Monteverde

Priv Escalation


Last updated 2 years ago

Our current user is a member of the Azure Admins group, which gives us rights over ADSync. That means we can dump credentials using an exe and a dll.

After uploading the exploit to the temp directory, navigating to the desired path, and executing it, I was able to get the credentials for the administrator user.

C:\Program Files\Microsoft Azure AD Sync\Bin> C:\wINDOWS\Temp\AdDecrypt.exe -FullSQL
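
A defender-side check for the pattern in the command above, as an added example that is not part of the original write-up: it flags process-creation events whose working directory is the Azure AD Sync Bin folder while the binary itself lives elsewhere. Field names follow Sysmon Event ID 1; the sample events, account names and the writable-path list are constructed assumptions.

```python
from ntpath import normcase, normpath

# Directory taken from the prompt shown on this page.
SYNC_BIN = r"C:\Program Files\Microsoft Azure AD Sync\Bin"
# Assumption: locations treated as user-writable staging areas.
WRITABLE_HINTS = (r"C:\Windows\Temp", r"C:\Users", r"C:\ProgramData")


def _norm(path):
    """Case-fold and normalise a Windows path so comparisons ignore case and trailing slashes."""
    return normcase(normpath(path.strip('"')))


def _inside(path, parent):
    """True if path equals parent or sits below it."""
    p, d = _norm(path), _norm(parent)
    return p == d or p.startswith(d + "\\")


def suspicious(event):
    """Return a reason string if the process-creation event matches, else None."""
    image, cwd = event["Image"], event["CurrentDirectory"]
    # Only events run from inside the sync folder by a binary that is not part of it.
    if not _inside(cwd, SYNC_BIN) or _inside(image, SYNC_BIN):
        return None
    if any(_inside(image, w) for w in WRITABLE_HINTS):
        return "binary from writable path run inside AD Sync Bin"
    return "foreign binary run inside AD Sync Bin"


def triage(events):
    """Return (user, image, reason) for every matching event."""
    return [(e["User"], e["Image"], r) for e in events if (r := suspicious(e))]


# Constructed sample events (not taken from the page).
SAMPLE = [
    {"User": "CORP\\svc_sync",
     "Image": r"C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe",
     "CurrentDirectory": "C:\\Program Files\\Microsoft Azure AD Sync\\Bin\\"},
    {"User": "CORP\\user1", "Image": r"C:\wINDOWS\Temp\tool.exe",
     "CurrentDirectory": "C:\\Program Files\\Microsoft Azure AD Sync\\Bin\\"},
    {"User": "CORP\\user1", "Image": r"C:\Windows\System32\cmd.exe",
     "CurrentDirectory": "C:\\Users\\user1\\"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

Path comparison is case-insensitive on purpose: the prompt on this page shows `C:\wINDOWS\Temp`, which a case-sensitive rule would miss.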

Azure AD Connect Database Exploit (Priv Esc) - VbScrub
GitHub - VbScrub/AdSyncDecrypt