Posts

During a recent penetration test I did against a critical infrastructure operator, I had achieved Domain Administrator through two independent routes; ADCS ESC4, and by combining an LMCompatibility value of 2 with LDAP signing disabled. With that out of the way, I had time to shift focus away from the AD and identity side of the organization and focus my attention to their edge devices, of which there were many. ...

Quick Intro As an electrical engineer with a passion for electronics, I have recently been reverse engineering and researching commonly deployed edge and IoT devices found in critical use environments. This research focuses on the Mozart FM Transmitter (web management interface version WEBMOZZI-00287), manufactured by DB Broadcast. I have discovered about 14 CVEs and likely more exist in the software as it is rather poorly made and its very concerning that the vendor supplies technology to major organizations like the United Nations, The BBC, CNBC and others. ...

While the core concepts aren’t new, I believe the use of ADCS for domain computer takeover through Virtual Account abuse is previously undocumented/unexplored route to achieving your goals. I would like to start off by giving credit to my coworker, Michael(https://www.linkedin.com/in/michael-mcin/) for exploring today’s abuse paths but also for setting up a home environment to develop PoC for the blog. Michael and I were both on a somewhat big internal penetration test (an assumed breach scenario) together and he had managed to get his hands on the credentials to the SA (System Administrator) account on one of the client’s MSSQL databases. Immediately the first thing checked for was the ability to execute commands and lo and behold, we could : ). ...

We all know the classic RID 500 administrator account, the one who’s able to use NTLM authentication even with “Protected user” membership and is your go to during delegation attacks but there’s a kink in this lateral movement free for all; The Domain Controller doesn’t actually work the that way. The Domain Controller functions differently to other computers in that the default local Administrator that exists on other systems by default is not enabled. The default local Administrator on the Domain Controller in fact plays a specific role that it doesn’t on other systems; Its used exclusively for disaster recover. ...