• Search for:

    Tag Archives: Certipy

    1. Home  - 
    2. Posts tagged "Certipy"
    22 Nov, 2025
    Hack The Box: Mirage Machine Walkthrough – Hard Difficulity
    Hard Machine , , , , , , , , , , , , , ,

    Compromising the Mirage domain started with a simple clue hidden in an exposed NFS share. Inside a PDF report was a missing DNS record—just enough to pivot. By hijacking the DNS entry, I intercepted NATS JetStream traffic and captured real authentication logs, including valid credentials. After fixing the system time and obtaining a Kerberos TGT, I gained my first foothold on the domain controller and captured the user flag.

    From there, the path to domain dominance unfolded through Active Directory weaknesses. An SPN ticket leak led to a cracked password, which opened the door to BloodHound reconnaissance and more credentials. I reset a disabled user’s password, extracted a service account’s managed password, and used Certipy to transform certificate abuse into full machine-level impersonation. With Resource-Based Constrained Delegation enabled, I forged Kerberos tickets, dumped every domain hash, and finally authenticated as Administrator—securing the root flag.

    #CyberSecurity #PenetrationTesting #Kerberos #ActiveDirectory #RedTeam #HackTheBox #Infosec #PrivilegeEscalation …

    Learn MoreHack The Box: Mirage Machine Walkthrough – Hard Difficulity

    11 Oct, 2025
    Hack The Box: Tombwatcher Machine Walkthrough – Medium Difficulty
    Medium Machine , , , , , , , , ,

    I cracked a Kerberos TGS for Alfred (password: basketballl), used BloodHound-guided enumeration and account takeover to obtain John’s machine credentials and retrieved the user flag (type user.txt); then I abused a misconfigured certificate template (ESC15) with Certipy to request an Administrator certificate, obtained a TGT (administrator.ccache), extracted the Administrator NT hash and used it to access the DC and read the root flag (type root.txt).

    #HackTheBox #RedTeam #ActiveDirectory #Kerberos #CertAuth #BloodHound #OffensiveSecurity #Infosec #PrivilegeEscalation …

    Learn MoreHack The Box: Tombwatcher Machine Walkthrough – Medium Difficulty

    4 Oct, 2025
    Hack The Box: Certificate Machine Walkthrough – Hard Difficulty
    Hard Machine , , , , , , , , , , , , , , ,

    I recently completed the “Certificate” challenge on Hack The Box: after extracting and cracking a captured authentication hash I gained access to a user account (lion.sk) and retrieved the user flag, then progressed to full system compromise by responsibly exploiting weak certificate‑based authentication controls—obtaining and converting certificate material into elevated credentials to capture the root flag. The exercise reinforced how misconfigurations in certificate services and poor time synchronization can create powerful escalation paths, and highlighted the importance of least‑privilege, strict enrollment policies, and monitoring certificate issuance. Great hands‑on reminder that defensive hygiene around PKI and identity services matters.

    #CyberSecurity #HTB #Infosec #ADCS #Certificates #PrivilegeEscalation #RedTeam #Pentesting …

    Learn MoreHack The Box: Certificate Machine Walkthrough – Hard Difficulty

    19 Jul, 2025
    Hack The Box: Scepter Machine Walkthrough – Hard Difficulty
    Hard Machine , , , , , , , , , , , , , , ,

    I conquered the “Scepter” machine on Hack The Box, a challenging Active Directory exploit! Initially, I cracked weak .pfx certificate passwords using pfx2john and rockyou.txt. After syncing time, I extracted D.BAKER’s NTLM hash via Certipy and used BloodHound to reveal A.CARTER’s password reset privileges, exploiting ESC9 to capture the user flag. Subsequently, H.BROWN’s access to P.ADAMS’s altSecurityIdentities enabled an ESC14 attack, forging a certificate for passwordless authentication. Consequently, P.ADAMS’s DCSync rights allowed domain hash extraction, securing the root flag via Evil-WinRM.

    #Cybersecurity #HackTheBox #ActiveDirectory #PrivilegeEscalation #CTF #EthicalHacking …

    Learn MoreHack The Box: Scepter Machine Walkthrough – Hard Difficulty

    28 Jun, 2025
    Hack The Box: Haze Machine Walkthrough – Hard Difficulty
    Hard Machine , , , , , , , , , , , , , , ,

    New Write-Up Published: Haze [Medium | Windows | Active Directory] – Hack The Box

    Just released a walkthrough for Haze, a medium-difficulty Windows machine on Hack The Box. Initial access was obtained by exploiting CVE-2024-36991, a local file inclusion vulnerability in Splunk, to extract LDAP credentials. This enabled a Shadow Credentials attack using PyWhisker and Certipy, allowing lateral movement to a high-privileged domain user. For privilege escalation, I utilized Splunk admin access to deploy a reverse shell via a crafted app package. Upon gaining shell access, I escalated privileges to NT SYSTEM by abusing SeImpersonatePrivilege with SweetPotato. This box offers great insight into chained Active Directory abuse and Splunk misconfigurations.

    #HackTheBox #RedTeam #ActiveDirectory #Splunk #CVE202436991 #ShadowCredentials #PrivilegeEscalation #SweetPotato #CTF #InfoSec #WriteUp #CyberSecurity …

    Learn MoreHack The Box: Haze Machine Walkthrough – Hard Difficulty

    14 Jun, 2025
    Hack The Box: Inflitrator Machine Walkthrough – Insane Difficulity
    Insane Machine , , , , , , , , , , , , , , , , , ,

    Successfully completed a two-stage Active Directory exploitation scenario involving both user access and privilege escalation. The first stage focused on identifying accounts that did not require Kerberos pre-authentication (AS-REP Roasting), allowing extraction and cracking of a user password hash to gain remote access and retrieve the user flag. In the second stage, a misconfigured certificate template (ESC4 vulnerability) within Active Directory Certificate Services was exploited to request a certificate impersonating a privileged user. This enabled full administrative access and retrieval of the root flag.

    #CyberSecurity #ActiveDirectory #RedTeam #Kerberos #PrivilegeEscalation #ASREP #ADCS #ESC4 #PenetrationTesting #Infosec #HackTheBox #WindowsSecurity #CTF
    Successfully completed a two-stage Active Directory exploitation scenario involving both user access and privilege escalation. The first stage focused on identifying accounts that did not require Kerberos pre-authentication (AS-REP Roasting), allowing extraction and cracking of a user password hash to gain remote access and retrieve the user flag. In the second stage, a misconfigured certificate template (ESC4 vulnerability) within Active Directory Certificate Services was exploited to request a certificate impersonating a privileged user. This enabled full administrative access and retrieval of the root flag.

    #CyberSecurity #ActiveDirectory #RedTeam #Kerberos #PrivilegeEscalation #ASREP #ADCS #ESC4 #PenetrationTesting #Infosec #HackTheBox #WindowsSecurity #CTF

    Learn MoreHack The Box: Inflitrator Machine Walkthrough – Insane Difficulity

    24 May, 2025
    Hack The Box: EscapeTwo Machine Walkthrough – Easy Difficulty
    Easy Machine , , , , , , , , , , , , ,

    🔒 My Write-Up for the EscapeTwo Machine on Hack The Box 🔍

    I’m excited to share my detailed write-up for solving the beginner-friendly “EscapeTwo” machine on Hack The Box, showcasing skills in network enumeration and privilege escalation. First, to capture the user flag, I scanned for open ports, accessed SMB shares, uncovered a password, and leveraged the Ryan account’s elevated permissions to retrieve the flag remotely. Next, for the root flag, I escalated privileges by exploiting an Active Directory misconfiguration. Then, using the Ryan account, I employed tools to identify and modify permissions, thereby gaining control over a privileged account. With this control, I acquired a certificate, subsequently authenticated as an administrator, and finally captured the root flag. This challenge strengthened my expertise in Active Directory security and penetration testing. Check out the full write-up for a deep dive!

    #Cybersecurity #HackTheBox #EthicalHacking #PenetrationTesting #ActiveDirectory …

    Learn MoreHack The Box: EscapeTwo Machine Walkthrough – Easy Difficulty

    15 Mar, 2025
    Hack The Box: Certified Machine Walkthrough – Medium Difficulty
    Medium Machine , , , , , , , , , , , ,

    Access is gained using Judith Mader’s credentials, allowing enumeration of network resources. CrackMapExec identifies key accounts like management_svc and ca_operator. Privilege escalation is performed using a Shadow Credentials attack with Certipy, taking control of management_svc. With valid credentials, Evil-WinRM establishes a remote session, leading to the user flag.

    For root access, the attack exploits Active Directory Certificate Services by modifying ca_operator’s User Principal Name (UPN) to Administrator, enabling a privileged certificate request. A vulnerable ESC9 certificate is issued without linking back to ca_operator, effectively granting Administrator access. The UPN is restored to avoid detection, and authentication via Kerberos retrieves the NT hash of the Administrator account. Full system control is confirmed by obtaining the root flag.

    #HackTheBox #Pentesting #ActiveDirectory #PrivilegeEscalation #CyberSecurity #EthicalHacking …

    Learn MoreHack The Box: Certified Machine Walkthrough – Medium Difficulty

    16 Dec, 2023
    Hack The Box: Coder Machine Walkthrough – Insane Difficulty
    Insane Machine , , , , , , , , , , ,

    In this post, I would like to share a walkthrough of the Coder Machine from Hack the Box This room will be considered an Insane machine on Hack the Box What will you gain from the Coder machine? For the user

    Continue ReadingHack The Box: Coder Machine Walkthrough – Insane Difficulty