Sendai Vulnlab – ESC4 & ReadGMSAPassword for AD Domination
In this Active Directory exploitation write-up, Maverick works through the Sendai machine, showing weaknesses in Active Directory Certificate Services, password management, and SMB share permissions. Using password spraying, group-membership changes, and certificate-template abuse, the write-up lays out a path from unauthenticated access to Domain Admin, emphasizing thorough enumeration and awareness of common AD misconfigurations.

Affected: Active Directory, Certificate Services, SMB

Key points:

  • Maverick targets the Sendai machine, focusing on AD vulnerabilities.
  • Active Directory Certificate Services are highlighted as a source of exploitation.
  • Weak passwords are discovered alongside the potential for immediate exploitation.
  • SMB shares enumeration reveals opportunities for access.
  • Password spraying is employed as a primary attack method.
  • Privilege escalation is achieved using BloodHound analysis and modifications to group memberships.
  • Exploitation of ADCS misconfigurations reveals further attack vectors.
  • Full Domain Admin access is achieved by leveraging the ESC4 vulnerability.
  • Final demonstration of effective exploitation methods concludes the write-up.

MITRE Techniques:

  • Credential Dumping (T1003) – Extracting credentials through enumeration of user accounts, including those with weak or misconfigured passwords.
  • Exploitation for Client Execution (T1203) – Using vulnerabilities in certificate services to execute unauthorized commands.
  • Account Manipulation (T1098) – Modifying group memberships to escalate privileges and gain unauthorized access.
  • Process Injection (T1055) – Potential exploitation through injection of malicious payloads during SMB interactions.
  • Application Layer Protocol (T1071) – Using the LDAP and SMB protocols to communicate with and manipulate servers for unauthorized access.

Indicators of Compromise:

  • [IP Address] 10.10.106.182
  • [Domain] sendai.vl
  • [SMB Share] //dc.sendai.vl/sendai
  • [User] thomas.powell
  • [GMSA Account] mgtsvc$


Full Story: https://infosecwriteups.com/sendai-vulnlab-esc4-readgmsapassword-for-ad-domination-8b2638bf8268?source=rss—-7b722bfd1b8d—4