ADCS
Active Directory Certificate Services (AD CS) is a Windows Server role for issuing and managing public key infrastructure (PKI) certificates used in secure communication and authentication protocols.
AD CS provides the following important features:
- certification authorities: Root and subordinate Certificate Authorities (CAs) are used to issue certificates to users, computers, and services, and to manage certificate validity.
- web enrollment: Web enrollment allows users to connect to a CA with a Web browser in order to request certificates and retrieve certificate revocation lists (CRLs).
- online responder: The Online Responder service decodes revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information.
- network device enrollment service: The Network Device Enrollment Service allows routers and other network devices that don’t have domain accounts to obtain certificates.
- tpm key attestation: Lets the certification authority verify the private key is protected by a hardware-based TPM and that the TPM is one that the CA trusts. TPM key attestation prevents the certificate from being exported to an unauthorized device and can bind the user identity to the device.
- certificate enrollment policy web service: The Certificate Enrollment Policy Web Service enables users and computers to obtain certificate enrollment policy information.
- certificate enrollment web service: Certificate Enrollment Web Service enables users and computers to perform certificate enrollment through a web service. Together with the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client computer isn’t a member of a domain or when a domain member isn’t connected to the domain.
The initial suspicion came from certsrv.exe being listed among the MSRPC services during enumeration.
It was later confirmed with Get-Service:
*Evil-WinRM* PS C:\Users\sql_svc\Documents> Get-Service certsvc
Status Name DisplayName
------ ---- -----------
Running certsvc Active Directory Certificate Services
AD CS runs as a Windows service, CertSvc, whose host binary is certsrv.exe. CertSvc is the service directly responsible for the CA and runs in the background.
While there are many ways to enumerate AD CS for misconfigurations, the following two tools dominate:
- Certify.exe: A C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).
- Certipy: A Python implementation of Certify.exe with support for exporting results to a custom BloodHound build.
As sql_svc
*Evil-WinRM* PS C:\tmp> upload Certify.exe C:\tmp\Certify.exe
Info: Uploading /home/kali/archive/htb/labs/escape/Certify.exe to C:\tmp\Certify.exe
Data: 137216 bytes of 137216 bytes copied
Info: Upload successful!
I will start with Certify.exe
*Evil-WinRM* PS C:\tmp> ./Certify.exe find /vulnerable /quiet
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'
[*] Listing info about the Enterprise CA 'sequel-DC-CA'
Enterprise CA Name : sequel-DC-CA
DNS Hostname : dc.sequel.htb
FullName : dc.sequel.htb\sequel-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=sequel-DC-CA, DC=sequel, DC=htb
Cert Thumbprint : A263EA89CAFE503BB33513E359747FD262F91A56
Cert Serial : 1EF2FA9A7E6EADAD4F5382F4CE283101
Cert Start Date : 11/18/2022 12:58:46 PM
Cert End Date : 11/18/2121 1:08:46 PM
Cert Chain : CN=sequel-DC-CA,DC=sequel,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
Allow ManageCA, ManageCertificates sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Enrollment Agent Restrictions : None
[+] No Vulnerable Certificates Templates found!
Certify completed in 00:00:10.1986944
Certify reported no vulnerable certificate templates. That does not rule out a misconfiguration, though: it may simply be that the sql_svc user lacks the permissions needed to read the affected template objects, in which case Certify never sees them.
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ KRB5CCNAME=sql_svc.ccache certipy find -vulnerable -target dc.sequel.htb -k -no-pass -dns-tcp -ns $IP -dc-ip $IP -stdout
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'sequel-DC-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : sequel-DC-CA
DNS Name : dc.sequel.htb
Certificate Subject : CN=sequel-DC-CA, DC=sequel, DC=htb
Certificate Serial Number : 1EF2FA9A7E6EADAD4F5382F4CE283101
Certificate Validity Start : 2022-11-18 20:58:46+00:00
Certificate Validity End : 2121-11-18 21:08:46+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : SEQUEL.HTB\Administrators
Access Rights
ManageCa : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
ManageCertificates : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Enroll : SEQUEL.HTB\Authenticated Users
Certificate Templates : [!] Could not find any certificate templates
Certipy returned the same result: it reached the CA and read its configuration, but could not find any certificate templates as sql_svc.
As Ryan.Cooper
I found it strange that the sql_svc user was unable to enumerate the certificate templates, so I will try again with the credentials of the Ryan.Cooper user.
*Evil-WinRM* PS C:\tmp> ./Certify.exe find /vulnerable /quiet
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'
[*] Listing info about the Enterprise CA 'sequel-DC-CA'
Enterprise CA Name : sequel-DC-CA
DNS Hostname : dc.sequel.htb
FullName : dc.sequel.htb\sequel-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=sequel-DC-CA, DC=sequel, DC=htb
Cert Thumbprint : A263EA89CAFE503BB33513E359747FD262F91A56
Cert Serial : 1EF2FA9A7E6EADAD4F5382F4CE283101
Cert Start Date : 11/18/2022 12:58:46 PM
Cert End Date : 11/18/2121 1:08:46 PM
Cert Chain : CN=sequel-DC-CA,DC=sequel,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated Users S-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
Allow ManageCA, ManageCertificates sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Enrollment Agent Restrictions : None
[!] Vulnerable Certificates Templates :
CA Name : dc.sequel.htb\sequel-DC-CA
Template Name : UserAuthentication
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
WriteOwner Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Certify completed in 00:00:09.5486986
As the Ryan.Cooper user I got a different result: Certify.exe found a vulnerable template, UserAuthentication, published by the CA dc.sequel.htb\sequel-DC-CA.
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ KRB5CCNAME=Ryan.Cooper.ccache certipy find -vulnerable -target dc.sequel.htb -k -no-pass -dns-tcp -ns $IP -dc-ip $IP -stdout
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'sequel-DC-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : sequel-DC-CA
DNS Name : dc.sequel.htb
Certificate Subject : CN=sequel-DC-CA, DC=sequel, DC=htb
Certificate Serial Number : 1EF2FA9A7E6EADAD4F5382F4CE283101
Certificate Validity Start : 2022-11-18 20:58:46+00:00
Certificate Validity End : 2121-11-18 21:08:46+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : SEQUEL.HTB\Administrators
Access Rights
ManageCa : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
ManageCertificates : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Enroll : SEQUEL.HTB\Authenticated Users
Certificate Templates
0
template name : UserAuthentication
display name : UserAuthentication
certificate authorities : sequel-DC-CA
enabled : True
client authentication : True
enrollment agent : False
any purpose : False
enrollee supplies subject : True
certificate name flag : EnrolleeSuppliesSubject
enrollment flag : IncludeSymmetricAlgorithms
PublishToDs
private key flag : ExportableKey
extended key usage : Client Authentication
Secure Email
Encrypting File System
requires manager approval : False
requires key archival : False
authorized signatures required : 0
validity period : 10 years
renewal period : 6 weeks
minimum rsa key length : 2048
Permissions
Enrollment Permissions
enrollment rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Domain Users
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
owner : SEQUEL.HTB\Administrator
write owner principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
write dacl principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
write property principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
[!] Vulnerabilities
esc1 : 'SEQUEL.HTB\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication
It was indeed a permissions issue. Note the counts: as Ryan.Cooper, Certipy sees 34 templates (12 enabled) against 33 (11 enabled) as sql_svc, so the extra template is exactly the one sql_svc could not read. Certipy also flagged UserAuthentication as vulnerable for the same reason, and it named the class of issue: ESC1.
The vulnerability is present because, on the UserAuthentication template:
- The Enrollment Rights attribute includes SEQUEL.HTB\Domain Users, so any domain account can request a certificate from it.
- The msPKI-Certificate-Name-Flag attribute is set to ENROLLEE_SUPPLIES_SUBJECT, meaning the enrollee (anyone in Domain Users in this case) chooses the subject, i.e. who the certificate is issued to, instead of the CA building it from the requester's AD object.
- The pKIExtendedKeyUsage attribute includes Client Authentication, so a certificate issued from this template can be used to authenticate to Active Directory.
- Requires Manager Approval is False and Authorized Signatures Required is 0, so a request is issued immediately with no second party in the loop.
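The ESC1 conditions listed above can be checked offline once the template attributes are in hand. The following is an added example written for this write-up, not code from the page, from Certify or from Certipy: it evaluates the same conditions Certipy reports as ESC1 against template attributes in the shape LDAP returns them (integer flag fields, EKU OIDs, and the SIDs that hold Enroll). The UserAuthentication values are transcribed from the tool output above; the PUBLISHED list and the HARDENED variant are constructed for comparison, and the `enroll_sids` field is an assumed pre-resolved form of the template's security descriptor.

```python
"""Offline ESC1 triage of AD CS certificate-template attributes (added example)."""

# msPKI-Certificate-Name-Flag bits (MS-CRTD section 2.26)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001

# msPKI-Enrollment-Flag bits (MS-CRTD section 2.27)
CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002      # reported as "requires manager approval"
CT_FLAG_PUBLISH_TO_DS = 0x00000008

# EKU OIDs that make an issued certificate usable for AD logon (PKINIT/Schannel)
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Principals that amount to "every account in the domain"
LOW_PRIV_WELL_KNOWN = {"S-1-1-0", "S-1-5-11"}   # Everyone, Authenticated Users
LOW_PRIV_DOMAIN_RIDS = {513, 515}               # Domain Users, Domain Computers


def is_low_privileged(sid: str) -> bool:
    """True for SIDs that any domain account automatically holds."""
    if sid in LOW_PRIV_WELL_KNOWN:
        return True
    if not sid.startswith("S-1-5-21-"):        # only domain SIDs carry these RIDs
        return False
    return int(sid.rsplit("-", 1)[1]) in LOW_PRIV_DOMAIN_RIDS


def allows_client_auth(ekus) -> bool:
    """An empty pKIExtendedKeyUsage means 'all purposes', which includes logon."""
    return not ekus or bool(CLIENT_AUTH_EKUS.intersection(ekus))


def esc1_blockers(template: dict, published_templates) -> list:
    """Return the ESC1 conditions that do NOT hold; an empty list means ESC1 applies."""
    blockers = []
    if template["cn"] not in published_templates:
        blockers.append("template is not published on any enterprise CA")
    if not any(is_low_privileged(s) for s in template["enroll_sids"]):
        blockers.append("no low-privileged principal holds Enroll")
    if not template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        blockers.append("CA builds the subject from AD (ENROLLEE_SUPPLIES_SUBJECT unset)")
    if not allows_client_auth(template.get("pKIExtendedKeyUsage", [])):
        blockers.append("no client-authentication EKU")
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        blockers.append("requires manager approval")
    if template.get("msPKI-RA-Signature", 0) > 0:
        blockers.append("authorized signatures required")
    return blockers


DOMAIN = "S-1-5-21-4078382237-1492182817-2568127209"   # sequel.htb domain SID from the output

# Transcribed from the Certify/Certipy output for sequel.htb
USER_AUTHENTICATION = {
    "cn": "UserAuthentication",
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS | CT_FLAG_PUBLISH_TO_DS,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": [
        "1.3.6.1.5.5.7.3.2",        # Client Authentication
        "1.3.6.1.4.1.311.10.3.4",   # Encrypting File System
        "1.3.6.1.5.5.7.3.4",        # Secure Email
    ],
    "enroll_sids": [f"{DOMAIN}-512", f"{DOMAIN}-513", f"{DOMAIN}-519"],
}

# Constructed hardened variant: subject built from AD, manager approval required
HARDENED = {
    **USER_AUTHENTICATION,
    "cn": "UserAuthenticationFixed",
    "msPKI-Certificate-Name-Flag": 0,
    "msPKI-Enrollment-Flag": USER_AUTHENTICATION["msPKI-Enrollment-Flag"] | CT_FLAG_PEND_ALL_REQUESTS,
}

# Constructed: what a CA object's certificateTemplates attribute might list
PUBLISHED = ["UserAuthentication", "UserAuthenticationFixed", "User", "Machine"]


if __name__ == "__main__":
    for tmpl in (USER_AUTHENTICATION, HARDENED):
        b = esc1_blockers(tmpl, PUBLISHED)
        print(f"{tmpl['cn']}: {'ESC1' if not b else 'not ESC1: ' + '; '.join(b)}")
```

In a live assessment the template objects come from CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,<forest root>, the published names from each CA's certificateTemplates attribute under CN=Enrollment Services, and the Enroll holders from the ACEs in the template's nTSecurityDescriptor that carry the Certificate-Enrollment extended right. The counting check above is worth keeping in mind here too: if the account you enumerate with cannot read a template object, no tool will report it, so a clean run from a low-privileged user is not proof of a clean CA.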
Moving on to the Privilege Escalation phase