00:00 - Intro
01:02 - Start of nmap, discover Active Directory and a web server
02:45 - Doing some common checks against a Domain Controller
04:50 - Discovering PDF's with filenames based upon the date
05:25 - Building a customized wordlist based upon the date with the date command
08:30 - Downloading the PDF's with wget and then examining metadata
11:25 - Using Kerbrute to validate the usernames in the metadata are correct
12:50 - Using pdftotext to convert all the PDF's into text files, so we can grep through text
14:20 - Finding the password NewIntelligenceCorpUser987, then using KerBrute to perfrom a passwordspray
15:40 - Running CrackMapExec Spider_Plus while we do some other CME things
17:20 - Running Python Bloodhound with the credentials we got from the password spray
19:10 - Using JQ to parse the data from CME's spider_plus module to discover a powershell script
22:50 - Importing the bloodhound results and then searching for attack paths
26:00 - Discovering we probably need to get access to the SVC_INT GMSA (Group Managed Service Account)
27:50 - Going back over the powershell script we downloaded, and then creating a DNS Record with krbrelayx's dnstool
28:57 - Using dnstool to create an A Record on an Active Directory Server
32:30 - Using the MSF Capture http_ntlm module to capture an NTLMv2 Hash of people that access our webserver (Responder also would work but was broke on my box)
36:35 - Using John to crack the ntlmv2 hash and gaining access to the Ted Graves account
42:19 - Using gMSA Dumper to extract the svc_int hash
43:43 - Using impacket's getST to generate a SilverTicket which we can use for impersonating an administrator
46:00 - Using NTPDate to syncronize the time to our domain controller
48:30 - Using our ticket with psexec to gain access to the server
Support the originator by clicking the read the rest link below.
