7MS #716: Tales of Pentest Pwnage – Part 83

In this episode of the 7-Minute Security Podcast, Brian Johnson shares his favorite penetration test pwnage tale of 2026—a high-stakes, multi-year engagement against a security-conscious organization that had significantly hardened its environment over time. After years of testing, the client had eliminated low-hanging fruit, enforced strict access controls, and implemented robust EDR and network ACLs, making traditional attack vectors ineffective. Brian recounts his journey through failed attempts to exploit Kerberos hashes, bypass WinRM and RDP restrictions, and extract registry hives despite aggressive EDR detection. The breakthrough came through a clever workaround: using shadow copies of registry hives and copying them to another machine’s C$ share to bypass EDR detection, allowing him to extract cached credentials. The real crown jewel was exploiting an ESC1 vulnerability in an Active Directory Certificate Services (ADCS) template, but only accessible from a domain computer context—requiring a custom Kerberos-based certificate request using gettgt.py and CertiPy. This ultimately led to a domain admin compromise, triggering a celebratory moment at 1 a.m. Brian also reflects on the limitations of HTTP authentication coercion due to disabled LLMNR and blocked DNS modifications, offering a nuanced lesson in real-world attack constraints. The episode concludes with a reminder to check out updated resources on 7minsec.wiki, including the snaffler syntax, CertiPy guide, and the new domain name switch from bpatty.rocks to 7minsec.wiki.