Exploiting Log4j

by Vince
in Blog

A few days ago, the world caught on fire with a new vulnerability in Log4j. To see the current extent of the attack surface, you can view this list on GitHub.

CVE-2021-44228

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.


TryHackMe Fusion Corp

by Vince
in Blog

The description states: "You had an engagement a while ago for Fusion Corp. They contacted you saying they've patched everything reported and you can start retesting."

Lately, my focus has been on Active Directory, and when I came across this challenge, I found a privilege that I hadn't seen previously. I don't want to get ahead of myself, so let's dig in:


PowerShell ConstrainedLanguage Mode Bypass

by Vince
in Blog

What is Language Mode, and what is ConstrainedLanguage Mode? "The language mode determines the language elements that are permitted in the session. The ConstrainedLanguage mode permits all cmdlets and all PowerShell language elements, but it limits permitted types." So what does that really mean? It means that in the context of compromising a system, we will be presented with an obstacle that we will need to overcome in order to execute PowerShell. Below is FullLanguage Mode:
