• 7MS #645: How to Succeed in Business Without Really Crying - Part 18
    Oct 14 2024

    Today I do a short travelogue about my trip to Washington, geek out about some cool training I did with Velociraptor, ponder drowning myself in blue team knowledge with XINTRA LABS, and share some thoughts about the conference talk I gave called 7 Ways to Panic a Pentester.

    31 mins
  • 7MS #644: Tales of Pentest Pwnage – Part 64
    Oct 4 2024

    Hey! I’m speaking in Wenatchee, Washington next week at the NCESD conference about 7 ways to panic a pentester! Today’s tale of pentest pwnage is a great reminder to enumerate, enumerate, enumerate! It also emphasizes that cracking NETLM/NETNTLMv1 isn’t super easy to remember the steps for (at least for me) but this crack.sh article makes it a bit easier!

    41 mins
  • 7MS #643: DIY Pentest Dropbox Tips – Part 11
    Sep 27 2024

    Today we continue where we left off in episode 641, but this time talking about how to automatically deploy and install an Ubuntu-based dropbox! I also share some love for exegol as an all-in-one Active Directory pentesting platform.

    27 mins
  • 7MS #642: Interview with Ron Cole of Immersive Labs
    Sep 23 2024

    Ron Cole of Immersive Labs joins us to talk pentest war stories, essential skills he learned while serving on a SOC, and the various pentest training and range platforms you can use to sharpen your security skills! Here are the links Ron shared during our discussion:

    • VetSec
    • Fortinet Veterans Program
    • Immersive Labs Cyber Million
    • FedVTE
    42 mins
  • 7MS #641: DIY Pentest Dropbox Tips – Part 10
    Sep 13 2024

    Today we’re revisiting the fun world of automating pentest dropboxes using Proxmox, Ansible, Cursor and Level. Plus, a tease about how all this talk about automation is getting us excited for a long-term project: creating a free/community edition of Light Pentest LITE training!

    28 mins
  • 7MS #640: Tales of Pentest Pwnage – Part 63
    Sep 7 2024

    This was my favorite pentest tale of pwnage to date! There’s a lot to cover in this episode so I’m going to try and bullet out the TLDR version here:

    • Sprinkled farmer files around the environment
    • Found high-priv boxes with WebClient enabled
    • Added “ghost” machine to the Active Directory (we’ll call it GHOSTY)
    • RBCD attack to be able to impersonate a domain admin using the CIFS/SMB service against the victim system where some higher-priv users were sitting
    • Use net.py to add myself to local admin on the victim host
    • Find a vulnerable service to hijack and have run an evil, TGT-gathering Rubeus.exe – found that Credential Guard was cramping my style!
    • Pulled the TGT from a host not protected with Credential Guard
    • Figured out the stolen user’s account has some “write” privileges to a domain controller
    • Use rbcd.py to delegate from GHOSTY and to the domain controller
    • Request a TGT for GHOSTY
    • Use getST.py to impersonate CIFS using a domain admin account on the domain controller (important thing here was to specify the DC by its FQDN, not just hostname)
    • Final move: use the domain admin ccache file to leverage net.py and add myself to the Active Directory Administrators group
    43 mins
  • 7MS #639: Tales of Pentest Pwnage - Part 62
    Sep 3 2024

    Today’s tale of pentest pwnage talks about the dark powers of the net.py script from impacket.

    7 mins
  • 7MS #638: Tales of Pentest Pwnage – Part 61
    Aug 23 2024

    Today we’re talking pentesting – specifically some mini gems that can help you escalate local/domain/SQL privileges:

    • Check the C: drive! If you get local admin and the system itself looks boring, check root of C – might have some interesting scripts or folders with tools that have creds in them.
    • Also look at Get-ScheduledTasks
    • Find ids and passwords easily in Snaffler output with this Snaffler cleaner script
    • There’s a ton of gold to (potentially) be found in SQL servers – check out my notes on using PowerUpSQL to find misconfigs and agent jobs you might be able to abuse!
    33 mins