Hack The Box - HTB Certificate Writeup - Hard - Weekly - May 31, 2025
Hack The Box - Certificate
Challenge: Certificate (Hard - Windows - 40 points)
IP Address: [MACHINE_IP]
Target Domain: certificate.htb
Before the breach, one must simply observe. 'Certificate' unveiled its soul through Nmap's gentle touch: a certificate.htb Active Directory domain, its many gates (Kerberos, LDAP, SMB) hinting at its true nature. The web server on port 80, a mere redirect, echoed this identity. Gobuster, a persistent whisper, charted its digital pathways: /login.php, /register.php for the living, and the curious, silent /db.php. This wasn't just a scan; it was the system revealing its fundamental architecture, its potential vulnerabilities etched into its very being, awaiting patient discernment before action.
This walkthrough details the steps taken to compromise the "Certificate" machine on Hack The Box.
Reconnaissance
Network Scan (Nmap)
An initial Nmap scan was performed to identify open ports and services running on the target machine (<TARGET_IP> refers to [MACHINE_IP]).
nmap -sV -sC -T5 [MACHINE_IP] -v -o nmap_certificate.txt
Results:
The Nmap scan revealed several open ports, indicating a potential Active Directory environment and a web server:
| PORT | STATE | SERVICE | VERSION |
|---|---|---|---|
| 53/tcp | open | domain | Simple DNS Plus |
| 80/tcp | open | http | Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30) |
| 88/tcp | open | kerberos-sec | Microsoft Windows Kerberos |
| 135/tcp | open | msrpc | Microsoft Windows RPC |
| 139/tcp | open | netbios-ssn | Microsoft Windows netbios-ssn |
| 389/tcp | open | ldap | Microsoft Windows Active Directory LDAP (Domain: certificate.htb) |
| 445/tcp | open | microsoft-ds? | |
| 464/tcp | open | kpasswd5? | |
| 593/tcp | open | ncacn_http | Microsoft Windows RPC over HTTP 1.0 |
| 636/tcp | open | ssl/ldap | Microsoft Windows Active Directory LDAP (Domain: certificate.htb) |
| 3268/tcp | open | ldap | Microsoft Windows Active Directory LDAP (Domain: certificate.htb) |
| 3269/tcp | open | ssl/ldap | Microsoft Windows Active Directory LDAP (Domain: certificate.htb) |
| 5985/tcp | open | http | Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |
Key Observations from Nmap:
- Active Directory Services: The presence of ports 53 (DNS), 88 (Kerberos), 135 (MSRPC), 139 (NetBIOS-SSN), 389 (LDAP), 445 (SMB), 464 (kpasswd5), 636 (LDAPS), 3268 (LDAP GC), and 3269 (LDAPS GC) strongly indicates that the target is a Windows Domain Controller for the domain
certificate.htb. - Web Server (Port 80): An Apache httpd 2.4.58 server running on Windows with OpenSSL 3.1.3 and PHP 8.0.30 was identified. It redirects to
http://certificate.htb/. - SSL Certificates: LDAP services on ports 389, 636, 3268, and 3269 use SSL certificates issued by
Certificate-LTD-CAforDC01.certificate.htb. - WinRM (Port 5985): A Microsoft HTTPAPI httpd 2.0 server is running, which is typically used for WinRM.
Web Content Enumeration (Gobuster)
Wappalyzer output for the web server:
A directory brute-force scan was performed on the web server (http://certificate.htb) to discover hidden directories and files.
gobuster dir -u [http://certificate.htb](http://certificate.htb) -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 50 -x php,txt,html,js,json,bak,config -k --random-agent -o certificate_dir.txt
Results:
The Gobuster scan yielded the following interesting paths:
/login.php(Status: 200)/register.php(Status: 200)/upload.php(Status: 302, redirects to login.php)/courses.php(Status: 302, redirects to login.php)/blog.php(Status: 200)/db.php(Status: 200, Size: 0)/about.php(Status: 200)/contacts.php(Status: 200)/index.php(Status: 200)/header.php(Status: 200)/footer.php(Status: 200)/logout.php(Status: 302)/static(Status: 301, redirects to /static/)/webalizer(Status: 403)/phpmyadmin(Status: 403)/licenses(Status: 403)/server-status(Status: 403)/examples(Status: 503)
Key Observations from Gobuster: