Basics

ADCS | PrivEsc to Domain Admin

certipy find -u khal.drogo@essos.local -p 'horse' -dc-ip 192.168.56.12

This will search the certificate server, and dump all the information needed in three format :

bloodhound : a zip ready to import in bloodhound (if you use certipy 4.0 you will have to install the bloodhound gui modified by oliver lyak, if you do not want to use the modified version, you must use the -old-bloodhound option)
json : information json formated
txt : a textual format

Find vulnerable templates :

certipy find -u khal.drogo@essos.local -p 'horse' -vulnerable -dc-ip 192.168.56.12 -stdout

Last updated 1 year ago