00:00 - Intro
01:00 - Running nmap
02:40 - Running CrackMapExec to enumerate the share
04:10 - Talking about a common misconception about "Null SMB Authentication"
08:00 - Downloading a PDF off the open share
08:55 - Using SWAKS to send an emailw ith a link to see if anything clicks it
10:30 - Exploring the CVE's mentioned in the PDF to see one of them is Folina
11:55 - Someone clicked our link! The User Agent Shows WindowsPowerShell/5.1.19041.906, which leaks the patch level of the box
14:00 - Building a Folina Payload
17:00 - Using ConPtyShell as our payload for Folina, so we have a proper PTY with tab auto complete on windows rev shells
21:50 - Reverse Shell obtained, discover we are btables and a little enumeration shows we are in a HyperV Container
27:30 - Running SharpHound
32:20 - Importing the results into Bloodhound and seeing we have AddKeyCredentialLink which is a shadow credentials to a user
34:00 - Using Invoke-Whisker.ps1 to create shadow credentials for a user, then using Evil-WinRM to login
35:30 - Running Invoke-Whisker
41:40 - Discovering we are in WSUS Administrators Group, checking if other tools highlight this
45:50 - Going into a SharpWSUS blog post that talks about adding a malicious windows update
46:45 - Compiling SharpWSUS
48:30 - Making sure SharpWSUS Runs, copying PSExec to the box
50:00 - Explaining the SharpWSUS Attack Path
52:00 - In typical ippsec fashion, I have a typo in my payload psexec.nexe lol.
55:50 - The payload did not work, lets simplify it by removing special characters and just executing netcat
59:55 - Shell returned as admin!
1:01:10 - Beyond Root: Enable RDP then showing the WSUS Administration Panel
Support the originator by clicking the read the rest link below.
