Need advice

Hello everyone!

I've got a question, but first I'll start off with some backround so it'll give context.

I work as an help desk for 10 month in a fairly large city mucipality (500k citizens).

I've created automation script with Python (fairly extensive) without explicit permission from our cybersecurity team, and all of our help desk team as well as field technicians use it.

Now to my question.

As I do a programming for fun, I investigated some files in my organization, and ran up on specific file which installs programs on users using elevated permissions, it runs from the logon script, example usage would be: call \\path\to\file \\path\to\batch_script\which runs msiexec Issue is, using that I can run ANY program with eleveted permissions, and any user in the domain has access to it, you can easily call it for cmd.exe and get elevated command prompt for example.

And that's not the only issue, I've decompiled it (it's exe written in VB) and found out with fair ease the "strong" User and it's password, as well as a disabled domain administrator's user and password.

I was also able to query for an entire SQL database without providing authentication, the db containd all of the computers MAC addresses, all the softwares distribution versions and packages that are used in the organization and much more info.

Also was able to access the sccm server which have domain management tools installed.

I've reported it to my manager but he doesn't understand much besided help desk related stuff and he has done nothing with it.

Im afraid to report it directly go the cybersecurity team as they might get me in to trouble for digging where I shouldn't and developing scripts and installing tools to develop said scripts without their permissions, also I use the SQL db to pull mac addresses to preform wake on lan as part of my script and don't want it blocked.

Any advice as for how I should go about it would be greatly appreciated! submitted by /u/Vast_Indication_767
[link] [comments]


http://dlvr.it/SyplWp