Hack The Box: Certificate Machine Walkthrough – Hard Difficulty
Introduction to Certificate:

In this write-up, we will explore the "Certificate" machine from Hack The Box, categorized as a Hard difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the "Certificate" machine from Hack The Box by achieving the following objectives:
User Flag:
We found a login account (lion.sk) by analyzing network traffic and files, then cracked a captured password hash to get the password. Using that password we remotely logged into the machine as lion.sk and opened the desktop to read the user.txt file, which contained the user flag.
Root Flag:
To get full control (root), we abused the machine's certificate system (Active Directory Certificate Services), which issues digital ID cards. By requesting and extracting certificate material and using a small trick to handle the server's clock, we converted those certificate files into administrative credentials. With those elevated credentials we accessed the system as an admin and read the root.txt file for the root flag.
Enumerating the Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oA initial 10.10.11.71
Nmap Output:
┌─[dark@parrot]─[~/Documents/htb/certificate]
└──╼ $nmap -sC -sV -oA initial 10.10.11.71
# Nmap 7.94SVN scan initiated Tue Sep 30 21:48:51 2025 as: nmap -sC -sV -oA initial 10.10.11.71
Nmap scan report for 10.10.11.71
Host is up (0.048s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
|_http-title: Did not follow redirect to http://certificate.htb/
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-01 03:49:25Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-01T03:50:56+00:00; +2h00m32s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after: 2025-11-04T03:14:54
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
Service Info: Hosts: certificate.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h00m30s, deviation: 2s, median: 2h00m30s
| smb2-security-mode: 3:1:1: Message signing enabled and required
| smb2-time: date: 2025-10-01T03:50:14
Analysis:
- 53/tcp – DNS (Simple DNS Plus): name resolution and potential zone/host enumeration.
- 80/tcp – HTTP (Apache/PHP): web application surface for discovery, uploads, and common web vulnerabilities.
- 88/tcp – Kerberos: AD authentication service; relevant for ticket-based attacks and Kerberos enumeration.
- 135/tcp – MSRPC: RPC endpoint mapper for Windows services (potential remote service interfaces).
- 139/tcp – NetBIOS-SSN: legacy SMB session service, useful for NetBIOS/SMB discovery.
- 389/tcp – LDAP: Active Directory directory service (user/group enumeration and queries).
- 445/tcp – SMB (Microsoft-DS): file shares and SMB-based lateral movement/credential theft.
- 464/tcp – kpasswd: the Kerberos password-change service.
- 593/tcp – RPC over HTTP: RPC tunnelled over HTTP, which can expose various Windows RPC services.
- 636/tcp – LDAPS: LDAP over TLS for AD queries and certificate information over an encrypted channel.
- 3268/tcp – Global Catalog (LDAP): forest-wide AD global catalog queries (fast user/group lookup).
- 3269/tcp – Global Catalog over TLS: encrypted global catalog queries for secure AD enumeration.
Web Enumeration:

The website's interface initially appears conventional.

The Account tab contains options for logging in and registering.

Let's create a new account here.

You can register in the same way as shown above.

The registration was successful.

Therefore, let's log in using the credentials we created earlier.

Successful access will display an interface similar to the one shown above.

Clicking the course tab displays the interface shown above.

As a result, let's enrol in the course.

There are many sessions, but the quiz is what caught my attention at the moment.

There is an upload button available in the quiz section.

We are required to upload a report in PDF, DOCX, PPTX, or XLSX format.

After a while, I uploaded a form.pdf file that contained empty content.

Once the file is successfully uploaded, we need to click the "HERE" link to verify that it has been uploaded into the system.

It worked like a charm.
Exploiting Zip Slip: From Archive to Remote Code Execution
Zip Slip is a critical arbitrary file overwrite vulnerability that can often lead to remote command execution. The flaw impacts thousands of projects, including those from major vendors such as HP, Amazon, Apache, and Pivotal. While this type of vulnerability has existed previously, its prevalence has recently expanded significantly across a wide range of projects and libraries.
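As an added illustration of the defensive side of the Zip Slip flaw described above (this is example code written for this write-up, not code from the original post or from any of the projects it names): the vulnerability exists because an extractor writes each archive entry to the path stored in the entry's name, so a name such as ../../htdocs/dropped.php lands outside the upload directory. The Python below shows the containment checks a safe extractor needs; the archive contents, the htdocs path and the file names are constructed sample values.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def is_safe_member(name: str) -> bool:
    """Reject archive member names that could escape the extraction root:
    absolute paths, drive-letter paths, UNC paths and any '..' component."""
    norm = name.replace("\\", "/")          # some Windows-built zips use backslashes
    if not norm or norm.startswith("/"):
        return False
    if len(norm) > 1 and norm[1] == ":":    # C:/... style absolute path
        return False
    return ".." not in PurePosixPath(norm).parts


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract only members that resolve inside `dest`; return the names rejected."""
    rejected: list[str] = []
    root = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename):
                rejected.append(info.filename)
                continue
            target = (root / info.filename.replace("\\", "/")).resolve()
            # Second, path-based check: the resolved target must still sit under root
            if target != root and root not in target.parents:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return rejected


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign PDF entry plus one Zip Slip-style
    entry whose name climbs out of the upload directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n%% constructed empty document\n")
        zf.writestr("../../htdocs/dropped.php", b"<?php /* constructed placeholder */ ?>")
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Extract the sample into a scratch directory; return (rejected names, extracted files)."""
    with tempfile.TemporaryDirectory() as tmp:
        rejected = safe_extract(build_sample_zip(), tmp)
        extracted = sorted(str(p.relative_to(tmp)) for p in Path(tmp).rglob("*") if p.is_file())
    return rejected, extracted


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately redundant: the name filter catches the obvious cases, and the resolve()-based containment check catches anything the string logic misses. Symlinked directories already present inside the destination are not handled here; a production extractor should also refuse to write through them.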

Let's implement a PHP reverse shell to establish a reverse connection back to our host.

Compress the PDF into dark.zip and upload it as a standard archive file.

We also compress the test directory, which includes exploit.php, into a ZIP archive.

Combine the two ZIP archives into a single ZIP file for upload as part of an authorized security assessment in an isolated testing environment.

Initiate the listener.

Upload the shell.zip file to the designated test environment within the authorized, isolated assessment scope.

Access the specified URL within the isolated test environment to observe the application's behavior.

After a short interval, the connection was reestablished.

Among numerous users, the account xamppuser stood out.

Consequently, inspect the certificate.htb directory located under /xampp/htdocs.

I discovered information indicating that we can utilise the MySQL database.

Executing the MySQL command returned no errors, which is a positive sign.
MySQL Reconnaissance and Attack Surface Mapping

As a result, we navigated to /xampp/mysql/bin, used mysql.exe to run SQL commands, and successfully located the database.

The users table drew my attention.

There is a significant amount of information associated with several users.

While scrolling down, we identified a potential user named sara.b.

The hash was collected as shown above.

The hashes are identified as bcrypt; the identifier also lists them as Blowfish (OpenBSD) and WoltLab Burning Board 4.x, since those formats share the same hash prefix.

When using Hashcat, a specific hash mode is required.


After extended processing, the password for the suspected account sara.b was recovered as Blink182.

Attempting to access the machine using Sara.B's credentials.

Unfortunately, Sara.B's desktop contains no files.
Bloodhound enumeration

We can proceed with further analysis using the BloodHound platform.
Sara.B Enumeration for Lateral Movement

We can observe the WS-01 directory.

There are two different file types present.

The Description.txt file reports an issue with Workstation 01 (WS-01) when accessing the Reports SMB share on DC01. Incorrect credentials correctly trigger a "bad credentials" error, but valid credentials cause File Explorer to freeze and crash. This suggests a misconfiguration or fault in how WS-01 handles the SMB share, potentially due to improper permissions or corrupt settings. The behavior indicates a point of interest for further investigation, as valid access attempts lead to system instability instead of normal access.

Download the pcap file to our machine for further analysis.
Wireshark analysis

There are numerous packets available for further investigation.

Upon careful analysis of packet 917, I extracted the following Kerberos pre-authentication hash: $krb5pa$18$Lion.SK$CERTIFICATE.HTB$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0.
Alternate Hash Extraction via Python Script

Alternatively, we can use a Python script here.

Save the hash to hash.txt.


The recovered password is !QAZ2wsx.

This confirms that the account lion.sk can authenticate to WinRM using the password !QAZ2wsx.

We successfully accessed the lion.sk account as expected.

Read the user flag by running the command: type user.txt.
Escalating to Root Privileges
Privilege Escalation:

Sara.B is listed as a member of Account Operators and has GenericAll rights over the lion.sk account. In plain terms, Sara.B can fully manage the lion.sk user: change its password, modify attributes, add it to groups, or even replace its credentials. Because Account Operators is a powerful built-in group and GenericAll grants near-complete control over that specific account, this is a high-risk configuration: an attacker who compromises Sara.B (or abuses her privileges) could take over lion.sk and use it to move laterally or escalate privileges.

Synchronise the system clock with certificate.htb using ntpdate: ntpdate -s certificate.htb
ESC3 Enumeration and CA Configuration Analysis
What is ESC3 Vulnerability?
In a company, employees get digital certificates, like special ID cards, that prove who they are and what they're allowed to do. The ESC3 vulnerability happens when certain certificate templates allow users to request certificates on behalf of others. This means someone with access to these templates can pretend to be another person, even someone with higher privileges like an admin.
Because of this, an attacker could use the vulnerability to gain unauthorized access to sensitive systems or data by impersonating trusted users. It's like being able to get a fake ID that lets you enter restricted areas.
Fixing this involves limiting who can request these certificates and carefully controlling the permissions tied to them to prevent misuse.

Using lion.sk credentials, Certipy enumerated 35 certificate templates, one CA (Certificate-LTD-CA), 12 enabled templates, and 18 issuance policies. Initial CA config retrieval via RRP failed due to a remote registry issue but succeeded on retry. Web enrollment at DC01.certificate.htb timed out, preventing verification. Certipy saved results in text and JSON formats and suggests using -debug for stack traces. Next steps: review saved outputs and confirm DC01βs network/service availability before retrying.


Certipy flagged the template as ESC3 because it contains the Certificate Request Agent EKU, meaning the principals allowed to enrol from this template (here the listed CERTIFICATE.HTB\Domain CRA Managers and Enterprise Admins) can request certificates on behalf of other accounts. In practice, that lets those principals obtain certificates that impersonate higher-privilege users or services (for example, issuing a certificate for a machine or a user you don't control), enabling AD CS abuse and potential domain escalation.
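To make the ESC3 description above and the EKU reasoning concrete from the auditor's side, here is an added example (written for this write-up, not code from the original post or from Certipy) that scans exported template records for the ESC3 shape: an enabled template carrying the Certificate Request Agent EKU, with no approval or co-signature gate, enrollable by principals outside an expected set. The record field names, the template names and the trusted-principal set are assumptions constructed for the example; the EKU OID and the CERTIFICATE.HTB\Domain CRA Managers group name are the only values taken from real usage and from the write-up.

```python
from dataclasses import dataclass, field

# Microsoft "Certificate Request Agent" (Enrollment Agent) EKU OID.
ENROLLMENT_AGENT_OID = "1.3.6.1.4.1.311.20.2.1"
# Friendly names an exporter may emit instead of the OID.
ENROLLMENT_AGENT_NAMES = {"Certificate Request Agent", "Enrollment Agent"}

# Principals for whom agent enrollment is considered expected. Constructed for
# this example; an auditor fills this from their own CA policy.
TRUSTED_AGENT_PRINCIPALS = {
    "CERTIFICATE.HTB\\Enterprise Admins",
    "CERTIFICATE.HTB\\Domain Admins",
}


@dataclass
class Template:
    name: str
    enabled: bool
    ekus: list[str] = field(default_factory=list)
    enrollment_rights: list[str] = field(default_factory=list)
    manager_approval: bool = False
    signatures_required: int = 0


def parse_records(records: list[dict]) -> list[Template]:
    """Build Template objects from exporter records. The key names are an
    assumption for this example, not Certipy's real JSON schema."""
    out = []
    for r in records:
        out.append(Template(
            name=r["Template Name"],
            enabled=bool(r.get("Enabled", False)),
            ekus=list(r.get("Extended Key Usage", [])),
            enrollment_rights=list(r.get("Enrollment Rights", [])),
            manager_approval=bool(r.get("Requires Manager Approval", False)),
            signatures_required=int(r.get("Authorized Signatures Required", 0)),
        ))
    return out


def has_agent_eku(t: Template) -> bool:
    """True if the template's EKU list names the enrollment agent purpose."""
    return any(e == ENROLLMENT_AGENT_OID or e in ENROLLMENT_AGENT_NAMES for e in t.ekus)


def esc3_findings(templates: list[Template]) -> dict[str, list[str]]:
    """Return {template name: principals} for enabled templates that carry the
    agent EKU, have no approval or signature gate, and are enrollable by
    principals outside TRUSTED_AGENT_PRINCIPALS."""
    findings: dict[str, list[str]] = {}
    for t in templates:
        if not (t.enabled and has_agent_eku(t)):
            continue
        if t.manager_approval or t.signatures_required > 0:
            continue  # an approval or co-signature gate is the usual compensating control
        wide = [p for p in t.enrollment_rights if p not in TRUSTED_AGENT_PRINCIPALS]
        if wide:
            findings[t.name] = wide
    return findings


def sample_records() -> list[dict]:
    """Constructed records: an agent template open to a custom group (the ESC3
    shape), a gated agent template, and an ordinary client-auth template."""
    return [
        {"Template Name": "AgentTemplate-Example", "Enabled": True,
         "Extended Key Usage": ["Certificate Request Agent"],
         "Enrollment Rights": ["CERTIFICATE.HTB\\Domain CRA Managers",
                               "CERTIFICATE.HTB\\Enterprise Admins"]},
        {"Template Name": "GatedAgent-Example", "Enabled": True,
         "Extended Key Usage": [ENROLLMENT_AGENT_OID],
         "Enrollment Rights": ["CERTIFICATE.HTB\\Domain Users"],
         "Requires Manager Approval": True},
        {"Template Name": "User", "Enabled": True,
         "Extended Key Usage": ["1.3.6.1.5.5.7.3.2"],   # Client Authentication
         "Enrollment Rights": ["CERTIFICATE.HTB\\Domain Users"]},
    ]


if __name__ == "__main__":
    for name, who in esc3_findings(parse_records(sample_records())).items():
        print(f"ESC3 candidate: {name} enrollable by {', '.join(who)}")
```

This covers only the agent-template half of ESC3. A complete audit also checks which templates accept an enrollment-agent-signed request (schema version 1 templates, or templates requiring one authorized signature with the agent policy) and whether the CA restricts enrollment agents, since removing either half, or adding manager approval, is what actually closes the path.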

Request the certificate and save it as lion.sh.pfx.
Certificate Issued to Ryan.k

Sara.B is a member of Account Operators and has GenericAll permissions on the ryan.k account; in simple terms, Sara.B can fully control ryan.k (reset its password, change attributes, add or remove group membership, or replace credentials). This is high risk: if Sara.B is compromised or abused, an attacker can take over ryan.k and use it for lateral movement or privilege escalation. Recommended actions: limit membership in powerful groups, remove unnecessary GenericAll delegations, and monitor account-change audit logs.

Certipy requested a certificate via RPC (Request ID 22) and successfully obtained a certificate for UPN ryan.k@certificate.htb; the certificate object SID is S-1-5-21-515537669-4223687196-3249690583-1117 and the certificate with its private key was saved to ryan.k.pfx.

Unfortunately, the clock skew is too large.

When using the faketime command, it behaves as expected.

With explicit permission and in a controlled environment, verify whether the extracted hash can authenticate as ryan.k for investigative purposes.
Abusable Rights: SeManageVolumePrivilege

The following privileges are enabled:
- SeMachineAccountPrivilege: Add workstations to the domain
- SeChangeNotifyPrivilege: Bypass traverse checking
- SeManageVolumePrivilege: Perform volume maintenance tasks
- SeIncreaseWorkingSetPrivilege: Increase a process's working set

Let's create a temporary directory.

While executing the command, we encountered the error Keyset does not exist, indicating the required cryptographic key material is missing or inaccessible.

Therefore, we need to transfer the SeManageVolumeExploit.exe file to the target machine.

It refers to entries that have been modified.

I ran icacls on Windows, and it successfully processed 1 file with 0 failures.

Finally, it worked exactly as I expected.

We can now download the ca.pfx file to our local machine.
Certificate Forgery for Domain Auth (Certipy)

We can convert the ca.pfx file into admin.pfx.

Authentication failed because the clock skew is too significant.

After switching to faketime, it worked like a charm.


Read the root flag by running the command: type root.txt.
The post Hack The Box: Certificate Machine Walkthrough – Hard Difficulty appeared first on Threatninja.net.