HackTheBox - Blackfield


00:00 — Intro
01:00 — Start of nmap
03:00 — Enumerating fileshares with SMBClient and CrackMapExec, highlighting some picky syntax
06:15 — Mounting the profiles$ directory so we can build a username list
09:00 — Using Kerbrute to enumerate valid usernames
13:40 — Running GetNPUsers to perform an ASREP Roast
17:50 — Checking what we can do with the Support User from the ASREP Roast
20:45 — Running the python Bloodhound ingestor from Linux
27:55 — Bloodhound ran, playing around with the data, eventually seeing support can reset audit2020's password
32:20 — Setting a Windows user's (Audit2020) password from Linux using RPCClient
36:45 — Audit2020 has access to the forensic share which has a memory dump of lsass, running pypykatz to extract credentials
42:20 — Using Evil-WinRM to access the box as SVC_Backup and discovering the backup privilege
43:30 — Failing to get WBADMIN to send a backup file to impacket
47:30 — Creating an NTFS Block Device/Partition, but it does not fix our impacket issues
49:45 — Editing samba to create a Windows fileshare from Linux. Purposefully don't point it to our NTFS Disk so you can see the errors.
54:54 — Pointing samba to our NTFS Directory, to show it works much better
55:50 — Running wbadmin to create a backup to our fileshare and include ntds.dit
57:00 — Running wbadmin to restore an ntds.dit out of our backup and creating a backup of the SYSTEM Registry hive
1:02:00 — Using secretsdump to extract credentials out of the ntds.dit and show the history flag
1:04:20 — Showing you can't grab the flag as SYSTEM user due to EFS (Encrypting File System). Using WMIExec to get a shell as the actual user
1:12:30 — Using Mimikatz to restore the password of Audit2020, so it's like we were never there.
