Certified

Write-up for the Certified lab on HackTheBox

Enumeration

  • nmap scan:
    [screenshot]
  • Let's start by using the credentials provided by the challenge:
    [screenshot]
  • BloodHound extract:
    [screenshot]

Road to user flag

  • In BloodHound we can see that judith has WriteOwner on the Management group:
    [screenshot]
  • To abuse this ACL, we first set ourselves as the owner of the Management group:
    [screenshot]
  • As owner we can then grant ourselves FullControl (GenericAll) over the group:
    [screenshot]
  • And now we can add ourselves to the Management group:
    [screenshot]
  • This group has GenericWrite over management_svc:
    [screenshot]
  • GenericWrite lets us write msDS-KeyCredentialLink, so we abuse it with shadow credentials: add a key credential to management_svc, authenticate with PKINIT and recover its NT hash:
    [screenshot]
  • Then we can get the user flag:
    [screenshot]
  • management_svc has GenericAll over ca_operator:
    [screenshot]
  • To abuse it we can simply change the password of ca_operator:
    [screenshot]

ESC9 abuse

  • ca_operator probably has some rights in AD CS, so we enumerate vulnerable templates with the following command:

    certipy find -u 'ca_operator@certified.htb' -p Jawad2Bagnolet -vulnerable -stdout

    [screenshot]

  • According to The Hacker Recipes (THR), these are the requirements to perform ESC9:

    • StrongCertificateBindingEnforcement is not set to 2 (default: 1), or CertificateMappingMethods contains the UPN flag (0x4)
    • The template has the CT_FLAG_NO_SECURITY_EXTENSION flag set in its msPKI-Enrollment-Flag value, so issued certificates do not carry the szOID_NTDS_CA_SECURITY_EXT (SID) extension
    • The template specifies client authentication (an EKU such as Client Authentication, PKINIT Client Authentication, Smart Card Logon or Any Purpose, or no EKU at all)
    • GenericWrite over any account A, which lets us compromise any account B
  • We start by changing ca_operator's UPN to the account we want to compromise, Administrator (the value is the target's sAMAccountName, not a full UPN):
    [screenshot]

  • Now we can request a certificate as ca_operator from the vulnerable template; because the security extension is omitted, the certificate identifies its holder only by the UPN Administrator, with no SID:
    [screenshot]

  • Before authenticating with the certificate, we reset ca_operator's UPN to its original value; otherwise the KDC would still map the UPN in the certificate to ca_operator rather than to Administrator:
    [screenshot]

  • Now we authenticate with the certificate and use UnPAC-the-hash to recover Administrator's NT hash:
    [screenshot]
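The ESC9 requirements listed above, turned into a check that a practitioner can run over the values certipy and the DC registry give back. This is an added example, not code from the write-up or from certipy; the template (the name ExampleTemplate is hypothetical), the registry values and the "we hold GenericWrite" flag are constructed samples, not data from the lab.

```python
"""Evaluate the ESC9 preconditions against a template and DC registry values.

Added example for this write-up; the template, registry values and rights
below are constructed samples, not data from the lab.
"""

# msPKI-Enrollment-Flag bit (MS-CRTD): certificates issued from a template with
# this flag do not carry the szOID_NTDS_CA_SECURITY_EXT (SID) extension.
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000

# Schannel CertificateMappingMethods bit that allows UPN-based mapping.
CMM_UPN = 0x4

# EKU OIDs that permit client authentication; an empty EKU set also allows it.
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Constructed sample of what "certipy find -vulnerable" reports for a template
# (hypothetical name) and of the two registry values read from the DC.
SAMPLE_TEMPLATE = {
    "name": "ExampleTemplate",
    "msPKI-Enrollment-Flag": CT_FLAG_NO_SECURITY_EXTENSION | 0x20,  # 0x20 = CT_FLAG_AUTO_ENROLLMENT
    "ekus": ["1.3.6.1.5.5.7.3.2"],
}
WEAK_REGISTRY = {
    "StrongCertificateBindingEnforcement": 1,  # compatibility mode
    "CertificateMappingMethods": 0x18,         # issuer/subject + SKI, no UPN mapping
}
HARDENED_REGISTRY = {
    "StrongCertificateBindingEnforcement": 2,  # full enforcement: SID extension required
    "CertificateMappingMethods": 0x18,
}


def allows_client_auth(ekus):
    """Client authentication is possible with a client-auth EKU or no EKU at all."""
    return not ekus or bool(CLIENT_AUTH_EKUS.intersection(ekus))


def mapping_is_weak(registry):
    """True when the KDC (PKINIT) or Schannel still accepts a certificate that
    lacks the SID extension and maps it by UPN."""
    strong = registry["StrongCertificateBindingEnforcement"]
    methods = registry["CertificateMappingMethods"]
    return strong != 2 or bool(methods & CMM_UPN)


def esc9_applicable(template, registry, have_generic_write):
    """Return (applicable, unmet); unmet names each requirement that failed.

    have_generic_write: we hold GenericWrite (or stronger) over some account A
    whose UPN we can rewrite, as management_svc does over ca_operator above.
    """
    unmet = []
    if not mapping_is_weak(registry):
        unmet.append("StrongCertificateBindingEnforcement")
    if not template["msPKI-Enrollment-Flag"] & CT_FLAG_NO_SECURITY_EXTENSION:
        unmet.append("CT_FLAG_NO_SECURITY_EXTENSION")
    if not allows_client_auth(template["ekus"]):
        unmet.append("client authentication EKU")
    if not have_generic_write:
        unmet.append("GenericWrite over an account")
    return not unmet, unmet


if __name__ == "__main__":
    for label, reg in (("weak", WEAK_REGISTRY), ("hardened", HARDENED_REGISTRY)):
        ok, unmet = esc9_applicable(SAMPLE_TEMPLATE, reg, True)
        print(f"{label} registry: ESC9 {'applies' if ok else 'blocked'} {unmet}")
```

Setting StrongCertificateBindingEnforcement to 2 closes the PKINIT path only as long as Schannel does not re-open it: with the 0x4 bit set in CertificateMappingMethods the same SID-less certificate is still mapped by UPN for LDAPS or other Schannel logons, which is why the first requirement is an "or" and the check tests both values.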

Last updated on Apr 20, 2025 00:00 UTC