:::info Last tested Kali Linux 2025.4 · HexStrike AI (Kali package 2025.4 repo) · May 2026. Results may vary on other versions. :::
Cursor + HexStrike. ADCS ESC8 Attack Chain
Single-Prompt Lab Demonstration — GOAD-Mini Environment
Cursor + HexStrike. ADCS ESC8 Attack Chain (Lab)
Single-Prompt ADCS ESC8 Attack Chain
Abstract
This article documents a single-prompt lab engagement that achieves domain compromise through the ADCS ESC8 vulnerability. Starting from nothing more than an IP address, the AI-orchestrated attack framework executed the entire chain — from reconnaissance to domain compromise — in one session against the GOAD-Mini lab.
Lab result: In this GOAD-Mini run, a single high-level prompt initiated a multi-phase workflow. The outcome demonstrates orchestration capability in a controlled environment, not guaranteed autonomous reliability in production.
If you like this research, buy me a coffee (PayPal) — Keep the lab running
Introduction
Traditional penetration testing requires manual intervention at each step: running tools, interpreting results, making decisions, and troubleshooting failures. This article demonstrates an attack chain driven by a single prompt to execute the complete ADCS ESC8 sequence in a controlled lab environment.
What Makes This Attack Complicated?
- Multi-Stage Attack Chain: 7 distinct phases, each with dependencies
- Blackbox Approach: Starting with zero knowledge (only IP address)
- Automatic Troubleshooting: Handles errors and adapts automatically
- Tool Orchestration: Coordinates multiple security tools seamlessly
- Contextual Sequencing: AI selects the next tool based on prior output
Attack Overview
Target Environment
- Target IP:
192.168.56.10 - Environment: GOAD-Mini (Game of Active Directory)
- Starting Point: IP address only (blackbox)
- End Goal: Full domain compromise with all password hashes
Attack Chain
IP Address (192.168.56.10)
↓
[Phase 1] Reconnaissance
├─ Port Scanning
├─ Service Enumeration
├─ Domain Discovery
└─ ADCS Detection
↓
[Phase 2] Credential Acquisition
├─ Password Spraying
├─ ASREPRoasting
└─ Kerberoasting
↓
[Phase 3] ADCS Enumeration
├─ CA Discovery
├─ Template Enumeration
└─ Vulnerability Verification
↓
[Phase 4] Certificate Request
├─ Authenticate with Low-Privilege Creds
├─ Request Administrator Certificate
└─ Save Certificate (.pfx)
↓
[Phase 5] Certificate Authentication
├─ Use Certificate for PKINIT
├─ Obtain Kerberos TGT
└─ Extract NTLM Hash
↓
[Phase 6] Domain Compromise
├─ DCSync Attack
├─ Extract All Domain Hashes
└─ Verify krbtgt Hash Obtained
↓
[Phase 7] Reporting
├─ Generate Comprehensive Report
├─ Document All Artifacts
└─ Create Proof of Compromise
Single-Prompt Initiation
The Prompt
Perform a blackbox penetration test starting from IP address 192.168.56.10.
Execute the complete ADCS ESC8 attack chain to achieve domain compromise. Use HexStrike MCP
tools and handle all troubleshooting automatically.
Why This Works
- Comprehensive Instructions: The prompt contains all phases, objectives, and troubleshooting steps
- Tool Integration: Leverages HexStrike MCP tools for seamless tool execution
- Error Handling: Includes automatic troubleshooting for common failures
- Adaptive Execution: AI can make decisions based on intermediate results
Phase-by-Phase Execution
Phase 1: Reconnaissance
Objective: Discover the target environment with zero prior knowledge.
Tools Used:
nmap_advanced_scan- Comprehensive port scanningrustscan_fast_scan- Quick port discoveryenum4linux_scan- SMB enumerationsmbmap_scan- Share enumerationnbtscan_netbios- NetBIOS name discoveryhttpx_probe- HTTP service detection
Key Discoveries:
- Domain:
sevenkingdoms.local - NetBIOS:
SEVENKINGDOMS - DC Hostname:
kingslanding.sevenkingdoms.local - ADCS Web Enrollment:
http://192.168.56.10/certsrv/(HTTP - vulnerable!)
