AD CS (Active Directory Certificate Services) Pentesting
Last modified: 2023-10-22
AD CS is Public Key Infrastructure (PKI) implementation. The misconfiguration of certificate templates can be vulnerable to privilege escalation.
Enumeration
We can retrieve certificates information on target Windows machine using certutil
.
# Dump general information
certutil -dump
# Dump information about certificate authority
certutil -ca
certutil -catemplates
# List all templates
certutil -template
# specify the template
certutil -template ExampleTemplate
Then check if Allow Full Control
or Allow Write
include the group which current user belongs to. If so, we can modify the template and might be able to escalate privilege.
Existing Certificates
Get-ChildItem cert:\
Get-ChildItem cert:\CurrentUser\
Get-ChildItem cert:\CurrentUser\My
Get-ChildItem cert:\LocalMachine\
Get-ChildItem cert:\LocalMachine\My
Extract Certificates
$cert = Get-ChildItem -Path cert:\CurrentUser\My\<thumbprint>
Export-Certificate -Cert $cert -FilePath c:\Users\<username>\Desktop\user.cer
Extract the Private Key from a Certificate
$pw = ConvertTo-SecureString "password123" -AsPlainText -Force
$certificate = Get-ChildItem -Path cert:\CurrentUser\My\<thumbprint>
Export-PfxCertificate -Cert $certificate -FilePath user.pfx -Password $pw