Рет қаралды 33,140
00:00 - Intro
00:50 - Begin of nmap
02:45 - Enumerating RPC to identify usernames
04:45 - Setting up a bruteforce and creating a custom wordlist with hashcat
08:45 - Enumerating LDAP with LDAPSEARCH
10:55 - Discovering the cascadeLegacyPwd LDAP Attribute which has a password
12:45 - Using CrackMapExec to test the credential found in LDAP
14:30 - Installing the latest CrackMapExec to gain access to the Spider_Plus Module
17:30 - Using the spider_plus module of CME (CrackMapExec) to crawl the SMB Share as R.Thompson
20:10 - Mounting the SMB Share as R.Thompson in order to view the files in Data share
26:10 - Discovering the VNC Install.reg file which contains an encrypted password
30:10 - Using Metasploit IRB to decrypt TightVNC's password
32:30 - Using the VNC Password to gain a WinRM Session to Cascade as s.smith discovering he is in the Audit Group
37:20 - Using DNSPY to decompile the CascAudit DotNet application
39:50 - Setting a breakpoint in DNSPY where the password is decrypted and viewing the variable after it decrypts the pw
42:10 - Gaining e remote shell as ArkSvc to discover this user is in the AD Recycle Bin Group
43:10 - Viewing deleted Active Directory items to see the TempAdmin has the CascadeLegacyPwd field and discovering this is the PW for administrator