
7MS #668: Tales of Pentest Pwnage – Part 69

7 Minute Security

Release Date: 03/28/2025

7MS #693: Pwning Ninja Hacker Academy – Part 3

7 Minute Security

This week your pal and mine Joe “The Machine” Skeen kept picking away at pwning . To review where we’ve been in parts 1 and 2:

  • We found a SQL injection on a box called SQL, got a privileged Sliver beacon on it, and dumped mimikatz info
  • From that dump, we used the SQL box hash to do a BloodHound run, which revealed that we had excessive permissions over the Computers OU
  • We used dacledit.py to give ourselves too much permission on the Computers OU

Today we:

  • Did an RBCD attack against the WEB box
  • Requested a service ticket...

7MS #692: Tales of Pentest Pwnage – Part 76

7 Minute Security

Happy Friday! Today’s another hot pile of pentest pwnage. To make it easy on myself I’m going to share the whole narrative that I wrote up for someone else: I was on a pentest where a DA account would sweep the networks every few minutes over SMB and hit my box. But SMB signing was on literally everywhere. The fine folks here recommended I try relaying to something NOT SMB, like MSSQL. This article had good context on that: . I relayed the DA account to a SQL box that BloodHound said had a “session” from another DA. One part I can’t explain is the first relay got me a shell in...

7MS #691: Tales of Pentest Pwnage – Part 75

7 Minute Security

Holy schnikes, today might be my favorite tale of pentest pwnage ever. Do I say that almost every episode? Yes. Do I mean it? Yes. Here are all the commands/links to supplement today’s episode:

  • Got an SA account to a SQL server through -ing
  • With that SA account, I learned how to coerce Web auth from within a SQL shell – read more about that
  • I relayed that Web auth with ntlmrelayx -smb2support -t ldap://dc --delegate-access --escalate-user lowpriv
  • I didn’t have a machine account under my control, so I did SPNless RBCD on my lowpriv account – read more about that ...

7MS #690: Tales of Pentest Pwnage – Part 74

7 Minute Security

Today’s tale of pentest pwnage is a classic case of “If your head is buried in the pentest sand, pop it out for a while, touch grass, and re-enumerate what you’ve already enumerated, because that can lead to absolute GOLD!”

7MS #689: Pwning Ninja Hacker Academy – Part 2

7 Minute Security

Hello friends! Today your friend and mine, Joe “The Machine” Skeen joins me as we keep chipping away at pwning ! Today’s pwnage includes:

  • “Upgrading” our Sliver C2 connection to a full system shell using !
  • Abusing nanodump to do an lsass minidump….and find our first cred.
  • Analyzing BloodHound data to find (and own) excessive permissions against Active Directory objects

7MS #688: Building a Pentest Training Course Is Fun and Frustrating

7 Minute Security

Today I talk about a subject that I love and that also drives me crazy: building a pentest training course! Specifically, I dissect a fun/frustrating GPO attack that I need to build very carefully so that every student can pwn it while also not breaking the domain for everybody else. I also talk about how three different flavors of AI failed me in solving a simple task.

7MS #687: A Peek into the 7MS Mail Bag – Part 5

7 Minute Security

Hi friends, we’re doing something today we haven’t done in a hot minute: take a dip into the 7MinSec mail bag! Today we cover these questions:

  • If I’m starting a solo business venture as a security consultancy, is it a good idea to join forces with other solo security business owners and form a consortium of sorts?
  • Have you ever had anything go catastrophically wrong during a pentest? Yes, and this is an important link in the story:
  • What ever happened with the annoying apartment neighbor who stomped around like a rhino when you made any noise during COVID?
  • What happened to...

7MS #686: Our New Pentest Training Course is Almost Ready

7 Minute Security

Oh man, I’m so excited I can hardly sleep. Our new three-day (4 hours per day) training is getting closer to general release. I talk about the good/bad/ugly of putting together an attack-sensitive lab that students can abuse (but hopefully not break!), and the technical/curriculum-writing challenges that go along with it.

7MS #685: The Time My Neighbor Almost Got Scammed Out of $13K

7 Minute Security

Today’s kind of a “story time with your friend Brian” episode: a tale of how my neighbor almost got scammed out of $13k.  The story has a lot of red flags we can all keep in mind to keep ourselves (as well as kids/friends/parents/etc.) safer from these types of shenanigans.

7MS #684: Pwning Ninja Hacker Academy

7 Minute Security

Hey friends, today we start pwning  – cool CTF-style lab that has you start with no cred and try to conquer domain admin on two domains!

 

Hola friends! Today’s tale of pentest pwnage talks about abusing Exchange and the Azure ADSync account! Links to the discussed things:

  • adconnectdump – for all your ADSync account dumping needs!
  • Adam Chester’s PowerShell script to dump the MSOL service account
  • dacledit.py (part of Impacket) to give myself full write privileges on the MSOL sync account: dacledit.py -action 'write' -rights 'FullControl' -principal lowpriv -target MSOL-SYNC-ACCOUNT -dc-ip 1.2.3.4 domain.com/EXCHANGEBOX$ -k -no-pass
  • Looking to tighten up your Exchange permissions? Check out this crazy detailed post