Official Certified Discussion

Try sudo ntpdate-debian FQDN and it worked for me over the rest.

Hi Viperr ,
I’m getting that same error, Can you tell me ho did you solve it ?

I get the following error when running certipy with TGT in ma**vc.

[-] Got error: Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)

How do I specify the SPN?

run certipy find without the --vulnerable (I think?) flag, and look at the templates you can work with, there’s one for user authentication. That did work for me but not sure if thats the intended way.

thanks it didn’t show up for me for some reason

Is it the User template (template 33). It didn’t work for me?

Done !

This site might be of help for root Certificate templates | The Hacker Recipes

feel free to dm for help

Root! Thanks @JoeyOnline !

1 Like

Relatively easy machine with straightforward walk through from bloodhound + the name of the machine is disclosing more than required :slight_smile:

If you need help you can DM me as well.

facing problem while running pywhisker , i have added the judith.mader to management group and confirms it as well , but getting error on running pywhisker

┌──(kali㉿kali)-[~/Downloads/pywhisker]
└─$ python pywhisker.py -d “certified.htb” -u “judith.mader” -p “judith09” --target “management_svc” --action “add”
[] Searching for the target account
[
] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[] Generating certificate
[
] Certificate generated
[] Generating KeyCredential
[
] KeyCredential generated with DeviceID: 73da3289-4de4-4b45-52d4-0f8f94d07365
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[!] module ‘OpenSSL.crypto’ has no attribute ‘PKCS12’

Im having problems with the last part, certipy is showing me this: Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate. Which means smth like the ca is not enabled, can anyone help? Thx

As many mentioned Pywhisker is kinda broken after python 3.12 in kali.
There are other tools that can help you adding the attribute on example is Bloodyad

After obtaining the hash for ma**vc, I am unsure what to do I have looked at Bloodhound many times still unable to find anything. There is only 1 connection between that user and the DC which seems like I cannot exploit as ma**vc is not a privileged user on the DC?

Now that you have the hash for the ma*sv account, check out their ‘First Degree Object Control’ in Bloodhound as this may reveal some other users that we may want to exploit!

Oh, I have actually also gotten the has of the c**op** r account but I didn’t think it was able to do anything based on the bloodhound enumeration

That’s correct, now that you own the c*op account, I would suggest checking for any vulnerable templates that they may be enrolled into! Feel free to send me a DM if you get stuck :slight_smile:

Thank you so much for the hints, I have finally solved it!

1 Like

FINALLY rooted. brain off, running tool after tool. stumbled upon hacktricks and a certain tool. And one of the exploits worked for the priv esc part. Thought it wasn’t for an hour, and then ran with ‘sudo’ and voila! Feel so dumb ㅋㅋㅋ