7MS #640: Tales of Pentest Pwnage – Part 63
7 Minute Security7 Sep 2024

7MS #640: Tales of Pentest Pwnage – Part 63

This was my favorite pentest tale of pwnage to date! There’s a lot to cover in this episode so I’m going to try and bullet out the TLDR version here:

  • Sprinkled farmer files around the environment
  • Found high-priv boxes with WebClient enabled
  • Added “ghost” machine to the Active Directory (we’ll call it GHOSTY)
  • RBCD attack to be able to impersonate a domain admin using the CIFS/SMB service against the victim system where some higher-priv users were sitting
  • Use net.py to add myself to local admin on the victim host
  • Find a vulnerable service to hijack and have run an evil, TGT-gathering Rubeus.exe – found that Credential Guard was cramping my style!
  • Pulled the TGT from a host not protected with Credential Guard
  • Figured out the stolen user’s account has some “write” privileges to a domain controller
  • Use rbcd.py to delegate from GHOSTY and to the domain controller
  • Request a TGT for GHOSTY
  • Use getST.py to impersonate CIFS using a domain admin account on the domain controller (important thing here was to specify the DC by its FQDN, not just hostname)
  • Final move: use the domain admin ccache file to leverage net.py and add myself to the Active Directory Administrators group

Avsnitt(696)

7MS #103: OFFTOPIC-I Was in a Movie Once

7MS #103: OFFTOPIC-I Was in a Movie Once

This is an off-topic episode about the time I was in the holiday comedy super-smash laugh-fest, Jingle All the Way.

20 Okt 20157min

7MS #102: Recon-ng!

7MS #102: Recon-ng!

I'm a big fan of Recon-ng and you should be too! Check it out - and learn more about Tim Tomes, its creator - at www.lanmaster53.com. And here's the video I mentioned in the podcast - my first look at Recon-ng in action: https://www.youtube.com/watch?v=vkmNTNl6urw

15 Okt 20158min

7MS #101: OFFTOPIC-I Am Chris Farley

7MS #101: OFFTOPIC-I Am Chris Farley

The new(ish) Chris Farley documentary is fantastic - see it!

14 Okt 20157min

7MS #100: Assessment Curses Can Be Blessings

7MS #100: Assessment Curses Can Be Blessings

Ever had an assessment that you thought would be the death of you? I had one recently, but after sticking it out, it turned out to be a blessing in disguise.

9 Okt 20157min

7MS #99: How to Deliver Bad News in a Good Way

7MS #99: How to Deliver Bad News in a Good Way

Today's episode gives you some tips on how to deliver bad news in an assessment in a positive way. I think that last sentence was a grammatical nightmare.

2 Okt 20158min

7MS #98: Intro to PCI Scoping

7MS #98: Intro to PCI Scoping

So far I've focused on the technical aspects of PCI, but I'm trying to get familiar with the overall scoping questions that my tenacious QSA friends ask when they start a gap analysis. This episode shares some interesting tidbits I learned while doing some QSA "shadowing" on an assessment of a restaurant.

30 Sep 20158min

7MS #97: OFFTOPIC-Limbo

7MS #97: OFFTOPIC-Limbo

We're going off topic today and talking about video games! LIMBO for the Xbox!

25 Sep 20157min

7MS #96: How to Make Enemies During a Security Assessment

7MS #96: How to Make Enemies During a Security Assessment

Yep, we're talking about how to make ENEMIES during a security assessment today (and maybe turn them into friends).

23 Sep 20159min

Populärt inom Politik & nyheter

aftonbladet-krim
motiv
p3-krim
svd-dokumentara-berattelser-2
rss-krimstad
fordomspodden
svenska-fall
rss-viva-fotboll
flashback-forever
aftonbladet-daily
grans
olyckan-inifran
rss-vad-fan-hande
rss-sanning-konsekvens
svd-nyhetsartiklar
dagens-eko
blenda-2
rss-flodet
rss-frandfors-horna
spotlight