Emily via WinRM, discovering the SeBackup privilege, and looking up how to abuse it
14:40 - Using reg save to back up the SAM and SYSTEM hives, then extracting the Administrator password from them, which gives root
16:30 - Showing we could also back up NTDS.dit with Robocopy
26:50 - Talking about the Impacket reg.py script and showing we could try to back up the registry directly to our box, but the file transfer is unreliable