https://stream.echo6.co/videos/watch/dbb431d4-d574-4987-8d70-8990e4c33169 00:00 - Intro 01:00 - Start of nmap, getting hostname and 05:20 - Discovering the Server Header changes for virtualhost, probably navigating to a different box/container/etc [MasterRecon] 10:50 - Getting a good SSTI Fuzz String then identifying this string causes an error on the webserver. Removing parts of the string until we see the type of SSTI 13:40 - Playing with ASP Code in this SSTI or ASP Code Injection... Not sure what the vulnerability is 15:30 - Getting a VBScript One Liner to execute code and then getting a reverse shell 24:30 - Discovering a x509 certificate, decoding it with openssl, and discovering a second hostname 29:00 - Downloading and running chisel to setup a reverse socks proxy so we can attempt to pivot through this container 31:54 - Running nmap through the chisel socks proxy with proxychains 34:20 - Setting FoxyProxy to only send specific domains through our proxy 36:30 - Discovering the softwareportal.windcorp.htb attempts to install software on machines, set it to our machine and wireshark to see how 3it connects back to us 38:30 - Using responder to intercept the WinRM Connection and then use hashcat to crack the credentials 42:40 - Using CrackMapExec with our cracked credentials discovering we can access a file share that has Jamovi Files 45:00 - Installing Jamovi then finding out the XSS and proving RCE with Calc. Setting it to execute javascripts off of our webserver 53:20 - Creating a web cradle to execute a reverse shell, in typical ippsec fashion have a typo that we will fix later 56:20 - Fixed up the web cradle, reverse shell returned. Some light enumeration and talking about honey pots that have logon hours set to never 1:00:00 - Start of certificate exploit, downloading tools certify, rubeus, ADCS, PowerView 1:04:45 - Running Certify to find vulnerable certificates, we can edit the certificate template which enables us to enroll a smart card 1:08:00 - Running Get-SmartCardCertificate and then checking certificate store to see we didn't have anything. Showing we need to change the script because a weird thing with UPN's on this box 1:10:50 - Running Get-SmartCardCertificate again with our fix, then getting the certificate thumbprint and using Rubeus to get the credential 1:14:30 - Enabling RDP on the box so we can visually see the certificate 1:19:10 - Opening up MMC to see the certificate 1:23:20 - Doing the Certificate Exploit again but stepping through it all manually using Linux instead of Windows when possible 1:24:20 - Showing the vulnerable certificate template before modifying and what the certificate usage is 1:26:30 - Showing the certificate template after using Set-ADObject to modify the template 1:27:25 - Generating a Certificate Request 1:29:40 - Using CertReq to sign the certificate we generated 1:31:30 - Showing my Kerberos Configuration 1:32:50 - Using CertUtil to output the CA Certificate 1:33:50 - Setting up our port forwards so we can communicate with Kerberos 1:37:45 - Running kinit to login with our X509 Smart Card Certificate, get error show how to debug KINIT with trace 1:39:40 - Changing our time to match the DC and then running KINIT again and getting a session 1:40:50 - Using Evil-WinRM to get a shell with our kerberos certificate Mon, 13 Apr 2026 23:01:43 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/dbb431d4-d574-4987-8d70-8990e4c33169 All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.