01:04 - Begin of Recon
06:45 - Checking the web interfaces
07:20 - Discovering there is a Certificate Authority
08:50 - Taking a look at LDAP
10:55 - Examining SMB to find shares
12:00 - Searching the Operations and Department Shares
14:50 - Viewing permissions of a SMB Share with SMBCACLS
19:10 - Discovering a writeable share, dropping a SCF File to get a hash
22:04 - Using Hashcat to crack NetNTLMv2
24:40 - Using SMBMap to identify if this user has access to anything extra
25:40 - Discovering the CertSRV Directory
28:00 - Discovering Powershell Remoting
30:00 - Error from WinRM (Need SSL)
31:00 - Using openSSL to generate a private key
31:52 - Going to /CertSRV to sign our certificate as Amanda
34:00 - Adding the SSL Authentication to WinrM
35:15 - Playing with LDAP Again (with the Amanda Creds)
37:50 - Shell on the box with WinRM as Amanda
38:15 - Running SharpHound
40:29 - Applocker is on the box, lets move it in the windows directory
42:00 - Trying to get the bloodhound data off the box.
44:20 - Starting bloodhound
45:27 - File didn't copy lets load up Covenant
49:30 - Covenant is up and running - Create a HTTP Listener
50:30 - Hosting a Launcher
52:30 - Getting a grunt
54:40 - Running SeatBelt
57:00 - Running SharpHound
60:00 - Finally uploading the bloodhound data
01:01:18 - Running Bloodhound with all Collection Methods
01:05:15 - Discovering the MRLKY can DCSYNC
01:07:25 - Cannot kerberoast because of the Double Hop Problem, create token with MakeToken
01:12:30 - Cracked the Kerberoasted Hash, doing maketoken with mrlky and running DCSYnc
01:14:40 - Running WMIExec to get Administrator
01:22:00 - UNINTENDED Method 1: Amanda can write to Clean.bat
01:24:30 - UNINTENDED Method 2: Forensic artifacts leave MRKLY Hash in C:\windows\system32\file.txt