┌─[kali@parrot]─[~/HackTheBox/platform/machines/Certified]
└──╼ $nmap -p1-10000 --min-rate 10000 $ip -Pn
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Certified]
└──╼ $nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985 -sCV $ip -Pn -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-18 00:11:26Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Active Directory LDAP (Domain: certified.htb)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
|_ssl-date: 2025-01-18T00:12:52+00:00; +7h00m05s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-18T00:12:53+00:00; +7h00m05s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-18T00:12:52+00:00; +7h00m05s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-18T00:12:53+00:00; +7h00m05s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Summary
* Open ports: 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389
* UDP open ports: 88 - 123 - 53
* Services: DNS - Kerberos - LDAP - RPC - SMB - LDAPS - WinRM
* Important notes: Domain: certified.htb - DNS:DC01.certified.htb
As is common in Windows pentests, you start the Certified box with credentials for the following account: Username: judith.mader, Password: judith09.
To avoid retyping the credentials every time I run a tool, I export them to shell variables.
In ldap_results/domain_users.html are the domain users. Two of them stand out as potentially privileged: management_svc is a member of Remote Management Users, and ca_operator, judging by its name, can interact with ADCS.
I use powerview.py from my attacking machine to enumerate the user's privileges manually.
powerview $domain/$user:$pass@dc01
The user judith.mader has WriteOwner on the Management group.
I can also confirm this with BloodHound.
The Management group has GenericWrite on management_svc.
BloodHound view:
management_svc has FullControl (GenericAll) on ca_operator.
BloodHound View:
Foothold
So the attack path is as follows:
* Take ownership of the Management group (WriteOwner)
* As owner, grant FullControl on the group
* Add judith.mader to the Management group to inherit its privileges
* Abuse GenericWrite to add Shadow Credentials to management_svc and obtain its hash
* Abuse GenericAll from management_svc to add Shadow Credentials to ca_operator
* Enumerate ADCS as ca_operator for misconfigured templates
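As an added example (not part of this write-up), the ACL relationships found above modelled as a graph, the way BloodHound's pathfinding treats them: the edge list is constructed from the findings, the search returns the shortest control chain from judith.mader to ca_operator, and severs_path tells a defender which single ACE removal breaks that chain.

```python
from collections import deque

# Rights that let the holder take control of (or act as) the target principal.
CONTROL_RIGHTS = {"WriteOwner", "WriteDacl", "GenericWrite", "GenericAll", "MemberOf"}

# Constructed edge list reproducing the relationships the write-up found with
# PowerView/BloodHound: (source principal, right, target principal).
EDGES = [
    ("judith.mader", "WriteOwner", "Management"),
    ("Management", "GenericWrite", "management_svc"),
    ("management_svc", "GenericAll", "ca_operator"),
    ("management_svc", "MemberOf", "Remote Management Users"),
]


def build_graph(edges):
    """Adjacency list keeping only edges whose right confers control."""
    graph = {}
    for src, right, dst in edges:
        if right in CONTROL_RIGHTS:
            graph.setdefault(src, []).append((right, dst))
    return graph


def find_path(edges, start, goal):
    """Shortest control chain from start to goal as [(src, right, dst), ...], or None."""
    graph = build_graph(edges)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for right, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, right, nxt)]))
    return None


def severs_path(edges, removed, start, goal):
    """True if removing the single ACE `removed` leaves no control chain start -> goal."""
    remaining = [e for e in edges if e != removed]
    return find_path(remaining, start, goal) is None


if __name__ == "__main__":
    chain = find_path(EDGES, "judith.mader", "ca_operator")
    for src, right, dst in chain or []:
        cut = severs_path(EDGES, (src, right, dst), "judith.mader", "ca_operator")
        print(f"{src} --{right}--> {dst}  (removing this ACE severs the chain: {cut})")
```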