7 writeups tagged with ADCS
Active Directory with ADCS misconfiguration. ESC1 certificate template abuse allows requesting a certificate as Domain Admin for full compromise.
MSSQL with xp_cmdshell for initial RCE. Active Directory certificate abuse (ADCS) to impersonate Domain Admin.
CVE-2025-24071 abuses .searchConnector-ms files to capture NTLMv2 hashes. Relay attack and ADCS ESC4 escalate to Domain Admin.
SQLi on login page; LFI reveals PHP source. MSSQL xp_cmdshell for shell. Firefox DPAPI credential decryption leads to Domain Admin via ADCS.
MSSQL with xp_cmdshell after credential spraying. ADCS ESC4 template modification for certificate impersonation to gain Domain Admin.
Shadow Credentials attack via WriteProperty on user object. ADCS ESC9 certificate template abuse to impersonate a privileged account.
MSSQL Silver Ticket attack via SPN enumeration. Responder captures NTLMv2 hash from SQL query; certificate auth for Domain Admin.