Otter's Notes
ADCS NC Replication Attack

Last updated 1 year ago

After connecting to the Configuration NC with ADSI we see that it also holds information about the PKI infrastructure, under Configuration > Services > Public Key Services.

The Certificate Templates container stores templates as pKICertificateTemplate objects that can be published to an ADCS CA. It is stored in Active Directory at CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=INLANEFREIGHT,DC=AD, where DC=INLANEFREIGHT,DC=AD is the DN of the forest root domain.

The Enrollment Services container contains one pKIEnrollmentService object per CA. Each object lists the templates that have been published to that CA in its certificateTemplates attribute. The container is stored in Active Directory at CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=INLANEFREIGHT,DC=AD, where DC=INLANEFREIGHT,DC=AD is the DN of the forest root domain.

By abusing permissions over the Configuration Naming Context we can add a new vulnerable certificate template to the Certificate Templates container, give the Domain Administrator user of the child domain Full Control over that template, publish it and wait for the changes to propagate.

Once the NC has replicated back to the parent domain, we can request a certificate for root\Administrator from the child domain.

The easiest vulnerable template to set up is ESC1:

  1. Right-click on the User template

  2. Select Duplicate Template. This opens a prompt with the properties of the new template

  3. Set the Subject Name option to Supply in the request. This configuration allows for dynamic specification of the subject name during the certificate request process, potentially introducing the ESC1 vulnerability

The first step is adding a certificate template vulnerable to ESC1 to the Certificate Templates container. To do this we open the Microsoft Management Console (MMC) as SYSTEM.

To access Certificate Templates within the MMC, follow these steps:

  1. Open mmc as SYSTEM using PowerShell and click File in the menu bar

  2. Select Add/Remove Snap-in

  3. Click Add to add the Certificate Templates snap-in

  4. Click OK to confirm and open Certificate Templates

At this point we can duplicate an existing certificate template and set the following options:

  • Subject Name: Supply in the request

  • Security: Full Control to the DOMAIN\Administrator user

At this point we're ready to publish the template: open adsiedit.msc as SYSTEM and fix the permissions the SYSTEM user has over the pKIEnrollmentService object:

  1. Right-click on Public Key Services

  2. Properties > Security > Advanced

  3. Set the following options for the SYSTEM user

This should be the result

Now we edit the pKIEnrollmentService object of the CA: we add the duplicated template to its certificateTemplates attribute, which enables the CA to issue certificates based on the vulnerable template.
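The two containers described above give a defender everything needed to spot this technique from the directory itself. The following audit script is an added example, not part of the original notes or of any tool they reference: it reads the Certificate Templates and Enrollment Services containers, flags templates whose msPKI-Certificate-Name-Flag has the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit (0x1) set and that a CA actually publishes, lists principals holding GenericAll on them, and marks templates created or changed recently. It assumes the RSAT ActiveDirectory module on a domain-joined host and a seven-day window as "recent" (both assumptions).

```powershell
# Added audit example (not from the original notes). Assumes the
# ActiveDirectory module and a reachable DC. CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
# (0x1) in msPKI-Certificate-Name-Flag is the "Supply in the request" setting.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
$ENROLLEE_SUPPLIES_SUBJECT = 0x1
$cutoff = (Get-Date).AddDays(-7)   # assumption: one week counts as "recent"

# Templates live in the Certificate Templates container as pKICertificateTemplate
$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Name-Flag', whenCreated, whenChanged, nTSecurityDescriptor

# Each pKIEnrollmentService lists the templates its CA publishes
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties certificateTemplates

$generic = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

foreach ($t in $templates) {
    $flags = [int]$t.'msPKI-Certificate-Name-Flag'
    $suppliesSubject = ($flags -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0

    # Which CAs reference this template in certificateTemplates
    $publishedOn = @($cas | Where-Object { $_.certificateTemplates -contains $t.Name } |
                         ForEach-Object { $_.Name })

    # Principals granted Full Control (GenericAll) on the template object
    $fullControl = @($t.nTSecurityDescriptor.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights.HasFlag($generic) } |
        ForEach-Object { $_.IdentityReference.Value })

    $recent = ($t.whenCreated -gt $cutoff) -or ($t.whenChanged -gt $cutoff)

    # Report only the combination the notes describe: supply-in-request and published
    if ($suppliesSubject -and $publishedOn.Count -gt 0) {
        [pscustomobject]@{
            Template     = $t.Name
            PublishedOn  = ($publishedOn -join ', ')
            FullControl  = ($fullControl -join ', ')
            WhenCreated  = $t.whenCreated
            WhenChanged  = $t.whenChanged
            RecentChange = $recent
        }
    }
}
```

Run it periodically from the forest root and diff the output: a new row whose FullControl column names a child-domain principal and whose RecentChange is true is exactly the state the steps above produce.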

Now we can exploit ESC1 as we normally would by requesting the vulnerable template:

.\Certify.exe request /ca:domain.com\DOMAIN-DC01-CA /domain:domain.com /template:"Copy of User" /altname:DOMAIN\Administrator

The resulting certificate can then be formatted and converted to PFX:

sed -i 's/\s\s\+/\n/g' cert.pem
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

and used to request a TGT for the Administrator account:

.\Rubeus.exe asktgt /domain:domain.com /user:Administrator /certificate:cert.pfx /ptt