
Conversation

carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2025/10/04/htb-certificate.html
  • Blog Title: HTB: Certificate
  • Suggested Section: Web Pentesting -> File Upload Bypass (add subsections: ZIP ZipArchive NUL-filename smuggling and stacked ZIP parser confusion); cross-link from Windows/AD -> AD CS (Golden Certificate) and Windows Privileges -> SeManageVolumePrivilege

🎯 Content Summary

Target: HackTheBox “Certificate” (retired Oct 04, 2025). Windows AD/DC with Apache 2.4.58 (Win64), OpenSSL/3.1.3, PHP/8.0.30 on TCP/80; typical AD ports open (53/88/389/445/5985/…); host DC01, domain certificate.htb.

Recon
- Full scan:

    nmap -p- --min-rate 10000 10.10.11.71
    nmap -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sCV 10.10.11.71

- Populate hosts from SMB:

    netexec smb 10.10.11.71 --generate-hosts-file hosts
    cat ...

🔧 Technical Details

ZIP null-byte filename to smuggle .php — Create a valid PDF carrying a PHP webshell in a PDF stream. Name it shell.php..pdf, zip it, then hex-edit the ZIP local and central directory filename fields to replace the dot after “.php” with 0x00 (NUL), yielding shell.php\x00.pdf. PHP’s ZipArchive reports “.pdf” so it passes validation, but the filesystem writes .php. Browse to /static/uploads/<uuid>/shell.php?cmd= for RCE.


Stacked ZIP parser confusion — Concatenate a benign ZIP (allowed type) with a malicious ZIP containing a blocked extension: cat benign.zip evil.zip > combined.zip. Some validators enumerate the first archive (benign) while the extraction path processes the last (malicious), resulting in a .php being written to disk. Visit the dropped .php for code execution.


Credential pivot from app secrets — Read hardcoded DB cred...

🤖 Agent Actions

Updates implemented:

  1. Web Pentesting – File Upload
  • File updated: src/pentesting-web/file-upload/README.md
  • Added two new techniques under the ZIP/Tar auto-decompression section:
    • ZIP NUL-byte filename smuggling (ZipArchive confusion): How inserting 0x00 in the ZIP entry name causes PHP ZipArchive to report a benign suffix while the filesystem writes a .php file, enabling RCE.
    • Stacked/concatenated ZIPs (parser disagreement): How concatenating two valid ZIPs leads different tools to parse different archives, bypassing validation and dropping a disallowed file.
  • Included PoC commands, notes, and mitigations for both.
  • Appended the blog to the References section:
    • 0xdf – HTB: Certificate (ZIP NUL-name and stacked ZIP parser confusion → PHP RCE)
  2. Windows/AD – AD CS (Golden Certificate)
  • File updated: src/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md
  • Clarified the known name by renaming the section to:
    • “Forging Certificates with Stolen CA Certificates (Golden Certificate) – DPERSIST1”
  • Added the blog to References.
  • Restored/kept the training banner includes at top and bottom.
  3. Windows Privileges – SeManageVolumePrivilege
  • New page created: src/windows-hardening/windows-local-privilege-escalation/semanagevolume-perform-volume-maintenance-tasks.md
  • Content:
    • Overview of SeManageVolumePrivilege (Perform volume maintenance tasks) and its impact.
    • Abuse scenarios: opening raw volume handles (e.g., \\.\C:) to bypass ACLs; reading sensitive files (MachineKeys, registry hives, NTDS via VSS); practical tie-in to exfiltrate CA key material and perform Golden Certificate.
    • Practical techniques: PowerShell/C# examples (wrapped in an expandable), typical sensitive paths, and detection/hardening guidance.
    • References: Microsoft Learn page and the 0xdf blog.
    • Cross-link to the AD CS persistence page for Golden Certificate.
  4. Windows Privileges – Cross-link entry
  • File updated: src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md
  • Added a new subsection “SeManageVolumePrivilege” with a short description and a {{#ref}} link to the new detailed page.
  • Updated the Reference section with:
    • Microsoft Learn – Perform volume maintenance tasks
    • 0xdf – HTB: Certificate (showing SeManageVolumePrivilege → CA key exfil → Golden Certificate)
  • Preserved existing content and banners.

Why these changes:

  • The two ZIP upload bypasses (NUL-byte filename and stacked ZIP parsing confusion) were not documented in HackTricks’ File Upload page. These are distinct, generalizable techniques that fit perfectly under the ZIP auto-decompression/tricks area.
  • “Golden Certificate” already existed conceptually in the AD CS persistence page, but the common name wasn’t explicitly reflected. The section title now highlights the technique name for discoverability and alignment with practitioner terminology.
  • SeManageVolumePrivilege was not covered. It’s a powerful, lesser-documented right that enables raw volume reads leading to arbitrary file read and was pivotal in the blog’s chain to Golden Certificate. A dedicated page and cross-link under token/privilege abuse now explain and reference it.

All modified/created files include a References section with the blog URL and pertinent sources and retain the training banners.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
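A server-side check that catches both ZIP tricks from the Technical Details above (NUL bytes in entry names and stacked archives), added here as an illustration and not code from the 0xdf post or the HackTricks repository. It parses the central directory itself rather than trusting a library's view of the names; the extension allowlist and the sample archive contents are assumptions.

```python
import io
import os
import re
import struct
import zipfile
ALLOWED_EXT = {".pdf", ".png", ".jpg"}  # assumed upload allowlist
EOCD_SIG = b"PK\x05\x06"               # end-of-central-directory signature
def build_zip(entries):
    """Constructed sample: {name: bytes} -> ZIP bytes (stored, uncompressed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def nul_name_sample():
    """Same edit as the post: 'shell.php..pdf' -> 'shell.php\\0.pdf' (same length)."""
    z = build_zip({"shell.php..pdf": b"%PDF-1.4 constructed placeholder"})
    return z.replace(b"shell.php..pdf", b"shell.php\x00.pdf")
def stacked_sample():
    """cat benign.zip evil.zip > combined.zip, built in memory (constructed)."""
    benign = build_zip({"doc.pdf": b"%PDF-1.4 constructed placeholder"})
    evil = build_zip({"shell.php": b"<?php /* constructed placeholder */ ?>"})
    return benign + evil

def inspect_zip(data):
    """Return findings; an empty list means the archive passed every check."""
    findings = []
    eocds = [m.start() for m in re.finditer(re.escape(EOCD_SIG), data)]
    if not eocds:
        return ["no end-of-central-directory record"]
    if len(eocds) > 1:  # one well-formed archive has exactly one EOCD
        findings.append(f"{len(eocds)} EOCD records: stacked/concatenated archives")
    eocd = eocds[-1]    # extractors honour the last EOCD, as in the post
    n_entries, cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    prefix = eocd - cd_size - cd_offset  # bytes sitting before the archive in use
    if prefix != 0:
        findings.append(f"{prefix} bytes precede the archive the extractor will use")
    pos = cd_offset + prefix
    for _ in range(n_entries):  # walk the central directory headers (46-byte fixed part)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        raw = data[pos + 46:pos + 46 + name_len]
        if b"\x00" in raw:
            findings.append(f"NUL byte in entry name {raw!r}")
        # the filesystem stops at the first NUL, so judge that name, not the whole field
        ext = os.path.splitext(raw.split(b"\x00")[0].decode("latin-1"))[1].lower()
        if ext not in ALLOWED_EXT:
            findings.append(f"disallowed extension {ext!r} in {raw!r}")
        pos += 46 + name_len + extra_len + comment_len
    return findings
```

Rejecting any archive with a non-zero prefix or more than one EOCD is stricter than what a library reports and is what closes the parser-disagreement gap.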

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/10/04/htb-certificate.html

Content Categories: Based on the analysis, this content was categorized under "Web Pentesting -> File Upload Bypass (add subsections: ZIP ZipArchive NUL-filename smuggling and stacked ZIP parser confusion); cross-link from Windows/AD -> AD CS (Golden Certificate) and Windows Privileges -> SeManageVolumePrivilege".

Repository Maintenance:

  • MD Files Formatting: 897 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
