• 7MS #640: Tales of Pentest Pwnage – Part 63

  • Sep 7 2024
  • Length: 43 mins
  • Podcast

7MS #640: Tales of Pentest Pwnage – Part 63

Listen for free

View show details

  • Summary

  • This was my favorite pentest tale of pwnage to date! There’s a lot to cover in this episode so I’m going to try and bullet out the TLDR version here:

    • Sprinkled farmer files around the environment
    • Found high-priv boxes with WebClient enabled
    • Added “ghost” machine to the Active Directory (we’ll call it GHOSTY)
    • RBCD attack to be able to impersonate a domain admin using the CIFS/SMB service against the victim system where some higher-priv users were sitting
    • Use net.py to add myself to local admin on the victim host
    • Find a vulnerable service to hijack and have run an evil, TGT-gathering Rubeus.exe – found that Credential Guard was cramping my style!
    • Pulled the TGT from a host not protected with Credential Guard
    • Figured out the stolen user’s account has some “write” privileges to a domain controller
    • Use rbcd.py to delegate from GHOSTY and to the domain controller
    • Request a TGT for GHOSTY
    • Use getST.py to impersonate CIFS using a domain admin account on the domain controller (important thing here was to specify the DC by its FQDN, not just hostname)
    • Final move: use the domain admin ccache file to leverage net.py and add myself to the Active Directory Administrators group
    Show More Show Less
Politics & Government
Show More Show Less
activate_Holiday_promo_in_buybox_DT_T2
activate_samplebutton_t1

What listeners say about 7MS #640: Tales of Pentest Pwnage – Part 63

Average customer ratings

Reviews - Please select the tabs below to change the source of reviews.

Audible.co.uk reviews

Amazon reviews
No Reviews are Available