00:00 - Introduction
01:05 - Start of nmap
05:00 - Discovering the internal.analysis.htb subdomain
07:55 - Talking about why I want to run FeroxBuster here and showing the menu so we can stop crawling non-interesting directories (ex: js, css, img)
13:30 - Discovering list.php in users and fuzzing parameters
16:40 - Start of program to bruteforce usernames
21:55 - Got the first character of every username, get the full name
29:00 - Discovering the script it vulnerable to LDAP Injection
31:50 - Converting our ldap username bruteforcer to exploit this ldap injection and exfil fields
41:00 - Talking about having to deal with wildcards in the field
50:10 - Completing the script
55:50 - Discovering we can upload PHP Scripts using the SOC Report page
1:00:30 - Reverse shell returned
1:01:45 - Creating a PHP Script to dump the database, we could pivot with chisel but we've done that 100 times before
1:09:00 - Discovering Snort runs every 2 minutes, talking abou tthe DynamicProcessor and how if we can upload a DLL we can get RCE as Admin
1:19:10 - Getting JDOE's password from HTTP Access Logs and the registry
Support the originator by clicking the read the rest link below.
