HackTheBox - Coder

00:00 - Introduction
01:00 - Start of nmap
03:30 - Exploring the file share
07:15 - Finding Encrypter.exe, which is a dotnet encrypter. Discovering the seed is based upon time, modifying it to decrypt using metadata from the encrypted file to get the seed.
15:30 - The encrypted file was a KeePass database, looking into it and seeing credentials and an authenticator backup
19:45 - Installing the "Authenticator" app and seeing the backup format is the same
21:30 - Explaining why we want to just bruteforce AES vs Argon2id
25:50 - Creating a program in JavaScript to bruteforce the AES by decrypting and examining the contents of what was decrypted
40:40 - Cracking program done, then logging into TeamCity
45:45 - We can't modify the files on TeamCity but we can use the personal build, supply a diff and get it to execute code that way
49:50 - Defender blocked Nishang reverse shell, doing some quick obfuscation to bypass Defender and get a shell
55:50 - Discovering TeamCity keeps track of personal builds, looking at old ones and discovering PowerShell credentials. Decrypting the Secure String to get e.black's password
1:08:00 - Running the BloodHound Python collector in Docker
1:17:40 - Writing a BloodHound query to show Organizational Units in Active Directory, then using Get-ACL to see unique privileges to each OU
1:24:15 - Explaining the attack path, e.blake can manipulate ADCS, s.blade can add machines to a specific OU. We can create a vulnerable ADCS Template and exploit this with Certifried
1:31:30 - Creating and publishing the Vulnerable Certificate. Cloning computer, then modifying msPKI-Enrollment-Flag
1:53:30 - Doing an easier vulnerable template, to make this box vulnerable to ESC1. Set msPKI-Enrollment-Flag, msPKI-Certificate-Name-Flag,
