Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

• -u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
• -c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
• -template 'RetroClients': Requests a certificate using the vulnerable template.
• -upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
• -key-size 4096: Generates a strong RSA key.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator.

The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use Certipy auth to authenticate as Administrator and retrieve their NTLM hash.

• -pfx 'administrator.pfx': Uses the obtained certificate for authentication.
• -username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
• -dc-ip 10.10.124.218: Specifies the domain controller’s IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

And just like that… we’re in!

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator—without even needing to crack any hashes!

Key Takeaways:
Always check for AD CS misconfigurations.
ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
Certipy is an excellent tool for AD CS enumeration and exploitation.

And that’s another VulnLab machine pwned!

References

If you want references for this attack, check out our blog post on it!

Do You Wanna Chat with Maverick?

Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! i love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking!