Exploiting Certificates

Now that we have access to THMSERVER2, we have furthered our journey of exploiting AD by exploiting all Tier 1 assets (servers). However, we are again stuck without the simple means to move to the next tier. So again, we will need to look for more creative paths.

---

AD Certificate Services

Active Directory Certificate Services (AD CS) is a Windows Server role that provides public key infrastructure (PKI) for issuing and managing digital certificates in an Active Directory (AD) environment. AD CS is used for several things, such as encrypting file systems, creating and verifying digital signatures, and even user authentication.

Since AD CS is a privileged function, it usually runs on selected domain controllers. Meaning normal users can't really interact with the service directly.

Before we dive deeper into certificate abuse, some terminology:

Certificates Terminology

• PKI - Public Key Infrastructure is a system that manages certificates and public key encryption

• AD CS - Active Directory Certificate Services is Microsoft's PKI implementation which usually runs on domain controllers

• CA - Certificate Authority is a PKI that issues certificates

• Certificate Template - a collection of settings and policies that defines how and when a certificate may be issued by a CA

• CSR - Certificate Signing Request is a message sent to a CA to request a signed certificate

• EKU - Extended/Enhanced Key Usage are object identifiers that define how a generated certificate may be used

---

Finding Vulnerable Certificate Templates

Logon to the THMSERVER2 machine and enumerate certificates using certutil

certutil -Template -v > templates.txt

The indicator that a Certificate is abusable to perform privilege escalation is a poisonous combination of parameters such as:

• Client Authentication - The certificate can be used for Client Authentication.

• CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT - The certificate template allows us to specify the Subject Alternative Name (SAN).

• CTPRIVATEKEY_FLAG_EXPORTABLE_KEY - The certificate will be exportable with the private key.

• Certificate Permissions - We have the required permissions to use the certificate template.

Since the aim of this room is to gain more broad knowledge of AD exploitation attacks, we will be pointing out that Template[32] is the vulnerable template. I explained how to enumerate vulnerable certificates over here:

AD Certificate Templates | Stuffmfkrypt.gitbook.io

In this template, we can see that the machine account of THMSERVER2 can issue a CSR for a template that allows us to specify the Subject Alternative Name (SAN) and can be used for client authentication.

---

---

Exploiting a Certificate Template

RDP into THMSERVER2

1. Click Start->run

2. Type mmc and hit enter

3. Click File->Add/Remove Snap-in..

4. Add the Certificates snap-in and make sure to select Computer Account and Local computer on the prompts.

5. Click OK

We will request a personal certificate:

1. Right Click on Personal and select All Tasks->Request New Certificate...

2. Click Next twice to select the AD enrollment policy.

3. You will see that we have one template that we can request, but first, we need to provide additional information.

4. Click on the More Information warning.

5. Change the Subject name Type option to Common Name and provide any value, since it does not matter, and click Add.

6. Change the Alternative name Type option to User principal name.

7. Supply the UPN of the user you want to impersonate. The best would be a DA account such as Administrator@za.tryhackme.loc and click Add.

Once you are happy with it, click Apply and OK. Then, select the certificate and click Enroll. You should be able to see your certificate:

The last step is to export our certificate with the private key:

1. Right-click on the certificate and select All Tasks->Export...

2. Click Next, select Yes, export the private key, and click Next.

3. Click Next, then set a password for the certificate since the private key cannot be exported without a password.

4. Click Next and select a location to store the certificate.

5. Click Next and finally click Finish.

---

User Impersonation through a Certificate

Now we can finally impersonate a user. To perform this, two steps are required:

• Use the certificate to request a Kerberos TGT

• Load the Kerberos TGT using Mimikatz

SSH into THMSERVER2 and run Rubeus to get the TGT with these parameters:

Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to> /domain:za.tryhackme.loc /dc:<IP of domain controller>

We successfully generated the TGT. Now we can use Mimikatz to load the TGT and authenticate to THMDC

mimikatz.exe
mimikatz # privilege::debug
mimikatz # kerberos::ptt Administrator.kirbi

List the directories for THMDC

dir \\THMDC.za.tryhackme.loc\c$\

Boom, we have access to Tier 0 infrastructure and have compromised the full child domain! Get the flag in Administrator's Desktop