HackTheBox - Scepter
Key Takeaways
The video demonstrates an attack chain against a Windows Active Directory domain, abusing Active Directory Certificate Services (the ESC14 weak explicit certificate mapping). An exposed NFS share, OpenSSL, and Certipy are used to obtain an authenticated user, and the escalation from there proceeds through altSecurityIdentities mappings until access to the system is gained.
Full Transcript
What's going on YouTube? This is IppSec doing Scepter from HackTheBox, which I think does a great job showcasing the ESC14 Active Directory Certificate Services attack because it is relatively well hidden. But in order to get credentials to start looking at ADCS, we first discover an NFS server is running on Windows which has some encrypted user certificates. Once cracked, we can build our own certificate that gives us the authenticated user privilege but no shell. If we ran Certipy here, it shows it is vulnerable to ESC9, but that's a false positive as UPNs aren't enabled for this certificate template. Looking at BloodHound, we discover a path that grants us GenericAll over a user, and another user has an alternate security identity set as an email. So we can assign ourselves their email address and impersonate them, which is ESC14. As this user, we can do ESC14 again, but the trick here is we have to find another user which we have permission to set their alternate security identity on, so we can set it to an email that lets us impersonate them. It's pretty complicated, so let's just jump in. As always, we're going to start off with an nmap: -sC for default scripts, -sV to enumerate versions, -vv for double verbose, which gives us things like the TTL, -oA to output all formats, put it in the nmap directory and call it scepter, and then the IP address, which is 10.10.11.65. This can take some time to run, so I've already run it. Looking at the results, we see 13 ports open. The first one is DNS on port 53. The banner tells us it's Simple DNS Plus, which is the default for Active Directory, so I always scroll down to LDAP to confirm. Yes, it is an Active Directory server. We also see Kerberos giving us the server time, some RPC ports that aren't really that important, but LDAP is leaking the domain name of the box along with the fully qualified name. So let's go ahead and add things to our hosts file. So I'm going to copy this.
We can do sudo vi /etc/hosts and then we can add 10.10.11.65, put in the domain name, the fully qualified domain name, and then just the hostname of the box, because Windows typically likes having all three of them. So now I'm just going to search on "open". We can kind of skip all this LDAP certificate stuff because nothing else is really that important to us. So we also have 445, which is SMB, a Kerberos port, LDAP, Windows RPC over HTTP. These are all just default things I'm used to seeing, and I normally ignore them. So we have 2049, which is the NFS port, running on Windows, which is a little bit odd. It's normally on Linux, and I look at the TTL here. If it was Linux, I'd assume it would be like 63, maybe 62 here, because the TTL decrements by one every hop, and we know Windows is the first hop. So if Linux was running on a VM like in Hyper-V or VMware on this machine, its TTL would be decremented by one. It starts at 64, goes down to 63 to talk to the machine, then 62 back to us, right? So I would really expect to see NFS on port 62 if it was running on Linux. Seeing this means NFS is probably running on Windows, which is just odd. Let's see what else we have. It doesn't really look like that much, right? So more LDAP stuff, and I think the higher ports of LDAP are just global catalog, but really we have SMB and we have NFS. I'm going to start with NFS because that's really quick to enumerate. There are no web servers or things like that. So I'm going to make a directory; I'm just going to call it nfs. And I'm going to run the command showmount. If you don't have this, I want to say it's like the nfs-common package. Sometimes it's like nfs-utils. Just search for NFS packages and you'll find it. But we'll do showmount and then the IP address. And I don't understand what I'm seeing here with this 10.10.14.0. I think this command should show me hosts that have it mounted.
And it's saying 10.10.14.0 has the share mounted on 10.10.11.65, which I don't think is true. Is it like a showmount command? Maybe that's what I'm thinking. showmount 10.10.11.65. Oh, showmount -a. Yeah, I have no idea what I'm thinking. If we do -e, this is going to show all the exports. And the export list is /helpdesk, and everyone has access to this. So we can mount this directory. I'm going to do sudo mount -t nfs 10.10.11.65:/helpdesk nfs, and nfs is the folder I had created. So now, after this mounts, I should be able to run the showmount -a command again and see... I was expecting to see 10.10.11-something. What was my last showmount -a? showmount. Okay, so it shows that client has it mounted. I would really expect to see 10.10.14.8:/helpdesk if I'm remembering this command right. But it's NFS on Windows, so it just may be buggy. Let's go ahead and go into the directory. We get permission denied. It's mounted to the nobody group. If I do a sudo su, I can then go into it. I don't know if this is because like the root_squash NFS permission is set on Windows, so it's treating root as nobody, because when that permission bit is set, that's how it maps it, right? It maps the root user to nobody. It also could just be I'm root so I can access anything. I didn't really dig into exactly why I can access these files as root, but NFS generally obeys permissions on the client, at least when we're mounting in version 3. Doing an ls reveals there are certificates. We have baker.crt, baker.key, and a few PFX files. I'm just going to go ahead and copy those all back. And then let's go here and do ls -la; root owns them. So let's just do a chown ippsec:ippsec * to change that. And then we can go back to my user. And PFX files, I want to call them like certificate bags; I don't know if that's the correct terminology. It's just how Windows packages up both the key and the cert, and they put it in one file.
And normally when you export from Windows to get a PFX, you have to input a password, so I'm guessing there's a password there. So I'm going to look at the key. If we look at baker.key, it's an encrypted private key. So we can't just go ahead and use this key; we have to try to crack it. We can view information out of the certificate. If I look at baker.crt, we see the email address here and then the certificate information. We could also use openssl x509 -in baker.crt -noout -text, and this will give us a little bit more information, right? We can see the subject, which is kind of what we saw before. We know the naming convention now is first initial. We see the validity: it was generated November 2nd, 2024, it's valid until November 2nd, 2025, and it is July 2025, so the certificate is still valid, but we don't have the password to the key, right? We can see the X509 components, and this is going to have just extra information. We see the X509v3 Subject Alternative Name saying this certificate has d.baker@scepter.htb as the user principal name and also has their email address here. And I think that's all the good information out of the certificate. We could try to view the PFX. So we'll do openssl pkcs12 -in clark.pfx -clcerts -nokeys, and we enter the import password. It's wrong. So we don't get anywhere here. Now we want to start cracking these things. I'm going to use pem2john on baker.key and I'm going to put this as baker.pem.hash. And there's also pfx2john. If we do that on the PFX files, we can get them all there. So I'm going to call this scepter.pfx.hash, I guess, because we have multiple. Okay. So we have scepter.pfx.hash. And I copy these over to the Kraken, which is where I run all my cracking out of, copy into the hashcat hashes directory, and we'll go here.
You don't need to have a separate box for cracking. I do it because I'm recording videos, and if I run a cracker on this, it may cause issues, right? Because it's very CPU intensive. I just recommend not running hashcat in a VM because it'll go extremely slow there. So let's go into hashcat. We can do ./hashes. We have to specify hashcat then hashes, and let's do the PFX first. And then the wordlist, we'll do /opt/wordlist/rockyou.txt. And I want to say that began with usernames, right? Let's see scepter.pfx.hash. Yeah, we have username colon then the password hash. So let's go ahead and add the --username component to this. And we'll do hashcat. There we go. And see if this cracks. No matching structure. So at this point I'm going to Google hashcat example hashes. It is in my history, and then I like just searching pfx, and we don't get anything. So maybe hashcat can't crack PFX certificates. John probably can. If we do cd /opt/john, let's do ./john --wordlist=/opt/wordlist/rockyou.txt and then the hashcat hashes file like this. Is this going to work? Awesome. So it cracked all the certs as newpassword. We can now go, I guess, and try to crack the other one, the PEM. So let's go back to our hashcat command, and I'm going to change scepter.pfx.hash. This was what? baker something. Yeah, baker.pem.hash, and we'll see if hashcat can crack this. The reason why I normally default to hashcat over John is because hashcat is better optimized for GPUs and typically goes faster. John, because it's less optimized, generally gets a lot more formats. It can crack more things, but it goes slower. And we have this not work, so we did not crack it. So just like we did before, let's go ahead and view the file. So we'll do view hashes/baker.pem.hash. It begins with $PEM$. So let's see this. And we have two different formats.
We have the private key as SHA1, the private key as SHA256. I'm going to change it to be SHA256, and it looks like all that's changing is that one is becoming a two. So let's just see if that makes it work again, because we used pem2john, not a hashcat one. So sometimes the two John scripts don't export in a format that hashcat likes. That could also be with PFX and I just missed it. And it looks like we have cracked it. So if I do... I think it was in my potfile. It's saying... let's just do rm hashcat.potfile and run it again, so you know I'm not cheating and it actually does crack it, right? There we go. So there, it's cracked. Let's go ahead and do a --show, and we can see that password is also newpassword. So every certificate we have cracked has the password of newpassword. So let's go ahead and run our openssl command again. Let's do, not the PEMs, this on clark. If we do no password... newpassword, not no. There we go. It exports it and we can see the username is m.clark. Right. If we want to view more information like we did last time, we can just do openssl x509 -text -noout and then newpassword. And then we have the same format we saw before, right? So we have m.clark, RSA encryption. If we go down, we have the othername UPN m.clark@scepter.htb. Oddly enough, the baker one had an email here as well, right? Where was that one? Let's do, was it -in baker? Yeah. Let's go back here. Yeah. So we have two formats here. We have othername as the UPN and email. So these certs are slightly different between Baker and Clark. Not really important, but just things I look at when I do these types of challenges. And I should put the password on standard in so I don't have to keep typing it. See the dates it's valid; so this certificate is still valid. So with that being said, we should be able to run Certipy to authenticate, right?
So I'm going to do certipy auth -pfx clark.pfx, I think, -p for password, newpassword, and then -dc-ip 10.10.11.65. We have something wrong. It's not -auth. It's probably just auth. -pfx, that argument is wrong. I thought it was -pfx. Uh oh, -p could be anything. Maybe -password. There we go. So here we go. We're trying to authenticate as m.clark. It's getting the TGT. And if your machine is out of time, we have KDC_ERR_CLIENT_REVOKED. I'm going to do a -debug real quick. That may be what I'm expecting. Does debug go before auth? Okay, let's see. Do we get anything? Got error: client revoked. Send/receive. So this is the error we're getting: Kerberos client revoked. So we can't use this certificate. I'm going to go back to my openssl command. Let's do newpassword. This one is m.clark. So I'm going to show something real quick. We'll do vi users.txt, m.clark. What is the other user? We want to do lewis. So what I'm going to use is kerbrute to do a userenum, and that would tell me the status of the user, like if the password's expired, the account's disabled, things like that, right? So we'll do e.lewis here and then there's scott. Let's do scott. And what is his... o.scott. And I want to say it was d.baker before. I think I remember that one. So we can save that, and then we can do kerbrute userenum, I think it's users.txt, and then, let's do -h, I forget exactly how I specify the domain controller, --dc scepter.htb. "Domain name must not be empty": -d scepter.htb. There we go. We can see three users are locked out. I want to say they should be disabled, but it's just saying locked out here. So I'm guessing they are locked out, but that's why we can't access them. I really thought it was disabled. Let's just try that again real quick. Yep. Okay. So they're all locked out. The only valid one is d.baker. So I'm not going to bother using certificates from m.clark, o.scott, e.lewis.
I'm going to focus on d.baker. The issue I have though is, in order to authenticate, I need to get it in PFX format and I only have the key and the cert. So we're going to use Certipy again. Well, OpenSSL, to create the PFX. So let's do openssl pkcs12 -export -inkey baker.key -in baker.crt -out baker.pfx. I'm going to do d.baker.pfx so it simulates how all the other ones are. newpassword is baker's key passphrase. And I'm not going to put an export password. But now, since we have the PFX, we can just run that Certipy command again. So we'll do certipy auth -pfx d.baker.pfx and then -dc-ip 10.10.11.65. If I can spell certipy correctly, we can see it getting the TGT. And once it does, we should be able to authenticate as d.baker, right? It is taking a time. There we go. And if this doesn't work, you may have a time issue. So I recommend doing ntpdate 10.10.11.65 and updating, right? So if we do sudo ntpdate like that, it will sync your time to the domain controller. So if that command doesn't work, if you ever get like clock skew errors, I'd highly recommend fixing the time of your system. So let's see, certipy. We now have a d.baker ccache if we wanted to. Did it give it to us real quick? Hold on, let me check. It did give us the NTLM hash. So we could also store this real quick: vi credentials.txt. I'm going to say d.baker and I'll put that there, and note NTLM. Okay. So I don't need that. We can always use the ccache file as authentication. So if I do, let's use RustHound, and before we do we have to use NetExec to create a Kerberos file. Yeah, let's do netexec smb dc01.scepter.htb. Is it --generate-krb5-file? What is this command? --generate-krb5-file filename. So let's do scepter.krb5.conf. And then what this is going to allow us to do, if we look at krb5.conf, it's just the krb5.conf to configure our Linux machine to talk to Active Directory.
So I'll do a sudo cp scepter.krb5.conf /etc/krb5.conf and we can run RustHound. And the reason why I'm using Kerberos for RustHound is because RustHound doesn't support pass-the-hash authentication. So we can't authenticate with hashes in RustHound. However, we can get a certificate and then use Kerberos with RustHound. So there's my workaround for using hashes. So we'll do KRB5CCNAME=d.baker.ccache and then rusthound-ce -k, tell it Kerberos, collect All, and this is case sensitive. If it's a lowercase a, it errors out. I'll show you real quick. -d for domain scepter.htb. -f is... I forget what it is, but it's going to be where it talks to. I forget what it stands for. scepter.htb. --zip. So you can see it's erroring out because it wants All with a capital A. And there we go. RustHound is running. So it's going to run all the LDAP queries and give us something we can put into BloodHound. There we go. It's done. So let's go cd /opt/bloodhound-server, docker compose up. I probably should have done -d so it goes in the background, but this should be fine. localhost:8088. There we go. Let's go Administration, upload files, and let's see, just drag and drop it. There we go. Upload. Close. And it's ingesting. Refresh. Still ingesting. I'm going to give it like five seconds and probably pause the video and just wait till it is complete. Let's see. So yeah, I'm going to pause the video and we'll come back when this has been ingested. So we have an error message actually. One file failed to ingest as JSON content. So what I'm going to do is pass these all manually, because I don't know which one failed and I don't know if all the data is there. So, just going to create a directory bh and then let's go in there. We'll do 7z x ../, where is the file. There we go. So now we have all the JSON files. I wonder if I can cat * | jq . > /dev/null. Let's do jq . like this. No errors.
I was hoping jq would tell me which JSON file was bad, right? Let's see real quick. Don't know if my logic there is good. So I'm going to do test.json, vi test.json. Let's break this JSON. I just deleted a random character. That should be enough to break it. So if I cat test.json, I'll just run the same command I did before. Yeah. So if we have invalid JSON in one of the files, I know that will work. So I'm not sure why BloodHound didn't like this. But I'm just going to upload all these individually, because that way, if it does have an error, it should tell me which file. And emphasis around "should"; my logic's not always fully accurate, right? But we now... Oh, it just uploaded them all individually. I was hoping it would like create 10 entries on this table. So I'm going to pause the video. We'll come back when this probably says partially complete. So, yep, we got the same exact thing. So we could upload these one at a time, but I think that would just take too long. I'm just going to go with it and see what data we have. So if I go over to Explore, let's see. We have d.baker. It does show up in here. So we have some BloodHound data, which is good. I'm going to add d.baker to owned. And then we're going to go over to Cypher, and then we're going to do shortest path from owned principals, or owned objects I guess it's called. And we can see a path here. So d.baker can ForceChangePassword on a.carter, and a.carter is a member of IT Support, which has GenericAll over this Staff Access Certificate OU. So if we click on Staff Access Certificate, we can see there's one user, d.baker, which is a little bit odd. But what this path tells us we can do is gain essentially GenericAll over d.baker through a.carter. So we could use d.baker to change a.carter's password. a.carter has GenericAll over this OU that d.baker is a member of. So essentially a.carter can take over d.baker.
So it's like we take over a.carter, then use a.carter to take over herself. And what that gives us is GenericAll over our user, which enables us to manipulate more privileges, or not privileges, more attributes in Active Directory, right? But we don't know what attribute to edit; that's just what this path allows us to do. If I look at d.baker, we could also show Outbound Object Control, and we can see d.baker is also a member of Staff, and Staff can enroll this Staff Access Certificate. We also have a few default certificates here that Domain Users can do, and we see change password over a.carter. So if I look at what a.carter can do, let's go back to Outbound Object Control. a.carter: very similar to d.baker but cannot enroll this certificate, right? The enroll certificate's not there; GenericAll over this Staff Access is. So we kind of want to look at that certificate that d.baker has. If you go to the certificate ones, look at certificates with no enrollment or no security extensions, you can see Staff Access Certificate is here, and this is normally the ESC9 vulnerability, which is going to be not applicable here, and we'll get into that in a minute and probably dive more at the very end of this video. But at this point, I'm guessing there's going to be something certificate related and my BloodHound isn't showing me. But I can run a different tool, Certipy, to look at certificates, right? And I'm running Certipy as d.baker because d.baker is the one that can enroll the certificate. If I changed the password of a.carter and ran Certipy, it probably wouldn't show the same thing, because a.carter can't enroll all these certificates that d.baker can. So let's do certipy find -vulnerable. User is going to be d.baker, and I'm going to go ahead and put his hash here. Let's see, credentials. We could also use the ccache file for authentication, but we can also do passwords. So we can do -hashes and then we want -dc-ip 10.10.11.65 and -stdout.
I think there's different formats like stdout, JSON, things like that. Since we're looking at the data, not a program, we definitely want stdout, right? And there we go. It's starting to work, and it shouldn't take too long. There we go. It says it's vulnerable to ESC9. If you want to see ESC9 exploited, check out the Certified machine. The reason why I think this is not vulnerable, and again I'll dive into it at the end of the video when we can get Remote Desktop and show the GUI, is... where is it? The certificate name flag needs to have UPN, the user principal name. We're only doing SubjectAltRequireEmail here, and we have SubjectRequireDnsAsCn and SubjectRequireEmail. So because UPN's not here, we can't do ESC9. So it's not actually vulnerable. We're going to do ESC14, which is similar to it but takes advantage of the email functionality. So let's see, where was that? We have this SubjectAltRequireEmail. And this is going to be a hard one to find. One of the users has an X509 attribute of this in their account, and BloodHound and a lot of the tools I'm used to using don't show this. They probably could show it; it's probably just not coded. I don't know how common this type of thing is, but you could find it two ways. I'm going to show the first way, which is just going to be NetExec. So if we did netexec ldap scepter.htb -u d.baker -H hash... Do I still have that on my clipboard? I do not. Let's grab his hash. And I don't like this way because I'm going to have to go through every user individually, right? So we put this hash, and then what's next? We want --query "(sAMAccountName=...)", and this is in parentheses. We'll do ourselves, and doing the second double quote here is going to get me every attribute. And I think most people when they saw the box, they looked through all these attributes doing it one by one, looking at them. We could go with a different user. Let's see, user search.
Let's just do Domain Users. I probably could use jq and do it that way too, right? But there's only nine members. We have d.baker there, m.clark, o.scott, e.lewis; we knew these accounts were locked out. So you have p.adams, h.brown, and a.carter, right? If I look at, let's do h.brown and go through these: memberOf, let's see, logonHours, pwdLastSet, userPrincipalName. There we go, we have an altSecurityIdentities and it has this email address here. So what that's saying is certificates with this email address can authenticate as h.brown. A better way, I think, to search that: if you knew from the Certipy output, again like where it says here this SubjectAltRequireEmail, if you're like, oh I know what that field maps to in Active Directory, which I did not when I saw the box, and I'm assuming most people don't, but you could just query LDAP for that, right? We could search for all accounts and pull only that attribute. And let's see if we scroll up. There we go. The one that has the yellow text, we see it there, right? So that's the key piece to find, seeing this attribute is set for h.brown, because what we can do, if we go back to, what is it, show path from owned, right, Active Directory owned objects, there we go. So we can use d.baker to change a.carter's password, give ourselves access to the Staff Access Certificate OU, and then when we have that GenericAll, we can use a.carter's account to give d.baker h.brown's email address. Then when we register a certificate, our certificate's going to have d.baker's UPN and h.brown's email. And because it has h.brown's email and h.brown has that altSecurityIdentities set, we can authenticate as h.brown. So it's a little bit of a complicated attack. So I'm going to put it here because I like just walking through. So the first thing we're going to do is reset, where's the user password, a.carter's password. Then we're going to, as a.carter, what we want to do is take over the Staff... we'll take over.
I'll just say d.baker, and then a.carter adds the X509 alt email to d.baker, and then we can register as h.brown, or probably log in, right? So that is going to be the attack path. So to start this off, let's use NetExec to change the password. So we do nxc smb scepter.htb -u d.baker and then we want to get the credential. So we can grab this, and let's see, -H the hash, -M change-password -o USER=a.carter NEWPASS=... I'll do it as PleaseSubscribe. Bang. So let's see. We have now logged in and we have changed a.carter's password. So the next step is to take over this account. So let's do bloodyAD --host dc01.scepter.htb -d scepter.htb -u a.carter -p PleaseSubscribe, and we're going to add genericAll. And we want to give it this OU object information, distinguishedName, copy. There's the OU, and we give it to a.carter. Okay, a.carter now has GenericAll over that OU. So we should be able to use bloodyAD again to set the attribute. So I can do set object d.baker mail, and the value is going to be h.brown@scepter.htb, and this was that X509 alternate attribute, right? So d.baker's mail has been updated. So now I'm going to use certipy req -username d.baker@scepter.htb -hashes... I have to put the clipboard back, this pane, copy. And the reason why I always do a colon before the hash is because the format is LM hash colon NTLM hash. The LM hash isn't used anymore, but you still just do the colon to tell it it's an NTLM hash. So we'll do -target dc01.scepter.htb. The CA, the default CA name, let's see, that would probably be, what is it? Is it here? It's in the Certipy output. Do we run it here? CA. There we go: scepter-DC01-CA. This is what we want, like that. And what else do we need? The template, and that was Staff Access Certificate. I think it's certificate. It's either certificate or certificates. Let's go with... not that. d.baker, look here. Outbound Object Control: enroll StaffAccessCertificate. Okay, so we have that.
We'll do -dc-ip 10.10.11.65. And I'm gonna hope that permission bit is still set. The auto cleanup scripts could have gone off and changed all the permissions back, because I took a little while to do all this. We'll see. Sure, let's overwrite the certificate. Okay. So now we can do, what was that openssl command we did? What pane was that? That was not that. I bet if I did a search on "pipe openssl"... There we go. We have it, doing it with clark. It was what? d.baker, password. We didn't specify a password. There we go. And it's still set. So if we look in the certificate, this is going to be d.baker's certificate, right? We see CN d.baker, but the email address is set as h.brown@scepter.htb. We can see the Subject Alternative Name is h.brown. So what that's going to allow us to do is now request a ticket as h.brown. So let's go ahead and do that. We'll do certipy req -username d.baker@scepter.htb. Oh no, we want auth. So auth -pfx d.baker.pfx -dc-ip 10.10.11.65 -domain scepter.htb, and the username we want to auth as is h.brown. So there we go. We see Certipy is using the user principal name of h.brown@scepter.htb, and because our certificate has that email and h.brown's account is configured to allow that email to authenticate, we get his hash. So let's go ahead and add this hash to our credentials: vi credentials.txt, h.brown. And I guess I should specify NTLM as well. And let's take a look at what h.brown can do. So if I look here, let's go h.brown. I could add to owned principals. Let's do that real quick. And then if we do Outbound Object Control, we don't see that much. We can enroll a few certificates. So nothing really stands out. If I look at memberOf, we can see Remote Management. So I can use WinRM. Helpdesk Admin, don't know what that is. CMS, don't know what that is. Protected Users, so I won't be able to use NTLM authentication there. And Domain Users. But Remote Management gives us WinRM access.
So we could log into the box, right? So if I wanted to, we could do evil-winrm. We have to use KRB5CCNAME, I think, is equal to... do I have it? Yep. Let's see. -k -i 10.10.11.65. Is that enough? Missing argument IP. Let's see. Is it not -k? No, I don't think so. User. Let's see. -r realm. Let's do scepter.htb. I'm missing a flag, I think. So let's see. I don't see any Kerberos. Let's see if we do -i as dc01.scepter.htb. Let's see if this works. That does. Kerberos is very, very picky about hostnames and stuff, because that's how it identifies who things are. So with Kerberos, generally don't use IP addresses, use hostnames. But as this shell, we can go to the desktop and then we could get user.txt. But there's not much else we can do, right? And this next step is also a little bit tricky to find. The easiest thing I think to do, like when BloodHound and everything is giving you issues and you can't find much, is to run bloodyAD get writable. You could also run PowerShell Empire's Find-InterestingDomainAcl, things like that, but I'm going to run bloodyAD. So we're going to do KRB5CCNAME=h.brown.ccache like this. Then bloodyAD. And we can get rid of these notes because we're no longer doing that. Let's see, bloodyAD. What after this? --host dc01.scepter.htb -d scepter.htb -k get writable, and we can see we can write over p.adams. This isn't telling us what we can write, but we could just try it and try to write the email address to p.adams, and then if we have an email address on p.adams, then we can give it to d.baker and that would let us authenticate as p.adams. Right? If you wanted to, you could go back and run, what is it, dsacls and then CN... Where is p.adams? Here. Let's get his full thing. p.adams. Where is this? distinguishedName is what I want.
So we could run this dsacls command and this will list everything, right? And if we look, let's see, we want to look at "write" specifically. There's probably better ways to filter this. "Allow", that is not exactly what I wanted; this command should have had more information. Oh, it aborted. Evil-WinRM crashed. It does that occasionally. Let's try this again. Run this. Okay, we see the command completed successfully. There are a lot more lines to this. So now if I just search for "write", we can see things we have. So this is the TPM enforcement attribute. Let's see. I probably should just search for "alt" or something. But that's showing the permissions on everything. If I look, because I'm in this CMS group, there's a special access on H Brown for altSecurityIdentities to give me write access. So this is the dsacls command showing you specifically what you have. But again, if you just ran the get writable on bloodyAD, it's not a big leap to say, "Oh, I can write to p.adams. I wonder if I can write the alternate security name and then authenticate as that user." Right? So we're gonna pretty much do the same thing we did from d.baker to h.brown, except this time we're going to put an X509 altSecurityIdentities attribute on p.adams, and then change d.baker's email to be whatever we set, and then log in. So let's go ahead and do that. So we'll do, let's see, we have this bloodyAD command and we'll say set object p.adams altSecurityIdentities, I think that's it, -v and then X509, what is it? X509, this is what I want, the colon RFC822. I don't know if that's specific. I haven't really tested it without setting it in this exact format, but normally Windows is picky about those things. And I'm gonna set it to ippsec. It doesn't matter what it is. It should probably be p.adams to stand out more, but I just want to show that Active Directory only looks at this email and allows anyone, that type of thing, right? So there we go.
We have "p.adams' altSecurityIdentities has been set". So let's see. Did I do it here? I did. So bloodyAD --host scepter a.carter, PleaseSubscribe. And I'm going to change d.baker's to be ippsec. And this failed because of invalid credentials. So I'm going to rerun all the steps I did before here. So if we go to the notes, we want to use that NetExec to change the password. And then after we change the password, we're going to want to add the GenericAll, using Ctrl-R and then typing things I typed before to reverse-search my history. Right? So we add a GenericAll. Then the next thing we want to do is set that thing, and not there. h.brown. No. I may just have to type out this next command. If we hit up enough, we probably find it. See, that's certipy --host. Was it here? Yeah. So here we are setting d.baker's mail to be ippsec@scepter.htb, and we have ippsec@scepter.htb for p.adams. So now we just want to do that request. I guess we should run certipy. I don't see it in my thing. So we'll do certipy auth -pfx. I have to generate a new one. I have to get a new certificate, I think, because our current PFX file only has h.brown's. So let's do certipy req -username d.baker@scepter.htb -hashes. We can exit this so I can cat credentials easily. Put that in. After the hash we want to do -target dc1.scepter.htb, -ca, was it? scepter-DC1-CA, -template the staff access certificate template, -dc-ip 10.10.11.65. So this should request a certificate. Come on. It's thinking about it. Already exists. Yes, it wrote it. Which pane did I do that on? Right here. So now if I look at my certificate, I have the subject alternative name as ippsec@scepter.htb. That is what we want. So now I should be able to use certipy auth. So we'll do certipy auth -pfx dbaker.pfx -dc-ip 10.10.11.65 -domain scepter.htb -username p.adams, and there we go, we got the hash for p.adams. So now we have p.adams as owned. If we do Cypher, is this "shortest path from owned" already?
We are a member of Replication Operators, which is going to give us the ability to DCSync. I'm surprised it's not showing that in BloodHound. Maybe that's why, like we had the partial import or something. But p.adams should be able to get to administrator. Pathfinding. Let's do p.adams, destination node administrator. Does it see anything? I don't think so. But let's go ahead and do this. So I'm going to do a secretsdump: scepter.htb/p.adams@dc1.scepter.htb -k -no-pass, and we'll do KRB5CCNAME equals p.adams.ccache. The reason why, where is it, the Replication Operator can DCSync is because that's saying they can replicate Active Directory, I believe. So there we go, we have all the hashes here. Let's see. Administrator's credential. Let's just try a psexec with this. So we can copy psexec.py -hashes. Paste that in. administrator@scepter.htb, requesting a share. Uploading. Starting the service. And there we go. So we can go to Users, Administrator, and then Desktop, and get root.txt. So that is how you solve the box. But I do want to take a step back and let us enable Remote Desktop, log into the box and look at that, making it vulnerable to ESC9. So what I'm going to do is paste something I have in a notepad. This is just something I save because it enables Remote Desktop in one command. So now I could just log into the box. I don't remember the password of administrator. So I'm just going to change it to please subscribe and then a bang. I forgot the user. So let's add net user administrator. So we can do net user administrator. There we go. So now I should be able to xfreerdp into this box.
So we'll do /v the IP address, /u the username of administrator and /p please subscribe, and I always like putting this in single quotes because I never know how bash is going to interpret that exclamation point. Right, so this will give me RDP, which makes it very easy to just browse the box as an admin, and I'm going to go into the Certificate Authority and we're going to look at the permissions of this certificate. Right? So we have to click Manage on Certificate Templates and that will pop up this screen, and we want to go to the, what is it, staff access certificate, the Subject Name, and this is going to be the values. So let's look at what this looks like in certipy. So let's just do -vulnerable and this will be the output we saw earlier, and I had mentioned something missing, right? So this command will take probably about 15 more seconds to run. Hopefully a little bit shorter. I don't know what's taking it so long. There we go. And as soon as it gets this configuration it's pretty quick. So: vulnerable to ESC9 because the template has no security extension. I think that's just meaning it's not validating information a lot. I don't know exactly what it means, but the Certificate Name Flag, this is what those checkboxes are: SubjectAltRequireEmail, DNS, CN, SubjectRequireEmail. We have DNS, CN right there; this is probably the alt one, SubjectAltRequireEmail, and then SubjectRequireEmail. Right? For ESC9 you want UPN, and those two not checked. So first let's just try to do ESC9 without any modifications. So we confirm it fails, right? So let's go ahead and... not that one. Was it equal please subscribe? There we go. So we have to change the password for a.carter. And then after we do this, we want to give ourself GenericAll. So we'll do... is it GenericAll? There we go. So now we're giving ourself GenericAll. And here's where we do something slightly different. Instead of setting the alt email, which we did before, we're going to use certipy account.
a.carter, please subscribe, -dc-ip of 10.10.11.65. And we're going to set the user principal name to administrator for the target user d.baker. And then after this we just have to request a new certificate. I bet if I do request... this looks fine. d.baker, target. Yep, that is all still the same. And we're going to attempt to request a certificate. And I think it's going to fail because the UPN does not match and it's causing all sorts of chaos, right? Subject email required. So that does not work. So if I go back and just add this UPN flag, let's do the -vulnerable again and we're going to see the changes in that one field that we were looking at. Where is it? It's down here. There we go. We have require UPN, but we still have these emails. And if I try this again, we're going to request a certificate. It fails. If I unselect both of these, click Apply. We do this requesting. It's taking its time. Moment of truth. Come on. I know it's thinking. There we go. We have the administrator.pfx. So now we should be able to do, was it like -in? This should be fine. I'm going to do dbaker.pfx. PFX, type that, less, and let's see, what does the certificate look like? We... administrator.pfx, hold on, terminal is weird. It's still not typing. There we go. We want administrator.pfx. Here we go. So let's see. What does this certificate say? scepter. That's fine. Modulus, X509. Alt name, UPN administrator. So I don't even think Baker is in this. Okay, subject CN is Baker but the UPN was specified as administrator, right? So let's see if we can auth -pfx. I guess I can do -username administrator. Let's see: name mismatch between certificate and user, verify that username administrator matches the UPN... if I don't specify that. So I think we screwed something up and I don't know exactly what. Certificate and user administrator, let's go back to the certipy command. Where is this? Sometimes administrator has weird privileges, right?
Let's now update this to be, was it p.adams or something? That's h.brown. Let's do p.adams. See if I can take over this user. Let's do the request. -username, -hashes, -target. That's fine. This should save the certificate as p.adams if it behaves like it did the administrator one. Okay. So let's do auth, specify p.adams.pfx. PFX: verify that the name matches the certificate. Huh, I'm doing something wrong or it's just completely not vulnerable. Let's do administrator@scepter.htb. Let's request this. Overwrite it. Sure. And let's specify administrator. So something is wrong. I don't know exactly what I am doing wrong, but I think I'm going to wrap the video. I mainly wanted to show passing that one error message. What if we do the fully distinguished name? I don't think that's going to matter. I can't imagine that doing anything, but you never know. Overwrote it. No. There's probably some other thing coming into play. Let's see. auth -pfx. Let's change this UPN back to just administrator. Request. Yes. So I'm going to wrap up the video here. If there's more video content, I decided to go back and find out what the issue was. But most likely I'm doing something wrong or the box just isn't vulnerable at all. I mainly just wanted to show, like, you can go ahead and add Remote Desktop, go play with boxes on your own and whatnot. So yeah, hope you guys enjoyed that. Even though I didn't get root through ESC9 after modifying it, I'm sure it's just me doing something silly. So with that being said, hope you guys enjoyed it. Take care and I'll see you all next time. Okay, so I got it working. We want to do the certipy account to set the UPN to be administrator. And then we're going to request a certificate. And I removed the email from here. I don't know if that matters. I don't think it does. But we request the certificate. We'll overwrite it. And now when we try to auth, we're going to get this error message, right?
But what we want to do is go back to this update command and then change the UPN to be administrator@scepter.htb. It's weird that it says "verify the username administrator matches the UPN administrator". Don't understand that. But now that we did the second update on administrator after requesting the certificate to have the email address, this all should work. I don't know exactly why that's the case. I may have actually explained why in Certified when I did more research on ESC9, of what's going on under the hood. If I had to guess, when we have the UPN set as administrator before, maybe it's creating some weird, like, duplicate thing because there's two UPNs of administrator. It's something weird. So I was just doing ESC9 wrong in the past. It goes to show you can't do everything off of memory. There's always those small weird steps, but that is going to be it. I can show, I guess, it failing if we just start off with the UPN as, let's do, @scepter.htb. We'll request a new certificate and this hopefully will fail. And this is how I do a lot of my learning. Like, I do one thing, it's weird, it doesn't make sense. And then I just keep trying other ways and seeing if everything keeps failing, right? So all I did was put the UPN as the full UPN here. And you'd think this would work because we did the UPN as not the full one and then generated the certificate. Then we changed the UPN to be the full email and that didn't work. Right? So here we're erroring: administrator matches this UPN. So I wonder if I take this off, does this work? So can we go the other way? Start with the email and then go down. Looks like we can. So the last question is, let's do UPN, we'll set it to administrator real quick. And then let's request a certificate. And I'm going to say UPN of ippsec now. And now does the auth work? It looks like it does.
So I think all you have to do after you change the UPN of... I think I know what's going on now. We change our UPN to be administrator, right? And then we request a certificate. Our certificate says maybe d.baker, UPN of administrator, and then when we're trying to use it, our account is coming up first because we also have the UPN of administrator, and then that's where it's failing. So when we changed it away from being administrator, then the only other administrator left in Active Directory must be the default domain administrator. And that's why it works. At least that's my guess at what happened under the hood here. But yeah, that's going to be the box. Hope you guys enjoyed it. Take care and I will see you all next
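The mechanism the ESC14 steps above rely on is explicit certificate mapping: the KDC looks at altSecurityIdentities on the target account, and an `X509:<RFC822>` value matches any certificate that carries that e-mail in its SAN, regardless of which account the CA issued it to. The following is an added, editorial example that models that check offline; it is not code from the video, Certipy or bloodyAD. The user objects, e-mail addresses, issuer DN and serial number are constructed sample data for scepter.htb; the weak/strong split of mapping types follows Microsoft's KB5014754 table; treating the e-mail comparison as case-insensitive is an assumption.

```python
"""Added example: offline model of the explicit certificate mapping behind ESC14.

Editorial code, not from the video, Certipy or bloodyAD.  The user objects,
e-mail addresses, issuer DN and serial are constructed sample data for
scepter.htb.  The weak/strong split follows Microsoft KB5014754.
Assumption: the RFC822 e-mail comparison is case-insensitive.
In a real hunt the input comes from an LDAP query such as
(altSecurityIdentities=*) rather than the SAMPLE_USERS list below.
"""
import re
from dataclasses import dataclass, field

# KB5014754: <I><SR>, <SKI> and <SHA1-PUKEY> are strong because they pin one
# specific certificate; the others match on fields a template may let the
# requester influence, which is exactly what ESC14 exploits.
STRONG = {"I+SR", "SKI", "SHA1-PUKEY"}
WEAK = {"I+S", "S", "RFC822"}

_TAG = re.compile(r"<([A-Z0-9-]+)>([^<]*)")


def parse_alt_security_identity(value: str) -> tuple[str, dict[str, str]]:
    """Split 'X509:<TAG>value<TAG>value' into (kind, {tag: value}).

    kind is the tags joined with '+', e.g. 'RFC822' or 'I+SR'.
    """
    if not value.startswith("X509:"):
        raise ValueError(f"not an X509 mapping: {value!r}")
    parts = dict(_TAG.findall(value[len("X509:"):]))
    kind = "+".join(parts)  # dict keeps the order the tags appeared in
    if kind not in STRONG | WEAK:
        raise ValueError(f"unknown mapping type {kind!r} in {value!r}")
    return kind, parts


def is_strong_mapping(value: str) -> bool:
    return parse_alt_security_identity(value)[0] in STRONG


@dataclass
class User:
    sam: str
    mail: str = ""
    alt_security_identities: list[str] = field(default_factory=list)


@dataclass
class Cert:
    subject_cn: str  # the account the CA actually issued the cert to
    san_rfc822: list[str] = field(default_factory=list)


def explicit_mapping_matches(cert: Cert, users: list[User]) -> list[str]:
    """sAMAccountNames whose altSecurityIdentities explicitly map this cert.

    Only the <RFC822> form is modelled, the one the video abuses.  The subject
    CN is ignored on purpose: an explicit mapping decides which account the
    certificate logs in as, regardless of whom it was issued to.
    """
    emails = {e.lower() for e in cert.san_rfc822}  # assumption: case-insensitive
    hits = []
    for u in users:
        for v in u.alt_security_identities:
            kind, parts = parse_alt_security_identity(v)
            if kind == "RFC822" and parts["RFC822"].lower() in emails:
                hits.append(u.sam)
                break
    return hits


def weak_mappings(users: list[User]) -> list[tuple[str, str]]:
    """(sam, mapping) pairs a defender should review: every non-strong mapping."""
    return [(u.sam, v) for u in users
            for v in u.alt_security_identities if not is_strong_mapping(v)]


# Constructed directory state mirroring what the video builds: p.adams carries
# an RFC822 mapping to an address that d.baker has written into their own mail
# attribute, so a certificate issued to d.baker lands in p.adams' account.
SAMPLE_USERS = [
    User("d.baker", mail="ippsec@scepter.htb"),
    User("h.brown", mail="h.brown@scepter.htb",
         alt_security_identities=["X509:<RFC822>h.brown@scepter.htb"]),
    User("p.adams", alt_security_identities=["X509:<RFC822>ippsec@scepter.htb"]),
    User("svc-backup",  # hypothetical account with a strong mapping
         alt_security_identities=[
             "X509:<I>DC=htb,DC=scepter,CN=scepter-DC1-CA<SR>1a2b3c4d"]),
]

if __name__ == "__main__":
    cert = Cert(subject_cn="d.baker", san_rfc822=["ippsec@scepter.htb"])
    print("cert issued to", cert.subject_cn, "authenticates as",
          explicit_mapping_matches(cert, SAMPLE_USERS))
    for sam, mapping in weak_mappings(SAMPLE_USERS):
        print(f"weak mapping on {sam}: {mapping}")
```

Running it reports that the d.baker certificate authenticates as p.adams and lists h.brown and p.adams as the accounts with weak mappings, which is the two-line triage a defender wants from an `(altSecurityIdentities=*)` dump: anything not in the strong set is a candidate for ESC14 if an attacker can get a matching e-mail or subject into a certificate.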
Original Description
00:00 - Introduction
01:00 - Start of nmap
03:20 - Looking at the NFS Mount on Windows, then downloading the certificates
06:00 - Examining the certificates, dumping information to look at username and expiration. Then cracking PEM and PFX
13:50 - Using certipy to auth with the certificate, discovering some accounts are locked out
17:30 - Building a PFX File from the key and pem, then logging in and running RustHound with Kerberos since we only have NTLM Hash
24:40 - Looking at Bloodhound Data and seeing D.Baker can reset A.Carter's password who can take over D.Baker
27:50 - Running Certipy to look at certificates as D.Baker
30:45 - Examining LDAP to discover H.Brown has an Alternate Security Identity set
32:30 - Performing ESC14 by exploiting a chain to give ourself GenericAll then setting our email to H.Browns so we can impersonate h.brown
41:30 - Using WinRM with Kerberos to login as h.brown
42:40 - Using BloodyAD to show writable objects as h.brown to see they can write something to p.adams
43:58 - Running DSACLS to discover exactly what h.brown can write to see it is the Alternate Security Identity, setting it to be an email and then impersonating p.adams via ESC14
52:15 - Running SecretsDump to become administrator and grab the flag
53:24 - Beyond Root, enabling Remote Desktop so we can look at the Certificate Configuration and see why it isn't vulnerable to ESC9