Machine / Machines

Hercules

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Documented: published 2026-01-21. Sanitized local writeup.

Scenario

Hercules attack path


Objective

Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.

Hercules sanitized attack graph


Source coverage

High source coverage (100% coverage). Status: complete. This article is generated from 7 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

  • <TARGET>-Hercules/walkthrough.md
  • HTB/<TARGET>-Hercules/notes.md
  • HTB/<TARGET>-Hercules/attack-map.md
  • HTB/<TARGET>-Hercules/memory-summary.md
  • HTB/<TARGET>-Hercules/session-resume.md
  • HTB/<TARGET>-Hercules/custom-exploit-notes.md
  • HTB/<TARGET>-Hercules/dead-ends.md

Technical Walkthrough

Hercules Walkthrough

Source-Backed Dossier


Notes

Target: Hercules

IP: <TARGET>

OS/Difficulty: Windows / Insane

Pwnbox: <TARGET> (profex0r)

Attacker VPN IP: pending validation

Started: 2026-05-07T18:19:10Z

Scope: Authorized HackTheBox machine only

Evidence Ledger

| Time UTC | Command / Action | Output File | Finding | Confidence | Next Action |
| --- | --- | --- | --- | --- | --- |
| 2026-05-07T18:19:10Z | Created workspace and advisory pre-research | Hercules-PreResearch/research.md | Public claims recorded as unvalidated | Medium | Validate live anchors from Pwnbox |
| 2026-05-07T18:21:00Z | Pwnbox setup + ping target | Pwnbox enum/pwnbox-interfaces.txt, enum/ping-target.txt | Pwnbox VPN IP <TARGET>; target reachable with TTL 127 | High | Run validation scans |
| 2026-05-07T18:21:00Z | Expected-port TCP scan | Pwnbox nmap/expected-quick.nmap | AD/DC expected ports open: 53, 80, 88, 135, 139, 389, 443, 445, 464, 593, 636, 3268, 3269, 5986, 9389 | High | Validate domain and web stack |
| 2026-05-07T18:25:00Z | HTTP/TLS/LDAP/SMB baseline | Pwnbox enum/http-headers.txt, enum/https-cert.txt, enum/ldap-rootdse.txt, enum/smb-null-guest.txt | IIS 10 confirmed; TLS SAN hercules.htb; LDAP RootDSE confirms dc.hercules.htb and DC=hercules,DC=htb; SMB signing required; null/guest returns <secret redacted> | High | Add hosts and fingerprint web |
| 2026-05-07T18:28:00Z | Service/version scan | Pwnbox nmap/services.nmap | Host DC, Windows, AD LDAP/Kerberos, WinRM SSL, high RPC; clock skew ~4m30s | High | Proceed with advisory chain as validated hypothesis |
| 2026-05-07T18:28:00Z | Web baseline | Pwnbox enum/https-index.html, enum/web-index-summary.txt, enum/web-quick-paths.txt | Hercules Corp ASP.NET/IIS app; /Login exposes Hercules SSO with anti-CSRF token and client username regex | High | Build controlled login/LDAP injection oracle tests |
| 2026-05-07T22:27:17Z | /Login LDAP oracle extraction | Pwnbox enum/description-*, local loot/oracle-current-prefix.txt | Double-encoded LDAP filter injection confirmed. description prefix extraction produced a credential-like value; exact value still incomplete. | High | Resume from saved prefix, avoid broad scans, continue targeted extraction after Pwnbox returns |
| 2026-05-07T22:27:17Z | Pwnbox health check | SSH to <TARGET> | Pwnbox SSH timed out; local machine has no route to <TARGET>. Live exploitation paused on infrastructure, not target logic. | High | Restart/restore Pwnbox or provide new IP |
| 2026-05-08T01:49:06Z | New Pwnbox validation | SSH to <TARGET> | Pwnbox reachable; VPN IP <TARGET>; route to <TARGET>/16 present; core tools available | High | Rebuild Pwnbox workspace and validate new target IP |

Validation Gate

| Anchor | Expected | Status | Evidence |
| --- | --- | --- | --- |
| Target reachable over HTB VPN | <TARGET> live | MATCHED | Pwnbox enum/ping-target.txt |
| Windows DC-like service set | DNS/Kerberos/LDAP/SMB/RPC/WinRM SSL | MATCHED | Pwnbox nmap/services.nmap |
| Domain | hercules.htb | MATCHED | Pwnbox enum/ldap-rootdse.txt, enum/https-cert.txt |
| Hostname | dc.hercules.htb / DC | MATCHED | Pwnbox enum/ldap-rootdse.txt, nmap/services.nmap |
| Web stack | IIS/ASP.NET on 80/443 | MATCHED | Pwnbox enum/http-headers.txt, enum/web-index-summary.txt |
| TLS certificate | CN/SAN hercules.htb | MATCHED | Pwnbox enum/https-cert.txt |
| LDAP/SMB posture | NTLM may be disabled/restricted | PARTIAL MATCH | Pwnbox enum/smb-null-guest.txt shows <secret redacted>; more auth testing needed |
| AD CS surface | CA/templates | <secret redacted> | Requires credentials or deeper enumeration |

Gate decision: 6+ core anchors matched. Public research is credible enough to use as advisory guidance, but every exploitation step still requires live proof.

Attack Map

Hosts

| IP | Hostname | OS | Status | Reachable From |
| --- | --- | --- | --- | --- |
| <TARGET> | dc.hercules.htb / DC | Windows DC | pending revalidation | Pwnbox |

Services

| Host | Port | Service | Version | Auth | Notes |
| --- | --- | --- | --- | --- | --- |
| dc.hercules.htb | 53 | DNS | Simple DNS Plus | n/a | AXFR denied |
| dc.hercules.htb | 80 | HTTP | Microsoft IIS 10.0 | public | Redirects to HTTPS |
| dc.hercules.htb | 88 | Kerberos | Microsoft Windows Kerberos | domain | Clock skew about 4m30s |
| dc.hercules.htb | 389/636/3268/3269 | LDAP/GC | Active Directory LDAP | bind required for subtree | RootDSE anonymous allowed |
| dc.hercules.htb | 443 | HTTPS | Microsoft IIS 10.0 / ASP.NET | public | Hercules Corp; /Login SSO form |
| dc.hercules.htb | 445 | SMB | SMB2/3 | null/guest rejected | Signing required; <secret redacted> with null/guest |
| dc.hercules.htb | 5986 | WinRM SSL | Microsoft HTTPAPI 2.0 | creds required | Candidate later auth surface |
| dc.hercules.htb | 9389 | ADWS | .NET Message Framing | creds required | AD management surface |

Credentials

| Source | Username | Secret | Type | Tested On | Result |
| --- | --- | --- | --- | --- | --- |

(no entries recorded)

Attack Paths

| # | Path | Status | Evidence |
| --- | --- | --- | --- |
| 1 | Public advisory: web LDAP injection -> FormsAuth/LFI -> ADCS/shadow creds -> RBCD | anchors matched / exploitation pending | notes.md Validation Gate |
| 2 | Live /Login LDAP oracle -> extract credential-bearing LDAP attributes -> initial domain auth | active | Pwnbox enum/description-*, local loot/oracle-current-prefix.txt |
| 3 | Pure live recon fallback: ASP.NET SSO + AD enumeration from web only | active backup | Pwnbox enum/web-index-summary.txt |

Trust Edges

None confirmed.

Memory Summary

Platform: HackTheBox

Machine: Hercules

Difficulty/OS: Insane / Windows

Purpose: Sanitized operational memory for future HTB, AD, ASP.NET, document-processing, and ADCS work.

Sanitization policy: raw flags, reusable <password redacted>, hashes, tickets, PFX material, and Pwnbox credentials are not included here.

Outcome State

  • User flag was captured from the live target. The raw flag is intentionally omitted.
  • Root was not complete at the time of this summary, but the root path was identified and partially validated.
  • The engagement produced high-value negative evidence: many plausible Insane Windows AD branches were closed with live tests instead of assumptions.

High-Level Chain

  1. Validation gate matched a Windows AD domain controller with IIS/ASP.NET, LDAP/Kerberos/SMB/WinRM, ADWS, and ADCS-relevant surfaces.
  2. The public web application exposed an ASP.NET Forms Authentication flow backed by LDAP.
  3. A double-encoded LDAP injection oracle in the login flow was confirmed and used for controlled AD attribute extraction. Broad extraction was noisy; small anti-CSRF-aware probes with cooldowns were more reliable.
  4. HadesWeb source artifacts were recovered and decompiled. The source review closed the web branch: only three controllers were present, no hidden privileged routes existed, and the relevant LDAP lookup used sAMAccountName, not cn or name.
  5. A large set of AD abuse hypotheses were tested and closed before the correct post-user path was identified.
  6. The root path was identified as an ACL-to-ADCS chain: an account with WriteDacl on a migration OU can grant inheritable control over a disabled Smartcard Operators user, enable/reset that user, obtain an enrollment-agent certificate, then use ESC3 on-behalf-of enrollment for an administrator certificate.

Root Path Lesson

The important strategic lesson is that the intended bridge was not the document processor, web app, RBCD, password cracking, or direct GenericWrite abuse. It was an inherited OU DACL path into an ADCS enrollment role.

Validated root-path components:

  • WriteDacl on an OU can be enough when the useful target is a child object and the ACE is inheritable.
  • After adding the correct inheritable ACE, enabling the disabled user and resetting its password worked.
  • The enabled user had the ADCS role needed to enroll an enrollment-agent certificate.
  • The remaining blocker was tooling for ESC3 on-behalf-of enrollment, not the attack path.

Tooling lesson:

  • When Certipy fails during ESC3 on-behalf-of enrollment with Kerberos/RPC transport errors, do not immediately abandon the path.
  • Switch tool family: use Windows-native Certify for request-agent / on-behalf-of enrollment, then Rubeus for certificate-to-TGT, or test the latest Certipy from a clean virtual environment.
  • Treat certreq over unstable WinRM as a fallback; it is more brittle than a single-purpose ADCS tool.

Closed Branches and Reusable Reasons

LibreOffice / ODT Document Execution

  • ODT files were consumed by a document processor and lock files appeared, proving the processor opened documents.
  • Macro/script payloads, LibreLogo, OLE, DDE, external references, XXE-style document tricks, and known LibreOffice document vectors produced no execution and no callbacks.
  • Best explanation: headless conversion mode. Headless LibreOffice conversion can open documents without firing interactive document events.
  • Future rule: if only lock files appear and all macro/callback canaries fail, close document execution quickly and pivot.

SMB Workflow Canaries

  • SCF, desktop.ini, URL shortcut, and script canaries in writable shares produced no SMB or HTTP callbacks.
  • This indicates no user or service was browsing the share through Explorer.
  • Future rule: use canaries early to prove whether a human/service workflow exists before spending hours on file-trigger payloads.

ASP.NET Source Branch

  • Decompiled source is stronger evidence than route fuzzing alone.
  • The recovered HadesWeb assembly showed no hidden controllers, no cleanup workflow, no password reset, no AD management function, and no cn/name lookup.
  • FormsAuth roles were forgeable from cookie user data, but no privileged app functionality existed to unlock.
  • Rule: a forgeable role cookie is only useful if source or live routes prove an authorization boundary worth crossing.
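The filter weakness behind items 3 and 4 of the chain and the source review above (unescaped input reaching an sAMAccountName lookup, reachable through double encoding), shown in a vulnerable and a hardened form. This is an added Python illustration, not HadesWeb code: the double URL decoding is an assumed mechanism for the bypass, and the filter shape follows what the decompiled source reported.

```python
"""Vulnerable and hardened construction of an LDAP login filter.
Added illustration, not HadesWeb code: the double URL-decoding is an assumed
mechanism for the "double-encoded" bypass; the filter shape (lookup by
sAMAccountName) is taken from the writeup."""
from urllib.parse import unquote

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP search-filter assertion value."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_vulnerable(raw_username: str) -> str:
    """Vulnerable pattern (assumed): the form value is decoded twice, once by the
    framework and once in application code, then interpolated unescaped. A
    client-side username regex never sees the fully decoded value, so it is
    not a control."""
    username = unquote(unquote(raw_username))
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def build_login_filter_hardened(raw_username: str) -> str:
    """Hardened form: decode exactly once at the framework boundary, enforce a
    server-side policy, escape per RFC 4515, keep the filter structure fixed."""
    username = unquote(raw_username)
    if not 1 <= len(username) <= 64:
        raise ValueError("username length outside policy")
    return f"(&(objectClass=user)(sAMAccountName={escape_ldap_filter_value(username)}))"


def count_filter_items(ldap_filter: str) -> int:
    """Count unescaped '(' characters. The fixed login filter always has 3; any
    other count means caller input changed the filter structure. Logging this
    per request is a cheap detection signal for the probing described above."""
    count, i = 0, 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3  # skip an RFC 4515 escape such as \28
            continue
        if ldap_filter[i] == "(":
            count += 1
        i += 1
    return count


# Constructed request value: "*)(description=H*" URL-encoded twice, the shape of
# a description-prefix probe. Only the vulnerable builder turns it into a clause.
DOUBLE_ENCODED_PROBE = "%252A%2529%2528description%253DH%252A"

if __name__ == "__main__":
    for name, build in (("vulnerable", build_login_filter_vulnerable),
                        ("hardened", build_login_filter_hardened)):
        f = build(DOUBLE_ENCODED_PROBE)
        print(f"{name:10s} items={count_filter_items(f)} filter={f}")
```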

GenericWrite and AD Rights

  • GenericWrite did not imply ForceChangePassword. Resetting unicodePwd requires the ForceChangePassword extended right.
  • GenericWrite did not allow setting constrained delegation attributes in this case.
  • Some tool output that looked like broad WRITE was only limited name/RDN-style write capability.
  • Future rule: verify AD rights with the exact attribute or extended-right write needed; do not trust generic labels from one tool.

RBCD Between User Accounts

  • User-to-user RBCD could mechanically produce a delegated ticket, but the ticket was encrypted with the controlled user's key, not the DC service key.
  • The result failed against DC services.
  • Future rule: RBCD is only useful when the target service account actually backs the service you need, such as a computer account for CIFS/LDAP/HTTP on that host.

KCD

  • Attempts to set msDS-AllowedToDelegateTo and related delegation flags failed with insufficient rights or invalid syntax.
  • Future rule: do not conflate write access to ordinary user attributes with delegation control.

ADCS Direct Enrollment and UPN Spoofing

  • Direct enrollment into privileged templates was denied until the Smartcard Operators path was unlocked.
  • UPN spoofing plus certificate enrollment worked mechanically, but strong certificate binding mapped the certificate back to the requester because the SID extension was present.
  • No useful template had the no-security-extension behavior required for the common ESC9-style bypass.
  • Future rule: if SID extension strong mapping is enforced, UPN spoofing is not enough. Look for role/template abuse, enrollment agent paths, CA policy weaknesses, or actual SID-less templates.

ESC14 / Signature Chain

  • Template signature requirements were checked and did not create a useful chain.
  • Future rule: only pursue ESC14-style paths when a template actually requires authorized signatures and a controlled certificate can satisfy that requirement.

Kerberoast / Password Spray

  • Targeted Kerberoasting and password/hash spraying against high-value accounts failed with standard wordlists and custom guesses.
  • Future rule: on Insane boxes, cracking/spraying is a hypothesis, not a default sink. Timebox it and move back to graph-backed privilege paths.

Machine Account Creation

  • Machine account creation was blocked by quota even when OU-level create-child looked promising.
  • Future rule: confirm MachineAccountQuota and live computer creation before planning RBCD around new machine accounts.

IIS Kerberos and Client Cert Auth

  • IIS did not advertise Negotiate and did not request client certificates.
  • Future rule: RBCD/PKI web-auth pivots need live auth surface proof. Check WWW-Authenticate and TLS client certificate request behavior before assuming they exist.

Harness / Workflow Lessons

  • The v3 harness was valuable once it forced branch closure: checkpoint packet, RAG queries, retrieval tags, and evaluator pass justified asking for a targeted hint.
  • The hint threshold was appropriate after many closed branches with evidence and no remaining ranked hypothesis.
  • The correct use of LightRAG here is not to ask for the exact box answer; it is to retrieve prior patterns and then mark results as MATCHED, MISSING, or GENERIC.
  • Keep active workspace as source of truth. RAG is advisory memory and should not override live evidence.

Future Query Triggers

Use this summary when a future target includes any of these patterns:

  • ASP.NET FormsAuth plus LDAP-backed login or LDAP injection oracle.
  • HadesWeb-style source disclosure or recovered .dll / .pdb from IIS.
  • Writable SMB share with document processor but no callbacks.
  • LibreOffice lock files without macro execution.
  • AD rights where GenericWrite, limited WRITE, or WriteDacl appear ambiguous.
  • OU WriteDacl with disabled child users or privileged role groups.
  • ADCS ESC3 / enrollment-agent path with Certipy transport failures.
  • UPN spoofing blocked by SID extension strong certificate mapping.
  • User-to-user RBCD producing a ticket that fails against DC services.

New Session Findings (Multi-Agent Collaboration)

OU Object Move via Raw LDAP ModifyDN

  • Technique: bob.w (Recruitment Managers) has CreateChild/DeleteChild on multiple OUs. Used raw ASN.1 BER-encoded LDAP ModifyDN to move stephen.m from Security Department OU to Web Department OU.
  • Effect: natalie.a's inherited GenericWrite (scoped to Web Department OU) now applies to stephen.m.
  • Tool gap: No standard Linux offensive tool (bloodyAD, impacket, certipy, ldap3 with GSSAPI) supports Kerberos-authenticated LDAP ModifyDN. Required building the ModifyDN request as raw BER bytes and sending through impacket's LDAPConnection socket.
  • BER encoding: Application tag 12 (0x6C), with entry DN, new RDN, deleteoldrdn boolean, and context-tagged [0] newSuperior.

bob.w Writable Scope Was Larger Than Initially Known

  • bloodyAD get writable as bob.w revealed WRITE on ALL Security Department users (auditor, mark.s, stephen.m, vincent.g, nate.h, elijah.m, angelo.o) AND all Engineering Department users. Previous analysis only checked natalie.a's scope.
  • The WRITE was limited to name/cn WriteProperty only (not GenericWrite) — shadow creds, RBCD, SPN, and attribute writes all denied on these users.
  • The CreateChild/DeleteChild on OUs was the actual useful right, enabling the OU move technique.
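The rights lessons above (WriteDacl inheriting from an OU to a child user, GenericWrite versus ForceChangePassword, bob.w's cn-only WriteProperty, and an OU move changing which inherited ACEs apply) as an added Python audit model. It is not a tool from the engagement: inheritance is simplified, the GUID constants are assumed from the AD schema, and every account name except natalie.a and bob.w is hypothetical.

```python
"""Effective-rights audit over a constructed OU tree, modelling the ACE lessons in
this writeup. Added example, not a tool from the engagement: inheritance is simplified
(InheritedObjectType and NO_PROPAGATE_INHERIT_ACE ignored); GUIDs assumed from the schema."""
from dataclasses import dataclass, field
from typing import List, Optional
from uuid import UUID

# Access-mask bits (ADS_RIGHTS_ENUM and generic rights).
DS_WRITE_PROP = 0x00000020
DS_CONTROL_ACCESS = 0x00000100
WRITE_DAC = 0x00040000
GENERIC_ALL = 0x10000000
GENERIC_WRITE = 0x40000000
# ACE header flags that drive inheritance.
CONTAINER_INHERIT_ACE = 0x02
INHERIT_ONLY_ACE = 0x08
# Extended-right and attribute GUIDs (assumed from the AD schema).
USER_FORCE_CHANGE_PASSWORD = UUID("00299570-246d-11d0-a768-00aa006e0529")
MSDS_KEY_CREDENTIAL_LINK = UUID("5b47d60f-6090-40b2-9f37-2a4de88f3063")
CN_ATTRIBUTE = UUID("bf96793f-0de6-11d0-a285-00aa003049e2")


@dataclass(frozen=True)
class Ace:
    trustee: str
    mask: int
    object_type: Optional[UUID] = None  # None: whole object / every extended right
    flags: int = 0


@dataclass
class AdObject:
    dn: str
    parent: Optional["AdObject"] = None
    dacl: List[Ace] = field(default_factory=list)


def effective_aces(obj: AdObject) -> List[Ace]:
    """Explicit ACEs plus every inheritable ACE from the ancestor containers."""
    aces = [a for a in obj.dacl if not a.flags & INHERIT_ONLY_ACE]
    node = obj.parent
    while node is not None:
        aces.extend(a for a in node.dacl if a.flags & CONTAINER_INHERIT_ACE)
        node = node.parent
    return aces


def _aces_for(obj: AdObject, trustee: str) -> List[Ace]:
    return [a for a in effective_aces(obj) if a.trustee == trustee]


def can_write_attribute(obj: AdObject, trustee: str, attribute: UUID) -> bool:
    """GenericWrite covers every attribute; WriteProperty covers only the attribute
    named in its ObjectType (all attributes when ObjectType is empty)."""
    for a in _aces_for(obj, trustee):
        if a.mask & (GENERIC_ALL | GENERIC_WRITE):
            return True
        if a.mask & DS_WRITE_PROP and a.object_type in (None, attribute):
            return True
    return False


def can_reset_password(obj: AdObject, trustee: str) -> bool:
    """Resetting unicodePwd needs the User-Force-Change-Password extended right,
    a CONTROL_ACCESS ACE that GenericWrite does not include."""
    for a in _aces_for(obj, trustee):
        if a.mask & GENERIC_ALL:
            return True
        if a.mask & DS_CONTROL_ACCESS and a.object_type in (None, USER_FORCE_CHANGE_PASSWORD):
            return True
    return False


def can_write_dacl(obj: AdObject, trustee: str) -> bool:
    """WriteDacl on a container reaches every child once the ACE is inheritable."""
    return any(a.mask & (GENERIC_ALL | WRITE_DAC) for a in _aces_for(obj, trustee))


def build_sample_tree() -> dict:
    """Constructed tree mirroring the edge shapes reported above; every name other
    than natalie.a and bob.w is hypothetical."""
    base = "DC=hercules,DC=htb"
    root = AdObject(base)
    web_ou = AdObject(f"OU=Web Department,{base}", root,
                      [Ace("natalie.a", GENERIC_WRITE, None, CONTAINER_INHERIT_ACE)])
    sec_ou = AdObject(f"OU=Security Department,{base}", root,
                      [Ace("bob.w", DS_WRITE_PROP, CN_ATTRIBUTE, CONTAINER_INHERIT_ACE)])
    mig_ou = AdObject(f"OU=Forest Migration,{base}", root,
                      [Ace("migration.op", WRITE_DAC, None, CONTAINER_INHERIT_ACE)])
    return {"web_ou": web_ou,
            "web.user": AdObject(f"CN=web.user,OU=Web Department,{base}", web_ou),
            "sec.user": AdObject(f"CN=sec.user,OU=Security Department,{base}", sec_ou),
            "mig.user": AdObject(f"CN=mig.user,OU=Forest Migration,{base}", mig_ou)}
```

Re-parenting `sec.user` under the Web Department OU in this model makes natalie.a's inherited GenericWrite apply to it, which is the containment effect the OU-move finding describes.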

Cleanup Timer Details

  • Cleanup script runs every ~10 minutes on the DC.
  • Resets: dsacls ACEs on Forest Migration OU, disables fernando.r, resets his password.
  • Minimum password age policy: ~3 minutes between password changes. Must wait after cleanup before resetting fernando.r's password.
  • Race condition: entire chain (dsacls → enable → wait 3 min → password reset → TGT → cert enrollment) must complete within ~10 minutes.

certreq Native Workflow

  • certreq -new requires explicit ProviderName + ProviderType in INF to avoid interactive CSP dialog, plus Silent = TRUE and UserProtected = FALSE.
  • certreq -sign with -cert <thumbprint> signs a PKCS10 request with the enrollment agent cert, creating a CMC on-behalf-of request.
  • certreq -sign consistently crashes evil-winrm (malloc_consolidate). Requires stable interactive session (RDP/VNC).
  • certutil -sign without -cert flag tries to open GUI cert picker, which fails via WinRM.

User/UserSignature Templates Enrollable by Domain Users

  • Both templates have Enrollment Rights: Domain Users — hidden from certipy's initial output.
  • Both have Client Authentication EKU.
  • User template requires SubjectRequireEmail (Administrator has no email → enrollment fails).
  • SmartcardUser requires SubjectRequireEmail too.
  • SmartcardLogon does NOT require email but wasn't listed by Certify.exe enum-templates as available.

ADCS SID Extension Strong Binding

  • All certificates issued by <secret redacted> embed OID 1.3.6.1.4.1.311.25.2 with the requester's SID.
  • certipy auth with -domain -username flag gets client-side "Object SID mismatch" check.
  • PKINITtools gettgtpkinit.py bypasses client-side check but KDC returns <secret redacted> when SID doesn't match target.
  • Shadow credential PKINIT always authenticates as the Key Credential owner regardless of UPN change.

Reusable Operator Lessons

  • Build a graph of exact rights and object containment before spending time on payloads.
  • For every AD edge, test the exact target operation, not just whether a tool labels an edge as writable.
  • Use source-code decompilation to close web hypotheses early when assemblies are recovered.
  • Canary workflow assumptions before developing document payloads.
  • Separate strategic failure from tooling failure. If the graph and privileges prove the path, rotate tools before pivoting strategies.
  • For ESC3, prioritize Certify plus Rubeus when Certipy on-behalf-of enrollment is unreliable.

ESC3 On-Behalf-Of Tooling Failure Map (Hercules-Specific)

This section documents the exact tooling failures encountered during ESC3 on-behalf-of enrollment when NTLM is globally blocked and the only session available is evil-winrm.

Known Failures

  • certipy req -on-behalf-of with Kerberos: <secret redacted> (0x80010117) — Certipy RPC transport bug; fixed in later git commits. Always install certipy from git HEAD on Kerberos-only targets.
  • certipy req -hashes: invalid_checksum when NTLM is blocked globally.
  • Certify.exe via evil-winrm: malloc_consolidate crashes on SmartcardUser template and on certreq -sign. evil-winrm is not a stable host for memory-intensive certificate operations.
  • certreq -new via evil-winrm: hangs on CSP interactive prompt. Requires Silent=TRUE + explicit ProviderName + ProviderType in INF file. Even with correct INF, certreq -sign crashes evil-winrm.
  • certutil -sign without -cert flag: opens GUI cert picker, fails non-interactively.

Tooling Rotation Order for ESC3 on NTLM-blocked targets

  1. Latest certipy from git HEAD (-on-behalf-of, Kerberos only, from Pwnbox — no Windows session needed)
  2. pyForgeCert (Python-native CMC from Pwnbox — no Windows session needed)
  3. Enable RDP via short WinRM commands → certreq -sign interactively in RDP session
  4. wmiexec instead of evil-winrm for certreq staging (different memory profile, may avoid malloc crash)

Race Condition Pattern (Cleanup Timer)

  • If a cleanup script resets target account state every N minutes, pre-stage ALL commands before starting the chain.
  • Identify minimum password age policy before attempting password resets — waiting time must be factored into the race window.
  • Measure cleanup cadence with at least two observations before committing to a timed chain.

WinRM Stability Pattern

  • evil-winrm malloc_consolidate crashes occur on commands that involve large memory operations (certreq, certain PowerShell crypto operations).
  • Use wmiexec.py for individual commands when evil-winrm is unstable.
  • Keep each WinRM command short and stateless — avoid piping or chaining complex operations in one call.
  • For stable interactive sessions on NTLM-blocked targets: enable RDP via short registry + firewall commands over WinRM, then use xfreerdp with Kerberos.

Current Engagement State (Root Not Yet Captured)

  • User flag: captured.
  • Root path: validated. The path is correct; only tooling execution remains.
  • Enrollment agent cert: obtained and stored in loot/.
  • Remaining step: ESC3 on-behalf-of Administrator cert → PKINIT → root flag.
  • Recommended next tool: latest certipy from git HEAD, then pyForgeCert if that fails.
  • All 17 dead-end branches documented in dead-ends.md — do not revisit.

Session Resume

Last updated: 2026-05-08T01:49:06Z

Current Access

  • No target shell yet.
  • Pwnbox validated: <TARGET>, VPN <TARGET>.
  • Target validated as dc.hercules.htb / hercules.htb, Windows AD DC, IIS/ASP.NET web surface.
  • Target IP has changed from <TARGET> to <TARGET>; revalidate core anchors before resuming exploitation.
  • /Login double-encoded LDAP injection oracle is confirmed. The active extraction target is the description attribute. The current credential-like prefix is stored in loot/oracle-current-prefix.txt.

Session Registry

| Name | Host | Command | Pane | Local Port | Remote Target | Status |
| --- | --- | --- | --- | --- | --- | --- |
| hercules:recon | Pwnbox | expected/service scans | tmux hercules:recon | n/a | <TARGET> | expected scan interrupted; service scan complete |
| hercules:fullscan | Pwnbox | full TCP scan | tmux hercules:fullscan | n/a | <TARGET> | complete |
| hercules:oracle | Pwnbox | /Login anti-CSRF response-diff scripts | one-shot SSH/processes | n/a | https://hercules.htb/Login | needs rebuild on new Pwnbox |

Next Three Actions

  1. Rebuild Pwnbox workspace at /home/profex0r/HTB/<TARGET>-Hercules and set /etc/hosts to <TARGET> hercules.htb dc.hercules.htb.
  2. Validate target anchors on new IP, then resume targeted description extraction from loot/oracle-current-prefix.txt; do not restart broad enumeration or fast single-session scripts.
  3. Identify the owning account for the recovered value, test authentication quietly, then collect LDAP/BloodHound/Certipy evidence if credentials work.

Blockers

  • The target web login oracle slows down under broad scans. Use small targeted probes with cooldowns.

Cleanup

  • None yet.

Notes

State-Mutating Actions

No state-mutating actions performed yet.

Exploit Iterations

| Time UTC | Script/Technique | Result | Next Adjustment |
| --- | --- | --- | --- |
| 2026-05-07T22:27:17Z | login_probe.py and targeted /Login LDAP filter injection probes | Anti-CSRF aware login harness distinguishes MATCH vs NO via response text. description extraction is confirmed and partially recovered. | Continue from saved prefix using small targeted probes. Avoid ldap_oracle_enum_fast.py because it caused noisy/rate-limit behavior. |

Dead Ends

Document Macro/Script Execution

  • Hypothesis: LibreOffice opens ODTs → macro/script → code execution as natalie.a
  • Tested: 16+ payloads: Basic macros, Python macros, Shell(), SimpleFileAccess, SystemShellExecute, LibreLogo, <secret redacted>, <secret redacted>, <secret redacted>, OLE Package, XXE, text:section-source, DDE/DDEAUTO, draw:plugin, draw:applet, .uno:RunMacro, settings.xml MacroExecutionMode override
  • Why it failed: Headless mode — no events, macros, or interactive features fire
  • Revisit if: Processor mode changes from headless to interactive

Outbound Callbacks from Document Processor

  • Hypothesis: ODT with external references triggers HTTP/SMB callback
  • Tested: HTTP image, SMB/UNC image, DOCX attached template, floating frame
  • Why it failed: All outbound connections blocked from the processor
  • Revisit if: Network policy changes

KCD (Constrained Delegation)

  • Hypothesis: GenericWrite → set msDS-AllowedToDelegateTo + UAC delegation flag → impersonate to DC
  • Tested: bloodyAD set on bob.w for both attributes
  • Why it failed: insufficientAccessRights on msDS-AllowedToDelegateTo; invalidAttributeSyntax on UAC delegation
  • Revisit if: Never — GenericWrite confirmed not sufficient for these attributes

RBCD to DC

  • Hypothesis: Set msDS-AllowedToActOnBehalfOfOtherIdentity on controlled user → S4U → DC access
  • Tested: RBCD on bob.w with web_admin as delegatee; S4U2Self+Proxy with -force-forwardable; got administrator.ccache
  • Why it failed: Ticket encrypted with bob.w's key, not DC's. <secret redacted> for all DC services. Confirmed no IIS Negotiate auth.
  • Revisit if: A service account running under a controlled user is discovered

ADCS Enrollment (Direct)

  • Hypothesis: Enroll in SmartcardLogon/SmartcardUser/EnrollmentAgent template
  • Tested: certipy req as natalie.a for SmartcardLogon
  • Why it failed: <secret redacted> — only Smartcard Operators/Domain Admins can enroll
  • Revisit if: We gain Smartcard Operators membership

ESC8 NTLM Relay to ADCS

  • Hypothesis: Relay NTLM auth to ADCS web enrollment
  • Tested: Previous LLM confirmed NTLM relay returns <secret redacted>
  • Why it failed: NTLM restricted on target
  • Revisit if: NTLM restriction is lifted

ESC9/ESC10 UPN Spoofing

  • Hypothesis: Change UPN → enroll cert with spoofed UPN → PKINIT as target
  • Tested: Changed bob.w UPN to <email redacted>; enrolled cert (SUCCESS); PKINIT via PKINITtools and certipy
  • Why it failed: SID extension (OID 1.3.6.1.4.1.311.25.2) in cert enforces strong binding. <secret redacted>. Certipy: "Object SID mismatch"
  • Revisit if: <secret redacted> is found on a template (ESC9) or CA disables SID extension (ESC16)

ESC14 Signature Chain

  • Hypothesis: UserSignature cert satisfies issuance requirement for another template
  • Tested: Checked Authorized Signatures Required on ALL 18 enabled templates
  • Why it failed: ALL templates have AuthorizedSignaturesRequired=0 — no template requires signatures
  • Revisit if: Never

ForceChangePassword via GenericWrite

  • Hypothesis: GenericWrite includes ResetPassword extended right → change auditor's password
  • Tested: bloodyAD set password (LDAP REPLACE) on harris.d (known GenericWrite target) AND auditor (bob.w WRITE target), with and without -s (SSL)
  • Why it failed: GenericWrite ≠ ForceChangePassword. Separate ACEs. LDAP REPLACE denied for both.
  • Revisit if: Never — confirmed architectural limitation

Shadow Credentials on Non-Web-Dept Users

  • Hypothesis: bob.w WRITE on auditor includes msDS-KeyCredentialLink
  • Tested: certipy shadow auto on auditor, mark.s, stephen.m via bob.w
  • Why it failed: <secret redacted> — bob.w WRITE is only WriteProperty on name/cn, not GenericWrite
  • Revisit if: Never

Password Spraying

  • Hypothesis: Shared NT hash or known <password redacted> reused by high-value targets
  • Tested: 3 NT hashes + 2 plaintext <password redacted> sprayed against 14 targets (ashley.b, auditor, all helpdesk, admin, IIS accounts)
  • Why it failed: All <secret redacted> — no password reuse
  • Revisit if: New credentials discovered

Kerberoast (Targeted)

  • Hypothesis: Crack controlled users' <password redacted> via TGS tickets → spray plaintext
  • Tested: Set SPNs on all 5 Web Dept users, captured 5 TGS tickets, cracked with rockyou + best64 rules + hashcat + custom wordlist
  • Why it failed: 0/5 cracked — <password redacted> resist standard wordlists
  • Revisit if: Better wordlist or specific password pattern discovered

Machine Account Creation

  • Hypothesis: OU-level CreateChild bypasses MachineAccountQuota=0
  • Tested: bloodyAD add computer + impacket-addcomputer in Web Dept and Security Dept OUs
  • Why it failed: <secret redacted> regardless of OU CreateChild
  • Revisit if: Never

IIS Kerberos/Negotiate Auth

  • Hypothesis: Web app accepts Kerberos auth → RBCD ticket usable against HTTP service
  • Tested: curl with --negotiate on all endpoints; checked all response headers
  • Why it failed: No WWW-Authenticate/Negotiate header on any endpoint. FormsAuth only.
  • Revisit if: Never

Client Certificate Auth

  • Hypothesis: IIS requests client certificates → use enrolled cert for auth
  • Tested: openssl s_client on 443 and 5986
  • Why it failed: "No client certificate CA names sent" — not configured
  • Revisit if: Never

SMB Workflow Canaries

  • Hypothesis: SCF/desktop.ini/URL/aCleanup.ps1 in Reports triggers callback from browsing user
  • Tested: Planted @canary.scf, desktop.ini, canary.url, aCleanup.ps1 in Reports; monitored SMB+HTTP for 3+ minutes
  • Why it failed: Zero callbacks. Only LibreOffice headless opened the ODT. No user/service browses Reports.
  • Revisit if: Evidence of a folder-browsing user/service appears

cn/name Rename as Web App Primitive

  • Hypothesis: Renaming Security Dept user CN influences web app LDAP lookup
  • Tested: DLL strings analysis confirms only sAMAccountName in LDAP filter. No cn/name lookup in code.
  • Why it failed: App uses sAMAccountName exclusively. cn/name change has no app-side effect.
  • Revisit if: Second DLL or IIS module discovered that uses cn