7MS #640: Tales of Pentest Pwnage – Part 63

7 Minute Security

Innehåll tillhandahållet av Brian Johnson. Allt poddinnehåll inklusive avsnitt, grafik och podcastbeskrivningar laddas upp och tillhandahålls direkt av Brian Johnson eller deras podcastplattformspartner. Om du tror att någon använder ditt upphovsrättsskyddade verk utan din tillåtelse kan du följa processen som beskrivs här https://sv.player.fm/legal.

10d ago 43:19

MP3•Episod hem

This was my favorite pentest tale of pwnage to date! There’s a lot to cover in this episode so I’m going to try and bullet out the TLDR version here:

Sprinkled farmer files around the environment
Found high-priv boxes with WebClient enabled
Added “ghost” machine to the Active Directory (we’ll call it GHOSTY)
RBCD attack to be able to impersonate a domain admin using the CIFS/SMB service against the victim system where some higher-priv users were sitting
Use net.py to add myself to local admin on the victim host
Find a vulnerable service to hijack and have run an evil, TGT-gathering Rubeus.exe – found that Credential Guard was cramping my style!
Pulled the TGT from a host not protected with Credential Guard
Figured out the stolen user’s account has some “write” privileges to a domain controller
Use rbcd.py to delegate from GHOSTY and to the domain controller
Request a TGT for GHOSTY
Use getST.py to impersonate CIFS using a domain admin account on the domain controller (important thing here was to specify the DC by its FQDN, not just hostname)
Final move: use the domain admin ccache file to leverage net.py and add myself to the Active Directory Administrators group

640 episoder

#Tech #Tech News #Brian Johnson #Information Security #Security #News