Automation Features:
- Automatically identifies Windows Domain Controller
- Extracts domain information from enumeration results
- Detects ADCS Web Enrollment endpoint
Phase 2: Credential Acquisition
Objective: Obtain low-privilege domain credentials.
Tools Used:
hydra_attack- Password sprayingnetexec_scan- Credential validation
Attack Strategy:
- Extract usernames from Phase 1 enumeration
- Attempt password spraying with common passwords
- Try:
Password123!,Summer2023!,Password1,admin
Results:
- Credentials Obtained:
TestUser:Password123! - Access Level: Low-privilege domain user
Automation Features:
- Automatically tries multiple password combinations
- Validates credentials before proceeding
- Documents all discovered credentials
Phase 3: ADCS Enumeration
Objective: Enumerate ADCS configuration and identify vulnerabilities.
Tools Used:
dirsearch_scan- ADCS endpoint discoveryexecute_python_script- Certipy enumeration
Enumeration Commands:
certipy find -u TestUser@sevenkingdoms.local -p 'Password123!' \
-dc-ip 192.168.56.10
Key Findings:
- CA Name:
SEVENKINGDOMS-CA - Vulnerable Templates: ESC1, ESC8
- ESC8 Confirmed: HTTP Web Enrollment accessible
- Template Count: 34 templates discovered
Automation Features:
- Automatically parses certipy output
- Identifies vulnerable templates
- Verifies ESC8 vulnerability exists
Phase 4: Certificate Request
Objective: Obtain certificate for Administrator account.
Tools Used:
execute_python_script- Certipy certificate request
Attack Command:
certipy req -u TestUser@sevenkingdoms.local -p 'Password123!' \
-target http://192.168.56.10 \
-ca SEVENKINGDOMS-CA \
-template ESC1 \
-upn Administrator@sevenkingdoms.local \
-out administrator.pfx
Results:
- Certificate Obtained:
administrator.pfx - Status: ✓ Success
- Template Used: ESC1 (vulnerable template)
Automation Features:
- Automatically selects vulnerable template
- Handles certificate request errors
- Verifies certificate file creation
Phase 5: Certificate Authentication
Objective: Use certificate for Kerberos authentication.
Tools Used:
execute_python_script- Certipy authentication
Attack Command:
certipy auth -pfx administrator.pfx -dc-ip 192.168.56.10
Results:
- Kerberos TGT:
administrator.ccache(obtained) - NTLM Hash:
c66d72021a2d4744409969a581a1705e(extracted) - Status: ✓ Authentication successful
Automation Features:
- Automatically uses certificate for PKINIT
- Extracts NTLM hash from authentication
- Saves credential cache for next phase
Phase 6: Domain Compromise (DCSync)
Objective: Extract all domain credentials.
Tools Used:
execute_python_script- Impacket secretsdump
Attack Command:
export KRB5CCNAME=administrator.ccache
secretsdump.py -k -no-pass Administrator@sevenkingdoms.local@192.168.56.10
Results:
- Total Hashes Extracted: 27 user accounts
- krbtgt Hash: Extracted (enables Golden Ticket attacks)
- Domain Compromise: ✓ Complete
Sample Hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c66d72021a2d4744409969a581a1705e:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8dCT-DJjgScp...:::
TestUser:1001:aad3b435b51404eeaad3b435b51404ee:...:::
Automation Features:
- Automatically sets Kerberos environment variables
- Performs DCSync attack
- Extracts and documents all hashes
- Verifies krbtgt hash obtained
Phase 7: Reporting
Objective: Generate comprehensive report with all artifacts.
