Priv Escalation

Our current user is part of the Azure Admins group which means that we have rights over ADSync, which means that we can dump credentials using an exe and a dll.

Azure AD Connect Database Exploit (Priv Esc)VbScrub

GitHub - VbScrub/AdSyncDecryptGitHub

After uploading the exploit to the temp directory and navigating to the desired path nad executing it I was able to get the credentials for the administrator user.

C:\Program Files\Microsoft Azure AD Sync\Bin> C:\wINDOWS\Temp\AdDecrypt.exe -FullSQL