HackTheBox - Hathor

00:00 - Intro
00:50 - Start of nmap
04:00 - Navigating to the page
05:00 - Discovering the forgot password feature enables people to enumerate valid users
06:45 - Finding the default credentials for mojo portal and then logging in as admin
07:50 - Uploading an ASPX Webshell but finding out the aspx extension is blacklisted
10:30 - Looking at the GitHub issues for MojoPortal
12:00 - Copying a file to bypass the bad extension filter of uploaded material and getting our webshell
12:50 - Showing the importance of redirecting STDERR to STDOUT on web shells to discover why some commands fail
15:00 - Failing to run a PowerShell reverse shell that bypasses AV, only to find out PowerShell is in ConstrainedLanguage Mode
18:30 - Attempting to upload netcat, only to find out it's blocked via Group Policy
20:30 - Enumerating AppLocker with PowerShell: Get-AppLockerPolicy -Effective -Xml
26:50 - Looking at the Get-BadPasswords directory, finding an NTLM hash
31:30 - Logging into the box via Kerberos because NTLM is disabled
38:40 - Using CrackMapExec's Spider_Plus module to enumerate all the files on the share
43:20 - Enumerating the Windows Firewall to discover only bginfo64 will be able to communicate out
47:00 - Creating a DLL to use for DLL injection into 7zip
53:45 - Running a series of icacls commands from our DLL to identify permissions
57:00 - We have WriteOwner on BGInfo64.exe, which is allowed through the firewall. We can change the owner and then overwrite it with our netcat!
1:09:00 - Shell returned as GinaWild, finding an encrypted pfx file in the Recycle Bin
1:15:30 - Cracking the PFX file with CrackPkcs12 to discover it is a code-signing certificate
1:22:30 - Importing the code-signing certificate so we can sign PowerShell scripts, letting us bypass AppLocker
1:26:50 - Telling the Get-BadPasswords program to run, and getting a shell as BPassRunner
1:27:30 - Identifying how Get-BadPasswords pulls the NTLM hashes and then getting the Administrator's hash
1:29:50 - Using Impacket's getTGT to get a ticket as Administrator