00:00 - Introduction
00:58 - Start of nmap
03:30 - Taking a look at the website
05:50 - Using NetExec to search for file shares and discovering the Development share is open. Using smbclient to download everything
08:00 - Exploring the Ansible Playbooks in the Development Share to discover encrypted passwords (ansible vault)
10:00 - Converting the Ansible Vault Hashes to John/Hashcat format so we can crack them
13:30 - Decrypting the values and getting some passwords, one of which lets us log into PWM (webapp)
19:50 - Adding a rogue ldap server into the PWM Config, then clicking test config will send us the password for the ldap account
27:00 - Running Certipy to find the server is vulnerable to ESC1, we just need to enroll a computer
28:00 - Using NetExec to show how the MachineAccoutnQuote, confirming we can enroll machines
29:00 - Using Impacket to add a rogue computer
30:00 - Using Certipy to perform the ESC1, it works but smart card login isn't enabled so we can't log in right away.
33:30 - Looking at the error message, finding we can PassTheCert to LDAP which then will let us get admin
37:15 - Using PassTheCert to add ourselves to the Domain Administrator group
39:25 - Showing PassTheSert to set_rbcd, which will enable our rogue computer the ability to sign krb, allowing us to impersonate the administrator
Support the originator by clicking the read the rest link below.
