{"version":1,"type":"rich","provider_name":"Libsyn","provider_url":"https:\/\/www.libsyn.com","height":90,"width":600,"title":"7MS #720: Tales of Pentest Pwnage \u2013 Part 84","description":"Hey friends! Today\u2019s another Tales of Pentest Pwnage! Quick tangent first on a couple side projects: I\u2019ve got a music thing at quack.house (like the duck noise, not the drug) and a podcast with my dancer son Atticus at DadOfADancer.com. Speaking of Atticus \u2014 he just landed a spot in Master Ballet Academy\u2019s summer program in Phoenix, and I am a very proud dance dad over here. OK, on to the pentest: A weird runas quirk: If your AD test account password ends in a percent sign, runas seems to misbehave (Claude thinks Windows is interpreting the % as a variable delimiter). Workaround: runascs.exe, which wraps your tool launch with creds inline. Worked like a champ \u2014 notes over on the 7MinSec.wiki. Standard first pass: PingCastle for the AD overview, then Snaffler for share crawling, with Chimas as a nicer web UI for searching the Snaffler JSON. The \u201cSnaffler missed something\u201d moment: Snaffler is great but it primarily uses pattern matching, so manual review of interesting directories still matters. I found a PowerShell script with a funky obfuscation routine, fed it to Claude for context, tracked down the function definition, and ended up decrypting a local admin password. Going loud: SMB-sprayed that cred across the subnets \u2192 handful of machines popped \u2192 ran a deeper, targeted Snaffler against just those boxes \u2192 enumerated sessions and spotted a domain admin interactively logged in. Plan A fizzled: Wanted to pull off a favorite trick \u2014 sneak in via WinRM and queue a scheduled task as the logged-in DA (no password needed). WinRM was disabled. Oh fart.
Plan B \u2014 the \u201ctrap\u201d file: Dropped a malicious .library-ms file directly into the DA\u2019s desktop folder. No clicks required \u2014 just the desktop being open is enough to trigger an HTTP coercion to my evil box. (Caveat: I think you need a DNS record or computer object that the victim box trusts as \u201cintranet zone.\u201d) The escalation: Had ntlmrelayx standing by, ready to relay to LDAP on a DC. The coerced auth fired the moment the \u201ctrap\u201d file landed on disk. An interactive LDAP shell fired in the DA\u2019s context, and I used it to add my low-priv account to the Domain Admins group. Defense angles: Rather than chase each technique individually (LDAP signing, web client GPOs, library-ms neutralization, etc.), I like to back up to the systemic fixes that break the chain earlier. Big ones here: deploy LAPS so a single decrypted local admin password isn\u2019t a master key everywhere, and a thorough sweep for sensitive data and custom obfuscation routines hanging out on shares. Got thoughts on any of this? Shoot \u2019em over \u2014 I always love hearing how you\u2019d have tackled things differently.","author_name":"7 Minute Security","author_url":"https:\/\/7MinSec.com","html":"<iframe title=\"Libsyn Player\" style=\"border: none\" src=\"\/\/html5-player.libsyn.com\/embed\/episode\/id\/41117365\/height\/90\/theme\/custom\/thumbnail\/yes\/direction\/forward\/render-playlist\/no\/custom-color\/88AA3C\/\" height=\"90\" width=\"600\" scrolling=\"no\"  allowfullscreen webkitallowfullscreen mozallowfullscreen oallowfullscreen msallowfullscreen><\/iframe>","thumbnail_url":"https:\/\/assets.libsyn.com\/secure\/item\/41117365"}