In the previous post (Goad pwning part8) we tried some privilege escalation techniques. Today we will talk about lateral move. Lateral move append when you already pwned a computer and you move fro...

TL;DR; Infos On a recent pentest we faced an interesting scope with full up to date products and without any credentials. After spend some time on bruteforce dns, folders, all the login form ...

In the previous post (Goad pwning part7) we tried some attacks with MSSQL on the domain. This time we will get a web shell on IIS and try some privilege escalation techniques. IIS - webshell T...

In the previous post (Goad pwning part6) we tried some attacks with ADCS activated on the domain. Now let’s take a step back, and go back on the castelblack.north.sevenkingdoms.local to take a look...

In the previous post (Goad pwning part5) we tried some attacks with a user account on the domain. On this part we will try attacks when an ADCS is setup in the domain. First we will use petitpotam ...

In the previous post (Goad pwning part4) we played with relay ntlm. During this article we will continue to discover what can be done using a valid domain account Here we will only try samAccoun...

In the previous post (Goad pwning part3) we start to dig on what to do when you got a user account. Before start exploiting the VMs with a user account, we will just step back to the state (without...

We found some users on Goad pwning part2, now let see what we can do with those creds. User listing When you get an account on an active directory, the first thing to do is always getting th...

We have done some basic reconnaissance on Goad pwning part1, now we will try to enumerate users and start to hunt credentials. Enumerate DC’s anonymously With CME cme smb 192.168.56.11 --users...

The lab is now up and running Goad introduction, let’s do some recon on it. Enumerate Network We will starting the reconnaissance of the Game Of Active Directory environment by searching all the ...