fix: improve acl vuln routing and certipy_shadow hash handling #283

Merged: l50 merged 1 commit into feat/more-attack-cov from feat/dreadgoad-certipy-shadow-password on May 12, 2026

@l50 l50 commented May 12, 2026

Key Changes:

  • Refined dispatcher logic to correctly route ACL-based vulnerabilities to the acl worker instead of defaulting to privesc
  • Added robust detection for ACL-style vuln types to support correct worker selection
  • Improved certipy_shadow tool to ignore empty-string hashes, preventing failures
  • Enhanced documentation and validation for certipy_shadow input handling

Added:

  • ACL-style vuln detection - Introduced is_acl_style_vuln_type function in task_builders.rs to identify and route ACL-based vulnerabilities to the appropriate worker
  • Unit tests for ACL vuln type detection - Ensured correct matching and rejection for bare and prefixed ACL types in task_builders.rs
  • Unit tests for certipy_shadow hash handling - Verified that empty-string hashes are ignored and password fallback works in adcs.rs

Changed:

  • Vulnerability routing in dispatcher - Updated logic in Dispatcher::submit_exploit_task to use the new ACL detection and route vulnerabilities with ACL primitives to the acl worker when recommended_agent is empty
  • certipy_shadow argument handling - Modified adcs.rs to treat empty-string hashes as missing, ensuring Certipy does not receive invalid hash arguments and the password fallback is used correctly
  • Tool definition documentation - Clarified input schema and parameter requirements for certipy_shadow in the tool registry to prevent misuse of password and hashes fields

Removed:

  • Legacy default behavior that always routed empty recommended_agent exploits to the privesc worker, which led to toolset mismatches for ACL-based vulnerabilities

…fallback

**Added:**

- Added tests to verify that an empty-string `hashes` is treated as missing, ensuring the password fallback logic works correctly in `certipy_shadow`

**Changed:**

- Updated `certipy_shadow` to filter out empty-string `hashes` values so that Certipy does not receive invalid empty hash arguments and the password branch executes as expected
- Clarified documentation and schema for `password` and `hashes` fields in the tool definition, specifying that exactly one must be provided and empty strings must be omitted

l50 changed the base branch from main to feat/more-attack-cov (May 12, 2026 22:42)

l50 changed the title from "feat: add full automation for red team post-exploitation and exploitation breadth" to "fix: handle empty string hashes in certipy_shadow to prevent invalid certipy calls" (May 12, 2026)

l50 merged commit 83e0444 into feat/more-attack-cov (May 12, 2026)

3 checks passed

l50 deleted the feat/dreadgoad-certipy-shadow-password branch (May 12, 2026 22:49)

l50 changed the title from "fix: handle empty string hashes in certipy_shadow to prevent invalid certipy calls" to "fix: improve acl vuln routing and certipy_shadow hash handling" (May 12, 2026)