7MS #589: Tales of Pentest Pwnage - Part 51

In today's tale of pentest pwnage we talk about:

• The importance of local admin and how access to even one server might mean instant, full control over their backup or virtualization infrastructure

• Copying files via WinRM when copying over SMB is blocked:

$sess = New-PSSession -Computername SERVER-I-HAVE-LOCAL-ADMIN-ACCESS-ON -Credential *

...then provide your creds...and then:

copy-item c:\superimportantfile.doc -destination c:\my-local-hard-drive\superimportantfile.doc -fromsession $sess

• If you come across PowerShell code that crafts a secure string credential, you may able to decrypt the password variable with:

[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MyVarIWantToDecryptGoesHere))