https://stream.echo6.co/videos/watch/b6174436-1183-4eb6-8210-9f23ace2194c 00:00 - Introduction 01:00 - Start of Nmap 03:00 - Playing with the web page, but everything is static doing a VHOST Bruteforce to discover school.flight.htb 07:10 - Discovering the view parameter and suspecting File Disclosure, testing by including index.php and seeing the source code 09:20 - Since this is a Windows, try to include a file off a SMB Share and steal the NTLMv2 Hash of the webserver then crack it 13:30 - Running CrackMapExec (CME) checking shares, doing a Spider_Plus to see the files in users 18:30 - Running CrackMapExec (CME) to create a list of users on the box then doing a password spray to discover a duplicate password 20:20 - Checking the shares with S.Moon and discovering we can write to the Shared Directory 21:30 - Using NTLM_Theft to create a bunch of files that would attempt to steal NTLM Hashes of users when browsing to a directory getting C.Bum's creds with Desktop.ini 26:18 - C.Bum can write to Web, dropping a reverse shell 29:30 - Reverse shell returned as svc_apache, discovering inetpub directory that c.bum can write to 32:40 - Using RunasCS.EXE to switch users to cbum 37:30 - Creating an ASPX Reverse shell on the IIS Server and getting a shell as DefaultAppPool 48:00 - Reverse shell returned as DefaultAppPool, showing it is a System Account 50:05 - Uploading Rubeus and stealing the kerberos ticket of the system account, which because this is a DC we can DCSync 52:50 - Running DCSync Wed, 15 Apr 2026 11:15:35 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/b6174436-1183-4eb6-8210-9f23ace2194c All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.