https://stream.echo6.co/videos/watch/2e439ff1-dfa2-49b2-bae6-b20734a49fad 00:00 - Introduction 01:00 - Start of nmap 02:45 - Discovering the Dev Subdomain 04:00 - Playing with the Resume Download, discovering a File Disclosure Vulnerability 05:40 - Discovering some odd behavior with ../, its just a replace. Grabbing web.config 08:15 - Using YsoSerial.Net to create a malicious ViewState Gadget, be careful with command prompt and single quotes! 12:00 - Getting a reverse shell with a web cradle 14:10 - Shell returned, discovering a Password stored with Secure String, decrypting it 17:40 - Showing the password, using Invoke-Command to switch users but having trouble getting the SeDebugPriv enabled 23:00 - Method 1: Using Meterpreter to take advantage of SeDebug by Migrating into another process 24:45 - Method 2: Showing RunasCS will get us the debug permission but PSGetSys script will fail. Meterpreter does not fail oddly 29:45 - Method 2.5: Disabling the firewall and showing Evil-WINRM works with PSGetSys, so it is how RunasCS is generating the shell Wed, 15 Apr 2026 13:28:39 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/2e439ff1-dfa2-49b2-bae6-b20734a49fad All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.