OSCP Practice Lab: Active Directory Attack Path #3 (Advanced/Client-Side Exploits)

This video walks through one of the more advanced paths to complete domain compromise that I practiced for the OSCP. More specifically this is a longer walkthrough (sorry!) where we use a client-side exploitation method with MS Office, as well as, Active Directory enumeration via SharpHound/BloodHound.
Thank you for watching and I hope this helps you with your journey!

The link to setting up this lab environment will be posted in the near future.


0:00 Intro
0:55 OpenVPN
3:48 MS01 Enumeration
14:09 Web App Enum
25:21 Office Macro
51:43 MS01 Initial Foothold
1:02:34 Office Macro Alt Method
1:16:29 MS01 winPEAS
1:25:14 MS01 Priv Esc via Web Shell
1:42:55 Hunting for Active Directory Credentials
1:47:35 Pivoting with Ligolo-ng
1:54:30 NMAP Scan the LAN Subnet
2:02:10 Finding Deleted Credentials
2:08:10 Cracking Password Protected Word .doc File
2:32:58 MS01 Dumping Credentials with Mimikatz
2:45:22 MS01 SharpHound
2:51:01 MS01 BloodHound
3:01:06 LAPS
3:11:38 More BloodHound and ForceChangePassword
3:26:00 MS02 RDP Lateral Movement
3:40:18 MS02 BloodHound Additional Data
3:46:56 MS02 Mimikatz
3:50:13 Mimikatz rules
3:54:05 DC01 Pwned via psexec