podcast:

vota permalink to share 7 Minute Security

Brian Johnson


7 Minute Security is a weekly information security podcast focusing on penetration testing, blue teaming and building a career in security.
The podcast also features in-depth interviews with industry leaders who share their insights, tools, tips and tricks for being a successful security engineer.



episode:

7MS #640: Tales of Pentest Pwnage – Part 63

07.09.2024 03:15


permalink to episode vota



This was my favorite pentest tale of pwnage to date!  There’s a lot to cover in this episode so I’m going to try and bullet out the TLDR version here:

  • Sprinkled farmer files around the environment
  • Found high-priv boxes with WebClient enabled
  • Added “ghost” machine to the Active Directory (we’ll call it GHOSTY)
  • RBCD attack to be able to impersonate a domain admin using the CIFS/SMB service against the victim system where some higher-priv users were sitting
  • Use net.py to add myself to local admin on the victim host
  • Find a vulnerable service to hijack and have run an evil, TGT-gathering Rubeus.exe – found that Credential Guard was cramping my style!
  • Pulled the TGT from a host not protected with Credential Guard
  • Figured out the stolen user’s account has some “write” privileges to a domain controller
  • Use rbcd.py to delegate from GHOSTY and to the domain controller
  • Request a TGT for GHOSTY
  • Use getST.py to impersonate CIFS using a domain admin account on the domain controller (important thing here was to specify the DC by its FQDN, not just hostname)
  • Final move: use the domain admin ccache file to leverage net.py and add myself to the Active Directory Administrators group



Continue listening to: 7 Minute Security






Podcast Episodes News Top Fav.


We are building a community of podcasters and markets with one voice