https://stream.echo6.co/videos/watch/5c40adf3-949b-445f-8ef1-16277b46349d 00:00 - Introduction 01:08 - Start of nmap discovering only Active Directory (AD) Related ports 04:15 - Running Certipy both with and without the vulnerable flag 07:00 - Outputting Certipy to JSON and then writing a JQ Query that will show us non-default users that can enroll certificates 09:00 - Explaining the JQ Query that will take the list, filter out specific words, then show us items that still have an item 13:30 - Running Bloodhound.py to get some bloodhound data 16:00 - Looking at what Judith can do in Bloodhound, showing discovering by clicking outbound permissions 17:30 - Certipty gave us a high value target, can also use bloodhound to show us a path to the high value target which involves WriteOwner, GenericWrite, and GenericAll 19:00 - Abusing WriteOwner with owneredit, allowing us to add members with dacledit, and then taking ownership and then adding ourself to the group 23:30 - Using Certipy to abuse GenericAll/GenericWrite to create a shadow credential and grab the NTLM Hash 30:08 - Going over ESC9 31:20 - Using Certipy to exploit ESC9, updating UPN, requesting cert, updating UPN, and then using the certificate 34:25 - Grabbing the NTLM Hash of administrator with certipy, then logging in with WinRM 35:45 - Showing the certificate we generated 40:40 - Running SharpHound with a low privilege user to show it grabs more than the Python Bloodhound Module 43:35 - Building a Cypher Query to match all users that have CanPSRemote to computers 46:45 - Building a Cypher Query to show the shortest path from owned to the certificate template we want 51:00 - Changing our Cypher Query to show a specific user to the template Mon, 13 Apr 2026 16:51:28 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/5c40adf3-949b-445f-8ef1-16277b46349d All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.