HackTheBox - PivotAPI

00:00 - Intro
01:00 - Start of nmap, downloading files over FTP
05:25 - The contents of all the PDFs don't really help. Using exiftool to extract authors.
08:20 - Using Kerbrute to bruteforce valid users and getting an ASREP hash. It is ETYPE 18, which hashcat doesn't support. Use a downgrade to generate ETYPE 23 and crack the hash
11:15 - Going into what ETYPE means
16:40 - Using CrackMapExec to dump a list of file shares, then using Spider_Plus plugin to dump files
17:30 - Doing some JQ magic to navigate the Spider_Plus data
20:15 - Converting the Outlook Message Files (MSG) to plaintext with msgconvert
25:00 - Running Restart-Oracle.exe with Process Monitor to find out the process is writing to a TEMP Directory
27:00 - Removing delete permissions on the Windows Temp directory so the Restart-Oracle program can't delete the files out of temp, finding base64 and getting another EXE
32:00 - Running the extracted executable with Process Monitor to discover it loads dotnet
34:50 - METHOD 1: Opening the extracted executable in x64dbg, setting it to break upon EXIT, then examining its memory to find the dotnet executable
38:48 - METHOD 1: Opening the dotnet in dnSpy to discover the password
40:25 - METHOD 2: Using API MONITOR to examine the API Calls the program makes and finding the password (Sorry for audio glitches here, chrome did weird things)
47:41 - Fixing the permissions on our TEMP Directory with icacls so our user can delete files again
49:45 - Using CrackMapExec to dump a list of all users because the Oracle credentials we got from reversing did not work.
53:00 - Discovering the MSSQL user and changing Oracle's password scheme to fit MSSQL
55:25 - Downloading Alamot's MSSQL_Shell and getting a shell on the box (unintended way, do more with this at the end)
58:40 - Downloading and running MSSQL Proxy, which will let us create a SOCKS Proxy through the MSSQL Service
1:12:10 - Setting proxychains up to utilize MSSQL Proxy and using Evil-WinRM to get a shell on the box, then downloading and cracking a KeePass database
1:20:40 - Using SSH to get into the box, the trick here is telling our SSH Client to not use public key authentication
1:22:15 - Running BloodHound.py to get BloodHound data from the box
1:27:20 - Examining BloodHound data to discover our user can reset passwords on several users, and showing Dr.Zaiuss can reset Superfume... Resetting each password to get to Superfume, then downloading another exe out of developers
1:37:50 - Using dnSpy to edit the compiled dotnet program to print the password after it decrypts it
1:39:50 - Back to BloodHound with the new credential! Discovering Jari can reset Gibdeon, who can add groups to LAPS
1:46:00 - Loading PowerView up in Evil-WinRM and bypassing AMSI, then resetting Gibdeon's password and adding him to groups
1:53:30 - Attempting to get the LAPS Password with Get-ADComputer and failing
1:55:20 - Using a Python program to dump the LAPS password, then using PSExec to log into the box as administrador!
2:00:15 - Unintended method! Unconstrained delegation with the SQL User. Upload rubeus, use tgtdeleg
2:07:20 - Copying the ticket and using TicketConverter to convert the ticket from KIRBI to CCACHE, then setting KRB5CCNAME to the ticket and having impacket use the ticket
2:10:32 - Impacket doesn't work because of clock skew and doesn't tell us the error; showing that CrackMapExec will display the error
2:11:10 - Using ntpdate to sync our time to the AD server, then running secretsdump