Machine Synopsis
Scepter is a hard-difficulty Windows machine that starts with an unauthenticated NFS share, from which the attacker downloads a sensitive PFX certificate file. The attacker then discovers that the compromised user holds the `User-Force-Change-Password` right over the `A.CARTER` user account, allowing that account's password to be changed. `A.CARTER` is a member of `IT SUPPORT`, whose members have `GenericAll` on the `STAFF ACCESS CERTIFICATE` Organisational Unit (OU), so the attacker can fully control all user accounts under the OU. The attacker also discovers that the Certificate Authority is vulnerable to ESC14 (explicit weak mapping). The attacker compromises `H.BROWN` by modifying the `mail` LDAP attribute and requesting the `StaffAccessCertificate` certificate template. The `H.BROWN` user account is a member of the `CMS` group, which has privileges to alter the `altSecurityIdentities` LDAP attribute of any AD object under the `Helpdesk Enrollment Certificate` OU. As the CA is vulnerable to ESC14, the attacker can modify that LDAP attribute (using a strong mapping, i.e., `X509IssuerSerialNumber`) and request a certificate as a Domain Computer to compromise the `P.ADAMS` user account, which has DCSync privileges, allowing the attacker to compromise the domain. An alternate approach is to exploit the weak mapping `X509RFC822`, then enroll in the certificate template as the `D.BAKER` user account and compromise the `P.ADAMS` user account.
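A defender-side audit for the mapping weaknesses described above, as an added example that is not part of the original write-up: it classifies `altSecurityIdentities` values by mapping type (strong or weak per Microsoft's KB5014754 guidance) and flags any `X509RFC822` mapping whose address matches another account's `mail` attribute. The account names, addresses and the `SAMPLE` export format are constructed assumptions.

```python
import re

# Mapping types per Microsoft KB5014754, keyed by the ordered tags in the value.
STRONG = {("I", "SR"): "X509IssuerSerialNumber", ("SKI",): "X509SKI",
          ("SHA1-PUKEY",): "X509SHA1PublicKey"}
WEAK = {("I", "S"): "X509IssuerSubject", ("S",): "X509SubjectOnly",
        ("RFC822",): "X509RFC822"}
TAG = re.compile(r"<([A-Za-z0-9-]+)>([^<]*)")

def classify(value):
    """Return (mapping_type, strength, fields) for one altSecurityIdentities value."""
    if not value.upper().startswith("X509:"):
        return ("non-X509", "unknown", {})
    fields = {tag.upper(): val.strip() for tag, val in TAG.findall(value[5:])}
    key = tuple(fields)
    if key in STRONG:
        return (STRONG[key], "strong", fields)
    if key in WEAK:
        return (WEAK[key], "weak", fields)
    return ("unrecognised", "unknown", fields)

def audit(accounts):
    """Flag non-strong mappings and RFC822 mappings that collide with another account's mail."""
    mail_owner = {}
    for acct in accounts:
        if acct.get("mail"):
            mail_owner.setdefault(acct["mail"].lower(), []).append(acct["sam"])
    findings = []
    for acct in accounts:
        for value in acct.get("altSecurityIdentities", []):
            kind, strength, fields = classify(value)
            if strength != "strong":
                findings.append((acct["sam"], kind, "weak or unrecognised mapping"))
            if kind == "X509RFC822":
                for other in mail_owner.get(fields["RFC822"].lower(), []):
                    if other != acct["sam"]:
                        findings.append((acct["sam"], kind, f"mail of {other} matches this mapping"))
    return findings

# Constructed sample export (hypothetical accounts, not taken from the machine).
SAMPLE = [
    {"sam": "svc-web", "mail": None,
     "altSecurityIdentities": ["X509:<RFC822>svc-web@corp.example"]},
    {"sam": "j.doe", "mail": "svc-web@corp.example", "altSecurityIdentities": []},
    {"sam": "k.lee", "mail": "k.lee@corp.example",
     "altSecurityIdentities": ["X509:<I>DC=example,DC=corp,CN=corp-CA<SR>1200000000AC11000000002B"]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Feed it an export of `sAMAccountName`, `mail` and `altSecurityIdentities` for every object in the OUs where non-admin groups can write those attributes.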
Machine Matrix