https://stream.echo6.co/videos/watch/34fe7427-7dbb-4156-acb4-198c0e212625 00:00 - Intro 00:53 - Start of nmap 05:45 - Using Kerbrute to identify valid users 09:40 - Finding credentials for Hope.Sharp in an image on the website 10:40 - Showing Kerbrute paswordspray silently fails when time is out of sync 13:00 - Having troubles running the Python Bloodhound Ingestor, a digestmod error 15:50 - Giving up fixing my environment, creating a python virtual environment to run this script 18:00 - Uploading data to bloodhound, discovering a kerberoastable (web_svc) account, running GetUserSPN and Cracking the hash 23:20 - Parsing the raw Bloodhound Data with JQ and dumping all the valid usernames 25:20 - Using JQ select to show only the users that are enabled, its sql like syntax 28:50 - Running a password spray with kerbrute to find edgar.jacobs has the same credentials as Web_SVC 33:25 - Using CrackMapExec (CME) with the spider_plus module to dump all file names, then using JQ to parse the results with map_values(keys) 36:00 - Using SMBClient to download files, getting an excel document that has a protected row, modifying the document to remove the password and getting more passwords 40:00 - Using CME to run a large password spray guessing a single specific password for each user with the no bruteforce flag 41:25 - Back to Bloodhound, discovering our user can ReadGMSAPassword of an account that can reset password of an administrator 43:00 - Dumping files as Sierra.Frye with CME, discovering certificates, downloading them and then failing to crack them with John 49:10 - Using CrackPkcs12 to crack the PFX certificate, then loading it into our browser and accessing a Powershell WebConsole 57:20 - Gaining a powershell webconsole, flailing around a littlebit trying to read the GMSA Password 59:43 - Using Get-ADServiceAccount on to read information about the GMSA Account and get the password 1:03:00 - Running commands as the GMSA User with Powershell and Invoke-Command to reset Tristan.Davies Password... We could of psexec'd after this but I decided to do it the hard way. 1:08:00 - Getting a Nishang Reverse Shell, thought this would be easy but there's quite a bit of AV Evasion we have to do 1:14:40 - Getting rid of some of the reverse shell output allows nishang to bypass AV 1:20:25 - Using John to Crack the PFX File, I forgot to use pfx2john prior. Wed, 15 Apr 2026 09:25:55 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/34fe7427-7dbb-4156-acb4-198c0e212625 All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.