Top 10 stupidest ways we’ve got domain admin

We asked our crew for the stupidest ways they have ever got domain admin.
This is what they said:

1. Simple discovery by trying available creds. Local admin was the same as domain admin for servers, some workstations, cisco access points, and more.
2. It was ‘password’, despite all domain admins having unique, complex creds and granular permissions, the core domain admin password had been overlooked.
3. Found a file share with blank password, containing a creds list, as well other juicy data; C-level staff’s digital signatures, HR files, and Finance spreadsheets including payroll.
4. Password vault backup on the IT share was contained in the sysadmin’s old PST backup.
5. IT service provider had used the same password for all the admin and domain admin accounts.
6. Domain admin password was blank.
7. Windows SQL server that is running with domain admin service account and the administrative database account “sa” has a blank password.
8. Found a splunk interface (splunk == central log aggregation and
   analysis) that did not require authentication, which exposed a domain account (user+pass) setup to integrate the product with the domain’s authentication server (AD/LDAP/Domain controller). Turns out that that account was a domain administrator.
9. Every service user in the domain had the same (l33t speak) password. Some of these were in the domain admin group. (found the base password in the system documentation on a public drive.) Also, guessed the password as “Password1”.
10. Password cached in a logon field for Splunk. I proxied the web page on submit and grabbed the admin password.

…but 10 doesn’t do it justice, so here are a few more that made us laugh or cry:

• Windows 2000 server vulnerable to MS08-067 and had full rights to add domain admins to the domain: “Oh, that’s being de-commissioned in a few weeks”. D’oh!
• HP Data Protector running on IT support desktops… Got root via a DP exploit and dumped Kerberos passwords using mimikatz. Bingo! The machine was in use by a domain admin and I now had their password.
• Found a .gitconfig file on c:\. It was configured to use the internal web proxy, which needed domain credentials. You can guess the rest.
• Backup of DC VM on open share on the network. You could download the backup and extract the password hashes which happened to be in LM format.