Target: Escape (10.10.11.202)
OS: Windows
Difficulty: Medium
Attack Vectors: SMB Enumeration -> MSSQL Lateral Movement -> ADCS Misconfiguration (ESC1) -> Domain Admin.
Executive Summary
Assessment Date: January 11, 2026
Risk Level: CRITICAL
Author: R00t3dbyFa17h/Nicholas Mullenski
Overview
The “Escape” engagement highlighted critical vulnerabilities within the organization’s Active Directory Certificate Services (ADCS) infrastructure. The target environment exposed sensitive information via SMB shares, allowing for initial access to the MSSQL database. Poor log management practices within the database facilitated lateral movement to a domain user.
Key Findings
Information Disclosure: An unsecured SMB share contained internal documentation revealing credentials for the SQL Service account.
Weak Log Management: The MSSQL logs contained cleartext credentials for a domain user (Ryan.Cooper) due to a failed login attempt where the password was inadvertently entered as the username.
ADCS Misconfiguration (ESC1): The Certificate Authority (CA) was configured with a vulnerable certificate template allowing…
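
An added example (not code from the original write-up) for the Weak Log Management finding: it scans SQL Server ERRORLOG text for failed logins whose "username" looks like a password, and lists the accounts that failed from the same client nearby, so the affected credential can be rotated and the log access reviewed. The sample log, account names, the 60-second window and the character-class heuristic are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt (not from the assessed host); all names and values are made up.
SAMPLE_LOG = r"""2026-01-10 09:14:02.11 Logon       Error: 18456, Severity: 14, State: 8.
2026-01-10 09:14:02.11 Logon       Logon failed for user 'CORP\jane.doe'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.15]
2026-01-10 09:14:09.37 Logon       Error: 18456, Severity: 14, State: 5.
2026-01-10 09:14:09.37 Logon       Logon failed for user 'Summer2026!Blue'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.15]
2026-01-10 11:30:44.02 Logon       Error: 18456, Severity: 14, State: 5.
2026-01-10 11:30:44.02 Logon       Logon failed for user 'backup_svc'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.40]
"""

FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]")

def looks_like_password(name):
    """Heuristic (assumption): no domain separator, 8+ chars, 3 of 4 character classes."""
    if "\\" in name or len(name) < 8:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    return sum(bool(re.search(c, name)) for c in classes) >= 3

def find_leaked_secrets(log_text, window=timedelta(seconds=60)):
    """Return failed logins whose 'username' looks like a password, each with the
    other accounts that failed from the same client within the window (likely owner)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["client"]))
    findings = []
    for ts, user, client in events:
        if not looks_like_password(user):
            continue
        owners = sorted({u for t, u, c in events
                         if c == client and u != user and abs(t - ts) <= window})
        # Never echo the candidate secret in full into a report or ticket.
        masked = user[0] + "*" * (len(user) - 1)
        findings.append({"time": ts.isoformat(), "client": client,
                         "masked": masked, "likely_accounts": owners})
    return findings

if __name__ == "__main__":
    for f in find_leaked_secrets(SAMPLE_LOG):
        print(f)
```

Any hit should be treated as a compromised password for the listed account: rotate it and restrict who can read the SQL Server logs.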