Machine Synopsis
`Certificate` is a hard Windows Active Directory machine that starts with an e-learning platform. The web application is vulnerable to `Null-Byte Injection` in its file upload feature, allowing a `PHP` reverse shell to be executed for initial access as `xamppuser`. Database credentials are retrieved, enabling lateral movement to the `Sara.B` user. Further enumeration uncovers a network capture file that leaks the credentials of `Lion.SK`. Using these, Active Directory Certificate Services (`ADCS`) is enumerated, and a vulnerable template is exploited to request certificates on behalf of other users. A certificate is then obtained for the `Ryan.K` user, whose `SeManageVolumePrivilege` is leveraged to gain a shell as `NT AUTHORITY\NETWORK SERVICE`. Finally, `SeImpersonatePrivilege` is used to escalate to `NT AUTHORITY\SYSTEM`, dump `ntds.dit` and the registry hives, and extract the Administrator’s `NTLM` hash, ultimately allowing access as the `Administrator`.
Machine Matrix