Share this page!

sn🥶vvcr💥sh Profile picture
Twitter logo
Jul 1 5 tweets 3 min read
[#HackStory 🧵] (1/4) Here’s a generic case of reaching a locked-down PC from a firewalled segment in AD. The background is: 172.16.66.6 (the target) can talk to 192.168.1.11 (a PWNed server) but not vice versa and to no one else in the foreseeable network 👀

#ad #pentest
(2/4) Being a DA an adversary can create an evil GPO that will coerce Immediate Scheduled Task execution on the target. The task downloads and executes a PS cradle pointing to the PWNed server. Sure, there’re fancy (py|Sharp)GPOAbuse, etc… But when it’s a pentest, who cares 😒
(3/4) Meanwhile, some v4tov4 port proxies are configured on the pivot point by the adversary via netsh 😈
(4/4) After 90 to 120 minutes the GPO gets applied and the adversary receives a reverse shell / C2 agent on his box with a further ability to spawn a reverse SOCKS proxy 🎉
(5/4) Not the last to be mentioned that GPOs are not the only way to coerce job execution on a group of targets. There’re also some lovely control centers that some commercial AV/EDR developers gently provide pentesters with 🤫

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with sn🥶vvcr💥sh

sn🥶vvcr💥sh Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @snovvcrash

sn🥶vvcr💥sh Profile picture
Oct 29, 2021
Yo, ho, was doing a bit of pentesting today. Inspired by @ippsec I shall give you my short story of 3 different paths to DA in 5 hours of work (hot pics are inside). Enjoy!
Path 1. DHCPv6 poisoning for initial access (thx to @_dirkjan)➡️authenticated PetitPotam to grab NTLMv1-SSP (thx to @topotam77)➡️ntlmv1-multi (thx to @Evil_Mog) + crack.sh to crack the response and get NT hash of DC➡️DCSync (thx to @SecureAuth) ImageImageImageImage
(1/2) Path 2. Scan the network to discover an MS17-010 unpatched system ➡️ Use AutoBlue-MS17-010 to perform the exploitation with an x86 shellcode ➡️ Dump LSASS via comsvcs.dll LOLBAS technique ➡️ Exfiltrate the dump with PowerShell ➡️ Parse it to get credz of a privileged user ImageImageImageImage
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(