by opliko
1997 days ago
How would you get a LE cert for a domain you don't control? Your proposed attack is thwarted by ACME challenges. You could redirect the user to an HTTP site, but 1. that can be defeated by adding the domain to the HSTS preload list, and 2. this isn't replacing the content of an HTTPS site, but replacing the HTTPS site with an HTTP one. To actually pull your attack off, you'd need to add your own root certificate to the client device (which means you either tricked the super into doing it and could've as well tricked them into letting you take control of their device anyway, or actually had control of their device - in both cases MITM is pointless at that point), or trick a CA into issuing you a certificate for a domain you don't own / steal a CA's private keys - both of which are things that can easily kill a CA (see DigiNotar, which stopped existing the same month the security breach was reported), and therefore obviously aren't easy to pull off.