7MS #693: Pwning Ninja Hacker Academy – Part 3
7 Minute Security
This week your pal and mine Joe “The Machine” Skeen kept picking away at pwning . To review where we’ve been in parts 1 and 2: We found a SQL injection on a box called SQL, got a privileged Sliver beacon on it, and dumped mimikatz info From that dump, we used the SQL box hash to do a BloodHound run, which revealed that we had excessive permissions over the Computers OU We useddacledit.py to give ourselves too much permission on the Computers OU Today we: Did an RBCD attack against the WEB box Requested a service ticket...
info_outline
7MS #692: Tales of Pentest Pwnage – Part 76
7 Minute Security
Happy Friday! Today’s another hot pile of pentest pwnage. To make it easy on myself I’m going to share the whole narrative that I wrote up for someone else: I was on a pentest where a DA account would sweep the networks every few minutes over SMB and hit my box. But SMB signing was on literally everywhere. The fine folks here recommended I try relaying to something NOT SMB, like MSSQL. This article had good context on that: . I relayed the DA account to a SQL box that BloodHound said had a “session” from another DA. One part I can’t explain is the first relay got me a shell in...
info_outline
7MS #691: Tales of Pentest Pwnage – Part 75
7 Minute Security
Holy schnikes, today might be my favorite tale of pentest pwnage ever. Do I say that almost every episode? yes. Do I mean it? Yes. Here are all the commands/links to supplement today’s episode: Got an SA account to a SQL server through -ing With that SA account, I learned how to coerce Web auth from within a SQL shell – read more about that I relayed that Web auth with ntlmrelayx -smb2support -t ldap://dc --delegate-access --escalate-user lowpriv I didn’t have a machine account under my control, so I did SPNless RBCD on my lowpriv account – read more about that ...
info_outline
7MS #690: Tales of Pentest Pwnage – Part 74
7 Minute Security
Today’s tale of pentest pwnage is a classic case of “If your head is buried in the pentest sand, pop it out for a while, touch grass, and re-enumerate what you’ve already enumerated, because that can lead to absolute GOLD!”
info_outline
7MS #689: Pwning Ninja Hacker Academy – Part 2
7 Minute Security
Hello friends! Today your friend and mine, Joe “The Machine” Skeen joins me as we keep chipping away at pwning ! Today’s pwnage includes: “Upgrading” our Sliver C2 connection to a full system shell using ! Abusing nanodump to do an lsass minidump….and find our first cred. Analyzing BloodHound data to find (and own) excessive permissions against Active Directory objects
info_outline
7MS #688: Building a Pentest Training Course Is Fun and Frustrating
7 Minute Security
Today I talk about a subject I love while also driving me crazy at the same time: building a pentest training course! Specifically, I dissect a fun/frustrating GPO attack that I need to build very carefully so that every student can pwn it while also not breaking the domain for everybody else. I also talk about how three different flavors of AI failed me in solving a simple task.
info_outline
7MS #687: A Peek into the 7MS Mail Bag – Part 5
7 Minute Security
Hi friends, we’re doing something today we haven’t done in a hot minute: take a dip into the 7MinSec mail bag! Today we cover these questions: If I’m starting a solo business venture as a security consultancy, is it a good idea to join forces with other solo security business owners and form a consortium of sorts? Have you ever had anything go catastrophically wrong during a pentest? Yes, and this is an important link in the story: What ever happened with the annoying apartment neighbor who stomped around like a rhino when you made any noise during COVID? What happened to...
info_outline
7MS #686: Our New Pentest Training Course is Almost Ready
7 Minute Security
Oh man, I’m so excited I can hardly sleep. Our new three-day (4 hours per day) training is getting closer to general release. I talk about the good/bad/ugly of putting together an attack-sensitive lab that students can abuse (but hopefully not break!), and the technical/curriculum-writing challenges that go along with it.
info_outline
7MS #685: The Time My Neighbor Almost Got Scammed Out of $13K
7 Minute Security
Today’s kind of a “story time with your friend Brian” episode: a tale of how my neighbor almost got scammed out of $13k. The story has a lot of red flags we can all keep in mind to keep ourselves (as well as kids/friends/parents/etc.) safer from these types of shenanigans.
info_outline
7MS #684: Pwning Ninja Hacker Academy
7 Minute Security
Hey friends, today we start pwning – cool CTF-style lab that has you start with no cred and try to conquer domain admin on two domains!
info_outlineHey friends, our good buddy Joe “The Machine” Skeen and I are back this week with part 2 (check out part 1!) tackling GOAD SCCM again! Spoiler alert: this time we get DA! YAY!
Definitely check out these handy SCCM resources to help you – whether it be in the lab or IRL (in real life):
- GOAD SCCM walkthrough
- MisconfigurationManager – tremendous resource for enumerating/attacking/privesc-ing within SCCM
- This gist from Adam Chester will help you decrypt SCCM creds stored in SQL