<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>HackTheBox - Eighteen</title>
        <link>https://stream.echo6.co/videos/watch/471e6ebd-70dd-4db6-9394-c0a9d96b020f</link>
        <description>00:00 - Introduction 00:45 - Start of nmap 02:20 - Taking a look at the page, manually decoding the Flask cookie 06:15 - Running NetExec with the MSSQL Priv module, which tells us we can impersonate another login, then switching to mssqlclient 09:30 - Impersonating appdev, which can read the financial_planner table 12:25 - Converting the PBKDF2 hash to the Django format so we can try to crack it 16:20 - Using NXC to run RID brute through MSSQL and get other users to spray the password against 20:50 - Using Evil-WinRM to access the box as Adam.Scott, then poking at the webserver files; nothing useful here 22:45 - Getting the Windows patch level, noticing Windows 2025 and searching for exploits to find BadSuccessor 30:00 - Setting up Chisel so we can tunnel back to our box to run the BadSuccessor module with NXC 32:50 - Looking at the NXC issues to see that support for BadSuccessor is still only a PR, installing the PR branch with uv 39:15 - Setting our system time to the webserver's time, taken from the Date header returned by curl (Kerberos is sensitive to clock skew) 40:15 - Running BadSuccessor, getting the NTLM hash of administrator and using psexec to get on the box</description>
        <lastBuildDate>Wed, 15 Apr 2026 11:44:45 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://stream.echo6.co</generator>
        <image>
            <title>HackTheBox - Eighteen</title>
            <url>https://stream.echo6.co/client/assets/images/icons/icon-512x512.png</url>
            <link>https://stream.echo6.co/videos/watch/471e6ebd-70dd-4db6-9394-c0a9d96b020f</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://stream.echo6.co/feeds/video-comments.xml?videoId=471e6ebd-70dd-4db6-9394-c0a9d96b020f" rel="self" type="application/rss+xml"/>
    </channel>
</rss>