Latest

Early Situational Awareness allows us to move laterally between different users with common DACLs misconfigurations and using the compromised users credentials to discover a Password Database file that is crackable in the FTP port that leads to user access. For root access, more common DACLs were found that lead us to perform DCSync on the domain. Thus, gaining DA

Guest logon enumeration was allowed that lead to a zip and pfx file that was crackable by John, giving user access and then discovering Powershell history commands that lead to mapping DACLs hinting at LAPS being enabled. This also lead to reading the DA password in plaintext

Guest logon enumeration was used to discover an LDAP querying application that was reverse-engineered to find encrypted credentials that allowed for more enumeration that leads to LDAP eunumeration to discover more credentials for user access. Bloodhound shows an attack vector having access with an ACE of GenericAll over a computer account that leads to Resource-Based Constrained Delegation that grants SYSTEM access

Initial Enumeration reveals an Excel file which discloses sensitive credentials that allow us to gain a foothold, then performing lateral movement to identify more credentials and gaining user access. Then, leveraging ACL misconfigurations to enumerate vulnerable cerificates which leads to ESC4. Thus, gaining DA

Early recon reveals a web-based LDAP Server that allows for exfiltrating sensitive credentials and gaining user access, escalating privileges by identifying the user is a member of the Server Operators group