Lee Hanken 7c8efd2228 Initial commit: HPR Knowledge Base MCP Server
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00

Episode: 3405
Title: HPR3405: Hacking Stories with Reacted: part 2
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3405/hpr3405.mp3
Transcribed: 2025-10-24 22:47:21
---
This is Hacker Public Radio Episode 3405 for Friday, the 20th of August 2021.
Today's show is entitled Hacking Stories with Reacted: Part 2.
It is hosted by Operator and is about three minutes long and carries a clean flag.
The summary is, I talk about some old, old, old, pen-testing stories from days old.
This episode of HPR is brought to you by AnHonestHost.com.
Get 15% discount on all shared hosting with the offer code HPR15.
That's HPR15.
Better web hosting that's honest and fair at AnHonestHost.com.
I wanted to add a quick note here as an interjection.
When I was doing the escalation, I actually got access to administrative credentials.
I had access to about 300 systems, but none of those systems would allow me to get administrator access or a domain admin.
They weren't running any processes, they had no domain admin logins, they had no escalated users or any other users that had escalated privileges in any other area than whatever area they already had.
Traditionally what happens is you log into one box, you spray those credentials across, you have access to hundreds of boxes, and one of those boxes has a process that's running as some kind of escalated user, right?
Well, I wanted to interject. The way I got domain admin is that I had access to 200 systems with valid credentials, and when you're logging in with valid credentials, you're logging in easy, via legitimate services like WMI remotely, which should never really be enabled by default.
Unless you're doing WMI stuff, but I was using WMI when PowerShell started to get popular, so I had WMI scripts that would log into those 200 boxes, look for unique users outside of the user that was already running, and dump the processes and the computer name of those computers.
So I was simply sitting there for like a day, or a day and a half, I think for about a day, most of the day I was watching these 200 systems to see at what point a different user logged in, and I got lucky out of the 200 or 300 systems I was watching in this loop that I was running.
At one point in time, they ran some kind of backend process that ran as a domain administrator. It was like a single backup script or some kind of backup script or something, and I was actually able to, within the time permitted, log into that system, figure out that that user was a domain administrator, and then hijack that process and spawn my little command prompt and add myself as a user using that standard interpreter stuff.
But I wanted to interject into the end of this thing and give some background into how I got that lateral movement to domain admin, because sometimes you have domain admin, or sometimes you have local administrator, but you can't go from local administrator to domain admin because of some other issue, some other control inadvertently or on purpose.
You've been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself.
If you ever thought of recording a podcast, then click on our Contributing link to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and is part of the binary revolution at binrev.com.
If you have comments on today's show, please email the host directly, leave a comment on the website, or record a follow-up episode yourself.
Unless otherwise stated, today's show is released under a Creative Commons Attribution-ShareAlike 3.0 license.
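The polling loop the host describes (log into each reachable box over WMI with the credential already in hand, list the running processes with their owners, flag anything owned by an account other than the ones you already have, and record which computer it was on) is shown below as an added PowerShell example. This is not the host's script and is not taken from the episode; the hosts file, the credential variable, the list of accounts to ignore, the five-minute sweep interval and the CSV log path are all assumptions for illustration. Get-WmiObject is used because WMI is the mechanism the host names; the process owner comes from the Win32_Process GetOwner() method, which is also what a defender would query to find the same thing.

```powershell
# Added example, not the host's script. Repeatedly sweep a set of hosts over WMI and
# flag every process whose owner is an account we do not already control.
# Assumptions: .\hosts.txt holds one hostname per line, $Cred is the low-privilege
# domain credential already obtained, $Known lists accounts that are not interesting.

$Targets  = Get-Content -Path .\hosts.txt                 # assumed input file
$Cred     = Get-Credential -Message "Credential already in hand"
$Known    = @(                                            # accounts to ignore (assumed)
    "CORP\svc_low",                                       # the account we are running as
    "NT AUTHORITY\SYSTEM",
    "NT AUTHORITY\LOCAL SERVICE",
    "NT AUTHORITY\NETWORK SERVICE"
)
$Interval = 300                                           # seconds between sweeps
$LogPath  = ".\process-owners.csv"                        # where findings are appended

function Get-ForeignProcesses {
    # Returns one record per process on $Target whose owner is not in $Known.
    param([string]$Target)

    try {
        # Remote WMI query; fails fast on hosts that are down or refuse the credential.
        $procs = Get-WmiObject -Class Win32_Process -ComputerName $Target `
                               -Credential $Cred -ErrorAction Stop
    } catch {
        Write-Warning ("{0}: {1}" -f $Target, $_.Exception.Message)
        return
    }

    foreach ($p in $procs) {
        $o = $p.GetOwner()
        # ReturnValue is non-zero when the process has no accessible token
        # (System Idle Process, protected processes); skip those.
        if ($o.ReturnValue -ne 0) { continue }

        $owner = "{0}\{1}" -f $o.Domain, $o.User
        if ($Known -notcontains $owner) {
            [pscustomobject]@{
                Time        = (Get-Date).ToString("o")
                Computer    = $p.CSName                    # name of the box, as Win32_Process reports it
                Owner       = $owner
                ProcessId   = $p.ProcessId
                Name        = $p.Name
                CommandLine = $p.CommandLine
            }
        }
    }
}

# Main loop: one sweep over every target, then sleep. Each sweep is independent, so a
# host that was unreachable once is simply retried next time round.
while ($true) {
    foreach ($Target in $Targets) {
        $hits = Get-ForeignProcesses -Target $Target
        foreach ($h in $hits) {
            Write-Host ("{0}: {1} is running {2} (PID {3})" -f $h.Computer, $h.Owner, $h.Name, $h.ProcessId)
        }
        if ($hits) {
            # Export-Csv -Append requires PowerShell 3.0 or later.
            $hits | Export-Csv -Path $LogPath -Append -NoTypeInformation
        }
    }
    Start-Sleep -Seconds $Interval
}
```

The loop only reports the owner; whether a flagged account is actually a domain administrator has to be checked separately (for example against the Domain Admins membership), which is the "figure out that that user was a domain administrator" step in the story. The same query is worth running from the defensive side: a backup job or scheduled task that shows up on an ordinary member server owned by a Domain Admins member is exactly the exposure the episode describes, and it is visible to anyone holding a credential that can reach WMI on that host.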