Intro

The Red Team Notes has a great article on From Misconfigured Certificate Template to Domain Admin: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-misconfigured-certificate-template-to-domain-admin. However, sometimes the ADCS doesn't have a vulnerable template for us to use. So, this article provides a brief explanation of how to create one.

Key attributes for a vulnerable template

  • msPKI-Certificate-Name-Flag: 65537 (i.e. 0x00010000 + 0x00000001)
    # This flag instructs the client to supply subject information in the certificate request.
    0x00000001  CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT

    # This flag instructs the client to supply subject alternate name information in the certificate request.
    0x00010000  CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME

  • Extended Key Usage (EKU): clientAuthentication (1.3.6.1.5.5.7.3.2)

  • msPKI-Enrollment-Flag: 0x29 (0x20 + 0x08 + 0x01)
    # This flag instructs the client and server to include a Secure/Multipurpose Internet Mail Extensions (S/MIME) certificate extension, as specified in [RFC4262], in the request and in the issued certificate.
    0x00000001  CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS

    # This flag instructs CA servers to append the issued certificate to the userCertificate attribute, as specified in [RFC4523], on the user object in Active Directory. The server processing rules for this flag are specified in [MS-WCCE] section 3.2.2.6.2.1.4.5.6.
    0x00000008  CT_FLAG_PUBLISH_TO_DS

    # This flag instructs clients to perform autoenrollment for the specified template.
    0x00000020  CT_FLAG_AUTO_ENROLLMENT
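As an added example (not from this article or from the ADCSTemplate project), the following Python decodes the two flag attributes above using the bit values listed and reports a template as risky when an enrollee may supply the subject or SAN of a certificate that carries the clientAuthentication EKU. It also honours CT_FLAG_PEND_ALL_REQUESTS (0x2, "CA certificate manager approval"), a standard msPKI-Enrollment-Flag bit not listed above, as the setting that gates such a template. The template records are constructed inline, their dictionary keys are assumptions, and the check deliberately does not evaluate enrollment permissions (ACLs), which a full audit must also cover.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Bit values and names for msPKI-Certificate-Name-Flag, as listed in the article.
NAME_FLAGS = {
    0x00000001: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT",
    0x00010000: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME",
}

# Bit values and names for msPKI-Enrollment-Flag, as listed in the article,
# plus CT_FLAG_PEND_ALL_REQUESTS (0x2): every request waits for manager approval.
ENROLLMENT_FLAGS = {
    0x00000001: "CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS",
    0x00000002: "CT_FLAG_PEND_ALL_REQUESTS",
    0x00000008: "CT_FLAG_PUBLISH_TO_DS",
    0x00000020: "CT_FLAG_AUTO_ENROLLMENT",
}

CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"  # clientAuthentication OID from the article

SUBJECT_BITS = {
    "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT",
    "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME",
}


def decode_flags(value: int, table: dict[int, str]) -> set[str]:
    """Return the names of every known bit that is set in an integer flag attribute."""
    return {name for bit, name in table.items() if value & bit}


@dataclass
class TemplateFinding:
    name: str
    risky: bool
    reasons: list[str] = field(default_factory=list)


def assess_template(name: str, name_flag: int, enrollment_flag: int,
                    ekus: list[str]) -> TemplateFinding:
    """Risky = enrollee picks subject/SAN AND cert is usable for client auth
    AND no manager-approval gate. ACLs are out of scope for this example."""
    name_bits = decode_flags(name_flag, NAME_FLAGS)
    enroll_bits = decode_flags(enrollment_flag, ENROLLMENT_FLAGS)

    supplies_subject = bool(name_bits & SUBJECT_BITS)
    client_auth = CLIENT_AUTH_EKU in ekus
    gated = "CT_FLAG_PEND_ALL_REQUESTS" in enroll_bits

    reasons = []
    if supplies_subject:
        reasons.append("enrollee supplies subject/SAN: " + ", ".join(sorted(name_bits & SUBJECT_BITS)))
    if client_auth:
        reasons.append("issues client-authentication certificates (EKU " + CLIENT_AUTH_EKU + ")")
    if gated:
        reasons.append("mitigated: CT_FLAG_PEND_ALL_REQUESTS requires manager approval")

    return TemplateFinding(name, supplies_subject and client_auth and not gated, reasons)


# Constructed sample records (hypothetical key names), one per template.
SAMPLE_TEMPLATES = [
    {"name": "LabVulnTemplate", "msPKI-Certificate-Name-Flag": 65537,
     "msPKI-Enrollment-Flag": 0x29, "ekus": [CLIENT_AUTH_EKU]},
    {"name": "ApprovedClientAuth", "msPKI-Certificate-Name-Flag": 65537,
     "msPKI-Enrollment-Flag": 0x2B, "ekus": [CLIENT_AUTH_EKU]},   # 0x29 | 0x02
    {"name": "CodeSigningOnly", "msPKI-Certificate-Name-Flag": 65537,
     "msPKI-Enrollment-Flag": 0x29, "ekus": ["1.3.6.1.5.5.7.3.3"]},  # no client auth
    {"name": "SubjectFromAD", "msPKI-Certificate-Name-Flag": 0x0,      # constructed: no enrollee bits
     "msPKI-Enrollment-Flag": 0x29, "ekus": [CLIENT_AUTH_EKU]},
]


def audit(templates: list[dict]) -> list[TemplateFinding]:
    """Assess every template record and return the findings in input order."""
    return [assess_template(t["name"], t["msPKI-Certificate-Name-Flag"],
                            t["msPKI-Enrollment-Flag"], t["ekus"]) for t in templates]


if __name__ == "__main__":
    for finding in audit(SAMPLE_TEMPLATES):
        status = "RISKY" if finding.risky else "ok"
        print(f"{finding.name}: {status}")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

Run against a real export, the same three checks (subject-supplied bits, client-auth EKU, approval gate) are what you would look for in a template's msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag and pKIExtendedKeyUsage values; only LabVulnTemplate in the sample set trips all three.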

Tools to simplify operations

https://github.com/GoateePFE/ADCSTemplate is a PowerShell module that can help with the ADCS template operations.

It is possible to export a template as JSON, modify it accordingly, then re-import the modified template.

Import-Module .\ADCSTemplate.psm1

# export
Export-ADCSTemplate -displayname "<template-name>" > .\<template-name>.json

# re-import
New-ADCSTemplate -DisplayName <modified-template> -JSON (Get-Content .\<modified-template>.json -Raw) -Identity <id> -AutoEnroll -Publish