?

Certified HTB - Writeup

i really like this machine because it is VERY straightforward, as in, pretty much most of what you have to do is spelt out in the bloodhound you do at the start

h

as judith, you have the WriteOwner principal towards management@certified.htb, which lets you get management_svc through GenericWrite abuse

bloodhound basically tells you everything you have to do - impacket-owneredit to change the owner

h h

and impacket-dacledit to modify the DACL:

h h

then you can use samba to add judith to the group on linux h

after that, you can use pywhisker to generate a pfx file for management_svc and gettgtpkinit to grab the AS-REP key and tgt:

h h

then, grab the hash and use it to grab a shell!

h h

if you look at management_svc's first degree object controls, you can see it has GenericAll rights over ca_operator

h

just change the password:

h

this serves as great reference for the following steps

this to find the certificate template: h

this to update the account UPN and generate a certificate for administrator: h

then grab the admin hash and ps-exec in! h h