Рет қаралды 42,798
00:00 - Intro
01:05 - Start of nmap
1:55 - Quickly testing SMB, then using CME to get a hostname of the box
3:30 - Testing out the website, discovering admin:admin logs us in. Running gobuster with HTTP Auth
04:55 - The website allows us to write to a file share. Going over SCF Files and how we can use them to steal NTLMv2 Hashes by having an external icon
07:30 - Using hashcat to crack the NTLMv2 Hash
08:45 - Using CME with these credentials to discover we can WinRM to the box
11:30 - Downloading WinPEAS and using our Evil-WinRM shell to execute it
14:40 - Going over the WinPEAS Output and discovering a Ricoh printer driver
21:50 - Going over the Ricoh printer driver exploit
23:10 - Switching to Metasploit, showing an issue with the WinRM Module in MSF
26:25 - Using MSFVenom to create an executable then having WinRM send us the meterpreter shell
29:30 - Having trouble getting the exploit to run... Switching to a 32 bit payload... then migrating to a interactive process
32:05 - Using Meterpreter to migrate to an interactive process then suddenly the exploit works
34:30 - Using the powershell PrintNightmare to privesc
37:20 - Showing the two WinRM MSF Scripts operate completely differently.