Entra ID privilege escalation via applications.myOrganization/allProperties/update
Walkthrough of a privilege escalation in Microsoft Entra ID that abuses the seemingly scoped permission microsoft.directory/applications.myOrganization/allProperties/update. A victim with a single custom-role action injects a client secret into a single-tenant application that already holds RoleManagement.ReadWrite.Directory, signs in as the service principal and assigns itself Global Administrator.
Busqueda is an easy Hack The Box machine where initial access is obtained through arbitrary code execution in a vulnerable web application. Privilege escalation is achieved by accessing Gitea, analyzing the source of a script executable as root and abusing file permissions to set bash with the SUID bit.
Write-up of Administrator, a medium-difficulty Windows machine centered on Active Directory abuse. Improper ACL permissions, credential reuse and Kerberoasting chain together into full domain compromise.