- Published on
SMB enumeration reveals ansible configuration files for a running webserver that is hosting an LDAPS Server. In those files, contains an ansible vault that has a crackable password revealing credentials to the LDAP Server and executing a Pass-Back Attack revealing more sensitive credentials that are used for initial foothold. Later enumerating ADCS reveals ESC1 for Computer Accounts group which led to creating a computer account and spawning an LDAP-shell and adding the low-privileged user to the Administrators group gaining DA access