Vulnlab — Push

<p>Push, a hard rated active directory chain, involved obtaining credentials from FTP, having write access to smb share, placing the configuration and DLL file for abusing&nbsp;<code>clickonce</code>&nbsp;application to gain a shell on&nbsp;<code>MS01</code>, enumerating the domain to find about SCCM agent deployed on system, coercing authentication through client push installation and gaining&nbsp;<code>sccadmin</code>&nbsp;account which is a local admin on the system. As MS01 was a CA server as well, this lead to Golden Certificate to escalate privileges on the domain.</p> <p><a href="https://arz101.medium.com/vulnlab-push-13d1e89878ae"><strong>Click Here</strong></a></p>