AD CS (Active Directory Certificate Services) Pentesting

AD CS is Public Key Infrastructure (PKI) implementation. The misconfiguration of certificate templates can be vulnerable to privilege escalation.

- [kerberos-abuse](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-misconfigured-certificate-template-to-domain-admin)
- [adcs-privesc-certificate-templates](https://0xalwayslucky.gitbook.io/cybersecstack/active-directory/adcs-privesc-certificate-templates)

Enumeration

We can retrieve certificates information on target Windows machine using certutil.

# Dump general information
certutil -dump

# Dump information about certificate authority
certutil -ca
certutil -catemplates

# List all templates
certutil -template
# specify the template
certutil -template ExampleTemplate

Then check if Allow Full Control or Allow Write include the group which current user belongs to. If so, we can modify the template and might be able to escalate privilege.

Existing Certificates

Get-ChildItem cert:\
Get-ChildItem cert:\CurrentUser\
Get-ChildItem cert:\CurrentUser\My
Get-ChildItem cert:\LocalMachine\
Get-ChildItem cert:\LocalMachine\My

Extract Certificates

$cert = Get-ChildItem -Path cert:\CurrentUser\My\<thumbprint>
Export-Certificate -Cert $cert -FilePath c:\Users\<username>\Desktop\user.cer

Extract the Private Key from a Certificate

$pw = ConvertTo-SecureString "password123" -AsPlainText -Force
$certificate = Get-ChildItem -Path cert:\CurrentUser\My\<thumbprint>
Export-PfxCertificate -Cert $certificate -FilePath user.pfx -Password $pw