New World Samurai Exploits

Threat Informed

Misconfigured Active Directory Certificate Subject Alternative Name Permissions Lead to Complete Domain Takeover.

A misconfigured ADCS template allows any low-privileged user to enroll a new certificate in the domain using the template ‘SCOMCertTemplate’ and specify an arbitrary Subject Alternative Name. The resulting certificate can be used to request a TGT for an impersonated user, such as a member of the Domain Admins group.

PoC Video

Lab Setup

The Active Directory lab contains two machines:

Note: The build scripts are under Resources at the bottom of this page if you wish to recreate this lab.

Walkthrough

From ADWS.hqdomain.local, issuing the certutil.exe command identifies ADDC.hqdomain.local as the ADCS certificate authority.

Here we use Certify to find certificate templates with misconfigurations that our current user ‘reed’ can exploit. We find that ‘SCOMCertTemplate’ has the ‘ENROLLEE_SUPPLIES_SUBJECT’ flag set and grants enrollment privileges to NT AUTHORITY\Authenticated Users.

Let's check who is in the Domain Admins group so we can specify that user in the Subject Alternative Name.

Use Certify to request a certificate from the CA with the Subject Alternative Name ‘asmith’.

Copy the entire output of the RSA private key and certificate over to the attack box and save it to a .pem file. Use openssl to convert it to a .pfx like so. Note: Just leave the password blank by hitting Enter twice.

Back on the ADWS.hqdomain.local machine, we transfer the converted .pfx file over and use it with Rubeus to request a TGT, with the /ptt flag set to pass the ticket into the current session.

We now have a TGT for user asmith and can confirm it with the klist command. With this we use mimikatz on adws.hqdomain.local to perform a DCSync and pull the NTLM hash of the hqdomain\krbtgt account, giving us the last ingredient needed to make a Golden Ticket.

We now have everything needed to create a Golden Ticket.

Anything can be used as the user name, however it is best if it is not a real domain user. Here we use pwnadmin and set the ID to 500, since 500 is the RID of the built-in Administrator account.

Use PsExec to remotely execute processes on the domain controller and promote our current user reed to Domain Admin.

Resources

If you would like to set up and complete this lab, the .OVA files can be obtained from my Dropbox share. Just import the two OVA files into VirtualBox.

Remediation

Audit ADCS certificate templates for misconfigurations. If the ENROLLEE_SUPPLIES_SUBJECT flag must be set for the environment, then remove Authenticated Users from the template's Enrollment Rights so that only the intended principals can request a certificate with a self-chosen subject.
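As an added example of such an audit (not part of the original post), the PowerShell below lists every template that has ENROLLEE_SUPPLIES_SUBJECT set and whose ACL grants Enroll or full control to a broad group such as Authenticated Users. It assumes the ActiveDirectory RSAT module is installed and that the set of "broad" principals in $BroadSids is adjusted for your environment.

```powershell
# Added audit example (not from the original post): find ADCS templates where the enrollee
# supplies the subject AND a broad group can enroll, the combination abused in this walkthrough.
# Assumes the ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

$EnrolleeSuppliesSubject   = 0x00000001   # bit in msPKI-Certificate-Name-Flag
$CertificateEnrollmentGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$AllRightsGuid             = [guid]'00000000-0000-0000-0000-000000000000'  # ACE not scoped to one right
# Assumed list of broad principals; extend with any wide group used in your domain.
$BroadSids = @('S-1-5-11',      # NT AUTHORITY\Authenticated Users
               'S-1-1-0',       # Everyone
               'S-1-5-32-545')  # BUILTIN\Users

$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$templates = Get-ADObject -SearchBase $templateBase `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor

$findings = foreach ($t in $templates) {
    $flags = [int]$t.'msPKI-Certificate-Name-Flag'
    if (($flags -band $EnrolleeSuppliesSubject) -eq 0) { continue }   # subject built by AD: not this issue

    foreach ($ace in $t.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights   = [int]$ace.ActiveDirectoryRights
        # Enroll is an extended right; GenericAll also lets the holder enroll (or grant it to others).
        $isEnroll = (($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
                    ($ace.ObjectType -eq $CertificateEnrollmentGuid -or $ace.ObjectType -eq $AllRightsGuid)
        $isFull   = ($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0
        if (-not ($isEnroll -or $isFull)) { continue }

        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # unresolvable identity: report the raw value
        if ($BroadSids -notcontains $sid -and $sid -notlike '*-513') { continue }   # RID 513 = Domain Users

        [pscustomobject]@{
            Template  = $t.Name
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
        }
    }
}

$findings | Sort-Object Template | Format-Table -AutoSize
```

Each row is a template to fix by clearing the flag or removing that principal from Enrollment Rights; in the lab above, ‘SCOMCertTemplate’ with NT AUTHORITY\Authenticated Users would be reported.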

author: Jeff Griggs