Basics

ADCS | PrivEsc to Domain Admin

tools

Reconnaissance & Enumeration

certipy find -u [email protected] -p 'horse' -dc-ip 192.168.56.12

This queries the certificate server and dumps all the information needed in three formats:

  • bloodhound: a zip ready to import into BloodHound (with Certipy 4.0 you have to install the BloodHound GUI modified by Oliver Lyak; if you do not want to use the modified version, you must use the -old-bloodhound option)

  • json: the same information in JSON format

  • txt: the same information as plain text

Find vulnerable templates:

certipy find -u [email protected] -p 'horse' -vulnerable -dc-ip 192.168.56.12 -stdout
