00:00 - Introduction
00:58 - Start of nmap
03:30 - Taking a look at the website
05:50 - Using NetExec to search for file shares and discovering the Development share is open. Using smbclient to download everything
08:00 - Exploring the Ansible Playbooks in the Development share to discover encrypted passwords (Ansible Vault)
10:00 - Converting the Ansible Vault hashes to John/Hashcat format so we can crack them
13:30 - Decrypting the values and getting some passwords, one of which lets us log into PWM (webapp)
19:50 - Adding a rogue LDAP server to the PWM config, then clicking test config will send us the password for the LDAP account
27:00 - Running Certipy to find the server is vulnerable to ESC1, we just need to enroll a computer
28:00 - Using NetExec to show the MachineAccountQuota, confirming we can enroll machines
29:00 - Using Impacket to add a rogue computer
30:00 - Using Certipy to perform the ESC1, it works but smart card login isn't enabled so we can't