Hack The Box - Certificate
Challenge: Certificate (Hard - Windows - 40 points)
IP Address: 10.129.237.200
Target Domain: certificate.htb
Before the breach, one must simply observe. 'Certificate' unveiled its soul through Nmap's gentle touch: a certificate.htb Active Directory domain, its many gates (Kerberos, LDAP, SMB) hinting at its true nature. The web server on port 80, a mere redirect, echoed this identity. Gobuster, a persistent whisper, charted its digital pathways: /login.php, /register.php for the living, and the curious, silent /db.php. This wasn't just a scan; it was the system revealing its fundamental architecture, its potential vulnerabilities etched into its very being, awaiting patient discernment before action.
This walkthrough details the steps taken to compromise the "Certificate" machine on Hack The Box.
Reconnaissance
Network Scan (Nmap)
An initial Nmap scan was performed to identify open ports and services running on the target machine (<TARGET_IP> refers to 10.129.237.200).
nmap -sV -sC -T5 10.129.237.200 -v -o nmap_certificate.txt
Results:
The Nmap scan revealed several open ports, indicating a potential Active Directory environment and a web server:
| PORT | STATE | SERVICE | VERSION |
|---|---|---|---|
| 53/tcp | open | domain | Simple DNS Plus |
| 80/tcp | open | http | Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30) |
| 88/tcp | open | kerberos-sec | Microsoft Windows Kerberos |
| 135/tcp | open | msrpc | Microsoft Windows RPC |
| 139/tcp | open | netbios-ssn | Microsoft Windows netbios-ssn |
| 389/tcp | open | ldap | Microsoft Windows Active Directory LDAP (Domain: certificate.htb) |
| 445/tcp | open | microsoft-ds? | |
| 464/tcp | open | kpasswd5? | |
| 593/tcp | open | ncacn_http | Microsoft Windows RPC over HTTP 1.0 |
| 636/tcp | open | ssl/ldap | Microsoft Windows Active Directory LDAP (Domain: certificate.htb) |
| 3268/tcp | open | ldap | Microsoft Windows Active Directory LDAP (Domain: certificate.htb) |
| 3269/tcp | open | ssl/ldap | Microsoft Windows Active Directory LDAP (Domain: certificate.htb) |
| 5985/tcp | open | http | Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |
Key Observations from Nmap:
- Active Directory Services: The presence of ports 53 (DNS), 88 (Kerberos), 135 (MSRPC), 139 (NetBIOS-SSN), 389 (LDAP), 445 (SMB), 464 (kpasswd5), 636 (LDAPS), 3268 (LDAP GC), and 3269 (LDAPS GC) strongly indicates that the target is a Windows Domain Controller for the domain
certificate.htb. - Web Server (Port 80): An Apache httpd 2.4.58 server running on Windows with OpenSSL 3.1.3 and PHP 8.0.30 was identified. It redirects to
http://certificate.htb/. - SSL Certificates: LDAP services on ports 389, 636, 3268, and 3269 use SSL certificates issued by
Certificate-LTD-CAforDC01.certificate.htb. - WinRM (Port 5985): A Microsoft HTTPAPI httpd 2.0 server is running, which is typically used for WinRM.
Web Content Enumeration (Gobuster)
Wappalyzer output for the web server:
A directory brute-force scan was performed on the web server (http://certificate.htb) to discover hidden directories and files.
gobuster dir -u [http://certificate.htb](http://certificate.htb) -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 50 -x php,txt,html,js,json,bak,config -k --random-agent -o certificate_dir.txt
Results:
The Gobuster scan yielded the following interesting paths:
/login.php(Status: 200)/register.php(Status: 200)/upload.php(Status: 302, redirects to login.php)/courses.php(Status: 302, redirects to login.php)/blog.php(Status: 200)/db.php(Status: 200, Size: 0)/about.php(Status: 200)/contacts.php(Status: 200)/index.php(Status: 200)/header.php(Status: 200)/footer.php(Status: 200)/logout.php(Status: 302)/static(Status: 301, redirects to /static/)/webalizer(Status: 403)/phpmyadmin(Status: 403)/licenses(Status: 403)/server-status(Status: 403)/examples(Status: 503)
Key Observations from Gobuster:
- User Management: The presence of
register.php,login.php,logout.php,upload.php, andcourses.phpsuggests a web application with user authentication and specific functionalities for authenticated users. Theupload.phpandcourses.phppages redirect tologin.php, indicating they require authentication. - Potentially Empty File:
db.phpreturned a 200 OK status but with a size of 0 bytes, which might be a placeholder or an empty configuration file. - Forbidden Directories: Directories like
/webalizer,/phpmyadmin,/licenses, and/server-statusare forbidden (403), indicating they are either protected or not intended for public access.
SMB Enumeration
SMB enumeration was performed using nxc (NetExec) and enum4linux-ng to gather more information about the domain and shares.
nxc smb <TARGET_IP> -u "guest" -p "" --shares
Output:
[*] Initializing SMB protocol database
SMB 10.129.237.200 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:certificate.htb) (signing:True) (SMBv1:False)
SMB 10.129.237.200 445 DC01 [-] certificate.htb\guest: STATUS_ACCOUNT_DISABLED
enum4linux-ng -A <TARGET_IP>
SMB enumeration showed that the domain is certificate.htb and the NetBIOS computer name is DC01. It also confirmed that SMB signing is required and that an unauthenticated null session is allowed for certain RPC checks. However, no accessible shares were found with the guest account. The /upload.php and /register.php pages remained of particular interest.
Initial Foothold - Abusing File Upload
The gobuster results indicated an /upload.php page that redirected to login.php. This prompted registering as a student, signing in, and enrolling in a course to access the upload functionality.
