In this topic, we’re going to learn about digital certificates and then work through a hands-on lab that uses the CertUtil programme in Windows. The lab in this topic is challenging, so we’ve provided additional guidance at the foot of this topic page. If you need additional support, you can use Slack to get help.
Immersive Lab: CertUtil
CertUtil is a Windows command-line utility used to dump and display certification authority (CA) configuration information, and to encode, decode, download and verify certificate files. Because it ships with every Windows installation and is signed by Microsoft, attackers abuse it as a "living off the land" binary: in this lab we will demonstrate how this system utility is used in malware to retrieve payloads (for example with the -urlcache -split -f options), decode them from Base64, and execute them on unsuspecting victims. The same options are therefore worth alerting on in your own environment: certutil.exe running with -encode, -decode or -urlcache on a normal workstation is rarely legitimate.
Get started by reading the Info tab and learning more about digital certificates and the CertUtil programme.
You’re asked to encode a text file using Base64. The non-encoded file is called ‘file1.txt’ and you need to create an encoded version of this file called ‘file2.txt’. To do this, we recommend using PowerShell.
Open PowerShell by using the search bar in the bottom left corner. Use the ‘pwd’, ‘ls’ and ‘cd’ commands to navigate to the ‘Desktop’ directory. This will feel similar to using the Linux command line: in PowerShell these are aliases for the Get-Location, Get-ChildItem and Set-Location cmdlets.
Once your working directory is the Desktop directory, you will use the certutil programme. As mentioned in the Info tab in the lab, the format for using the certutil programme is as follows:
certutil.exe [Options] [InFile] [OutFile]
In this situation, the option we want to use is ‘-encode’, the InFile is ‘file1.txt’ and the OutFile is ‘file2.txt’. Note that certutil will not overwrite an existing OutFile; if a previous attempt left one behind, delete it before running the command again.
After you’ve executed the correct command, you will have produced a file called file2.txt which will appear on the Desktop. If you open it, you will see the Base64 text wrapped at 64 characters between ‘-----BEGIN CERTIFICATE-----’ and ‘-----END CERTIFICATE-----’ lines, even though the content is not a certificate. That header is what a certutil-encoded blob looks like when you come across one during an investigation.
Task 2 requires the same steps as Task 1, but you will use the ‘-decode’ option when running the command, with the encoded file as the InFile and a new file name as the OutFile. The decoded output should be byte-for-byte identical to the original.
You have looked at file permissions and owners in a previous lesson, but you can also use PowerShell to reveal the owner of a file. You can use the Get-Acl cmdlet (get access control list). Try typing Get-Acl followed by the file name to reveal the owner and other security information; the owner is in the Owner property, and the individual permissions are in the Access property.
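The whole lab sequence, typed into PowerShell, as an added example that is not part of the original lab text. It uses the lab’s file names file1.txt and file2.txt; file3.txt is an assumed name for the decoded copy, and the sample line written into file1.txt is constructed here only so the script runs on a machine where the lab has not already supplied that file. The round-trip check and the Get-Acl step at the end are our additions, not something the lab asks you to type.

```powershell
# Added example (not from the lab): encode, decode, verify, then inspect the owner.
# Assumptions: file1.txt/file2.txt are the lab's names; file3.txt is our name
# for the decoded copy.

# 1. Move to the Desktop. pwd/ls/cd are aliases for Get-Location,
#    Get-ChildItem and Set-Location, so either form works here.
Set-Location -Path (Join-Path $env:USERPROFILE 'Desktop')
Get-Location

# Constructed sample input, only created if the lab has not supplied file1.txt.
if (-not (Test-Path .\file1.txt)) {
    Set-Content -Path .\file1.txt -Value 'Hello from the CertUtil lab'
}

# certutil refuses to overwrite an existing OutFile (ERROR_FILE_EXISTS),
# so clear any leftovers from an earlier attempt.
Remove-Item .\file2.txt, .\file3.txt -ErrorAction SilentlyContinue

# 2. Task 1: Base64-encode file1.txt into file2.txt.
#    On success certutil prints the input/output lengths and
#    "CertUtil: -encode command completed successfully." and exits with 0.
certutil.exe -encode .\file1.txt .\file2.txt
if ($LASTEXITCODE -ne 0) { throw "certutil -encode failed with exit code $LASTEXITCODE" }

# The output is PEM-style: BEGIN/END CERTIFICATE lines around Base64 text
# wrapped at 64 characters. That header is the tell-tale of a certutil-encoded blob.
Get-Content .\file2.txt

# 3. Task 2: decode file2.txt back into a new file.
certutil.exe -decode .\file2.txt .\file3.txt
if ($LASTEXITCODE -ne 0) { throw "certutil -decode failed with exit code $LASTEXITCODE" }

# 4. Verify the round-trip: the decoded file must hash identically to the original.
$original = (Get-FileHash .\file1.txt -Algorithm SHA256).Hash
$decoded  = (Get-FileHash .\file3.txt -Algorithm SHA256).Hash
if ($original -ne $decoded) { throw 'Decoded file does not match the original' }
"Round-trip OK, SHA256 $original"

# 5. Owner and access control list of the file you produced.
$acl = Get-Acl -Path .\file2.txt
"Owner: $($acl.Owner)"            # e.g. MACHINE\user; the value depends on the lab VM
$acl.Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

If the encode step reports that the file already exists, that is the overwrite protection mentioned above rather than a permissions problem; the Remove-Item line handles it on a rerun. The hash comparison is the quick way to prove to yourself that -decode reversed -encode exactly, which is also how you would confirm that a suspicious blob recovered from a host decodes to the payload you think it does.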