Merge remote-tracking branch 'upstream/master'

CERTCC · Feb 6, 2025 · 393f6fb · 393f6fb
2 parents d45b7b5 + cddfb49
commit 393f6fb
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 7 deletions.
diff --git a/.github/workflows/weekly-data-and-external-tool-updater.yml b/.github/workflows/weekly-data-and-external-tool-updater.yml
@@ -26,6 +26,8 @@ jobs:
   update-data-files:
     runs-on: ubuntu-latest
 
+    if: github.repository_owner == 'rapid7'
+
     env:
       BUNDLE_WITHOUT: "coverage development pcap"
 
@@ -93,4 +95,4 @@ jobs:
             - [ ] `run`
             - [ ] **Verify** it runs w/o erroring
             - [ ] `set method disk`
-            - [ ] **Verify** it runs w/o erroring
+            - [ ] **Verify** it runs w/o erroring
diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
@@ -6802,7 +6802,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2025-01-28 17:20:10 +0000",
+    "mod_time": "2025-01-30 17:27:49 +0000",
     "path": "/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb",
     "is_install_path": true,
     "ref_name": "admin/ldap/ad_cs_cert_template",

diff --git a/lib/msf/base/sessions/command_shell.rb b/lib/msf/base/sessions/command_shell.rb
@@ -202,6 +202,8 @@ def cmd_help(*args)
       tbl << [key, value]
     end
 
+    tbl << ['.<command>', "Prefix any built-in command on this list with a '.' to execute in the underlying shell (ex: .help)"]
+
     print(tbl.to_s)
     print("For more info on a specific command, use %grn<command> -h%clr or %grnhelp <command>%clr.\n\n")
   end
@@ -607,8 +609,13 @@ def run_single(cmd)
     end
 
     # Built-in command
-    if commands.key?(method)
-      return run_builtin_cmd(method, arguments)
+    if commands.key?(method) or ( not method.nil? and method[0] == '.' and commands.key?(method[1..-1]))
+      # Handle overlapping built-ins with actual shell commands by prepending '.'
+      if method[0] == '.' and commands.key?(method[1..-1])
+        return shell_write(cmd[1..-1] + command_termination)
+      else
+        return run_builtin_cmd(method, arguments)
+      end
     end
 
     # User input is not a built-in command, write to socket directly

diff --git a/lib/rex/proto/ms_crtd.rb b/lib/rex/proto/ms_crtd.rb
@@ -5,13 +5,26 @@ module Rex::Proto
   module MsCrtd
     # see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/4c6950e4-1dc2-4ae3-98c3-b8919bb73822
 
+    # [2.4 flags Attribute](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/6cc7eb79-3e84-477a-b398-b0ff2b68a6c0)
+    CT_FLAG_AUTO_ENROLLMENT = 0x00000020
+    CT_FLAG_MACHINE_TYPE = 0x00000040
+    CT_FLAG_IS_CA = 0x00000080
+    CT_FLAG_ADD_TEMPLATE_NAME = 0x00000200
+    CT_FLAG_IS_CROSS_CA = 0x00000800
+    CT_FLAG_IS_DEFAULT = 0x00010000
+    CT_FLAG_IS_MODIFIED = 0x00020000
+    CT_FLAG_DONOTPERSISTINDB = 0x00001000
+    CT_FLAG_ADD_EMAIL = 0x00000002
+    CT_FLAG_PUBLISH_TO_DS = 0x00000008
+    CT_FLAG_EXPORTABLE_KEY = 0x00000010
+
     # [2.26 msPKI-Enrollment-Flag Attribute](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/ec71fd43-61c2-407b-83c9-b52272dec8a1)
     CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS = 0x00000001
     CT_FLAG_PEND_ALL_REQUESTS = 0x00000002
     CT_FLAG_PUBLISH_TO_KRA_CONTAINER = 0x00000004
-    CT_FLAG_PUBLISH_TO_DS = 0x00000008
+    #CT_FLAG_PUBLISH_TO_DS = 0x00000008
     CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE = 0x00000010
-    CT_FLAG_AUTO_ENROLLMENT = 0x00000020
+    #CT_FLAG_AUTO_ENROLLMENT = 0x00000020
     CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT = 0x00000040
     CT_FLAG_USER_INTERACTION_REQUIRED = 0x00000100
     CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE = 0x00000400
@@ -26,7 +39,7 @@ module MsCrtd
 
     # [2.27 msPKI-Private-Key-Flag Attribute](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/f6122d87-b999-4b92-bff8-f465e8949667)
     CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x00000001
-    CT_FLAG_EXPORTABLE_KEY = 0x00000010
+    #CT_FLAG_EXPORTABLE_KEY = 0x00000010
     CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED = 0x00000020
     CT_FLAG_REQUIRE_ALTERNATE_SIGNATURE_ALGORITHM = 0x00000040
     CT_FLAG_REQUIRE_SAME_KEY_RENEWAL = 0x00000080

diff --git a/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb b/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb
@@ -346,6 +346,29 @@ def action_read
       print_status("  objectGUID:        #{object_guid}")
     end
 
+    pki_flag = obj['flags']&.first
+    if pki_flag.present?
+      pki_flag = [obj['flags'].first.to_i].pack('l').unpack1('L')
+      print_status("  flags: 0x#{pki_flag.to_s(16).rjust(8, '0')}")
+      %w[
+        CT_FLAG_AUTO_ENROLLMENT
+        CT_FLAG_MACHINE_TYPE
+        CT_FLAG_IS_CA
+        CT_FLAG_ADD_TEMPLATE_NAME
+        CT_FLAG_IS_CROSS_CA
+        CT_FLAG_IS_DEFAULT
+        CT_FLAG_IS_MODIFIED
+        CT_FLAG_DONOTPERSISTINDB
+        CT_FLAG_ADD_EMAIL
+        CT_FLAG_PUBLISH_TO_DS
+        CT_FLAG_EXPORTABLE_KEY
+      ].each do |flag_name|
+        if pki_flag & Rex::Proto::MsCrtd.const_get(flag_name) != 0
+          print_status("     * #{flag_name}")
+        end
+      end
+    end
+
     pki_flag = obj['mspki-certificate-name-flag']&.first
     if pki_flag.present?
       pki_flag = [obj['mspki-certificate-name-flag'].first.to_i].pack('l').unpack1('L')
@@ -481,6 +504,10 @@ def action_read
       print_status("  pKIMaxIssuingDepth: #{obj['pkimaxissuingdepth'].first.to_i}")
     end
 
+    if obj['showinadvancedviewonly'].present?
+      print_status("  showInAdvancedViewOnly: #{obj['showinadvancedviewonly'].first}")
+    end
+
     { object: obj, file: stored }
   end