Posts

Exploring A01: Broken Access Control – Insecure Direct Object References (IDOR) Vulnerability

Insecure Direct Object References (IDOR) is a common access control vulnerability: the application takes an identifier supplied by the client (a file name, a database key, an account number) and uses it to reach the underlying object without checking that the requester is authorised for that particular object. Unauthorised users can then read, modify or delete other users' data, often with severe consequences for the system and its users. IDOR vulnerabilities typically arise when developers implement insufficient or improper access controls on resources referenced by URL parameters, form fields or other user-controlled inputs. Attackers exploit them by manipulating those inputs, for example by incrementing an ID, to reach resources they should not be able to access.

LAB Walkthrough
Objective: Find the secret PDF and take note of the secret PDF ID!

Exploitation
Step 1 — Create a PDF (Initial interaction)
I created a PDF with the message "secret" via the app's upload form. I tried to create a PDF w...
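To make the access control point concrete, here is an added example (not the lab application's code) of the lookup pattern behind an IDOR beside two hardened forms: authorising the object itself, and handing the client a per-user indirect reference instead of the raw ID. The in-memory store, the user names "alice" and "bob", and the document IDs are constructed for illustration.

```python
"""IDOR: object lookup keyed only on a client-supplied ID, beside two fixes.
Added example; the store, users and document IDs are constructed."""
import secrets
from dataclasses import dataclass, field


class NotFound(Exception):
    """Raised both for 'no such object' and 'not yours', so the response does
    not tell an attacker whether a guessed ID exists."""


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed in-memory store standing in for the app's database.
DOCS = {
    1: Document(1, "alice", "alice's notes"),
    2: Document(2, "bob", "secret"),   # the 'secret PDF' of the lab, owned by bob
}


def fetch_vulnerable(current_user: str, doc_id: int) -> str:
    """IDOR: the caller's identity is never compared with the object's owner,
    so alice can read bob's document by changing the ID in the request."""
    doc = DOCS.get(doc_id)
    if doc is None:
        raise NotFound
    return doc.body


def fetch_checked(current_user: str, doc_id: int) -> str:
    """Fix 1: authorise on the object, server-side, for every request."""
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != current_user:
        raise NotFound          # same error either way: no existence oracle
    return doc.body


@dataclass
class ReferenceMap:
    """Fix 2: per-user indirect references. The client only ever sees an
    unguessable handle minted for this user; the server maps it back to the
    real ID and still re-checks ownership on use."""
    user: str
    _handles: dict = field(default_factory=dict)

    def handle_for(self, doc_id: int) -> str:
        doc = DOCS.get(doc_id)
        if doc is None or doc.owner != self.user:
            raise NotFound
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = doc_id
        return handle

    def fetch(self, handle: str) -> str:
        doc_id = self._handles.get(handle)
        if doc_id is None:
            raise NotFound
        return fetch_checked(self.user, doc_id)


def denied(fn, *args) -> bool:
    """True if the call is refused with NotFound (used to demonstrate the fixes)."""
    try:
        fn(*args)
    except NotFound:
        return True
    return False
```

The second fix does not replace the first: a handle only narrows what a client can name, and the ownership check in fetch_checked is what actually enforces the rule.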

Exploring A01: Broken Access Control – GraphQL Introspection Misconfiguration

While working on A01: Broken Access Control from the OWASP Top 10, I came across an interesting misconfiguration involving GraphQL introspection.

Objective: Using the GraphQL introspection feature, discover the user that has the "isAdmin" privilege.

Background
GraphQL does not provide authentication or authorization on its own; developers must implement access control around every query and field themselves. Introspection (the __schema and __type meta-fields) lets any client ask the server for its complete schema, so when it is left enabled in production and the resolvers do not enforce authorization, an attacker can map every type and field and then query sensitive data directly.

Reconnaissance
Upon visiting the application URL, I found several posts published by two users. This gave me a hint that user data was accessible through GraphQL queries.

Exploitation
To better understand the backend structure, I used the GraphiQL interface to explore the available queries. Accessing the endpoint, I queried the generic __schema using
The application gives us interesting Types. Let's explore the User object on...
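The recon step above is mechanical, so here is an added example (not the lab's application or tooling) that sends the standard introspection query shape and triages the answer: it lists the object types and their fields, flags field names that suggest privilege or secrets, and builds the follow-up query an attacker would send next. The introspection response is a constructed, trimmed sample in the shape a GraphQL server returns; the type and field names in it (Query, User, Post, isAdmin) are assumptions modelled on the lab.

```python
"""GraphQL introspection triage. Added example; the response below is a
constructed sample, not captured from the lab application."""
import json

# The introspection query any GraphQL server answers when introspection is on.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    types {
      name
      kind
      fields { name type { name kind ofType { name kind } } }
    }
  }
}
"""

# Constructed sample response (trimmed) standing in for what GraphiQL shows.
SAMPLE_RESPONSE = json.loads("""
{"data": {"__schema": {
  "queryType": {"name": "Query"},
  "types": [
    {"name": "Query", "kind": "OBJECT", "fields": [
      {"name": "posts", "type": {"name": null, "kind": "LIST",
                                 "ofType": {"name": "Post", "kind": "OBJECT"}}},
      {"name": "users", "type": {"name": null, "kind": "LIST",
                                 "ofType": {"name": "User", "kind": "OBJECT"}}}]},
    {"name": "User", "kind": "OBJECT", "fields": [
      {"name": "id", "type": {"name": "ID", "kind": "SCALAR", "ofType": null}},
      {"name": "username", "type": {"name": "String", "kind": "SCALAR", "ofType": null}},
      {"name": "isAdmin", "type": {"name": "Boolean", "kind": "SCALAR", "ofType": null}}]},
    {"name": "Post", "kind": "OBJECT", "fields": [
      {"name": "title", "type": {"name": "String", "kind": "SCALAR", "ofType": null}},
      {"name": "author", "type": {"name": "User", "kind": "OBJECT", "ofType": null}}]},
    {"name": "String", "kind": "SCALAR", "fields": null}
  ]}}}
""")
SCHEMA = SAMPLE_RESPONSE["data"]["__schema"]

# Field-name fragments worth a second look during recon.
SENSITIVE_HINTS = ("admin", "role", "password", "token", "secret", "ssn")


def type_name(t):
    """Unwrap LIST / NON_NULL wrappers down to the named type."""
    while t and t.get("name") is None:
        t = t.get("ofType")
    return t["name"] if t else "?"


def object_types(schema):
    """Map each user-defined OBJECT type to {field: type name}, skipping the
    built-in __* meta types."""
    out = {}
    for t in schema["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue
        out[t["name"]] = {f["name"]: type_name(f["type"]) for f in t["fields"] or []}
    return out


def sensitive_fields(schema):
    """(type, field) pairs whose names suggest privilege or secrets."""
    hits = []
    for tname, fields in object_types(schema).items():
        for fname in fields:
            if any(h in fname.lower() for h in SENSITIVE_HINTS):
                hits.append((tname, fname))
    return hits


def follow_up_query(schema, target_type, wanted):
    """Find the root Query field that returns target_type and emit the
    selection an attacker would send next, e.g. { users { username isAdmin } }."""
    root = schema["queryType"]["name"]
    root_type = next(t for t in schema["types"] if t["name"] == root)
    for f in root_type["fields"]:
        if type_name(f["type"]) == target_type:
            return "{ %s { %s } }" % (f["name"], " ".join(wanted))
    return None
```

Disabling introspection in production closes the map-making step but is only hardening; the actual fix is authorization in the resolvers, so that users and isAdmin are not readable by an unauthenticated client whether or not the schema is known.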

Kerberoasting Attack - Post-Exploitation Attack

Background — high-level explanation
Kerberoasting is an offline password attack against Active Directory service accounts that have Service Principal Names (SPNs). Any authenticated domain user can request a Kerberos service ticket (TGS) for any SPN. The service portion of that ticket is encrypted with a key derived from the service account's password, so an attacker can collect the encrypted tickets and try to crack them offline, with no further interaction with the domain controller. If a crack succeeds, the attacker recovers the service account's cleartext password and can use it to move laterally or escalate privileges.

Objective
As a domain user, enumerate SPNs, request TGS (service) tickets from the DC, capture the encrypted TGS blobs for the SQL service account, perform offline analysis to assess password strength, and document mitigations.

Lab Environment
I used the same Active Directory lab consisting of one Windows Server machine acting as the Domain Controller and two Windows 10 workstations. A dedicated SQL service account was created in Active Directory and assigne...
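The "capture the encrypted TGS blobs" step usually ends with hashcat-format $krb5tgs$ lines, and which encryption type each one carries decides both how fast it cracks and what the mitigation is. Here is an added example (not the lab's tooling) that parses those lines and triages them per account. The account svc_sql, the realm LAB.LOCAL, the SPN and the hex payloads are constructed; the line layout follows the hashcat formats for etype 23 (mode 13100) and etype 17/18 (modes 19600/19700) as written by Impacket's GetUserSPNs.py -request, which puts a ':' in the SPN out as '~'. Assumed: no '$' inside the account, realm or SPN.

```python
"""Parse and triage hashcat-format $krb5tgs$ lines. Added example; the
sample lines are constructed, not captured from the lab."""
import re
from dataclasses import dataclass

HEX = re.compile(r"[0-9a-fA-F]+")
ETYPE_NAMES = {23: "RC4-HMAC", 17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96"}
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}

# Constructed sample: one RC4 and one AES256 ticket for the same account.
SAMPLE_LINES = [
    # etype 23: '*user$REALM$spn*', then 16-byte checksum, then ciphertext
    "$krb5tgs$23$*svc_sql$LAB.LOCAL$MSSQLSvc/sql01.lab.local~1433*$"
    + "00" * 16 + "$" + "a1b2c3d4" * 8,
    # etype 18: 'user$REALM$*spn*', then 12-byte checksum, then ciphertext
    "$krb5tgs$18$svc_sql$LAB.LOCAL$*MSSQLSvc/sql01.lab.local~1433*$"
    + "11" * 12 + "$" + "e5f60718" * 8,
]


@dataclass
class RoastedTicket:
    etype: int
    user: str
    realm: str
    spn: str
    checksum_hex: str
    edata_hex: str


def parse_krb5tgs(line: str) -> RoastedTicket:
    """Split one $krb5tgs$ line into its fields, validating the layout."""
    parts = line.strip().split("$")
    if len(parts) != 8 or parts[1] != "krb5tgs":
        raise ValueError("not a $krb5tgs$ line")
    etype = int(parts[2])
    if etype == 23:
        user, realm, spn = parts[3].lstrip("*"), parts[4], parts[5].rstrip("*")
        checksum_len = 32        # HMAC-MD5 prefix, 16 bytes
    elif etype in (17, 18):
        user, realm, spn = parts[3], parts[4], parts[5].strip("*")
        checksum_len = 24        # HMAC-SHA1-96 trailer, 12 bytes
    else:
        raise ValueError(f"unsupported etype {etype}")
    checksum, edata = parts[6], parts[7]
    if len(checksum) != checksum_len or not HEX.fullmatch(checksum) or not HEX.fullmatch(edata):
        raise ValueError("malformed checksum or ciphertext")
    # Impacket writes the SPN port separator ':' as '~'; restore it.
    return RoastedTicket(etype, user, realm, spn.replace("~", ":"), checksum, edata)


def is_malformed(line: str) -> bool:
    try:
        parse_krb5tgs(line)
    except ValueError:
        return True
    return False


def triage(lines):
    """Per account: SPNs seen, etypes seen, hashcat modes, and whether an RC4
    ticket exists (crack that one first; it is also the one to eliminate)."""
    report = {}
    for line in lines:
        t = parse_krb5tgs(line)
        rec = report.setdefault(t.user, {"realm": t.realm, "spns": set(),
                                         "etypes": set(), "modes": set(), "rc4": False})
        rec["spns"].add(t.spn)
        rec["etypes"].add(t.etype)
        rec["modes"].add(HASHCAT_MODE[t.etype])
        rec["rc4"] = rec["rc4"] or t.etype == 23
    return report
```

An account whose tickets come back as etype 23 is the weak case: RC4 keys are plain NT hashes and crack orders of magnitude faster than AES. The fixes that follow from the triage are long random passwords or a gMSA for the service account, restricting the account to AES via msDS-SupportedEncryptionTypes, and alerting on 4769 events that request RC4 (ticket encryption type 0x17) for accounts that should only use AES.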

Post-Exploitation: Token Impersonation Lab Report

Author: Basit Hassan
Date: 2025-10-13
Environment: The same AD environment I have been simulating from the beginning of this journey.
Scope: Demonstration in a lab environment of token impersonation using Meterpreter incognito.

Overview
I used the credentials of a user I obtained in an earlier post and launched Metasploit's psexec module against a target in my simulated AD lab. From the psexec exploit I obtained a Meterpreter session on the host. Inside Meterpreter I loaded the incognito extension and ran list_tokens -u to enumerate the available user tokens. I identified a privileged token corresponding to an Administrator account and used impersonate_token to assume that context. I then spawned a shell under the impersonated token and verified privileges with whoami, which confirmed LABDOMAIN\Administrator (sanitized).

Walkthrough
Launched msfconsole on the attacker VM. Used psexec (via Metasploit) with valid credentials to get a Meterpreter session on the target...

Active Directory Post-Compromise Lab – Using CrackMapExec, Hash Dumping, and Pass-the-Hash Authentication

Objective
Today's goal was to perform local enumeration and hash dumping on compromised hosts, then validate admin privileges using CrackMapExec (CME) with the dumped credentials. I simulated a post-compromise scenario in an Active Directory (AD) environment using CrackMapExec and the Impacket suite (secretsdump.py) to:
Enumerate network systems via SMB
Identify valid credentials across multiple hosts
Dump local SAM hashes
Attempt pass-the-hash authentication and remote command execution

Lab Setup
I continued using the same lab environment from the beginning of my Active Directory (AD) journey:
🖥️ Attack Machine – Kali Linux
💻 Windows 10 Workstation (Victim 1)
💻 Windows 10 Workstation (Victim 2)
🖲️ Windows Server (Domain Controller)
All machines are part of the same AD lab network.

Step 1: Network Enumeration and Credential Validation
After obtaining valid domain credentials, I scanned the subnet using CrackMapExec to iden...

Active Directory Enumeration After Gaining Shell Access via WMIexec (Step-by-Step)

In this lab, I simulated a real-world post-exploitation scenario after compromising an Active Directory (AD) user account. The goal was to gain shell access on a domain-joined Windows machine and perform Active Directory enumeration using PowerView and BloodHound, two powerful tools for discovering attack paths and privilege escalation opportunities.

Step 1: Gaining Domain Credentials
I previously captured NTLMv2 hashes using Responder during the network reconnaissance phase. After cracking the hash offline, I obtained valid domain credentials. With these credentials, I proceeded to attempt remote command execution and shell access. The image of the cracked NTLMv2 hash is in the first blog of the AD journey.

Step 2: Attempting Remote Shell Access
My next objective was to use the compromised credentials to gain a shell on a domain-joined target machine. I tested multiple approaches:
Attempt 1 – Metasploit smb/psexec
Result: Windows Defen...