HackTheBox - Axlle

00:00 - Introduction
01:00 - Start of nmap
04:50 - Looking at what an XLL is
06:50 - Finding a skeleton xll payload, then compiling it on Linux
12:20 - Shell returned, grabbing the NTLMv2 Hash of our user with responder
17:45 - Looking into hMailServer, discovering emails from other users. Hints at dropping URL Shortcuts in a directory
21:20 - Converting the XLL payload to an exe, uploading it to the box, creating a URL shortcut, and getting a shell as Dallon.Matrix
25:40 - Using PowerShell to search a directory for files containing "password", discovering the PowerShell ConsoleHost_History
28:00 - Using BloodHound.py to get BloodHound data
37:20 - Discovering we can ForceChangePassword on other users
42:15 - For some reason our BloodHound Python ingestor didn't get the WinRM edge, running SharpHound to see it should have been there
46:00 - The users in App Dev can enter the "App Development" directory, which has a program called kbfiltr and a hint towards StandaloneRunner.exe being run
50:45 - Creating the StandaloneRunner LOLBin and waiting for the scheduled task to open the exe to get a shell as administrator
