7MS #396: Tales of Internal Pentest Pwnage - Part 13
This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.
In last week's episode I was very close to potentially syncing up some very sensitive data with my super secret back door account. In this episode, we resolve the cliffhanger and talk about:
- How I don't remember lyrics or titles to songs - even the ones I love - such as My Prerogative. That's why Jack Black is my spirit animal, and he's awesome for singing Elton John songs right to Elton John
- If you get DA (relatively) quickly, consider pivoting to a network assessment: dump the domain hashes with secretsdump and crack them, test egress filtering, run Network Detective and more
- Once you've cracked all the hashes you can, run them through hashcombiner and Pipal like this:
# user_hash holds user:hash lines (e.g. from secretsdump); hash_password holds hash:password lines (e.g. your hashcat potfile)
python /opt/hashcombiner/hash_combiner.py user_hash hash_password | sort > combined.txt
# keep everything after the first colon so passwords that contain ':' aren't truncated
cut -d ':' -f 2- combined.txt > passwords.txt
ruby /opt/pipal/pipal.rb passwords.txt > pip.txt
- The procdump + lsass trick is still really effective (though sometimes AV gobbles it)
- Wanna see if a user has a specific Chrome extension installed? Check this article and then use CrackMapExec with
-x "dir c:\x\y\z"
(quote the command, and swap the placeholder path for the extension's folder under the target user's Chrome profile) to verify its existence!
- I jacked up my ankle and suffered an avulsion fracture. It's good times.
There are a bunch of people I need to thank because their tools/encouragement/advice played a part in making the test successful:
- Cyber Mentor
- hausec
- Josh T
- Dirk-jan Mollema
- Cyberfreaq who helped me resolve a key issue with mitm6
- Dominic from Slack
- Gh0sthax from Slack
- Nate from Slack