The Recovery Settings helps you configure the restore and recycle options pertaining to the objects in the domain you wish to recover. When deleted user accounts are restored, defined password is set to the user accounts. Helpdesk technician that has not privilege for backup/recovery operations can view the password and then compromise restored user accounts conducting password spraying attack in the Active Directory environment.
Proof of Concept
- Login as a helpdesk technician that has not privilege over backup/recovery.
- Go to the URL https://target/ConfigureRecoverySettings/GET_PASS?req={"domainId"%3A"1"}
- The password of other domains (if it is set) can be viewed changing req parameter value such as {"domainId":"2"}
- We can conduct password spraying to inspect restored account if the password is not changed after the account restoration.
crackmapexec smb <target-DC> -u users.txt -p unsafe.local@2023 --continue-on-success