00:00 - Introduction, assumed breach box
00:58 - Start of nmap
03:00 - Checking out what the credentials we are given go to, see WinRM but it doesn't give us much
06:50 - Running python bloodhound as olivia
09:45 - Looking at the json output manually to discover non-default groups
14:50 - Examining Olivia's outbound controls to see there is a chain to Benjamin, who has FTP Access
18:00 - Using Net RPC to change Michael and Benjamin's password
20:00 - Downloading the Password Safe database off the FTP Server, then cracking it
24:20 - Extracting the passwords from the password safe and then spraying to find Emily's is still valid
26:15 - Going back to Bloodhound, discovering Emily has GenericWrite over Ethan, who can DCSync.
28:25 - Running TargetedKerberoast to take advantage over GenericWrite and make Ethan's account kerberoastable and then crack it
30:15 - Running SecretsDump then talking about other flags like PasswordHistory
Support the originator by clicking the read the rest link below.
