00:00 - Intro
00:53 - Start of nmap
05:45 - Using Kerbrute to identify valid users
09:40 - Finding credentials for Hope.Sharp in an image on the website
10:40 - Showing Kerbrute passwordspray silently fails when time is out of sync
13:00 - Having trouble running the Python Bloodhound Ingestor, a digestmod error
15:50 - Giving up fixing my environment, creating a python virtual environment to run this script
18:00 - Uploading data to Bloodhound, discovering a kerberoastable (web_svc) account, running GetUserSPNs and cracking the hash
23:20 - Parsing the raw Bloodhound Data with JQ and dumping all the valid usernames
25:20 - Using JQ select to show only the users that are enabled, its SQL-like syntax
28:50 - Running a password spray with kerbrute to find edgar.jacobs has the same credentials as Web_SVC
33:25 - Using CrackMapExec (CME) with the spider_plus module to dump all file names, then using JQ to parse the results with map_values(keys)
36:00 - Using SMBClient to download files, getting an Excel document that has a protected row, modifying the document to remove the password and getting more passwords
40:00 - Using CME to run a large password spray guessing a single specific password for each user with the no-bruteforce flag
41:25 - Back to Bloodhound, discovering our user can ReadGMSAPassword of an account that can reset password of an administrator
43:00 - Dumping files as Sierra.Frye with CME, discovering certificates, downloading them and then failing to crack them with John
49:10 - Using CrackPkcs12 to crack the PFX certificate, then loading it into our browser and accessing a Powershell WebConsole
57:20 - Gaining a PowerShell web console, flailing around a little bit trying to read the GMSA password
59:43 - Using Get-ADServiceAccount to read information about the GMSA account and get the password
1:03:00 - Running commands as the GMSA user with PowerShell and Invoke-Command to reset Tristan.Davies' password... We could have psexec'd after this but I decided to do it the hard way.
1:08:00 - Getting a Nishang Reverse Shell, thought this would be easy but there's quite a bit of AV Evasion we have to do
1:14:40 - Getting rid of some of the reverse shell output allows nishang to bypass AV
1:20:25 - Using John to Crack the PFX File, I forgot to use pfx2john prior.