AD Certificate Templates

I have already explained a bit about Certificates previously:

Exploiting Certificates | Stuffmfkrypt.gitbook.io

We can enumerate available Certificates Templates using certutil

certutil -v -template

We can also us certipy with the -vulnerable flag to enumerate vulnerable templates

certipy find -u <USER@DOMAIN> -p <PASSWORD> -dc-ip <IP> -vulnerable

Identifying Poisonous Combinations

For this task, there are three key parameters we should find, based on the dangerous combinations I mentioned previously. We are to find three parameters:

Allow Enroll or Allow Full Control
Client Authentication
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT

Looking at the output of the Certipy tool above, we find 2 templates that are vulnerable. The one we are looking at is UserRequest

Great, now we have our vulnerable certificate!

PreviousLocal Password Administrator Solution (LAPS)NextHackTheBox

Last updated 11 months ago

hashtagIdentifying Poisonous Combinations

Identifying Poisonous Combinations