# AD CS (Active Directory Certificate Services) Pentesting

AD CS is Microsoft's Public Key Infrastructure (PKI) implementation for Active Directory. Misconfigured certificate templates can be abused for privilege escalation.

### Enumeration

We can retrieve certificate information on the target Windows machine using **`certutil`**.

```shellscript
# Dump general information
certutil -dump

# Display the certificate authorities published in AD and the templates they issue
certutil -ca
certutil -catemplates

# List all templates
certutil -template
# Show a specific template (including its permissions)
certutil -template ExampleTemplate
```

Then check whether the template's **`Allow Full Control`** or **`Allow Write`** permissions include a group the current user belongs to. If so, we can modify the template and may be able to escalate privileges.
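As an added example, not taken from the original page, the permission check above can be automated. The PowerShell below assumes a domain-joined host with domain credentials and uses only built-in ADSI classes; it reads every template in the configuration partition and reports those whose ACL grants full-control or write-level rights to the current user or one of the groups in the current token, which is what an auditor needs in order to spot templates that should be tightened.

```powershell
# Added example: audit certificate template ACLs for write rights held by the current
# user's security principals. Assumes a domain-joined host and reachable domain controller.
$rootDse      = [ADSI]"LDAP://RootDSE"
$configNC     = [string]$rootDse.Properties['configurationNamingContext'].Value
$templatesDN  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$container    = [ADSI]"LDAP://$templatesDN"

# SIDs of the current user and every group in the current access token
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids   = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# Rights that let a principal rewrite the template or take it over
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl  -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

foreach ($template in $container.Children) {
    $name  = [string]$template.Properties['cn'].Value
    $rules = $template.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ([int]($ace.ActiveDirectoryRights -band $writeRights) -eq 0) { continue }
        # A WriteProperty ACE scoped to a single attribute (non-empty ObjectType) is not
        # full write access to the template, so skip it unless broader rights are also set
        $onlyScopedWrite = ($ace.ActiveDirectoryRights -eq 'WriteProperty') -and
                           ($ace.ObjectType -ne [guid]::Empty)
        if ($onlyScopedWrite) { continue }
        if ($mySids -notcontains $ace.IdentityReference.Value) { continue }

        # Resolve the SID to a name where possible; fall back to the raw SID
        try   { $who = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.IdentityReference.Value }

        [pscustomobject]@{
            Template  = $name
            Principal = $who
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}
```

Any template reported here can be modified by the current user, so its ACL should be reviewed against the intended owners; the same loop with `$mySids` removed lists every principal holding such rights, which is the more useful view for a defender.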

#### Existing Certificates

```shellscript
# Browse the certificate stores exposed by the PowerShell certificate provider
Get-ChildItem cert:\
Get-ChildItem cert:\CurrentUser\
# Personal store of the current user
Get-ChildItem cert:\CurrentUser\My
Get-ChildItem cert:\LocalMachine\
# Personal store of the machine (requires local administrator rights to read fully)
Get-ChildItem cert:\LocalMachine\My
```

#### Extract Certificates

```shellscript
# Export the public certificate only (DER-encoded .cer, no private key)
$cert = Get-ChildItem -Path cert:\CurrentUser\My\<thumbprint>
Export-Certificate -Cert $cert -FilePath c:\Users\<username>\Desktop\user.cer
```

#### Extract the Private Key from a Certificate

```shellscript
# Export certificate and private key together as a password-protected PFX.
# This only succeeds if the private key was marked exportable when it was created.
$pw = ConvertTo-SecureString "password123" -AsPlainText -Force
$certificate = Get-ChildItem -Path cert:\CurrentUser\My\<thumbprint>
Export-PfxCertificate -Cert $certificate -FilePath user.pfx -Password $pw
```

### References

* [Red Team Notes](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-misconfigured-certificate-template-to-domain-admin)
* [alwayslucky](https://0xalwayslucky.gitbook.io/cybersecstack/active-directory/adcs-privesc-certificate-templates)
