https://stream.echo6.co/videos/watch/33ac967f-a9f3-4c21-ac33-1ea5e342cea9 00:00 - Introduction 01:10 - Start of nmap which contains pluck version 05:50 - Looking into CVE-2024-9405 which is a File Disclosure vulnerability 08:00 - Discovering a backup password, cracking it, then uploading a malicious plugin 13:00 - RCE Obtained, defender is blocking reverse shell, obfuscating the command to bypass 17:30 - Creating a malicious LNK file, then when someone clicks on it we get a shell as Brandon.Keywarp 31:00 - Setting up the Bloodhound Community Edition and fixing bug which isn't showing us any images 34:40 - Using Bloodhoudn to show we can enroll in various certificate templates 37:00 - Discovering Defender Exclusions as a low privilege user by reading the event log for event id 5007 43:10 - Using Certify to request a certificate and then Rubeus to use the pass the ticket attack to get our users NTLM Hash 56:45 - Explaining our NTLM Relay attack that we are about to do 1:02:30 - Installing a version of impacket that allows for shadow_creds within ldap and then setting up the ntlmrelayx to forward connections to the DC's ldap 01:07:10 - Using PetitPotam with Brandon's hash to get the MS01$ to authenticate to us, and showing why we need to start the Webclient Service 1:15:00 - Setting shadow_creds for MS01$ then using s4u to impersonate the administrator user, so we can access the filesystem. Dumping local hashes with secretsdump 1:27:50 - Discovering a Keypass database in Sharon's directory, cracking it 1:36:18 - Going back to Bloodhound and seeing OP_SHARON.MULLARD can read GMSA Passwords, using nxc to dump SVC_CA$ 1:38:56 - Looking at what SVC_CA$ can do, identifying a chain abusing ESC13 twice to jump through groups to get to the Backup Service 1:44:39 - Using PyWhisker to set the shadow credentials on svc_cabackup then using PKINITTools to get the NTHASH of SVC_CABACKUP 1:54:40 - Using Certipy to create a certificate within ManagerAuthentication to place ourself in the Certificate Managers Group 1:57:00 - Using Certipy to create a certificate within the BackupSvcAuthentication to place ourselves in the ServiceAccounts Group 1:59:55 - Using Impacket to dump the registry of the domain controller to grab the DC01$ Password 2:07:50 - Having troubles with impacket writing to our SMB Server, writing it to the SYSVOL then copying it to the webserver 2:14:50 - Grabbing the DC01$ password with secretsdump from the SAM dump and then using this to run dcsync to get the MIST.HTB\Administrator account Wed, 15 Apr 2026 09:48:23 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/33ac967f-a9f3-4c21-ac33-1ea5e342cea9 All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.