Machine Accounts in Pentest Engagement

In my recent pentest engagement, we encountered a small infrastructure that was pretty good at patching and had implemented security mechanisms such as LAPS too.

Since the assessment was black-box, we started by enumerating ranges and live machines on the network. Then we tried brute-forcing a set of local admin credentials usually found in most infrastructures. But no luck: LOGON_FAILURE in all places.

Then suddenly, in the middle of the CME hack log, we saw Pwn3d!. It was strange at first that the local admin credentials worked on only one machine and not on the other machines (is LAPS implemented?).

The next usual step was to RDP into the machine and look for any of the possibilities below:
  1. Credentials or hashes of any users (Mimikatz)
  2. Impersonation tokens (Incognito)
But no luck with either of them; all we had were machine account hashes (ending with a $ sign), found using Mimikatz on the first compromised machine.

Then, after trying all possibilities on the compromised machine and some googling, we landed on Adam's post about trying a machine account along with Mimikatz.

So let's fire up Mimikatz on our first compromised machine and disable AV (misconfiguration: local admin was allowed to disable AV). Using a pass-the-hash attack in Mimikatz, we got a shell with the machine account's (EPM$) domain privileges and could fire all domain-level commands. Let's dump all the users in Active Directory.

So the next step was to brute-force guessable passwords or combinations with company names, keeping the Account Lockout Policy in mind. The next path of attack was pretty straightforward.

Password Spraying on Domain Users --> Got access to Credentials of Valid users on domain --> Used Sharphound along with SessionLoop --> Figured out where all privileged accounts and Domain Admins are logged-in --> Mapped the Attack path --> Pwned --> Post Exploitation --> Crown Jewels stolen ;)

This was the first time we fell into a scenario where the initial foothold didn't yield any credentials/hashes of a domain user. It was later discovered that LAPS was implemented across the entire infrastructure and only one machine was left over (our first pivot) ;)
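
The root cause here was a single host that LAPS did not cover. As an added example (not part of the original post), the Python below audits an export of computer objects for that gap. The CSV layout, the FILETIME values and every host name other than EPM are constructed, and it assumes the export carries the legacy LAPS (`ms-Mcs-AdmPwdExpirationTime`) and Windows LAPS (`msLAPS-PasswordExpirationTime`) expiry attributes.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Expiry attributes written by legacy Microsoft LAPS and by Windows LAPS.
LAPS_EXPIRY_ATTRS = ("ms-Mcs-AdmPwdExpirationTime", "msLAPS-PasswordExpirationTime")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed export of computer objects (assumed CSV layout, not from the post).
SAMPLE_EXPORT = """\
Name,Enabled,ms-Mcs-AdmPwdExpirationTime,msLAPS-PasswordExpirationTime
WS01,True,133801632000000000,
WS02,True,,133801632000000000
EPM,True,,
SRV03,True,133485408000000000,
OLD07,False,,
"""


def filetime_to_dt(value):
    """Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def audit_laps(csv_text, now):
    """Map each enabled computer lacking a current LAPS password to the reason."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Enabled"].strip().lower() != "true":
            continue  # disabled computer objects are out of scope for this check
        stamps = [(row.get(attr) or "").strip() for attr in LAPS_EXPIRY_ATTRS]
        stamps = [s for s in stamps if s and s != "0"]
        if not stamps:
            # No expiry was ever written: LAPS has never managed this host.
            findings[row["Name"]] = "no LAPS expiry set"
            continue
        expiry = max(filetime_to_dt(s) for s in stamps)
        if expiry < now:
            # Expiry in the past: the password is overdue for rotation.
            findings[row["Name"]] = f"LAPS password expired {expiry:%Y-%m-%d}"
    return findings


if __name__ == "__main__":
    as_of = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed audit date
    for host, reason in audit_laps(SAMPLE_EXPORT, as_of).items():
        print(f"{host}: {reason}")
```

Hosts reported with no expiry set are the ones where a shared or guessable local admin password can still work, as it did on the first pivot in this engagement.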

