Hola friends! Today’s tale of pentest pwnage talks about abusing Exchange and the Azure ADSync account! Links to the discussed things:

• adconnectdump – for all your ADSync account dumping needs!
• Adam Chester PowerShell script to dump MSOL service account
• dacledit.py (part of Impacket) to give myself full write privileges on the MSOL sync account: dacledit.py -action ‘write’ -rights ‘FullControl’ -principal lowpriv -target MSOL-SYNC-ACCOUNT -dc-ip 1.2.3.4 domain.com/EXCHANGEBOX$ -k -no-pass
• Looking to tighten up your Exchange permissions – check out this crazy detailed post

Hey friends, our good buddy Joe “The Machine” Skeen and I are back this week with part 2 (check out part 1!) tackling GOAD SCCM again! Spoiler alert: this time we get DA! YAY!

Definitely check out these handy SCCM resources to help you – whether it be in the lab or IRL (in real life):

• GOAD SCCM walkthrough
• MisconfigurationManager – tremendous resource for enumerating/attacking/privesc-ing within SCCM
• This gist from Adam Chester will help you decrypt SCCM creds stored in SQL

Today we have a smattering of miscellaneous pentest tips to help you pwn all the stuff!

• Selective Snaffling with Snaffler
• The importance of having plenty of dropbox disk space – for redundant remote connectivity and PXE abuse!
• TGTs can be fun for SMB riffling, targeted Snaffling, netexec-ing and Evil-WinRMing!