Ep. 13 – nOAuth Account Misbinding & Assumed-Breach to Domain Admin (Season Finale)

Show Notes

One misbound identity. One exposed internal path. Two routes to total compromise.

In this season finale of Hacked & Secured: Pentest Exploits & Mitigations, we break down two real-world findings that show how small trust assumptions can unravel entire systems:

• nOAuth (SSO account misbinding) — Multi-tenant SSO auto-linked accounts by email instead of a stable subject/issuer identifier. With a crafted identity on a controlled domain, an attacker could land a valid session as another user. 
• From wall socket to Domain Admin — No NAC on the switch enabled quiet network access, followed by username harvesting and a light password spray to a low-priv account. From there: AD enumeration, weak service credentials, and abuse of certificate services to escalate to Domain Admin.

What you’ll learn: how identity claims should be bound in modern SSO, how to harden join and mapping flows, and a practical checklist to shut down common internal escalation paths (NAC, credential hygiene, service principals, AD CS, and monitoring).

Chapters:

00:00 - INTRO

01:27 - FINDING #1 - nOAuth: the email you shouldn’t have trusted

07:22 - FINDING #2 - From one wall socket to Domain Admin

13:43 - OUTRO

Want your pentest discovery featured? Submit your creative findings through the Google Form in the episode description, and we might showcase your finding in an upcoming episode!

🌍 Follow & Connect → LinkedIn, YouTube, Twitter, Instagram
📩 Submit Your Pentest Findings → https://forms.gle/7pPwjdaWnGYpQcA6A
📧 Feedback? Email Us → podcast@quailu.com.au
🔗 Podcast Website → Website Link

Chapters

• 0:00: INTRO
• 1:27: FINDING #1 - nOAuth: the email you shouldn’t have trusted
• 7:22: FINDING #2 - From one wall socket to Domain Admin
• 13:43: OUTRO