AD CS (Active Directory Certificate Services) Pentesting

AD CS is Public Key Infrastructure (PKI) implementation. The misconfiguration of certificate templates can be vulnerable to privilege escalation.

Enumeration

We can retrieve certificates information on target Windows machine using certutil.

# Dump general information
certutil -dump

# Dump information about certificate authority
certutil -ca
certutil -catemplates

# List all templates
certutil -template
# specify the template
certutil -template ExampleTemplate

Then check if Allow Full Control or Allow Write include the group which current user belongs to. If so, we can modify the template and might be able to escalate privilege.

Existing Certificates

Get-ChildItem cert:\
Get-ChildItem cert:\CurrentUser\
Get-ChildItem cert:\CurrentUser\My
Get-ChildItem cert:\LocalMachine\
Get-ChildItem cert:\LocalMachine\My

Extract Certificates

$cert = Get-ChildItem -Path cert:\CurrentUser\My\<thumbprint>
Export-Certificate -Cert $cert -FilePath c:\Users\<username>\Desktop\user.cer

Extract the Private Key from a Certificate

$pw = ConvertTo-SecureString "password123" -AsPlainText -Force
$certificate = Get-ChildItem -Path cert:\CurrentUser\My\<thumbprint>
Export-PfxCertificate -Cert $certificate -FilePath user.pfx -Password $pw

References

PreviousActive Directory Pentesting NextCloud Info Gathering

Last updated 24 days ago

hashtagEnumeration

hashtagExisting Certificates

hashtagExtract Certificates

hashtagExtract the Private Key from a Certificate

hashtagReferences

Enumeration

Existing Certificates

Extract Certificates

Extract the Private Key from a Certificate

References