Help determining if ESC8 vulnerability is false positive?

[7MinSec]

Hello!

On a test I've found a config reporting vulnerable to ESC8. I setup certipy relay -target vulnca.domain.com when I try to coerce from a DC with coerce -u user -p pass -t ip.of.a.dc -l my.attacking.kali.ip my smb.log is filled with entries like:

Received connection from DOMAIN/DC$ at DC01$, connection will be relayed after re-authentication

Any ideas of what's going on here? Not sure what to try next.

[fgeek]

In ESC8 you should be relaying to the ADCS CA server, not DC. Remember to define the affected template. It should work with hostname instead of IP, but try both if one does not work.

https://github.com/ly4k/Certipy?tab=readme-ov-file#esc8

[7MinSec]

Ah geez thank you...I think I was up too late working on this and not defining targets right. I'll give it another dance once I've had some sleep :-)

[7MinSec]

OK I got things reconfigured and the relay is happening but not successful. I got a second opinion through ntlmrelayx and I'm getting "No NTLM challenge returned from server" so I'm thinking they've hardened the config?