21 writeups tagged with AD
Splunk misconfiguration leaks credentials. Active Directory enumeration reveals a privilege escalation path through ACL abuse to Domain Admin.
Active Directory with ADCS misconfiguration. ESC1 certificate template abuse allows requesting a certificate as Domain Admin for full compromise.
MSSQL with xp_cmdshell for initial RCE. Active Directory certificate abuse (ADCS) to impersonate Domain Admin.
MSSQL enumeration with credential discovery, followed by Active Directory privilege escalation through ACL misconfigurations.
Active Directory environment with Shadow Credentials and Resource-Based Constrained Delegation abuse to achieve full domain compromise.
AD enumeration with BloodHound reveals a password reset path. HR share credential reuse and GenericWrite abuse to reach Domain Admin.
Active Directory machine exploiting misconfigured LAPS and ACL abuse chain to escalate from low-privileged user to Domain Admin.
SQLi on login page, LFI reveals PHP source. MSSQL xp_cmdshell for shell. Firefox DPAPI credential decryption leads to Domain Admin via ADCS.
ASREPRoasting yields crackable hash. ForceChangePassword on account via BloodHound. Volatility lsass dump reveals backup operator for DCSync.
Custom .NET info collector binary contains obfuscated LDAP password. GenericAll on DC via Resource-Based Constrained Delegation for Domain Admin.
Network printer admin panel LDAP credential exfiltration via attacker-controlled server. Server Operators group membership for domain privilege escalation.
SMB share contains ZIP with password-protected PFX certificate. Cracked PFX used for WinRM. LAPS password read via LDAP for Administrator.
LFI via lang parameter captures NTLM hash with Responder. Password spray, IIS WebDAV shell upload, RunasCs for lateral movement to Domain Admin.
ASREPRoasting on user names enumerated from the bank website. DCSync attack via GenericAll rights for Domain Admin hash dump.
Azure AD Connect with user enumeration via RPC. Password spraying finds default creds. Azure AD Sync password extraction for Domain Admin.
MSSQL with xp_cmdshell after credential spraying. ADCS ESC4 template modification for certificate impersonation to gain Domain Admin.
SMB guest access reveals default password in HR note. User enumeration + password spray, SeBackupPrivilege abuse for NTDS.dit extraction.
Shadow Credentials attack via WriteProperty on user object. ADCS ESC9 certificate template abuse to impersonate a privileged account.
FTP credentials from initial account. Targeted Kerberoasting via BloodHound paths, GenericWrite abuse, DCSync for Domain Admin hash.
MSSQL Silver Ticket attack via SPN enumeration. Responder captures NTLMv2 hash from SQL query, certificate auth for Domain Admin.
SMB anonymous access to SYSVOL leaks GPP-encrypted password. Kerberoasting the Administrator SPN cracks the hash for full domain access.
