https://stream.echo6.co/videos/watch/5f9e7e6b-074a-4c3b-8030-0ab25c4c1281 00:00 - Introduction 01:30 - Start of nmap 03:30 - Examining the website looking for interesting functionality 07:50 - The check updates page loads a unique DLL and puts a JWT in the request 12:30 - Opening Blazorized.Helpers.Dll with ilSpy to discover a hardcoded JWT 15:27 - Using Burp to add the header to all of our requests and installing the Blazor Traffic Processor Plugin 19:00 - Examining the traffic, discovering the server instructs our client to get a JWT from localstorage 22:00 - Discovering MSSQL Injection in the Super Admin Panel, getting RCE 29:30 - Reverse shell returned 31:56 - Running SharpHound, then standing up a WebDAV server on nginx so we can use files back to our host over HTTP PUT Requests 39:00 - Starting Bloodhound discovering we can SetSPN on another user 45:20 - Setting the SPN on a user via Powerview, which lets us kerberoast to get a hash and cracking it 50:20 - Using PowerView Find-InterestingDomainAcl to show unique things our user can do and discovering we can set loginscripts 58:50 - Using AccessChk to find a writable directory in the SYSVOL Directory 01:03:50 - Using Powerview to set the Login Script to our file and getting a shell 01:10:00 - Using mimikatz to dcsync and get the administrator password Mon, 13 Apr 2026 20:44:56 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/5f9e7e6b-074a-4c3b-8030-0ab25c4c1281 All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.