00:00 - Introduction
00:45 - Start of nmap
03:00 - Null Authentication lets us list open shares
05:30 - Using SMBClient and downloading the overwatch binary and config from the fileshare
08:40 - Using ilSpycmd to decompile the dotnet binary from Linux
10:04 - Looking at the overwatch source, which is a WCF (Windows Communication Foundation) binary
14:00 - Taking the nmap allports output and doing some bash-fu to get a list of open ports, then running our normal nmap against those open ports
17:40 - Finding MSSQL on port 6520, where we can log in. Enum_Links shows a linked SQL Server; it hangs and says the host SQL07 doesn't exist
21:45 - Using BloodyAD to show the AD attributes we can write to, discovering we can create DNS entries, then creating a DNS entry for SQL07 that points back to us and getting the SQLMGMT user credentials
25:00 - Looking at the WCF endpoint, examining the WSDL and explaining it a little bit
26:30 - Executing endpoints in the WCF endpoint from PowerShell with New-WebServiceProxy and getting RCE on the server
33:00 - Showing how we could have enumerated services from our first shell