7 Minute Security

By: Brian Johnson
About this content

7 Minute Security is a weekly information security podcast focusing on penetration testing, blue teaming and building a career in security. The podcast also features in-depth interviews with industry leaders who share their insights, tools, tips and tricks for being a successful security engineer.
Episodes
  • 7MS #695: Tales of Pentest Pwnage - Part 78
    2025/10/03

    Today’s tale of pentest pwnage involves:

    • Using mssqlkaren to dump sensitive goodies out of SCCM
    • Using a specific fork of bloodhound to find machines I could force password resets on (warning: don’t do this in prod…read this!)

    Don’t forget to check out our weekly Tuesday TOOLSday – live every Tuesday at 10 a.m. over at 7MinSec.club!

    16 min
  • 7MS #694: Tales of Pentest Pwnage – Part 77
    2025/09/26

    Hey friends, today I talk about how fun it was to combine two cool pentest tactics, put them in a blender, and move from local admin to mid-tier system admin access (with full control over hundreds of systems)! The Tuesday TOOLSday video we did over at 7minsec.club will help bring this to life as well.

    33 min
  • 7MS #693: Pwning Ninja Hacker Academy – Part 3
    2025/09/19

    This week your pal and mine Joe “The Machine” Skeen kept picking away at pwning Ninja Hacker Academy. To review where we’ve been in parts 1 and 2:

    • We found a SQL injection on a box called SQL, got a privileged Sliver beacon on it, and dumped mimikatz info
    • From that dump, we used the SQL box hash to do a BloodHound run, which revealed that we had excessive permissions over the Computers OU
    • We used dacledit.py to give ourselves too much permission on the Computers OU

    Today we:

    • Did an RBCD attack against the WEB box
    • Requested a service ticket to give us local admin superpowers on WEB
    • Performed a secretsdump against WEB
    • Struggled to do a mimikatz dump at the end of the episode (after we ended the stream I realized I could’ve just done the mimikatz dump because I had local admin access! Oh well, we’ll pick things up again during part 4 next month!)
    29 min