Tools Used:
create_file- Report generation
Report Contents:
- Executive Summary
- Phase-by-phase execution details
- All discovered information
- Vulnerabilities found
- Credentials extracted
- Proof of compromise
- All artifacts (certificates, hashes, logs)
Artifacts Generated:
administrator.pfx- Certificate fileadministrator.ccache- Kerberos credential cacheadministrator.hash- NTLM hashsecretsdump.txt- All domain hashesattack_report.md- Comprehensive reportattack.log- Complete execution log
Automation Features
1. Automatic Troubleshooting
The framework handles common errors automatically:
- Port Scan Fails: Tries alternative scan methods
- SMB Enumeration Fails: Attempts with different credentials
- Certificate Request Fails: Tries alternative templates
- Authentication Fails: Retries with different methods
- DCSync Fails: Verifies Kerberos and retries
2. Intelligent Decision Making
The AI makes decisions based on results:
- Domain Discovery: Automatically extracts domain from enumeration
- Template Selection: Chooses vulnerable templates automatically
- Credential Validation: Tests credentials before using them
- Error Recovery: Adapts strategy based on failures
3. Comprehensive Logging
Every action is logged:
- Tool execution commands
- Outputs and results
- Errors and troubleshooting steps
- Decision points and rationale
Results Summary
Attack Timeline
Key Achievements
- ✅ Zero Knowledge Start: Began with only IP address
- ✅ Full Domain Compromise: Extracted all 27 user hashes
- ✅ krbtgt Hash: Obtained (enables Golden Ticket)
- ✅ Complete Automation: Single prompt execution
- ✅ Comprehensive Reporting: Full documentation generated
Technical Deep Dive
Why This Attack is Complicated
- Multi-Tool Orchestration: Coordinates 10+ different security tools
- Dependency Management: Each phase depends on previous results
- Error Handling: Automatically recovers from failures
- Data Parsing: Extracts structured data from unstructured outputs
- Decision Logic: Makes intelligent choices based on context
Attack Complexity Metrics
- Tools Used: 15+
- Phases: 7
- Decision Points: 20+
- Error Scenarios Handled: 10+
- Artifacts Generated: 10+
Defense and Mitigation
Immediate Actions
- Disable HTTP Web Enrollment: Force HTTPS only
- Enable SMB Signing: Prevent NTLM relay
- Restrict Certificate Templates: Remove vulnerable templates
- Monitor Certificate Requests: Alert on suspicious requests
- Implement Certificate Pinning: Prevent certificate abuse
Long-Term Security
- Regular ADCS Audits: Review template permissions
- Network Segmentation: Isolate ADCS servers
- Privileged Access Management: Limit certificate enrollment
- Security Monitoring: Detect ESC8 attack patterns
- Staff Training: Educate on ADCS security
Detection and Monitoring
Indicators of Compromise (IOCs)
- Certificate Requests:
- Unusual certificate requests for privileged accounts
- Certificate requests from non-standard IPs
- Multiple certificate requests in short time
2. Authentication Patterns:
- PKINIT authentication from unexpected sources
- Certificate-based authentication anomalies
- DCSync attempts from non-DC systems
3. Network Traffic:
- NTLM relay to ADCS HTTP endpoints
- Unusual SMB authentication patterns
- Certificate enrollment over HTTP
Detection Queries
Windows Event Log:
Event ID 4886 - Certificate Request
Event ID 4887 - Certificate Request Disposition
Event ID 4624 - Successful Logon (PKINIT)
Event ID 4662 - DCSync Operation
SIEM Queries:
- Certificate requests for Administrator account
- HTTP requests to /certsrv/ from non-DC IPs
- NTLM authentication to ADCS endpoints
Conclusion
This lab-observed ADCS ESC8 attack demonstrates:
- The Power of AI-Driven Pentesting: Single prompt achieves complete attack chain
- The Severity of ESC8: One misconfiguration leads to full domain compromise
- The Need for Automation: Manual testing cannot match AI speed and consistency
- The Importance of Defense: Proper ADCS configuration is critical
Key Takeaways
- ✅ ESC8 is Critical: HTTP Web Enrollment is a severe vulnerability
- ✅ Orchestration Works: AI can sequence complex attack chains in a prepared lab environment
- ✅ Defense is Possible: Proper configuration prevents this attack
- ✅ Monitoring is Essential: Detect and respond to certificate-based attacks
References
- Certified Pre-Owned Research — SpecterOps
- ADCS ESC8 Vulnerability — Certipy Documentation
- GOAD Lab Environment — Game of Active Directory
Andrey Pautov
If you like this research, buy me a coffee (PayPal) — Keep the lab running
Known Limitations
caution
- Results are specific to the lab configuration used; outcomes will differ on hardened or patched targets.
- AI tool selection is heuristic — novel service configurations may require re-prompting or manual follow-up.
- All walkthroughs ran in an isolated VirtualBox/VMware network, not a production environment.
- Timing and success rates vary with host CPU, RAM, and network latency.
- Some tool outputs are truncated in the screenshots; full output was reviewed live during the session.
By Andrey Pautov on January 29, 2026.
Exported from Medium on May 15, 2026.