Offensive Phishing

by Vince

We run phishing campaigns for awareness training, but we also use phishing as an attack vector. In some instances, if we phished credentials, we would call that a success and move on. In other cases, we would want to actually breach the environment through phishing. If we look at MITRE, we're going to see a lot of different techniques using attachments; Word and Excel are popular. I'm going to use an HTA file, which can be constructed without the need for Microsoft Office.


Exploiting Log4j

by Vince

A few days ago, the world caught on fire with a new vulnerability in Log4j. Currently, to see the extent of the attack surface, you can view this list on GitHub.

CVE-2021-44228

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.


TryHackMe Fusion Corp

by Vince

The description states:  "You had an engagement a while ago for Fusion Corp. They contacted you saying they've patched everything reported and you can start retesting."

Lately, my focus has been on Active Directory, and when I came across this challenge, I found a privilege that I hadn't seen previously. I don't want to get ahead of myself, so let's dig in:
