00:00 - Introduction
00:45 - Start of nmap
03:00 - Doing some low-priv AD recon with NetExec (SMB, MSSQL, User Dump, Shares, Bloodhound, etc)
06:50 - Looking at the Spider_Plus output and seeing two interesting excel files
09:45 - Cannot open the Excel, unzipping it to look at the files manually and discover the SA password to MSSQL
13:20 - Running MSSQL Commands with NetExec and the SA user to get a shell on the box
15:30 - Discovering the SQL Install directory with a configuration file that has a password, spraying all users with that password to see it works with Ryan
19:00 - Looking at what our owned users can do via bloodhound
22:40 - Showing SharpHound collects more data than the python ingestor
27:20 - Showing an attack path of Ryan Taking over CA_SVC which can perform ESC4
29:30 - Using OwnerEdit/DaclEdit to take over CA_SVC then Certipy to create a shadow credential and get the NTLM Hash
32:00 - Talking about the ESC4 Exploit
34:45 - Performing the ESC4 Exploit to make the template vulnerable then performing ESC1 to get administrator
Support the originator by clicking the read the rest link below.
