ADCS


While adPEAS was briefly enumerating ADCS on the DC host, it discovered that the WebServer and SubCA templates are configured with the msPKI-Certificate-Name-Flag attribute set to ENROLLEE_SUPPLIES_SUBJECT, which potentially leads to an ESC1 vulnerability.

I will enumerate those templates further.

┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ KRB5CCNAME=oorend@dc01.rebound.htb.ccache certipy find -enabled -target dc01.rebound.htb -k -no-pass -dns-tcp -ns $IP -dc-ip $IP -stdout
Certipy v4.7.0 - by Oliver Lyak (ly4k)
 
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'rebound-DC01-CA' via CSRA
[!] got error while trying to get ca configuration for 'rebound-dc01-ca' via csra: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'rebound-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'rebound-DC01-CA'
[*] enumeration output:
Certificate Authorities
  0
    ca name                             : rebound-DC01-CA
    dns name                            : dc01.rebound.htb
    certificate subject                 : CN=rebound-DC01-CA, DC=rebound, DC=htb
    certificate serial number           : 42467DADE6281F8846DC3B6CEE24740D
    certificate validity start          : 2023-04-08 13:55:49+00:00
    certificate validity end            : 2122-04-08 14:05:49+00:00
    web enrollment                      : Disabled
    user specified san                  : Disabled
    request disposition                 : Issue
    enforce encryption for requests     : Enabled
    Permissions
      owner                             : REBOUND.HTB\Administrators
      Access Rights
        manageca                        : REBOUND.HTB\Administrators
                                          REBOUND.HTB\Domain Admins
                                          REBOUND.HTB\Enterprise Admins
        managecertificates              : REBOUND.HTB\Administrators
                                          REBOUND.HTB\Domain Admins
                                          REBOUND.HTB\Enterprise Admins
        enroll                          : REBOUND.HTB\Authenticated Users
Certificate Templates
 
[...REDACTED...]
 
  3
    template name                       : SubCA
    display name                        : Subordinate Certification Authority
    certificate authorities             : rebound-DC01-CA
    enabled                             : True
    client authentication               : True
    enrollment agent                    : True
    any purpose                         : True
    enrollee supplies subject           : True
    certificate name flag               : EnrolleeSuppliesSubject
    private key flag                    : ExportableKey
    requires manager approval           : False
    requires key archival               : False
    authorized signatures required      : 0
    validity period                     : 5 years
    renewal period                      : 6 weeks
    minimum rsa key length              : 2048
    Permissions
      Enrollment Permissions
        enrollment rights               : REBOUND.HTB\Domain Admins
                                          REBOUND.HTB\Enterprise Admins
      Object Control Permissions
        owner                           : REBOUND.HTB\Enterprise Admins
        write owner principals          : REBOUND.HTB\Domain Admins
                                          REBOUND.HTB\Enterprise Admins
        write dacl principals           : REBOUND.HTB\Domain Admins
                                          REBOUND.HTB\Enterprise Admins
        write property principals       : REBOUND.HTB\Domain Admins
                                          REBOUND.HTB\Enterprise Admins
  4
    template name                       : WebServer
    display name                        : Web Server
    certificate authorities             : rebound-DC01-CA
    enabled                             : True
    client authentication               : False
    enrollment agent                    : False
    any purpose                         : False
    enrollee supplies subject           : True
    certificate name flag               : EnrolleeSuppliesSubject
    extended key usage                  : Server Authentication
    requires manager approval           : False
    requires key archival               : False
    authorized signatures required      : 0
    validity period                     : 2 years
    renewal period                      : 6 weeks
    minimum rsa key length              : 2048
    Permissions
      Enrollment Permissions
        enrollment rights               : REBOUND.HTB\Domain Admins
                                          REBOUND.HTB\Enterprise Admins
      Object Control Permissions
        owner                           : REBOUND.HTB\Enterprise Admins
        write owner principals          : REBOUND.HTB\Domain Admins
                                          REBOUND.HTB\Enterprise Admins
        write dacl principals           : REBOUND.HTB\Domain Admins
                                          REBOUND.HTB\Enterprise Admins
        write property principals       : REBOUND.HTB\Domain Admins
                                          REBOUND.HTB\Enterprise Admins
 
[...REDACTED...]

According to the returned data, the enrollment rights are set to the Domain Admins and Enterprise Admins groups for both templates. Therefore, I won’t be able to abuse them. This appears to be a dead end for ADCS.
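As an added example (not part of the original writeup and not Certipy's own code), the script below parses the `certipy find -stdout` template layout shown above and applies the ESC1 conditions that decide the outcome here: `EnrolleeSuppliesSubject` only matters when the template also allows client authentication (or any purpose), needs no manager approval or signatures, and a low-privileged group holds enrollment rights. `SAMPLE` is constructed: SubCA as listed above, plus a hypothetical `UserCopy` template enrollable by Authenticated Users.

```python
import re

LOW_PRIV = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}  # groups every domain member is in

# Constructed sample in certipy -stdout layout: SubCA as on the page, plus a hypothetical 'UserCopy'.
SAMPLE = """\
  3
    template name                       : SubCA
    client authentication               : True
    enrollee supplies subject           : True
    requires manager approval           : False
    authorized signatures required      : 0
        enrollment rights               : REBOUND.HTB\\Domain Admins
                                          REBOUND.HTB\\Enterprise Admins
  5
    template name                       : UserCopy
    client authentication               : True
    enrollee supplies subject           : True
    requires manager approval           : False
    authorized signatures required      : 0
        enrollment rights               : REBOUND.HTB\\Authenticated Users
"""

def parse_templates(text):
    """Split certipy template blocks into dicts; multi-line values (e.g. enrollment rights) become lists."""
    templates, current, last_key = [], None, None
    for line in text.splitlines():
        if re.fullmatch(r"\s*\d+", line):            # a bare index like '  3' opens a new block
            current, last_key = {}, None
            templates.append(current)
        elif current is None or not line.strip():
            continue
        elif ":" in line:                            # 'key : value'
            key, _, value = line.partition(":")
            last_key = key.strip()
            current[last_key] = [value.strip()]
        elif len(line) - len(line.lstrip()) >= 40 and last_key:
            current[last_key].append(line.strip())   # deeply indented line continues the previous list value
    return templates

def first(t, key, default="False"): return t.get(key, [default])[0]

def is_esc1(t):
    # ESC1: a low-privileged enrollee may set the SAN on a client-auth template with no approval gate
    auth = first(t, "client authentication") == "True" or first(t, "any purpose") == "True"
    principals = {p.split("\\")[-1] for p in t.get("enrollment rights", [])}
    return (first(t, "enrollee supplies subject") == "True" and auth
            and first(t, "requires manager approval") == "False"
            and first(t, "authorized signatures required", "0") == "0" and bool(principals & LOW_PRIV))

def esc1_templates(text):
    return [first(t, "template name") for t in parse_templates(text) if is_esc1(t)]
```

Run against the full output above, SubCA and WebServer both drop out on the enrollment-rights check, which is exactly the dead end described.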