Mssql

Guest Logon enumeration leads to early access to an SQL Server which allows for performing an NTLM Relay attack that captures a crackable hash. Using the valid credentials to find other credentials of another user in a backup log file. Elevating to Domain Admin by enumerating vulnerable certificate templates that reveal the current template is vulnerable to ESC1

Initial Enumeration reveals an Excel file which discloses sensitive credentials that allow us to gain a foothold, then performing lateral movement to identify more credentials and gaining user access. Then, leveraging ACL misconfigurations to enumerate vulnerable cerificates which leads to ESC4. Thus, gaining DA