Root ♊
653 Followers

Aug 24

Azure AD Security Defaults/MFA Bypass with Graph API

If you are an Azure AD free customer you should at least know of the setting called security defaults. Security defaults are for Azure AD Free customers that are not on a P1 or P2 licensing model. …

4 min read


Jul 16

Hacking Active Directory with Sliver C2

This box (Access) is well known (or at least should be) in OffSec Proving Grounds. I decided to revisit this Active Directory box as a refresher for the OSCP exam as it contains multiple lateral movement paths. What I am disclosing isn’t new. If you would like to see a full…

11 min read


Jul 12

Microsoft Entra Resources

This is really just a placeholder for me and future research, but in the meantime enjoy. Just a quick run down of Microsoft resources from all the announcements today:

Microsoft Entra expands into Security Service Edge and Azure AD becomes Microsoft Entra ID |… Microsoft Entra is unifying identity and network access with a new Security Service Edge solution and more identity… (www.microsoft.com)

Azure AD is Becoming Microsoft Entra ID: Today we announced significant milestones for identity and network access, including the news that Microsoft Azure… (techcommunity.microsoft.com)

1 min read


May 10

Updated: Bypassing Microsoft Token Protection

So very recently I wanted to look at token protection mechanisms that Microsoft recently put into preview. You can find documentation on how to build conditional access policies below:

Token protection in Azure AD Conditional Access - Microsoft Entra: Token protection (sometimes referred to as token binding in the industry) attempts to reduce attacks using token theft… (learn.microsoft.com)

So a few things to take note of and expected limitations at the time of this writing.

5 min read


Feb 23

Offensive/Defensive Measures for Azure IPv6 support

Microsoft recently announced it would be officially supporting IPv6 for Azure AD services starting at the end of March 2023. Once this announcement was made, it got me thinking about the implications, both from a penetration testing/red team perspective and the effect it will have with ongoing blue…

6 min read


Jan 1

Abusing SeBackupPrivilege

Want to natively abuse SeBackupPrivilege to a domain controller and backup ntds.dit and extract hashes offline? (using kali) Here are my notes: Modify the contents of /etc/samba/smb.conf to the following: [Global] interfaces = tun0 (modify to vpn adapter only if needed) [smb] comment = Samba path = /tmp/ guest ok = yes read only…

2 min read


Oct 14, 2022

HTB: Scrambled Walkthrough

I really enjoyed working on this Active Directory box, as hacking an AD environment with NTLM authentication turned off gives a unique perspective of learning how to troubleshoot native default tools on Kali Linux. It also gets you more comfortable with Impacket usage and how to query LDAP with certificates…

9 min read


Sep 24, 2022

Tryhackme:Vulnnet Walkthrough

TryHackMe | VulnNet: Endgame: Hack your way into this simulated vulnerable infrastructure. No puzzles. Enumeration is the key. (tryhackme.com)

This is a small hacking adventure into Vulnnet. I may have gotten more than I bargained for when I chose to hack this box because there were parts of this box I got stuck on and had to take a small hint to carry on. I’ll explain during the walk…

12 min read


Sep 4, 2022

HTB:Timelapse (OSCP Style)

This is a recently retired box that is running Active Directory services and is an excellent study box for the OSCP. So let’s get started. Initial Enumeration: After looking over the initial enumeration this appears to be an active directory box. The common name is discovered on port 5986 as…

6 min read


Aug 22, 2022

Becoming an Azure Cloud ethical hacker (2022 edition)

It’s my second week back in my home office after being out at Black Hat in Las Vegas all week, and I was approached by a handful of people asking how one breaks into cloud penetration testing. The short answer is it is not as straightforward as it should…

8 min read

It's 2016 and all I found was Toilets running Telnet...using shodan
