
Introduction:
Active Directory Certificate Services (ADCS) presents a complex attack surface for penetration testers and a critical hardening area for defenders. The recent HackTheBox machine, Fluffy, showcases the real-world impact of combining NTLM relay techniques with ADCS misconfigurations, specifically leveraging CVE-2025-24071 and ESC16 to achieve full domain compromise.
Learning Objectives:
- Understand the attack chain from initial NetNTLMv2 capture to domain administrator.
- Learn to identify and exploit misconfigured Certificate Templates for privilege escalation (ESC1/ESC16).
- Master the use of key offensive security tools like BloodHound, Certify, and Impacket.
You Should Know:
1. Enumerating Vulnerable Certificate Templates with Certify
The first step is to discover certificate templates that allow enrollment for any user and permit client authentication, which can be leveraged for privilege escalation.
`Certify.exe find /vulnerable`
Step-by-step guide:
This command, executed from a compromised Windows context, queries the Active Directory Certificate Services environment. It lists all certificate templates, filtering for those with dangerous properties. Look for configurations where `ENROLLEE_SUPPLIES_SUBJECT` is enabled and `msPKI-Certificate-Name-Flag` contains `CT_FLAG_SUBJECT_ALT_REQUIRE_UPN` or similar, which are indicators of templates vulnerable to ESC1. The output will provide the exact template name you can abuse.
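The same template properties can be audited from the defender's side without any enrollment tooling. The following is an added example (not code from the original post or from Certify) that decodes the relevant `msPKI-*` attributes of a `pKICertificateTemplate` object and reports which ESC1 preconditions a template meets; the template records are constructed samples, and the attribute value types (strings and lists, as an LDAP client such as ldap3 would return them) are an assumption.

```python
"""Audit certificate template attributes for the ESC1 pattern (added defensive
example; records are constructed, attribute value types are assumed)."""

# Bits of msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag used here
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # requester chooses subject/SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # CA manager approval required

# EKU OIDs that let the certificate be used for client authentication
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Constructed sample templates (no real environment)
SAMPLE_TEMPLATES = [
    {"cn": "ClientAuthOpen", "msPKI-Certificate-Name-Flag": "1",
     "msPKI-Enrollment-Flag": "0", "msPKI-RA-Signature": "0",
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
    {"cn": "ClientAuthApproved", "msPKI-Certificate-Name-Flag": "1",
     "msPKI-Enrollment-Flag": "2", "msPKI-RA-Signature": "0",
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
    {"cn": "UserStandard", "msPKI-Certificate-Name-Flag": "-1509949440",
     "msPKI-Enrollment-Flag": "41", "msPKI-RA-Signature": "0",
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]},
]

def esc1_conditions(template: dict) -> list:
    """Return the ESC1 preconditions a template meets (all four = ESC1-shaped)."""
    name_flag = int(template.get("msPKI-Certificate-Name-Flag", 0))
    enroll_flag = int(template.get("msPKI-Enrollment-Flag", 0))
    signatures = int(template.get("msPKI-RA-Signature", 0))
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    met = []
    if name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        met.append("enrollee supplies subject")
    if not (enroll_flag & CT_FLAG_PEND_ALL_REQUESTS):
        met.append("no manager approval")
    if signatures == 0:
        met.append("no authorized signatures required")
    if not ekus or ekus & CLIENT_AUTH_EKUS:   # empty EKU list means any purpose
        met.append("client authentication EKU")
    return met

def esc1_shaped(templates: list) -> list:
    """Names of templates meeting every precondition above. Enrollment ACLs
    (who may enroll) are not in these attributes and must be checked separately."""
    return [t["cn"] for t in templates if len(esc1_conditions(t)) == 4]
```

A template reported here is only exploitable if a low-privilege principal also holds enrollment rights on it; fixing either the flag or the ACL closes the path.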
2. Forcing a NetNTLMv2 Hash with CVE-2025-24071
CVE-2025-24071 is a vulnerability that can be triggered to force a machine account to authenticate to an attacker-controlled server, leaking its NetNTLMv2 hash.
`sudo responder -I tun0 -wv`
Step-by-step guide:
On your Kali machine, run Responder to set up malicious SMB, HTTP, and LDAP servers. The `-I` flag specifies your network interface (e.g., tun0 for VPN), and `-wv` enables verbose mode for WPAD attacks. Once executed, triggering the vulnerability (often via a network path or RPC call) will cause the target host to attempt authentication to your Responder server, capturing the NTLMv2 hash in the `/usr/share/responder/logs/` directory.
3. Relaying the NetNTLMv2 Hash to LDAPS
A captured hash can be relayed to an LDAP service to perform modifications on the target AD object, such as adding an account to the Domain Admins group.
`ntlmrelayx.py -t ldaps:// --escalate-user `
Step-by-step guide:
This Impacket tool listens for incoming authentication attempts and relays them to a target service. The `-t` flag specifies the target Domain Controller's LDAPS URL. The `--escalate-user` flag will automatically attempt to add the specified standard user account to the Domain Admins group upon a successful relay. Execute this before triggering the hash capture to ensure the relay is ready.
4. Requesting a Certificate for Privilege Escalation
Once you have a user with enrollment rights on a vulnerable template, you can request a certificate that asserts an alternative identity.
`Certify.exe request /ca:\ /template: /altname:`
Step-by-step guide:
This command constructs a certificate request for the specified vulnerable template (/template:). The critical parameter is /altname:, which allows you to specify the User Principal Name (UPN) of a high-privilege user, such as a domain administrator. Execute this on a compromised Windows host. The tool will output the certificate in base64 format.
5. Converting a Certificate to a PFX for Use with Rubeus
The certificate obtained from Certify is in base64 format and must be converted to a PFX file for use with other tools.
`openssl pkcs12 -in certificate.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx`
Step-by-step guide:
- Save the base64 certificate block from Certify into a file (e.g., cert.pem).
- Run the OpenSSL command above. You will be prompted to set an export password for the PFX file.
- This command converts the PEM file into a PFX (PKCS12) format, which is compatible with Windows tools like Rubeus.
6. Requesting a Kerberos Ticket Granting Ticket (TGT) with Rubeus
The final step is to use the generated PFX certificate to request a Kerberos TGT for the impersonated user.
`Rubeus.exe asktgt /user: /certificate:cert.pfx /password: /ptt`
Step-by-step guide:
Execute this command from your compromised Windows host. Rubeus uses the certificate (/certificate:) to authenticate to the Domain Controller as the user specified in /user:. The `/ptt` (Pass-The-Ticket) flag automatically injects the resulting Kerberos TGT into the current logon session. You will then have a command prompt with the privileges of the impersonated user.
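Steps 4 and 6 both leave a record on the issuing CA: the certificate is stored with the requester's account and the UPN that ended up in its SAN. The following is an added detection example (not code from the original post) that flags issued certificates whose SAN UPN names a different account than the requester; the input is a constructed CSV export of the CA database, and the column names are an assumption modelled on `certutil -view` display names.

```python
"""Flag issued certificates whose SAN UPN does not belong to the requester
(added detection example; sample export is constructed, column names assumed)."""
import csv
import io

# Constructed sample CA export (no real environment); request 102 is the odd one
SAMPLE_CA_EXPORT = '''"Request ID","Requester Name","User Principal Name","Certificate Template"
"101","CORP\\alice","alice@corp.example","User"
"102","CORP\\bob","administrator@corp.example","ClientAuthOpen"
"103","CORP\\WS01$","","Machine"
'''

def requester_upn_mismatches(export_text: str) -> list:
    """Return (request id, requester, upn, template) for every row where the
    UPN in the certificate is not the requesting account's own name."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        upn = row["User Principal Name"].strip().lower()
        if not upn:
            continue                      # no UPN in the SAN, nothing to compare
        requester = row["Requester Name"]
        sam = requester.split("\\")[-1].lower()
        # Assumes UPN prefix == sAMAccountName; otherwise resolve via directory lookup
        if upn.split("@", 1)[0] != sam:
            hits.append((row["Request ID"], requester, upn,
                         row["Certificate Template"]))
    return hits
```

Each hit is a certificate that can be used for PKINIT as someone other than the requester, so it is worth revoking and correlating with Kerberos 4768 events that carry certificate information.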
7. BloodHound & SharpHound for ADCS Enumeration
Identifying attack paths often requires a comprehensive map of the AD environment, including ADCS rights.
`SharpHound.exe --collectionmethods All --domain --outputdirectory C:\temp`
Step-by-step guide:
SharpHound is the data collector for BloodHound. Execute this on a domain-joined Windows host. The `--collectionmethods All` flag ensures ADCS objects and certificate templates are included in the data. After collection, zip the output files and import them into the BloodHound GUI. From there, you can use pre-built queries or custom Cypher queries to find users who have enrollment rights on dangerous templates or control over CA servers.
What Undercode Say:
- The combination of NTLM relay vulnerabilities and ADCS misconfigurations represents one of the most potent attack chains in modern Windows environments.
- Defense requires a multi-layered approach: disabling NTLM where possible, enforcing SMB signing, and rigorously auditing Certificate Template permissions.
The Fluffy machine is a masterclass in chaining techniques. It demonstrates that while a single vulnerability might only get an attacker a foothold, the true risk lies in the interconnectedness of AD services. A misconfigured Certificate Template, which might be considered a low-priority finding on its own, becomes a critical privilege escalation vector when combined with a separate hash capture flaw like CVE-2025-24071. Defenders must shift from auditing services in isolation to understanding these transactional relationships between components. Proactive hunting for these trust abuses, using tools like BloodHound, is no longer optional for a mature security program.
Prediction:
The exploitation of ADCS will continue to be a primary method for advanced threat actors due to the inherent trust placed in certificates by Microsoft environments. As more organizations patch traditional Kerberos delegation attacks, we predict a significant rise in incidents involving malicious certificate enrollment and Golden Certificate attacks, forcing a widespread re-evaluation of PKI trust models within corporate networks.
Reported By: https://lnkd.in/p/dx4gXcx5 – Hackers Feeds