00:00 – Intro
01:10 – Start of NMAP
04:20 – Gobuster using a case insensitive wordlist because Windows
08:50 – Checking out the application on port 8080, Wallstant
10:30 – OWA Discovering the Exchange version based upon login interface
12:00 – OWA How the “User Enumeration” of Exchange may work… It’s time based
14:20 – Troubleshooting the Metasploit Module, SSL Error prevents it from loading ECONNRESET SSL_CONNECT
19:00 – Using Wallstant to build a username list to perform password spray
24:15 – Using Username Anarchy to take our list of names and build a wordlist of usernames
32:00 – For some reason when using Metasploit’s OWA Password Spray, OWA_2010 is broken… but setting it to OWA_2013 works.
34:30 – Showing SprayingToolkit to bruteforce OWA without Metasploit
39:10 – Sending an email address to all users and seeing if anyone clicks the link
41:40 – Using Responder to attempt to force the user’s computer to give up an NTLMv2 Hash over HTTP
47:00 – Cracking the NTLMv2 Hash of k.svensson
49:50 – Failing to use Evil-WinRM to access the box, switching to PowerShell on Linux
54:10 – Using PowerShell on Linux to Enter-PSSession on a Windows Box then finding out we are in ConstrainedLanguage mode
56:20 – Breaking out of ConstrainedLanguage Mode by creating a function
1:00:00 – Getting a reverse shell in FullLanguage mode, then looking at some PSRC and PSSC files
1:04:20 – Finding a link to StickyNotes on the desktop
1:06:50 – Doing a hex dump of the stickynote log to see there is a password written
1:08:30 – Attempting to use the JEA_TEST_ACCOUNT but failing without ConfigurationName parameter due to JEA
1:11:50 – Using an LFI Vulnerability in the function JEA can do in order to access any file
1:13:30 – Using the LFI to get root.txt
1:14:30 – Box is done.. Trying to dump the process and flailing, never get it working but figured people may still enjoy it.