Lateral Movement
Windows
ADCS
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation
https://github.com/GhostPack/Certify
https://github.com/dirkjanm/PKINITtools
Certificate Template Exploit
Certificate templates in ADCS (Active Directory Certificate Services) are pre-configured templates that define the parameters for a particular type of certificate that can be issued by the certificate authority (CA).
We can use Certify.exe to find vulnerable certificate template.
Request a new certificate with the vulnerable template and try to impersonate.
This will produce a cert.pem
. Use openssl
to convert it into .pfx
.
Now ask the TGT using Certipy.
π‘You can find more information about this subject at links below:
Last updated