
ESC1


2025

HTB x VL Shibuya: Formal Write-up

3041 words · 15 mins
Synopsis: Shibuya, a hard-rated HTB x Vulnlab Active Directory box, requires a multi-stage attack chain built on credential harvesting, session hijacking, and an Active Directory Certificate Services (AD CS) misconfiguration. The initial foothold comes from enumerating domain users over Kerberos and discovering a weak password for one of them. That access is leveraged to find a service account’s plaintext password stored in its user description, which grants access to a critical SMB share. Inside the share, a Windows Imaging (.wim) file contains cached domain credentials for another user; extracting the necessary registry hives from the image recovers a hash that is then used to reset that user’s password, enabling lateral movement to an interactive shell on the domain controller over SSH. Privilege escalation is a two-step process: first, a cross-session relay attack captures the hash of a high-privileged user with an active session, which is then cracked. With those credentials, the final pivot exploits a vulnerable AD CS certificate template (ESC1) to request a certificate as the domain administrator, yielding the administrator’s NT hash and full domain compromise.

HTB x VL Retro: Formal Write-up

1748 words · 9 mins
Synopsis: The Retro machine from HTB x Vulnlab is a Windows Active Directory domain controller. Initial access was gained through anonymous SMB enumeration and weak credentials for a ‘trainee’ user. Post-exploitation turned up clues in text files that led to the compromise of a machine account (‘BANKING$’) by guessing its password and then resetting it. That access was pivotal for privilege escalation through an Active Directory Certificate Services (AD CS) misconfiguration (ESC1), which allowed requesting a certificate as the Domain Administrator and ultimately gave full administrative control over the domain controller.
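Both synopses above end on the same ESC1 pivot: a certificate template that lets a low-privileged enrollee choose the subject alternative name and issues a certificate usable for client authentication, so a request carrying the domain administrator's UPN yields a certificate that authenticates as that account. The block below is an added example for this tag page, not code from either write-up and not Certipy's implementation: it evaluates the ESC1 preconditions over the template attributes an auditor reads from the template objects under CN=Certificate Templates,CN=Public Key Services,CN=Services in the configuration partition. The template names, the enrollment principals and the LOW_PRIV_PRINCIPALS set are constructed assumptions for the example.

```python
"""Checking an AD CS certificate template for the ESC1 conditions.

Added illustration for this tag page; not code from either write-up and not
Certipy's or Locksmith's implementation. Attribute names are those of the
template object in AD; the sample templates are constructed, not taken from
either box.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# msPKI-Certificate-Name-Flag: the enrollee may put an arbitrary subject/SAN in the CSR.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag: every request is held until a certificate manager approves it.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs with which the issued certificate can be used to log on as the UPN in its SAN.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Principals whose enrollment right makes the template reachable from a low-privileged
# foothold. Constructed for the example; a real audit resolves SIDs and nested groups.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


@dataclass
class Template:
    name: str
    certificate_name_flag: int                 # msPKI-Certificate-Name-Flag
    enrollment_flag: int                       # msPKI-Enrollment-Flag
    ra_signature: int                          # msPKI-RA-Signature (authorized signatures required)
    ekus: list[str] = field(default_factory=list)              # pKIExtendedKeyUsage (empty = any purpose)
    enroll_principals: set[str] = field(default_factory=set)   # holders of the Certificate-Enrollment right
    published: bool = True                     # listed in some CA's certificateTemplates attribute


def missing_conditions(t: Template) -> list[str]:
    """Return the ESC1 preconditions the template does NOT meet; an empty list means ESC1."""
    missing = []
    if not t.published:
        missing.append("published on a CA")
    if not (t.certificate_name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT):
        missing.append("enrollee supplies subject")
    if t.ekus and not (AUTH_EKUS & set(t.ekus)):   # an empty EKU list means any purpose
        missing.append("authentication EKU")
    if t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        missing.append("no manager approval")
    if t.ra_signature != 0:
        missing.append("no authorized signatures required")
    if not (t.enroll_principals & LOW_PRIV_PRINCIPALS):
        missing.append("low-privileged enrollment rights")
    return missing


def is_esc1(t: Template) -> bool:
    return not missing_conditions(t)


def find_esc1(templates: list[Template]) -> list[str]:
    """Names of ESC1-abusable templates, in the order given."""
    return [t.name for t in templates if is_esc1(t)]


def sample_templates() -> list[Template]:
    """Constructed templates: the vulnerable shape plus the common near misses."""
    return [
        # The shape both write-ups exploit: anyone can enroll, chooses the SAN, gets client auth.
        Template("CustomUserAuth", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], {"Domain Users"}),
        # Stock "User" template: subject and SAN are built from the AD object, so no SAN control.
        Template("User", 0xA6000000, 0x0, 0, ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"], {"Domain Users"}),
        # Same weak flags, but every request waits for manager approval.
        Template("ApprovedAuth", 0x1, 0x2, 0, ["1.3.6.1.5.5.7.3.2"], {"Domain Users"}),
        # SAN control and client auth, but only Domain Admins may enroll.
        Template("AdminOnlyAuth", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], {"Domain Admins"}),
        # SAN control, but a TLS Server Authentication EKU only: useless for logon.
        Template("WebServerCustom", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.1"], {"Domain Users"}),
    ]


if __name__ == "__main__":
    for t in sample_templates():
        gaps = missing_conditions(t)
        print(f"{t.name:16} {'ESC1' if not gaps else 'not ESC1 (fails: ' + ', '.join(gaps) + ')'}")
```

Run as a script it lists each constructed template with the conditions it fails; only CustomUserAuth satisfies all of them. On a live domain the same decision is what `certipy find -vulnerable` reports as ESC1, and the pivot both write-ups describe is then `certipy req` against the CA and template with `-upn` set to the administrator account, followed by `certipy auth -pfx` to obtain the NT hash; the CA and template names for either box are in the write-ups, not here.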