<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Adcs on appl3b0y</title>
    <link>https://appl3b0y.com/tags/adcs/</link>
    <description>Recent content in Adcs on appl3b0y</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Tue, 09 Jun 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://appl3b0y.com/tags/adcs/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Escape</title>
      <link>https://appl3b0y.com/writeups/escape/</link>
      <pubDate>Tue, 09 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://appl3b0y.com/writeups/escape/</guid>
      <description>&lt;h2 id=&#34;introduction&#34;&gt;Introduction&lt;/h2&gt;&#xA;&lt;p&gt;&lt;strong&gt;Escape&lt;/strong&gt; is a medium-difficulty Windows machine built around a realistic &lt;strong&gt;Active Directory&lt;/strong&gt; attack path. There is no flashy web exploit here: the whole box is about chaining together small pieces of information leaked across an AD environment.&lt;/p&gt;&#xA;&lt;p&gt;The chain looks like this: a document sitting on an anonymous SMB share hands us a low-privilege MSSQL account. From MSSQL we coerce the service account into authenticating back to us and capture its hash. That single credential, sprayed across the domain, gives us a shell. On the host we find a domain user&amp;rsquo;s password hiding in an SQL error log, and finally we abuse a misconfigured &lt;strong&gt;Active Directory Certificate Services (AD CS)&lt;/strong&gt; template (&lt;strong&gt;ESC1&lt;/strong&gt;) to mint a certificate for the Domain Administrator.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
