2025-02-13

Curious case of AD CS ESC15 vulnerable instance and its manual exploitation

Pranaam to all 🙏

In this blog post we are going to explore how to manually exploit an AD CS ESC15-vulnerable instance when the Domain Users group has the enrollment right on the WebServer template.

Outline

During an assessment, I was talking to Dominic sir and he mentioned the AD CS ESC15 vulnerability discovered by the TrustedSec team.

In an internal infrastructure pentest, my colleague and I noticed a WebServer template which was vulnerable to ESC15, but in our case the following were the challenges:

👉 Instead of "Domain Computers", the "Domain Users" AD group had the enrollment right on the WebServer template. Because of this, the WebServer template was not visible in the Windows Certificate Enrollment wizard.

👉 The AD CS RPC endpoint was firewalled from the consultant machine.

👉 The AD CS web enrollment interface was not enabled.

The current setup shows that the Domain Users group has the enrollment right for the WebServer certificate template. However, another Windows host shows that a Domain User cannot make a certificate request using the WebServer template:
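The precondition behind this setup (a schema-version-1 template that lets the enrollee supply the subject, published on a CA and enrollable by a broad group such as Domain Users) is something a defender can audit directly in the Configuration partition. The following PowerShell is added here as an example and is not part of the original post; it assumes the ActiveDirectory RSAT module, read access to the Configuration naming context, and the well-known GUID of the Certificate-Enrollment extended right. Template names (such as WebServer) are read from the directory, not hard-coded.

```powershell
# Added example (not from the original post): audit certificate templates for the
# ESC15 preconditions: schema version 1, enrollee supplies subject/SAN, published on a
# CA, and enrollable by Authenticated Users / Domain Users / Domain Computers.
# Assumes the ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$pkiBase    = "CN=Public Key Services,CN=Services,$configNC"
$enrollGuid = '0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$rights     = [System.DirectoryServices.ActiveDirectoryRights]

# Broad principals whose enrollment right turns a v1 enrollee-supplies-subject template into a problem
$domainSid = (Get-ADDomain).DomainSID.Value
$broadSids = @('S-1-5-11', "$domainSid-513", "$domainSid-515")   # Authenticated Users, Domain Users, Domain Computers

# Templates that are actually published on at least one enrollment service (CA)
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates }

$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties msPKI-Template-Schema-Version, msPKI-Certificate-Name-Flag, nTSecurityDescriptor

foreach ($t in $templates) {
    $schemaV1        = $t.'msPKI-Template-Schema-Version' -eq 1
    # 0x1 = CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: the requester controls subject and SAN
    $enrolleeSubject = ($t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0
    if (-not ($schemaV1 -and $enrolleeSubject)) { continue }

    # Collect SIDs that hold the Enroll extended right (or GenericAll, which implies it)
    $enrollers = foreach ($ace in $t.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $isEnroll = $ace.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
                    ($ace.ObjectType -eq $enrollGuid -or $ace.ObjectType -eq [guid]::Empty)
        $isFull   = $ace.ActiveDirectoryRights.HasFlag($rights::GenericAll)
        if ($isEnroll -or $isFull) {
            try   { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $ace.IdentityReference.Value }   # unresolvable trustee: keep whatever we have
        }
    }
    $broad = $enrollers | Where-Object { $broadSids -contains $_ } | Sort-Object -Unique

    [pscustomobject]@{
        Template        = $t.Name
        Published       = [bool]($published -contains $t.Name)
        BroadEnrollment = ($broad | ForEach-Object {
            (New-Object System.Security.Principal.SecurityIdentifier $_).Translate([System.Security.Principal.NTAccount]).Value
        }) -join ', '
    }
}
```

Rows with Published set to True and a non-empty BroadEnrollment column describe exactly the situation in this post: a v1 template with enrollee-supplied subject that a plain domain account can enroll in, regardless of whether the enrollment wizard shows it. Note that the wizard's visibility is not a control; the template ACL and the CA's published list are what matter.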



Manual exploitation🤘😎🤘

To exploit it, I decided to create and submit a certificate request using the Windows certreq binary. To do so, we need an INF file (download it from here) containing all the necessary information, such as:

  • Subject name (line no. 5)
  • Alt Name (line no. 27)
        and
  • Client Authentication attribute set under the Application Policies extension (already configured)

After configuring the parameters in the INF file, let's proceed with the exploitation steps.

Generate a Certificate Signing Request (CSR)
Open Command Prompt/PowerShell and execute the following command to create the CSR file:
When we execute the above command, we will receive a popup. Click the "OK" button to accept it and complete the CSR generation process; clicking the "Cancel" button aborts the process.

Now we have a CSR file, which we have to submit to the AD Certificate Authority.


Submitting the Generated CSR
To find the Certificate Authority (CA) address, execute the following command:
In my case, the CA name is DC01.queen.indishell.lab\queen-DC01-CA

In the command below, specify the CA address (value of the -config argument), the CSR file name (b0x8.csr) and the certificate file name (administrator.cer):

A successful request will return the "Certificate retrieved Issued" message:


Install and Extract the Certificate:
Now, extract the thumbprint of the issued certificate (administrator.cer) that the CA server returned.
Use the following command:



Execute the following command to install the issued certificate into the current user's certificate store:

Upon installation, the issued certificate will be available in the certificate store of the currently logged-in user:

To export this newly installed certificate in PFX format, specify a password of your choice (in my case b0xed@33), the certificate thumbprint which we extracted in the previous step and the output file name for the PFX certificate (in my case administrator.pfx):
The certutil command exported the certificate and its private key in PFX format successfully:


To verify whether the details of the requested certificate, such as the Subject Alternative Name and the attribute of the Application Policies extension, are set correctly, execute the following command to dump the details from the issued certificate:
The output of the command shows that the certificate was requested using the WebServer template, the Client Authentication attribute is set under the Application Policies extension and the Subject Alternative Name is set to administrator:
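The same three facts that the dump above confirms (template name, Client Authentication under Application Policies, and a SAN naming administrator) are what an incident responder looks for when triaging a suspicious certificate. The following PowerShell is added here as an example and is not part of the original post; it parses an issued certificate file with the .NET X509Certificate2 class and flags a SAN that names a different account than the one that submitted the request. The file path and the requester account name are assumptions for illustration (the CA database, or the certificate's own history, is where the real requester name comes from).

```powershell
# Added example (not from the original post): triage an issued certificate file and
# flag an Application Policies / SAN combination that does not belong to the requester.
# $CertPath and $Requester are illustrative assumptions; take the requester from the
# CA database (RequesterName column) when doing this for real.
param(
    [string]$CertPath  = '.\administrator.cer',
    [string]$Requester = 'b0x8'    # account that submitted the CSR, as recorded by the CA
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Microsoft-specific extension OIDs used by AD CS, plus the standard SAN OID
$oidTemplateName = '1.3.6.1.4.1.311.20.2'    # Certificate Template Name (v1 templates carry the name)
$oidAppPolicies  = '1.3.6.1.4.1.311.21.10'   # Application Policies (the extension ESC15 abuses)
$oidSan          = '2.5.29.17'               # Subject Alternative Name

$template = ''; $appPolicies = ''; $san = ''
foreach ($ext in $cert.Extensions) {
    if     ($ext.Oid.Value -eq $oidTemplateName) { $template    = $ext.Format($false) }
    elseif ($ext.Oid.Value -eq $oidAppPolicies)  { $appPolicies = $ext.Format($true)  }
    elseif ($ext.Oid.Value -eq $oidSan)          { $san         = $ext.Format($true)  }
}

# Windows renders a UPN-type SAN as "Other Name: Principal Name=user@domain"
$sanUpn     = if ($san -match 'Principal Name=([^\s,]+)') { $Matches[1] } else { '' }
$sanAccount = ($sanUpn -split '@')[0]

[pscustomobject]@{
    Subject             = $cert.Subject
    Template            = $template
    ClientAuthPolicy    = [bool]($appPolicies -match 'Client Authentication')
    SanUpn              = $sanUpn
    SanMatchesRequester = ($sanAccount -ne '') -and ($sanAccount -ieq $Requester)
}
```

A certificate issued from a server-type template that carries a Client Authentication application policy and a SanMatchesRequester value of False is the pattern this post produces, and is worth revoking and investigating. The check is cheap enough to run across every certificate a CA issued from v1 enrollee-supplies-subject templates.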


To perform further exploitation, use the CertiPy tool or the PassTheCert tool outlined in this blog post.

Special Thanks to:
Dominic sir and Matt Johnson (for their guidance), Alessendro and Konsta bhai ji (for encouraging me to work on the solution of the problem)
Ashwath sir, Vivek sir, Andy sir, Soroush sir and Marcus sir (for being endless supporters 😍)
Amazing MDSec guys: Dima, Marwan, Dylan, Daniil, PWS, Juanma, Filip, Jamie, Rio
Partners in crime: Manoj, Karan, Samarth, Noman, Owais, Sina, Nish, Roshan, Anurag and Vivek bhai ji
❤️Zero cool and Code breaker ICA ❤️
With Love from 
❤️ --==[[ Indishell Crew ]]==-- ❤️


© 2009 Start With Linux | Mannu Linux