Tags: HackTheBox, Active Directory, Windows, VulnLabs

Sendai

Sendai is a Windows Server 2022 AD DC exploited via guest SMB enum, expired password resets, GMSA ACL abuse, registry credential harvesting, and ADCS ESC4 to achieve Domain Admin.

VulnLab Active Directory Chain — Writeup

Difficulty: Medium | Category: Active Directory | OS: Windows Server 2022


Machine Information

Field        | Value
-------------|--------------------------------------------------
IP Address   | 10.129.234.66
Domain       | sendai.vl
DC Hostname  | dc.sendai.vl
OS           | Windows Server 2022 Build 20348
Key Services | DNS, Kerberos, LDAP/LDAPS, SMB, RDP, WinRM, ADCS

Phase 1: Reconnaissance & Enumeration

1.1 Port Scanning with Nmap

The engagement begins with a comprehensive Nmap scan to fingerprint open ports and running services. The target immediately presents a classic Windows Active Directory Domain Controller profile.

Guest Share Enumeration:

Share listing was refused for anonymous (null) sessions but permitted for the built-in guest account, so the shares could be listed as guest.

1.2 RID Brute-Force User Enumeration

RID (Relative Identifier) brute-forcing over SMB uses the SAMR protocol to resolve domain SIDs to account names. Every domain principal's SID ends in a RID: built-in accounts use well-known values starting at 500 (Administrator), and objects created afterwards receive sequential RIDs, so iterating candidate RIDs enumerates users and groups without needing LDAP access.

Over 20 domain accounts and groups were discovered, including:

  • Service accounts: sqlsvc (RID 1104), websvc (RID 1105)

  • Managed Service Account: mgtsvc$ (RID 1130; the $ suffix is used by computer and managed service accounts, which points to a GMSA)

  • Regular users: Dorothy.Jones, Kerry.Robinson, Naomi.Gardner, Anthony.Smith, Susan.Harper, Stephen.Simpson, Marie.Gallagher, Kathleen.Kelly, Norman.Baxter, Jason.Brady, Elliot.Yates, Malcolm.Smith, Lisa.Williams, Ross.Sullivan, Clifford.Davey, Declan.Jenkins, Lawrence.Grant, Leslie.Johnson, Megan.Edwards, Thomas.Powell

  • Groups: staff (1107), caoperators (1128), admsvc (1129), support (1131)

The caoperators group is immediately interesting given the presence of ADCS: this group likely controls certificate template permissions on the CA.

Phase 2: Initial Access via Expired Passwords

2.1 Password Spray with Null/Empty Password

With a complete user list, an empty-password spray is conducted against all accounts. The goal is not to find accounts with blank passwords, but to identify accounts returning STATUS_PASSWORD_MUST_CHANGE — a Windows error indicating the password is expired and must be changed on next login.

Crucially, this status allows an attacker to change the password via SAMR without knowing the old one, since the authentication flow is interrupted before the old password is validated.

2.2 Forced Password Change via impacket-changepasswd

impacket-changepasswd leverages the MS-SAMR protocol to change an account's password. When it detects STATUS_PASSWORD_MUST_CHANGE, it automatically binds as a null session and performs the reset without requiring the current password — a critical feature of this error condition.
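From the defender's side, the accounts that answer a logon with STATUS_PASSWORD_MUST_CHANGE are the ones sitting in "must change at next logon" state or past the domain's maximum password age. The following PowerShell is an added example, not part of the original writeup, that lists them using the RSAT ActiveDirectory module; the property names are the module's own, the reason labels are my own.

```powershell
# Added example (not part of the original writeup): list enabled accounts whose
# password is flagged "must change at next logon" (pwdLastSet = 0) or has
# expired under the domain policy. These are the accounts that answer a logon
# with STATUS_PASSWORD_MUST_CHANGE. Needs the RSAT ActiveDirectory module and
# only ordinary read access to user objects.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy
$maxAge = $policy.MaxPasswordAge          # TimeSpan; zero means no expiry by policy
$cutoff = (Get-Date) - $maxAge

$accounts = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
                       -Properties pwdLastSet, PasswordLastSet, PasswordExpired, LastLogonDate

$report = foreach ($u in $accounts) {
    $reason = $null
    if ($u.pwdLastSet -eq 0) {
        # An administrator ticked "User must change password at next logon"
        $reason = 'MustChangeAtNextLogon'
    } elseif ($u.PasswordExpired) {
        # The DC already treats the password as expired (honours fine-grained policies)
        $reason = 'ExpiredByPolicy'
    } elseif ($maxAge.TotalDays -gt 0 -and $u.PasswordLastSet -lt $cutoff) {
        $reason = 'OlderThanDefaultMaxAge'
    }
    if ($reason) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Reason          = $reason
            PasswordLastSet = $u.PasswordLastSet
            LastLogonDate   = $u.LastLogonDate
        }
    }
}

$report | Sort-Object Reason, SamAccountName | Format-Table -AutoSize
```

Every account the report lists is a candidate for the reset described in 2.2; on Sendai both elliot.yates and thomas.powell would appear. Stale accounts in this state should be given a password through a controlled process or disabled, and the resulting change shows up on the DC as security event 4723 (an attempt was made to change an account's password), so a burst of 4723s for several long-dormant accounts from one source host is worth a look.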

2.3 Share Access with New Credentials

Re-enumerating shares with thomas.powell's new credentials reveals significantly expanded access:

  • config: READ and WRITE access (previously inaccessible to Guest)

  • sendai: READ and WRITE access (company share)

  • NETLOGON and SYSVOL: standard domain read access

  • Users: READ access

Both elliot.yates and thomas.powell have identical share permissions; thomas.powell is used for all subsequent steps.

2.4 Credential Discovery in the config Share

The config share contains a hidden file .sqlconfig (hidden by the Unix-style leading dot convention). This file stores a database connection string with plaintext credentials:

The .sqlconfig file yields the credentials sqlsvc / SurenessBlob85. While SQL Server port 1433 is not directly exposed, these are valid domain credentials usable for further enumeration and lateral movement.

Phase 3: Privilege Escalation via AD ACL Abuse & GMSA

3.1 Active Directory ACL Analysis (BloodHound)

BloodHound maps Active Directory attack paths by collecting and visualising ACL (Access Control List) relationships between objects. Running the collector with thomas.powell's credentials reveals two critical privilege chains:

Chain 1: thomas.powell → SUPPORT → admsvc

  • thomas.powell is a member of the SUPPORT group

  • SUPPORT has GenericAll rights over the ADMSVC group

  • GenericAll is the most permissive ACE — it grants full control over the target object, including the ability to add and remove members

Chain 2: admsvc → mgtsvc$ GMSA

  • The ADMSVC group has ReadGMSAPassword rights over the mgtsvc$ GMSA account

  • ReadGMSAPassword allows any member of admsvc to retrieve the current managed password from the msDS-ManagedPassword AD attribute

  • GMSA passwords are 256-byte random values managed by the DC; tooling derives the NTLM hash from the retrieved password, which enables Pass-the-Hash without ever typing the password itself

The complete attack chain: thomas.powell controls SUPPORT → abuse GenericAll to join admsvc → read GMSA password of mgtsvc$ → authenticate as mgtsvc$ using the NTLM hash.

3.2 Abusing GenericAll to Add to admsvc

bloodyAD is a Python tool for abusing Active Directory ACLs via LDAP. The GenericAll ACE held by SUPPORT over ADMSVC is abused to add thomas.powell directly to the group:

thomas.powell now inherits the ReadGMSAPassword permission on mgtsvc$ through group membership in admsvc.

3.3 Reading the GMSA Password

Group Managed Service Accounts (GMSAs) are AD accounts whose 256-byte random passwords are generated and rotated automatically by the DC on a schedule. Authorised principals (those listed in PrincipalsAllowedToRetrieveManagedPassword) can read the current password from the msDS-ManagedPassword AD attribute; tooling decodes the returned blob and derives the NTLM hash from it, so both the hash and the base64-encoded MSA password blob are obtained.
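The question a defender wants answered for section 3.1 and 3.3 is "who, after expanding every nested group, can read each GMSA's password?". The following PowerShell is an added example, not part of the original writeup, that answers it with the RSAT ActiveDirectory module; the function name Expand-Principal and the finding labels are my own.

```powershell
# Added example (not part of the original writeup): for every GMSA in the
# domain, list who may retrieve the managed password, expanding nested groups,
# and flag anything that is not a computer account. A GMSA password should be
# retrievable only by the hosts that run the service; a user reachable through
# a group (as thomas.powell is through admsvc) is exactly the ReadGMSAPassword
# edge BloodHound reports. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Expand-Principal {
    # Returns the leaf principals behind a DN: the object itself, or every
    # (recursively nested) member if the DN is a group.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $obj = Get-ADObject -Identity $DistinguishedName -Properties objectClass, sAMAccountName
    if ($obj.objectClass -eq 'group') {
        Get-ADGroupMember -Identity $DistinguishedName -Recursive | ForEach-Object {
            [pscustomobject]@{ Name = $_.SamAccountName; Class = $_.objectClass; Via = $obj.Name }
        }
    } else {
        [pscustomobject]@{ Name = $obj.sAMAccountName; Class = $obj.objectClass; Via = '(direct)' }
    }
}

# Get-ADServiceAccount also returns standalone MSAs; keep only group MSAs.
$gmsas = Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
         Where-Object { $_.ObjectClass -eq 'msDS-GroupManagedServiceAccount' }

$findings = foreach ($gmsa in $gmsas) {
    foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
        foreach ($p in Expand-Principal -DistinguishedName $dn) {
            $finding = if ($p.Class -eq 'computer') { 'ok' } else { 'REVIEW: non-computer principal can read password' }
            [pscustomobject]@{
                GMSA      = $gmsa.SamAccountName
                Principal = $p.Name
                Class     = $p.Class
                Via       = $p.Via
                Finding   = $finding
            }
        }
    }
}

$findings | Sort-Object GMSA, Finding | Format-Table -AutoSize
```

On Sendai the report would show mgtsvc$ readable via the admsvc group and, once thomas.powell has been added, a user principal behind it. The script only answers who is on the list today; who can change that list (here, SUPPORT's GenericAll over admsvc) is the other half of the chain and is what BloodHound's ACL collection covers. Membership changes to such a group are logged on the DC as 4728, 4732 or 4756 depending on group scope, which makes a membership add to a GMSA-reader group a cheap, high-value alert.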

3.4 Pass-the-Hash as mgtsvc$ — User Flag

With the NT hash, Pass-the-Hash authentication is used to open a WinRM session as mgtsvc$ via Evil-WinRM. No password cracking is required — Windows authentication protocols accept the hash directly.

Shell obtained. The user flag is retrieved:

Phase 4: Lateral Movement & ADCS ESC4 Exploitation

4.1 Credentials Stored in Windows Service Registry

Windows services store their configuration — including the executable path and command-line arguments — in the registry under HKLM\SYSTEM\CurrentControlSet\Services. It is a common misconfiguration for custom internal services to embed credentials directly in their ImagePath value, making them readable by any user with local registry access (which includes all domain users by default).

Querying all service ImagePath values from the mgtsvc$ shell:

A custom helpdesk.exe service contains hardcoded credentials in its arguments:

Credentials obtained: clifford.davey / RFmoB2WplgE_3p. This is particularly valuable since clifford.davey is likely a member of the caoperators group — which holds ADCS template permissions.
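The same registry query a low-privileged user can run is also the cheapest hunt for this class of misconfiguration. The following PowerShell is an added example, not part of the original writeup, that scans every service's ImagePath for argument shapes that look like embedded credentials; the regular expressions are my own heuristics and will need tuning.

```powershell
# Added example (not part of the original writeup): scan every service's
# ImagePath under HKLM\SYSTEM\CurrentControlSet\Services for arguments that look
# like embedded credentials. The patterns are heuristics for common shapes
# (-p / --password / /pwd style switches and user:password pairs) and will
# need tuning for your environment. The key is readable by a standard user,
# which is the point: so can anyone else on the box.
$patterns = @(
    # a switch followed by a value: -p secret, --password=secret, /pwd:secret
    '(?i)(?:^|\s)(?:-p|--password|/password|/pwd|-pass|-pw)[\s:=]+\S+',
    # a user:password pair as one token (the helpdesk.exe shape on Sendai);
    # drive letters and URLs are excluded because "\" and "/" cannot follow the colon
    '(?i)(?:^|\s)[a-z][\w.-]*:[^\s:\\/]{8,}(?=\s|$)'
)
$serviceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$hits = Get-ChildItem -Path $serviceRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.ImagePath) { return }
    foreach ($re in $patterns) {
        if ($props.ImagePath -match $re) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                ImagePath = $props.ImagePath
                Pattern   = $re
            }
            break   # one report per service is enough
        }
    }
}

$hits | Format-Table -AutoSize -Wrap
```

On Sendai the helpdesk.exe service would be the hit. Remediation follows recommendation 6 below, and any password found this way has to be treated as compromised and rotated, since every interactive user on the host could have read it. For the install itself, System event 7045 (a service was installed) or Security event 4697 captures the command line at registration time, which is the moment to catch a credential-bearing ImagePath before it sits in the registry for years.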

4.2 ADCS Enumeration with Certipy

Active Directory Certificate Services (ADCS) is the Windows PKI implementation. Misconfigurations in certificate templates enable privilege escalation to Domain Admin via certificate request abuse — the ESC (Escalation) attack categories documented by SpecterOps. Certipy is the standard tool for enumerating and exploiting ADCS.

Findings:

  • 34 total certificate templates; 12 currently enabled

  • 1 certificate authority: sendai-DC-CA

  • Vulnerable template identified: SENDAICOMPUTER (ESC4)

ESC4 occurs when an unprivileged user has write permissions over a certificate template's ACL, allowing modification of template attributes to introduce any other ESC condition — most commonly ESC1 (enrollee can supply a Subject Alternative Name containing any UPN, enabling impersonation of any domain account).
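The ESC4 precondition is a write right on a template object held by someone outside the PKI administrators, so the audit is an ACL walk over the Certificate Templates container. The following PowerShell is an added example, not part of the original writeup or of Certipy, using the RSAT ActiveDirectory module's AD: drive; the list of trusted principals is an assumption to adjust to whoever actually administers your PKI.

```powershell
# Added example (not part of the original writeup): list every certificate
# template in the forest and report Allow ACEs that give a principal outside
# the expected PKI-admin set a right that lets it rewrite the template
# (the ESC4 precondition). Needs the RSAT ActiveDirectory module; the AD: drive
# it provides lets Get-Acl read directory ACLs.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Rights that allow changing the template or its security descriptor.
$writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'

# Principals expected to hold those rights. Assumption: extend with the groups
# that really administer your PKI (e.g. a dedicated PKI admins group).
$trusted = '\\(Domain Admins|Enterprise Admins|Administrators)$|^NT AUTHORITY\\SYSTEM$'

$templates = Get-ADObject -SearchBase $templatesDN -SearchScope OneLevel `
                          -Filter 'objectClass -eq "pKICertificateTemplate"'

$report = foreach ($t in $templates) {
    $acl = Get-Acl -Path ("AD:\" + $t.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ActiveDirectoryRights.ToString() -notmatch $writeRights) { continue }
        if ($ace.IdentityReference.Value -match $trusted) { continue }
        # A WriteProperty ACE scoped to one attribute (ObjectType set) is narrower
        # than an unrestricted write but still worth a look.
        $scope = if ($ace.ObjectType -eq [guid]::Empty) { 'whole object' } else { "attribute $($ace.ObjectType)" }
        [pscustomobject]@{
            Template  = $t.Name
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Scope     = $scope
            Inherited = $ace.IsInherited
        }
    }
}

$report | Sort-Object Template, Principal | Format-Table -AutoSize
```

On Sendai this walk would surface the ACE that let a low-privileged account rewrite SENDAICOMPUTER. Two CA-side signals complement it: the CA logs event 4899 (a Certificate Services template was updated) when a template changes, and an issued certificate whose SAN UPN does not match the requesting account is visible in the CA's issued-certificates list with its request ID. With manager approval enabled, as recommendation 7 suggests, such a request would generate 4886 (request received) without a matching 4887 (request issued) until someone approves it.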

4.3 ESC4 Step 1 — Modify the Certificate Template

Certipy's template command modifies the target template to allow arbitrary SAN specification. The -save-old flag preserves the original configuration to SendaiComputer.json for later restoration:

Output: [*] Saved old configuration for 'SENDAICOMPUTER' and [*] Successfully updated 'SendaiComputer'. The template is now in an ESC1-vulnerable state — any enrollee can specify an arbitrary UPN in the certificate's Subject Alternative Name field, effectively impersonating any domain account including Administrator.

4.4 ESC4 Step 2 — Request a Certificate as Administrator

With the template modified, a certificate is requested with the administrator UPN and the domain Administrator's SID. The SID ties the certificate to the correct account object regardless of UPN formatting:

  • Request ID: 13

  • Certificate UPN: administrator

  • Certificate Object SID: S-1-5-21-3085872742-570972823-736764132-500

  • Certificate saved to: administrator.pfx

4.5 Certificate Authentication — Obtaining the Administrator NT Hash

The administrator.pfx certificate is used for Kerberos PKINIT (Public Key Cryptography for Initial Authentication) — a Kerberos extension allowing certificate-based TGT issuance. The DC validates the certificate against the CA, maps it to the administrator account via the embedded UPN and SID, and issues a TGT. Certipy then uses the Kerberos U2U (User-to-User) extension to extract the NT hash from the PAC data in the TGT — no password cracking required:

A TGT is obtained for administrator@sendai.vl and the NT hash is extracted directly.

Phase 5: Domain Administrator — Root Flag

5.1 Pass-the-Hash as Domain Administrator

With the administrator's NT hash, Pass-the-Hash via Evil-WinRM grants a fully privileged Domain Administrator shell:

The root flag is retrieved from the Administrator Desktop:


Attack Path Summary

#  | Technique                          | Result
---|------------------------------------|---------------------------------------------------------------------------
1  | RID Brute Force (Guest)            | Enumerated 20+ domain users and groups
2  | SMB Password Spray (null pw)       | Identified elliot.yates and thomas.powell with STATUS_PASSWORD_MUST_CHANGE
3  | Forced Password Change (SAMR)      | Reset both accounts via null session bind
4  | SMB Share Enumeration              | Gained READ/WRITE to config and sendai shares
5  | Credential Harvesting (.sqlconfig) | Found sqlsvc credentials in plaintext: SurenessBlob85
6  | BloodHound ACL Analysis            | Mapped: support →[GenericAll]→ admsvc →[ReadGMSAPassword]→ mgtsvc$
7  | GenericAll Abuse (bloodyAD)        | Added thomas.powell to admsvc group
8  | GMSA Password Read                 | Retrieved mgtsvc$ NTLM hash via msDS-ManagedPassword
9  | Pass-the-Hash (WinRM)              | Shell as mgtsvc$; user flag captured
10 | Registry Credential Extraction     | Found clifford.davey:RFmoB2WplgE_3p in service ImagePath
11 | ADCS ESC4 (Certipy)                | Modified SENDAICOMPUTER template to enable UPN spoofing
12 | Rogue Certificate Request          | Certificate issued with administrator UPN and SID
13 | PKINIT Auth + Hash Extraction      | Administrator NT hash retrieved via certificate auth
14 | Pass-the-Hash (WinRM)              | Domain Admin shell; root flag captured


Defensive Recommendations

1. SMB Guest Authentication Enabled: Disable guest authentication via Group Policy (Network access: Do not allow anonymous enumeration of SAM accounts and shares). This prevents RID brute-forcing and unauthenticated share browsing.

2. STATUS_PASSWORD_MUST_CHANGE Exploitation: Enforce account lockout policies and require the old password for resets where possible. Investigate why accounts had never-changed passwords and implement password hygiene monitoring.

3. Plaintext Credentials in SMB Shares: Never store credentials in configuration files on network shares. Use Windows Credential Manager, LAPS, or Azure Key Vault. Restrict share access to the minimum required principals.

4. Excessive AD ACLs (GenericAll): Audit AD ACLs regularly using BloodHound or similar tooling. Remove GenericAll/GenericWrite ACEs from regular user groups and replace them with the minimum required rights.

5. GMSA ReadGMSAPassword Exposure: Restrict ReadGMSAPassword to only those service accounts and systems that strictly require it. Audit PrincipalsAllowedToRetrieveManagedPassword on all GMSA objects.

6. Credentials in Windows Service Registry: Never store credentials in service ImagePath arguments. Use Group Managed Service Accounts for services requiring domain authentication, or store secrets in Windows Credential Manager with restricted ACLs.

7. ADCS ESC4 (Template Write Permissions): Audit certificate template ACLs using Certipy or PSPKIAudit. Remove write permissions from non-administrative accounts on all templates. Enable CA Manager Approval for templates that issue certificates containing SAN fields.
