Description
00:00 - Introduction
01:05 - Start of nmap
03:50 - Grabbing files off the open share, looking at logs and seeing an error message that contains an old credential
07:50 - Using BloodyAD to pull information from the account to see password last set, also running BloodHound
09:45 - Running Certipy, then using JQ to show me certificates with non-default groups/accounts in enrollment
12:25 - Going over Bloodhound, showing our SVC_RECOVERY can take over MSA_HEALTH$
16:30 - Showing BloodyAD to allow ourselves read access to the MSA_HEALTH$ password, could also do Shadow Credentials
20:30 - Getting on the box with WinRM, discovering Monitor.ps1 file. Use COM to look at scheduled task
24:30 - Using MSFVenom to create a malicious DLL, zip it up and upload wait for the scheduled task to execute it
32:40 - Got access to Jaylee Clifton, using Rubeus tgtdeleg to get us a Kerberos ticket so we can run commands as them on our box
38:45 - Using Certipy to confirm the server is vulnerable to ESC17
41:45 - Looking at WSUS Config, discover things are pointed to wsus.logging.htb which does not exist
46:10 - Using Certipy to create a certificate that can impersonate wsus.logging.htb
49:00 - Setting up WSUKS to push a malicious windows update