HackTheBox - Vintage

00:00 - Introduction
01:05 - Start of nmap
05:20 - Running Bloodhound
07:55 - BloodHound, Shortest Path to Tier 0 shows us two ADM users which can add themselves to Delegated Admins
09:45 - Dumping the password-set times of users from BloodHound data with jq to see whether any passwords were set at the same time
13:00 - Discovering the gMSA account, looking at it and discovering it can add itself to ServiceManagers and that FS01 can ReadGMSAPassword
13:50 - FS01 is a member of the Pre-Windows 2000 Compatible Access group, which sets the password of the account to the hostname of the box
16:30 - NXC failed us, using bloodyAD to read the GMSA Password
18:50 - Opening up Wireshark to look at why NXC failed but bloodyAD worked, quickly modifying NXC to fix the issue (it defaulted to LDAPS when a gMSA is used)
23:20 - BloodHound, looking at what ServiceManagers can do: it has GenericAll over many service accounts, one of which is disabled
25:40 - Using bloodyAD to re-enable the SVC_SQL account and then running targetedKerberoast to dump hashes; also dumping them manually with bloodyAD and NXC by setting an SPN
36:50 - Spraying the password from SVC_SQL with users of the domain, finding c.neri has the same password
40:30 - Using NXC to generate the KRB5 Config File, then using evil-winrm to login to the box
42:55 - Dumping the user's encrypted credential blob and DPAPI information, then manually decrypting it with pypykatz
52:50 - Bloodhound, c.neri_adm can perform RBCD Attack to impersonate users of the domain
55:30 - Using bloodyAD to add FS01 to the DelegatedAdmin group, then using getST to impersonate DC01 and running secretsdump to get root
1:04:30 - Beyond Root: Exploring the Sensitive Flag in bloodhound to prevent the RBCD Attack
1:11:10 - The Protected Users group did stop it, but BloodHound didn't set sensitive to true! Manually setting the protection via bloodyAD to validate that BloodHound identifies sensitive accounts