Active Directory Certificate Services

Enumeration

One indicator of an ADCS installation is the presence of the built-in Cert Publishers group. This group authorizes Certificate Authorities to publish certificates to the directory, so an ADCS server is typically a member of it.

# Querying Cert Publishers group membership
PS C:\Tools> net localgroup "Cert Publishers"

# Find vulnerable templates
PS C:\Tools> .\Certify.exe find /vulnerable

# Identify ADCS servers in the domain
Intrusionz3r0@htb[/htb]$ netexec ldap 10.129.205.199 -u "blwasp" -p "Password123!" -M adcs

How to install Certipy-ad

# Certipy
Intrusionz3r0@htb[/htb]$ sudo apt install certipy-ad || pip3 install certipy-ad
Intrusionz3r0@htb[/htb]$ certipy-ad find -u 'raven' -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -vulnerable -stdout

Download BloodHound Forked

Common Error Messages

| Error Name | Description |
| --- | --- |
| CERTSRV_E_TEMPLATE_DENIED | The permissions on the certificate template do not allow the current user to enroll |
| KDC_ERR_INCONSISTENT_KEY_PURPOSE | Certificate cannot be used for PKINIT client authentication |
| KDC_ERROR_CLIENT_NOT_TRUSTED | Reserved for PKINIT. Try to authenticate to another DC |
| KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for padata type. CA might be expired |

Abusing Certificate Templates

ESC1

Requirements:

  • Enrollment Rights: LAB.LOCAL\Domain Users.

  • Requires Manager Approval: False.

  • Authorized Signature Required: 0.

  • Client Authentication: True or Extended Key Usage Client Authentication.

  • Enrollee Supplies Subject: True.

Output Example

Linux Exploitation

Windows Exploitation

Now we have two options to use the output provided by Rubeus: we can use the NT hash with any of our preferred tools, or use the base64-encoded TGT (ticket.kirbi) to get a session as the Administrator. Let's use the ticket with Rubeus.

Note: If you get an error: The NETBIOS connection with the remote host timed out, just try again.

ESC2

Requirements:

  • Enrollment Rights: LAB.LOCAL\Domain Users.

  • Requires Manager Approval: False.

  • Authorized Signature Required: 0 (no additional approvals required).

  • EKU: Any Purpose.

Output example

Linux Exploitation

Windows Exploitation

Now we have two options to use the output provided by Rubeus: we can use the NT hash with any of our preferred tools, or use the base64-encoded TGT (ticket.kirbi) to get a session as the Administrator.

ESC3

ESC3 concerns templates whose pkiextendedkeyusage and mspki-certificate-application-policy fields have the value Certificate Request Agent.

Condition 1:

  • Enrollment Rights: LAB.LOCAL\Domain Users.

  • Requires Manager Approval: False.

  • Authorized Signature Required: 0 (no additional approvals required).

  • The Extended Key Usage includes Certificate Request Agent.

Output:

Exploitation on Linux

Exploitation on Windows

To identify condition 1 of the ESC3 vulnerability, pay attention to these two fields:

pkiextendedkeyusage: Certificate Request Agent

mspki-certificate-application-policy: Certificate Request Agent.
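To make the ESC1, ESC2 and ESC3 (condition 1) requirements above concrete, here is an added Python auditing helper. It is not Certify or Certipy code: the template records it checks are constructed dictionaries shaped like the template's LDAP attributes (msPKI-Enrollment-Flag, msPKI-RA-Signature, msPKI-Certificate-Name-Flag, pKIExtendedKeyUsage) plus an assumed enrollment_rights list, and the set of "low-privileged" groups is an assumption to adjust per environment. It decodes the flag bits and EKU OIDs and reports which of the three conditions each template meets, which is the check a defender runs to find templates that need fixing.

```python
"""Audit certificate templates for the ESC1, ESC2 and ESC3 (condition 1) prerequisites.

Added auditing helper, not Certify or Certipy code. Each template record is a
constructed dict shaped like the template's LDAP attributes plus an assumed
"enrollment_rights" list of principals that hold enrollment rights.
"""

# Flag bits defined in MS-CRTD
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag ("Requires Manager Approval")

# EKU / application-policy OIDs that let a certificate authenticate a principal
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
OID_ANY_PURPOSE = "2.5.29.37.0"
OID_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"  # the ESC3 enrollment-agent EKU
AUTH_OIDS = {OID_CLIENT_AUTH, OID_SMART_CARD_LOGON, OID_PKINIT_CLIENT_AUTH, OID_ANY_PURPOSE}

# Groups treated as "any domain member" (assumption: adjust per environment)
LOW_PRIV_GROUPS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}


def low_priv_can_enroll(template):
    """True if a broad group such as LAB.LOCAL\\Domain Users holds enrollment rights."""
    groups = {principal.split("\\")[-1] for principal in template["enrollment_rights"]}
    return bool(groups & LOW_PRIV_GROUPS)


def base_conditions(template):
    """Shared prerequisites: broad enrollment, no manager approval, no authorized signatures."""
    manager_approval = bool(template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS)
    return (low_priv_can_enroll(template)
            and not manager_approval
            and template["msPKI-RA-Signature"] == 0)


def audit_template(template):
    """Return the ESC findings (a subset of ["ESC1", "ESC2", "ESC3"]) for one template."""
    findings = []
    if not base_conditions(template):
        return findings
    ekus = set(template["pKIExtendedKeyUsage"])
    supplies_subject = bool(template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    # ESC1: the requester picks the subject/SAN and the certificate can authenticate
    # (an empty EKU list is treated as unrestricted, i.e. "No Extended Key Usage")
    if supplies_subject and (not ekus or ekus & AUTH_OIDS):
        findings.append("ESC1")
    # ESC2: Any Purpose EKU (or no EKU) makes the certificate usable for anything
    if not ekus or OID_ANY_PURPOSE in ekus:
        findings.append("ESC2")
    # ESC3 condition 1: Certificate Request Agent EKU allows enrolling on behalf of others
    if OID_CERT_REQUEST_AGENT in ekus:
        findings.append("ESC3")
    return findings


def audit_all(templates):
    """Map template name -> findings, omitting templates with nothing to report."""
    return {name: f for name, t in templates.items() if (f := audit_template(t))}


def _tpl(enrollment_rights, enrollment_flag, ra_signature, name_flag, ekus):
    """Build a constructed template record in the attribute shape audit_template expects."""
    return {"enrollment_rights": enrollment_rights, "msPKI-Enrollment-Flag": enrollment_flag,
            "msPKI-RA-Signature": ra_signature, "msPKI-Certificate-Name-Flag": name_flag,
            "pKIExtendedKeyUsage": ekus}


# Constructed sample templates; the values only resemble real ones
DU = ["LAB.LOCAL\\Domain Users"]
SAMPLE_TEMPLATES = {
    "ESC1_Like": _tpl(DU, 0x0, 0, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, [OID_CLIENT_AUTH]),
    "ESC2_Like": _tpl(DU, 0x0, 0, 0x0, [OID_ANY_PURPOSE]),
    "ESC3_Like": _tpl(DU, 0x0, 0, 0x0, [OID_CERT_REQUEST_AGENT]),
    # manager approval blocks all three, even with enrollee-supplies-subject set
    "ManagerApproved": _tpl(DU, CT_FLAG_PEND_ALL_REQUESTS, 0, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, [OID_CLIENT_AUTH]),
    # subject comes from AD, so not ESC1 despite client authentication
    "User_Like": _tpl(DU, 0x29, 0, 0xA6000000, [OID_CLIENT_AUTH, "1.3.6.1.5.5.7.3.4"]),
    # enrollee supplies subject but the EKU (server auth) cannot authenticate a principal
    "WebServer_Like": _tpl(DU, 0x0, 0, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, ["1.3.6.1.5.5.7.3.1"]),
    # only privileged groups can enroll
    "AdminOnly": _tpl(["LAB.LOCAL\\Domain Admins"], 0x0, 0, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, [OID_CLIENT_AUTH]),
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_TEMPLATES).items():
        print(f"{name}: {', '.join(findings)}")
```

The negative cases matter as much as the positives: a template that lets the enrollee supply the subject is only ESC1 when it also carries an authentication EKU, and manager approval or an authorized-signature requirement removes all three findings regardless of the other flags.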

ESC9

To successfully abuse this misconfiguration, specific prerequisites must be met:

  1. The StrongCertificateBindingEnforcement registry key must not be set to 2 (the default is 1), or CertificateMappingMethods must contain the UPN flag (0x4). Unfortunately, a low-privileged user usually cannot read these registry values.

  2. The certificate template must incorporate the CT_FLAG_NO_SECURITY_EXTENSION flag within the msPKI-Enrollment-Flag value.

  3. The certificate template should explicitly specify client authentication as its purpose.

  4. The attacker must possess at least the GenericWrite privilege against any user account (account A) to compromise the security of any other user account (account B).

Output:

The ESC9 template has the CT_FLAG_NO_SECURITY_EXTENSION flag set in msPKI-Enrollment-Flag; this is shown as the NoSecurityExtension value in the Enrollment Flag field.

Compromise on Linux

Mission:

  • Target: Compromise User3

  • Pivot User with FullControl Permission: User2 (GenericAll)

We can accomplish this using Password Reset or Shadow Credentials. The advantage of using Shadow Credentials is that we do not have to affect the user by changing their password.

The line [*] Certificate has no object SID means that no objectSid is embedded in the certificate and therefore no strong mapping will be performed, which means we successfully obtained a certificate for user3.

Compromise on Windows

Mission:

  • Target: Compromise User3

  • Pivot User with FullControl Permission: User2

Now we have to identify our pivot user with FullControl (GenericAll); you can use BloodHound or PowerView.

Now get a session as your pivot user and request the certificate.

ESC10

Case 1: StrongCertificateBindingEnforcement is 0x0

To successfully abuse this misconfiguration, specific prerequisites must be met:

  1. The StrongCertificateBindingEnforcement registry key is set to 0, indicating that no strong mapping is performed. It's important to note that this value will only be considered if the April 2023 updates have yet to be installed.

  2. At least one template specifies that client authentication is enabled (e.g., the built-in User template).

  3. We have at least GenericWrite rights for account A, allowing us to compromise account B.

If we don't know whether the StrongCertificateBindingEnforcement registry key is set to 0x0, we have to attempt the attack to find out whether the target is vulnerable.

Case 2: CertificateMappingMethods is 0x4

To successfully carry out this privilege escalation tactic, specific prerequisites must be met:

  1. The CertificateMappingMethods registry key is set to 0x4, indicating no strong mapping.

  2. At least one template is enabled for client authentication (e.g., the built-in User template).

  3. We have at least GenericWrite rights for any account A, allowing us to compromise any account B that does not already have a UPN set (e.g., machine accounts or built-in Administrator accounts). This is important to avoid constraint violation errors on the UPN.

A certificate obtained in this case cannot be used to authenticate via PKINIT; we need to authenticate via Schannel instead, using -ldap-shell.

Certipy permits authentication with Schannel and opens an LDAP shell to conduct some attacks using LDAP. For example, it is possible to create a new computer account and then use it to take over any other machine by configuring a Resource-Based Constrained Delegation.
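As an added example (not Certipy's code) covering the ESC9 prerequisites and both ESC10 cases above, the following Python helper encodes the registry and template conditions as bit tests. All values are constructed; the registry paths in the docstring are the documented KDC and Schannel locations from Microsoft KB5014754, and the April 2023 update is modelled as a boolean because the text says value 0 is only honoured before that update. It generalises case 2 slightly by testing for the UPN bit rather than the exact value 0x4, and ends with the defender's view of what still needs to change.

```python
"""Evaluate the certificate-mapping settings that ESC9 and ESC10 depend on.

Added helper, not Certipy code. The registry values are passed in as integers
(constructed in main); on a real DC they live at
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Kdc\\StrongCertificateBindingEnforcement and
HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\CertificateMappingMethods
(documented in Microsoft KB5014754).
"""

# StrongCertificateBindingEnforcement (KDC / PKINIT) values
SCBE_DISABLED = 0        # no strong (SID-based) mapping performed
SCBE_COMPATIBILITY = 1   # default: weak mappings still accepted
SCBE_FULL = 2            # only certificates with a strong mapping are accepted

# CertificateMappingMethods (Schannel) bits
CMM_SUBJECT_ISSUER = 0x1
CMM_ISSUER = 0x2
CMM_UPN = 0x4            # map on the UPN carried in the SAN
CMM_S4U2SELF = 0x8
CMM_S4U2SELF_EXPLICIT = 0x10
CMM_DEFAULT = CMM_S4U2SELF | CMM_S4U2SELF_EXPLICIT  # 0x18

CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000  # msPKI-Enrollment-Flag bit shown as NoSecurityExtension


def esc9_registry_ok(scbe, cmm):
    """ESC9 prerequisite 1: KDC not in full enforcement, or Schannel still maps on UPN."""
    return scbe != SCBE_FULL or bool(cmm & CMM_UPN)


def esc9_template_ok(enrollment_flag, client_auth):
    """ESC9 prerequisites 2 and 3: NoSecurityExtension set and client authentication allowed."""
    return bool(enrollment_flag & CT_FLAG_NO_SECURITY_EXTENSION) and client_auth


def esc10_case(scbe, cmm, april_2023_update_installed):
    """Return "case1", "case2" or None for the two ESC10 variants described above."""
    # Case 1 only applies while the KDC still honours the value 0
    if scbe == SCBE_DISABLED and not april_2023_update_installed:
        return "case1"
    # Case 2: Schannel maps certificates by UPN (the page's example value is exactly 0x4)
    if cmm & CMM_UPN:
        return "case2"
    return None


def hardening_findings(scbe, cmm):
    """Defender view: what must change to close the ESC9/ESC10 mapping weaknesses."""
    findings = []
    if scbe != SCBE_FULL:
        findings.append(f"StrongCertificateBindingEnforcement={scbe}: KDC accepts weak certificate mappings")
    if cmm & CMM_UPN:
        findings.append(f"CertificateMappingMethods=0x{cmm:x}: Schannel maps certificates by UPN")
    return findings


if __name__ == "__main__":
    # Constructed settings for a default DC, a hardened DC and a DC with UPN mapping enabled
    for label, scbe, cmm in [("default", SCBE_COMPATIBILITY, CMM_DEFAULT),
                             ("hardened", SCBE_FULL, CMM_DEFAULT),
                             ("upn-mapping", SCBE_FULL, CMM_UPN)]:
        print(f"{label}: ESC9 registry ok={esc9_registry_ok(scbe, cmm)}, "
              f"ESC10={esc10_case(scbe, cmm, True)}, fix={hardening_findings(scbe, cmm)}")
```

Note how the two keys interact: setting the KDC to full enforcement alone does not close ESC9 if Schannel still carries the UPN bit, which is why both values appear in the prerequisites.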

Abusing CA Configuration

ESC6

To successfully abuse this misconfiguration, specific prerequisites must be met:

  • User Specified SAN: Enabled

Output:

Exploitation on Linux

Exploitation on Windows

Look for:

Abusing Access Control

ESC4

To make a template vulnerable, the following attributes need to be modified with the specified values:

  • Grant Enrollment rights for the vulnerable template.

  • Disable the PEND_ALL_REQUESTS flag in mspki-enrollment-flag to deactivate Manager Approval.

  • Set the mspki-ra-signature attribute to 0 to disable the Authorized Signature requirement.

  • Enable the ENROLLEE_SUPPLIES_SUBJECT flag in mspki-certificate-name-flag to allow requesting users to specify another privileged account name as a SAN.

  • Set the mspki-certificate-application-policy to a certificate purpose for authentication:

    • Client Authentication (OID: 1.3.6.1.5.5.7.3.2)

    • Smart Card Logon (OID: 1.3.6.1.4.1.311.20.2.2)

    • PKINIT Client Authentication (OID: 1.3.6.1.5.2.3.4)

    • Any Purpose (OID: 2.5.29.37.0)

    • No Extended Key Usage (EKU)

Abuse on Linux

Abuse on Windows

Certificate-Enrollment extended right = 0e10c968-78fb-11d2-90d4-00c04f79dc55
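For the ESC4 section, here is an added Python helper (not part of Certify or Certipy) that parses a template's security descriptor in SDDL form, lists low-privileged principals with write access to the template, and reports who holds the Certificate-Enrollment extended right identified by the GUID above. The SDDL strings and the attribute GUID 11111111-2222-3333-4444-555555555555 are constructed placeholders, and the set of low-privileged aliases and RIDs is an assumption to adapt per environment.

```python
"""Audit a certificate template's security descriptor (SDDL) for ESC4-style write access.

Added helper, not Certify or Certipy code. The SDDL strings below are constructed;
on a real template the descriptor is the nTSecurityDescriptor attribute of the
object under CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...
"""
import re

CERT_ENROLLMENT_RIGHT = "0e10c968-78fb-11d2-90d4-00c04f79dc55"  # GUID quoted on this page

# SDDL access-right codes (subset relevant here)
RIGHTS = {
    "GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite", "GX": "GenericExecute",
    "RC": "ReadControl", "SD": "Delete", "WD": "WriteDacl", "WO": "WriteOwner",
    "RP": "ReadProperty", "WP": "WriteProperty", "CC": "CreateChild", "DC": "DeleteChild",
    "LC": "ListChildren", "SW": "Self", "LO": "ListObject", "DT": "DeleteTree", "CR": "ControlAccess",
}
# Rights that let the holder rewrite the template or its ACL (the ESC4 precondition)
TEMPLATE_WRITE_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "WriteProperty"}

# SID aliases and SIDs treated as low-privileged (assumption: tune per environment)
ALIAS_NAMES = {"DU": "Domain Users", "AU": "Authenticated Users", "WD": "Everyone",
               "DC": "Domain Computers", "DA": "Domain Admins", "EA": "Enterprise Admins",
               "BA": "Administrators", "SY": "SYSTEM"}
LOW_PRIV_ALIASES = {"DU", "AU", "WD", "DC"}
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}          # Everyone, Authenticated Users
LOW_PRIV_RID_SUFFIXES = ("-513", "-515")         # Domain Users, Domain Computers

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")
# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\((\w+);([^;]*);([^;]*);([^;]*);([^;]*);([^;)]*)\)")


def parse_rights(field):
    """Expand the two-letter SDDL rights codes; a raw hex mask is returned unexpanded."""
    if field.lower().startswith("0x"):
        return {field}
    return {RIGHTS.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)}


def parse_aces(sddl):
    """Return the ACEs of the DACL as dicts (SACL and owner/group parts are ignored)."""
    match = DACL_RE.search(sddl)
    if not match:
        return []
    aces = []
    for ace in ACE_RE.finditer(match.group(1)):
        ace_type, _flags, rights, obj, _inherit_obj, sid = ace.groups()
        aces.append({"type": ace_type, "rights": parse_rights(rights), "object": obj.lower(), "sid": sid})
    return aces


def is_low_priv(sid):
    return sid in LOW_PRIV_ALIASES or sid in LOW_PRIV_SIDS or sid.endswith(LOW_PRIV_RID_SUFFIXES)


def principal_name(sid):
    return ALIAS_NAMES.get(sid, sid)


def enrollment_principals(sddl):
    """Principals holding Certificate-Enrollment, directly or via all extended rights (CR with no GUID)."""
    who = set()
    for ace in parse_aces(sddl):
        if ace["type"] in ("A", "OA") and "ControlAccess" in ace["rights"] \
                and ace["object"] in ("", CERT_ENROLLMENT_RIGHT):
            who.add(principal_name(ace["sid"]))
    return who


def esc4_findings(sddl):
    """Low-privileged principals able to modify the template: (principal, rights, scope)."""
    findings = []
    for ace in parse_aces(sddl):
        if ace["type"] not in ("A", "OA") or not is_low_priv(ace["sid"]):
            continue
        dangerous = ace["rights"] & TEMPLATE_WRITE_RIGHTS
        if not dangerous:
            continue
        # WriteProperty limited to one attribute GUID is narrower but still worth review
        single_attr = ace["type"] == "OA" and ace["object"] and dangerous == {"WriteProperty"}
        findings.append((principal_name(ace["sid"]), sorted(dangerous),
                         "single attribute" if single_attr else "whole object"))
    return findings


# Constructed descriptors (not taken from a real forest)
HARDENED_SDDL = ("O:EAG:EAD:"
                 "(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DU)"   # Domain Users may enroll
                 "(A;;RPLCLORC;;;AU)"                                  # Authenticated Users: read only
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)")
WEAK_SDDL = (HARDENED_SDDL
             + "(A;;WPWD;;;DU)"                                          # Domain Users can rewrite template + ACL
             + "(OA;;WP;11111111-2222-3333-4444-555555555555;;AU)")     # placeholder attribute GUID

if __name__ == "__main__":
    for label, sddl in [("hardened", HARDENED_SDDL), ("weak", WEAK_SDDL)]:
        print(f"{label}: enroll={sorted(enrollment_principals(sddl))} esc4={esc4_findings(sddl)}")
```

Enrollment rights on their own are not an ESC4 finding; the check separates "who can enroll" from "who can change what the template says", since only the second lets a principal turn any template into the ESC1-style one the list above describes.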

ESC5 (Compromise CA Server)

Compromising the CA server provides the ability to control PKI and maintain long-term access to the domain.

Certify.exe, unlike Certipy, shows that members of BUILTIN\Administrators (local administrators) hold the ManageCA and ManageCertificates rights on the ADCS server. This presents an opportunity to exploit ESC4 and ESC7, and potentially to manipulate other components of the ADCS service, enabling privilege escalation within the domain.

We need rights over one of the following:

  • The CA server’s AD computer object (i.e., compromise through S4U2Self or S4U2Proxy).

  • The CA server’s RPC/DCOM server.

  • Any descendant AD object or container in the container CN=Public Key Services,CN=Services,CN=Configuration,DC=<COMPANY>,DC=<COM> (e.g., the Certificate Templates container, the Certification Authorities container, the NTAuthCertificates object, the Enrollment Services container, etc.).

Abuse from Linux

Abuse from Windows

ESC7

ESC7 occurs when a user has either the "Manage CA" or "Manage Certificates" access rights on the Certificate Authority (CA) itself. These permissions can be exploited to escalate privileges and compromise the domain.

Key Permissions in ESC7

1. Manage CA

  • Grants the ability to manipulate configurations on the CA remotely.

  • Allows the modification of the EDITF_ATTRIBUTESUBJECTALTNAME2 bit to enable Subject Alternative Name (SAN) specification in any template.

  • SAN manipulation can be particularly dangerous when abused, as it enables adding arbitrary identifiers (e.g., UPN) to certificates. (Refer to ESC6 for SAN-related abuse.)

2. Manage Certificates

  • Grants the ability to remotely approve pending certificate requests, bypassing the default protection of CA certificate manager approval.

  • This effectively allows a user to issue certificates even if they are not authorized to enroll for certain templates.

Once we run the command, we get the error Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate. The reason is that we are not a member of Domain Admins or Enterprise Admins, the only two groups with enrollment rights for this template, so our request was denied; it can, however, be issued later by the CA manager.

SubCA: this template allows an attacker to issue certificates with elevated privileges.

UPN (User Principal Name)

Attack from Linux - ManageCA rights

Attack from Linux - ManageCertificates rights

Abuse on Windows

ESC13

Empty

ESC16

The ESC16 vulnerability, in particular, relates to the omission of the szOID_NTDS_CA_SECURITY_EXT security extension (OID: 1.3.6.1.4.1.311.25.2) in the certificate authority (CA). This extension is essential for binding certificates to specific Active Directory accounts, and disabling it breaks this link, allowing certificates to be issued without proper identity verification.

Look for a CA with a note like:

  • Disabled extensions: 1.3.6.1.4.1.311.25.2

  • [!] Vulnerabilities: ESC16: Security Extension is disabled.


NTLM Relay

ESC8

Requirements:

  • A vulnerable web enrollment endpoint.

  • At least one enabled certificate template that allows domain computer enrollment and client authentication (such as the default Machine/Computer template).

  • Request Disposition: Issue.

Three different scenarios and Methods

| Scenario | Technique | Tools | Key Point | Machine |
| --- | --- | --- | --- | --- |
| 1. DNS Modification Available | DNS Spoofing + DFSCoerce + Kerberos Relay | dnstool.py, DFSCoerce, krbrelayx | Modify DNS to redirect authentication traffic | |
| 2. No DNS Mod but SMB Traffic Available | Direct Coercion + Certipy Relay | Certipy, Coercer | Receive SMB traffic directly, relay to AD CS | |
| 3. No DNS Mod or SMB Direct | Port Bending + StreamDivert + PetitPotam + NTLM Relay | StreamDivert, PetitPotam, ntlmrelayx | Redirect SMB traffic using port bending | |

ESC8 SMB traffic available

ESC11

Miscellaneous ADCS Attacks

Certifried (CVE-2022-26923)

PKINIT

PKINIT is an extension of the Kerberos protocol that enables certificate-based authentication.

Keep in mind that there could be situations where Kerberos authentication with certificates is not an option. In such cases, we can fall back to Schannel, an alternative method for authenticating with certificates when PKINIT is not supported.

| Error | Description | Possible causes |
| --- | --- | --- |
| KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller. It can also happen when a domain controller doesn't have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |

This means the KDC Certificate is missing the Smart Card Logon EKU. Without this EKU, the KDC cannot use the certificate for PKINIT, which causes authentication to fail.

How to authenticate over LDAPS with PassTheCert

If Kerberos is not available, we switch to Schannel.

  • Schannel LDAPS authentication allows certificates to be used for authenticating to Active Directory over a secure channel.

Extract key and cert from the pfx

Available Attacks

#1 Grant DCSync rights to user

#2 Resource-Based Constrained Delegation

The second attack, Resource-Based Constrained Delegation, involves modifying certain attributes of the target computer to impersonate a user on that system. Using an Administrator's certificate, it is possible to change the attributes of the domain controller and create a computer account that can delegate to the Domain Controller in order to perform the attack.

#3 Password Reset
