Vulnerable AD Test Lab

These are some notes describing how to build a deliberately vulnerable Active Directory test lab to test some well-known misconfigurations or exploits. I might expand on this later…

ℹ️ This is nothing new; most of this stuff can be easily found on the Internet. This is just for my own reference. Please excuse my brevity.

This article assumes a Windows Server 2022 system (VM), and a non-domain-joined Linux system (VM) with pentesting tools such as impacket and certipy. ...

November 16, 2025 · 8 min

Exploiting AD CS Misconfigurations

These are some scribbles if I ever need to look up how to exploit AD CS misconfigurations, such as ESC1. I might expand on this later…

ℹ️ This is nothing new; most of this stuff can be easily found on the Internet. This is just for my own reference. Please excuse my brevity.

Environment

For this article, we’re assuming the following environment (change accordingly):

    user $ echo $SHELL
    /usr/bin/fish
    user $ which certipy # https://github.com/ly4k/Certipy
    /usr/bin/certipy
    user $ which ldapsearch
    /usr/bin/ldapsearch
    user $ which smbclient.py # https://github.com/fortra/impacket
    /usr/bin/smbclient.py
    user $ which ewp # https://github.com/adityatelange/evil-winrm-py
    /usr/bin/ewp
    user $ which nxc # https://github.com/Pennyw0rth/NetExec
    /usr/bin/nxc
    user $ set win_domain corp.local
    user $ set dc_fqdn dc01.{$win_domain}
    user $ set dc_ip (dig +short dc01.corp.local)
    user $ set ca_fqdn ca01.{$win_domain}
    user $ set ca_ip (dig +short ca01.corp.local)
    user $ set ca_name CORPROOTCA
    user $ set esc1_template_name CorpAuth
    user $ set regular_user_account gijsbert
    user $ set privileged_user_account wilbert...

October 9, 2024 · 5 min