Official Certified Discussion

Relatively easy machine with straightforward walk through from bloodhound + the name of the machine is disclosing more than required :slight_smile:

If you need help you can DM me as well.

Facing a problem while running pywhisker. I have added judith.mader to the management group and confirmed it as well, but I am getting an error on running pywhisker:

┌──(kali㉿kali)-[~/Downloads/pywhisker]
└─$ python pywhisker.py -d "certified.htb" -u "judith.mader" -p "judith09" --target "management_svc" --action "add"
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 73da3289-4de4-4b45-52d4-0f8f94d07365
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[!] module 'OpenSSL.crypto' has no attribute 'PKCS12'

I'm having problems with the last part. certipy is showing me this: Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate. Which means something like the CA is not enabled. Can anyone help? Thx

As many mentioned, Pywhisker is kinda broken after Python 3.12 in Kali.
There are other tools that can help you add the attribute; one example is bloodyAD.

After obtaining the hash for ma**vc, I am unsure what to do. I have looked at Bloodhound many times and am still unable to find anything. There is only 1 connection between that user and the DC, which seems like I cannot exploit, as ma**vc is not a privileged user on the DC?

Oh, I have actually also gotten the hash of the c**op** r account, but I didn’t think it was able to do anything based on the Bloodhound enumeration.

Thank you so much for the hints, I have finally solved it!

FINALLY rooted. brain off, running tool after tool. stumbled upon hacktricks and a certain tool. And one of the exploits worked for the priv esc part. Thought it wasn’t for an hour, and then ran with ‘sudo’ and voila! Feel so dumb

Certified pwned

Hello to all,
I am stuck at the starting point. I know what the input vector is, but before that the user judith must be part of the group M******?, I have tried to add it to the group with net rpc group addmem, but as output of the command I get the message: Could not add judith.mader to M**********: NT_STATUS_ACCESS_DENIED.

Any hint would be very helpful.

Judith needs to be owner of that group and needs to have the necessary permission over that group (like GenericAll) to add itself as member and to finally gain access via shadow credentials to a specific service.

Use a tool of your choice (e.g. BloodyAD) and carefully do each step as I have described.

net rpc group addmem is obviously right; even if you are the owner of that group, you do not have the right permissions yet.

Thank you very much for the hints, they were a great help! :nerd_face: :+1:

Hello, I see your message and I’m a bit lost so I hope you can help me. I’m using Bloodhound and I see that judith has “WriteOwner” rights on the Management group. I guess that’s what I’m supposed to use but I can’t.

Hi, during a few of the last steps I see an error message:

“[-] Name mismatch between certificate and user 'administrator'”

Any hint what I am missing?

Thanks

Hint for future me: remember about the dates! :wink:

Pwnd!

How did you fix that?

$ sudo ntpdate …and here you’ll start this adventure ;)

Good luck!

How are people actually doing the Bloodhound collection?

Everyone seems to say you use the initial creds to collect Bloodhound data and follow that path.

But I cannot log in anywhere to ingest Bloodhound data.

Can anyone give me a hint on this?

I had the same issue… Take a look at this site: GitHub - yovelo98/OSCP-Cheatsheet: My Notes For OSCP - filter for bloodhound

I used the command I found in another machine’s discussion: