HackTheBox - Scepter Writeup

Synopsis

Scepter is a Hard Windows machine from HackTheBox featuring an exposed NFS share that contains user certificate files which, once cracked, allow initial access and a series of chained Active Directory Certificate Services (ADCS) abuses (ESC9 and ESC14) to pivot through multiple user accounts, ultimately gaining DCSync rights for full domain compromise.

- Scan for Services
- Enumerate NFS Share
- Crack Certificate Passwords
- Authenticate as User 'd.baker'
- Abuse 'ForceChangePassword' to become 'a.carter'
- Abuse ADCS (ESC9) to become 'h.brown'
- Capture User Flag
- Abuse ADCS (ESC14) to become 'p.adams'
- Abuse DCSync rights to dump all hashes
- Use Administrator hash to get Root Shell

Skills Required

- Active Directory (AD) Enumeration
- NFS Enumeration
- Password Cracking (John the Ripper)
- AD Certificate Services (ADCS) Abuse
- Familiarity with BloodHound, Certipy, Impacket, and BloodyAD

1. Reconnaissance (TA0043)

The reconnaissance phase involves actively scanning the target to identify services and potential vulnerabilities. ...

July 19, 2025 · 7 min · 0xblivion