ADCS


While enumerating the target MSRPC server, certsrv.exe was identified as running. ADCS was then enumerated using the TGT of the compromised info account:

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ KRB5CCNAME=info@dc.hokkaido-aerospace.com.ccache certipy-ad find -vulnerable -target dc.hokkaido-aerospace.com -k -no-pass -dns-tcp -ns $IP -dc-ip $IP -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
 
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'hokkaido-aerospace-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'hokkaido-aerospace-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'hokkaido-aerospace-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'hokkaido-aerospace-DC-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : hokkaido-aerospace-DC-CA
    DNS Name                            : dc.hokkaido-aerospace.com
    Certificate Subject                 : CN=hokkaido-aerospace-DC-CA, DC=hokkaido-aerospace, DC=com
    Certificate Serial Number           : 45CD537E2C3559964F5BB3E2D9E6542F
    Certificate Validity Start          : 2023-12-06 15:44:05+00:00
    Certificate Validity End            : 2123-12-06 15:54:05+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : HOKKAIDO-AEROSPACE.COM\Administrators
      Access Rights
        ManageCertificates              : HOKKAIDO-AEROSPACE.COM\Administrators
                                          HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        ManageCa                        : HOKKAIDO-AEROSPACE.COM\Administrators
                                          HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Enroll                          : HOKKAIDO-AEROSPACE.COM\Authenticated Users
Certificate Templates                   : [!] Could not find any certificate templates

N/A

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ KRB5CCNAME=info@dc.hokkaido-aerospace.com.ccache certipy-ad find -enabled -target dc.hokkaido-aerospace.com -k -no-pass -dns-tcp -ns $IP -dc-ip $IP -stdout        
Certipy v4.8.2 - by Oliver Lyak (ly4k)
 
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'hokkaido-aerospace-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'hokkaido-aerospace-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'hokkaido-aerospace-DC-CA' via RRP
[*] Got CA configuration for 'hokkaido-aerospace-DC-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : hokkaido-aerospace-DC-CA
    DNS Name                            : dc.hokkaido-aerospace.com
    Certificate Subject                 : CN=hokkaido-aerospace-DC-CA, DC=hokkaido-aerospace, DC=com
    Certificate Serial Number           : 45CD537E2C3559964F5BB3E2D9E6542F
    Certificate Validity Start          : 2023-12-06 15:44:05+00:00
    Certificate Validity End            : 2123-12-06 15:54:05+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : HOKKAIDO-AEROSPACE.COM\Administrators
      Access Rights
        ManageCertificates              : HOKKAIDO-AEROSPACE.COM\Administrators
                                          HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        ManageCa                        : HOKKAIDO-AEROSPACE.COM\Administrators
                                          HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Enroll                          : HOKKAIDO-AEROSPACE.COM\Authenticated Users
Certificate Templates
  0
    Template Name                       : KerberosAuthentication
    Display Name                        : Kerberos Authentication
    Certificate Authorities             : hokkaido-aerospace-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireDns
                                          SubjectAltRequireDomainDns
    Enrollment Flag                     : AutoEnrollment
    Private Key Flag                    : AttestNone
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
                                          Smart Card Logon
                                          KDC Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HOKKAIDO-AEROSPACE.COM\Enterprise Read-only Domain Controllers
                                          HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Domain Controllers
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Domain Controllers
      Object Control Permissions
        Owner                           : HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Owner Principals          : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Dacl Principals           : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Property Principals       : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
  1
    Template Name                       : DirectoryEmailReplication
    Display Name                        : Directory Email Replication
    Certificate Authorities             : hokkaido-aerospace-DC-CA
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireDns
                                          SubjectAltRequireDirectoryGuid
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : AttestNone
    Extended Key Usage                  : Directory Service Email Replication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HOKKAIDO-AEROSPACE.COM\Enterprise Read-only Domain Controllers
                                          HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Domain Controllers
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Domain Controllers
      Object Control Permissions
        Owner                           : HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Owner Principals          : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Dacl Principals           : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Property Principals       : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
  2
    Template Name                       : DomainControllerAuthentication
    Display Name                        : Domain Controller Authentication
    Certificate Authorities             : hokkaido-aerospace-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireDns
    Enrollment Flag                     : AutoEnrollment
    Private Key Flag                    : AttestNone
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
                                          Smart Card Logon
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HOKKAIDO-AEROSPACE.COM\Enterprise Read-only Domain Controllers
                                          HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Domain Controllers
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Domain Controllers
      Object Control Permissions
        Owner                           : HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Owner Principals          : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Dacl Principals           : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Property Principals       : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
  3
    Template Name                       : SubCA
    Display Name                        : Subordinate Certification Authority
    Certificate Authorities             : hokkaido-aerospace-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : True
    Any Purpose                         : True
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : ExportableKey
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 5 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
      Object Control Permissions
        Owner                           : HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Owner Principals          : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Dacl Principals           : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Property Principals       : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
  4
    Template Name                       : WebServer
    Display Name                        : Web Server
    Certificate Authorities             : hokkaido-aerospace-DC-CA
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : AttestNone
    Extended Key Usage                  : Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
      Object Control Permissions
        Owner                           : HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Owner Principals          : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Dacl Principals           : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Property Principals       : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
  5
    Template Name                       : DomainController
    Display Name                        : Domain Controller
    Certificate Authorities             : hokkaido-aerospace-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireDnsAsCn
                                          SubjectAltRequireDns
                                          SubjectAltRequireDirectoryGuid
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : AttestNone
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HOKKAIDO-AEROSPACE.COM\Enterprise Read-only Domain Controllers
                                          HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Domain Controllers
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Domain Controllers
      Object Control Permissions
        Owner                           : HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Owner Principals          : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Dacl Principals           : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Property Principals       : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
  6
    Template Name                       : Machine
    Display Name                        : Computer
    Certificate Authorities             : hokkaido-aerospace-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireDnsAsCn
                                          SubjectAltRequireDns
    Enrollment Flag                     : AutoEnrollment
    Private Key Flag                    : AttestNone
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Domain Computers
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
      Object Control Permissions
        Owner                           : HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Owner Principals          : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Dacl Principals           : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Property Principals       : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
  7
    Template Name                       : EFSRecovery
    Display Name                        : EFS Recovery Agent
    Certificate Authorities             : hokkaido-aerospace-DC-CA
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireDirectoryPath
                                          SubjectAltRequireUpn
    Enrollment Flag                     : AutoEnrollment
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : File Recovery
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 5 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
      Object Control Permissions
        Owner                           : HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Owner Principals          : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Dacl Principals           : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Property Principals       : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
  8
    Template Name                       : Administrator
    Display Name                        : Administrator
    Certificate Authorities             : hokkaido-aerospace-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireDirectoryPath
                                          SubjectRequireEmail
                                          SubjectAltRequireEmail
                                          SubjectAltRequireUpn
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Microsoft Trust List Signing
                                          Encrypting File System
                                          Secure Email
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
      Object Control Permissions
        Owner                           : HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Owner Principals          : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Dacl Principals           : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Property Principals       : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
  9
    Template Name                       : EFS
    Display Name                        : Basic EFS
    Certificate Authorities             : hokkaido-aerospace-DC-CA
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireDirectoryPath
                                          SubjectAltRequireUpn
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Encrypting File System
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Domain Users
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
      Object Control Permissions
        Owner                           : HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Owner Principals          : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Dacl Principals           : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Property Principals       : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
  10
    Template Name                       : User
    Display Name                        : User
    Certificate Authorities             : hokkaido-aerospace-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireDirectoryPath
                                          SubjectRequireEmail
                                          SubjectAltRequireEmail
                                          SubjectAltRequireUpn
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Encrypting File System
                                          Secure Email
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Domain Users
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
      Object Control Permissions
        Owner                           : HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Owner Principals          : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Dacl Principals           : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
        Write Property Principals       : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins

N/A
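
The fields in the -enabled output are enough to see why none of these templates matches the common ESC1-style misconfiguration. The following is an added example, not part of the original notes and not Certipy's own logic: it parses this text format and lists, per template, which conditions of a simplified ESC1 check are not met. The low-privileged group list and ExampleWeakTemplate are assumptions made for illustration.

```python
import re

# Constructed sample: SubCA and User are abridged from the output above;
# "ExampleWeakTemplate" is made up, included only to show a positive hit.
SAMPLE = r"""
Certificate Templates
  0
    Template Name                       : SubCA
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
  1
    Template Name                       : User
    Client Authentication               : True
    Enrollee Supplies Subject           : False
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HOKKAIDO-AEROSPACE.COM\Domain Admins
                                          HOKKAIDO-AEROSPACE.COM\Domain Users
                                          HOKKAIDO-AEROSPACE.COM\Enterprise Admins
  2
    Template Name                       : ExampleWeakTemplate
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HOKKAIDO-AEROSPACE.COM\Domain Users
"""

KEY = re.compile(r"^\s*(\S.*?)\s+: (.*)$")   # "  Field name      : value"
# Assumption: which principals count as low-privileged is this example's choice.
LOW_PRIV = ("Authenticated Users", "Domain Users", "Domain Computers", "Everyone")

def parse_templates(text):
    """Parse the 'Certificate Templates' section into [{field: [values]}]."""
    out, cur, field, col, active = [], None, None, -1, False
    for line in text.splitlines():
        if line.strip() == "Certificate Templates":
            active = True
        elif not active or not line.strip():
            continue
        elif re.fullmatch(r"\s+\d+", line):          # "  0" opens a template
            cur, field = {}, None
            out.append(cur)
        elif cur is not None and (m := KEY.match(line)):
            field, col = m.group(1), m.start(2)      # remember the value column
            cur[field] = [m.group(2).strip()]
        elif field and len(line) - len(line.lstrip()) == col:
            cur[field].append(line.strip())          # wrapped value
        else:
            field = None                             # header, e.g. "Permissions"
    return out

def unmet(t):
    """Conditions of the simplified ESC1 check this template does NOT meet."""
    first = lambda k: t.get(k, [""])[0]
    checks = {
        "enrollee supplies subject": first("Enrollee Supplies Subject") == "True",
        "authentication EKU": "True" in (first("Client Authentication"), first("Any Purpose")),
        "no manager approval": first("Requires Manager Approval") == "False",
        "no authorized signatures": first("Authorized Signatures Required") == "0",
        "low-privileged enrollment": any(
            r.endswith(LOW_PRIV) for r in t.get("Enrollment Rights", [])),
    }
    return [name for name, ok in checks.items() if not ok]

def report(text):
    """Map each template name to its unmet conditions ([] means flag it)."""
    return {t["Template Name"][0]: unmet(t) for t in parse_templates(text)}

if __name__ == "__main__":
    for name, gaps in report(SAMPLE).items():
        print(name, "-> FLAG" if not gaps else f"-> not flagged, unmet: {gaps}")
```

SubCA lets the enrollee supply the subject but is enrollable only by Domain Admins and Enterprise Admins, while User is open to Domain Users but builds the subject from the directory; each misses one condition, so neither is flagged.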