7MS #640: Tales of Pentest Pwnage – Part 63
Update: 2024-09-07
Description
This was my favorite pentest tale of pwnage to date! There’s a lot to cover in this episode so I’m going to try and bullet out the TLDR version here:
- Sprinkled farmer files around the environment
- Found high-priv boxes with WebClient enabled
- Added “ghost” machine to the Active Directory (we’ll call it GHOSTY)
- RBCD attack to be able to impersonate a domain admin using the CIFS/SMB service against the victim system where some higher-priv users were sitting
- Use net.py to add myself to local admin on the victim host
- Find a vulnerable service to hijack and have run an evil, TGT-gathering Rubeus.exe – found that Credential Guard was cramping my style!
- Pulled the TGT from a host not protected with Credential Guard
- Figured out the stolen user’s account has some “write” privileges to a domain controller
- Use rbcd.py to delegate from GHOSTY and to the domain controller
- Request a TGT for GHOSTY
- Use getST.py to impersonate CIFS using a domain admin account on the domain controller (important thing here was to specify the DC by its FQDN, not just hostname)
- Final move: use the domain admin ccache file to leverage net.py and add myself to the Active Directory Administrators group
Comments
Top Podcasts
The Best New Comedy Podcast Right Now – June 2024The Best News Podcast Right Now – June 2024The Best New Business Podcast Right Now – June 2024The Best New Sports Podcast Right Now – June 2024The Best New True Crime Podcast Right Now – June 2024The Best New Joe Rogan Experience Podcast Right Now – June 20The Best New Dan Bongino Show Podcast Right Now – June 20The Best New Mark Levin Podcast – June 2024
In Channel