00:00 - Introduction
01:10 - Start of nmap
04:45 - Discovering the website is Django, Wappalyzer tells us but also talking about how we could manually identify with the help
08:00 - Creating an account, discovering we need to activate it, using Forgot Password to activate it
09:50 - There is a QR Code that lets users login by scanning it, looking at the URL it appears there could be an IDOR
11:28 - Discovering ID 2 is an admin, crafting a QR Code with the admin ID in it and gaining access to the Django Admin
14:30 - Enumerating the MSSQL Database, discovering we can impersonate SA and then enable XP_CMDSHELL
24:30 - Trying to get a Reverse Shell, AV is blocking it, do some light obfuscation to bypass it
31:40 - Shell returned as the webapp user, can't get WinPEAS Running due to AV
40:40 - Discovering a password left behind by the SQL Express Install, password spray to get access to mikasaAckerman
45:10 - Showing the NxcDb, which logs all the successful logins with nxc
50:00 - Discovering a Memory Dump, downloading it to our box then using MemProcFs
55:20 - Installing PyPyKatz which will have it automatically use pypykatz (mimikatz) to dump lsa
1:02:40 - More password sprays to get access to Lorra199, then using WinRM and discovering we can enumerate the Active Directory Recycle Bin
1:05:30 - Restoring Liza Kazanof from the recycle bin, then resetting the password due to it being expired.
1:11:15 - Liza has the SeBackup privilege, using DiskShadow and Robocopy to download ntds.dit to dump the domain
1:23:20 - The issue we had with DiskShadow is because of how the script file was encoded, major pita
1:29:30 - Running SecretsDump to get the administrator hash and login to the box
1:30:45 - BEYOND ROOT: Abusing GenericWrite to the Domain as Lorra199 to get a shell
1:32:40 - Going back to the memprocfs and showing we could have just ran secretsdump on the registry hives to get Lorra199's password. Administrator hash is invalid due to the password being changed since the dump was created
1:35:10 - First time setting up the Bloodhound Community Edition (new version that is supported)
1:41:00 - Fighting with Bloodhound.py since the main branch is installed
1:47:00 - Throwing in the towel fighting with my python environment, building a docker container to run bloodhound.py for us to ensure we are running the latest version
1:51:48 - Importing the latest bloodhound data and getting the attack path that shows genericwrite
1:54:20 - Adding a computer, giving it delegation, then dumping the AD Database with secretsdump
Support the originator by clicking the read the rest link below.