7MS #693: Pwning Ninja Hacker Academy – Part 3
19 September 2025

7MS #693: Pwning Ninja Hacker Academy – Part 3

7 Minute Security

About

This week your pal and mine Joe “The Machine” Skeen kept picking away at pwning Ninja Hacker Academy.  To review where we’ve been in parts 1 and 2:

    We found a SQL injection on a box called SQL, got a privileged Sliver beacon on it, and dumped mimikatz info From that dump, we used the SQL box hash to do a BloodHound run, which revealed that we had excessive permissions over the Computers OU We useddacledit.py to give ourselves too much permission on the Computers OU

Today we:

    Did an RBCD attack against the WEB box Requested a service ticket to give us local admin superpowers on WEB Performed a secretsdump against WEB Struggled to do a mimikatz dump at the end of the episode (after we ended the stream I realized I could’ve just done the mimikatz dump because I had local admin access!  Oh well, we’ll pick things up again during part 4 next month!)