GhostPack · fbogner · Jun 6, 2024
diff --git a/README.md b/README.md
@@ -100,7 +100,7 @@ Rubeus is licensed under the BSD 3-Clause license.
         Retrieve a TGT using a PCKS12 certificate, start a /netonly process, and to apply the ticket to the new process/logon session:
             Rubeus.exe asktgt /user:USER /certificate:C:\temp\leaked.pfx </password:STOREPASSWORD> /createnetonly:C:\Windows\System32\cmd.exe [/getcredentials] [/servicekey:KRBTGTKEY] [/show] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/nowrap] [/proxyurl:https://KDC_PROXY/kdcproxy] [/suppenctype:DES|RC4|AES128|AES256]
 
-        Retrieve a TGT using a certificate from the users keystore (Smartcard) specifying certificate thumbprint or subject, start a /netonly process, and to apply the ticket to the new process/logon session:
+        Retrieve a TGT using a certificate from the users or (if readable) computers keystore (Smartcard) specifying certificate thumbprint or subject, start a /netonly process, and to apply the ticket to the new process/logon session:
             Rubeus.exe asktgt /user:USER /certificate:f063e6f4798af085946be6cd9d82ba3999c7ebac /createnetonly:C:\Windows\System32\cmd.exe [/show] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/suppenctype:DES|RC4|AES128|AES256] [/nowrap]
 
         Retrieve a TGT suitable for changing an account with an expired password using the changepw command

diff --git a/Rubeus/lib/Ask.cs b/Rubeus/lib/Ask.cs
@@ -165,18 +165,12 @@ public static X509Certificate2 FindCertificate(string certificate, string storeP
                 return new X509Certificate2(certificate, storePassword);
             } else {
 
-                X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
-                store.Open(OpenFlags.ReadOnly);
-                X509Certificate2 result = null;
-
-                foreach (var cert in store.Certificates) {
-                    if (string.Equals(certificate, cert.Subject, StringComparison.InvariantCultureIgnoreCase)) {
-                        result = cert;
-                        break;
-                    } else if (string.Equals(certificate, cert.Thumbprint, StringComparison.InvariantCultureIgnoreCase)) {
-                        result = cert;
-                        break;
-                    }
+                // first try to find certificate in user's store
+                X509Certificate2 result = FindCertificateInStore(certificate, StoreLocation.CurrentUser);
+
+                // also search for certificate in computer's store. May be readable if missconfigured.
+                if (result == null ) { 
+                    result = FindCertificateInStore(certificate, StoreLocation.LocalMachine);
                 }
 
                 if (result != null && !String.IsNullOrEmpty(storePassword)) {
@@ -187,6 +181,29 @@ public static X509Certificate2 FindCertificate(string certificate, string storeP
             }
         }
 
+        private static X509Certificate2 FindCertificateInStore(string certificate, StoreLocation location)
+        {
+            X509Store store = new X509Store(StoreName.My, location);
+            store.Open(OpenFlags.ReadOnly);
+            X509Certificate2 result = null;
+
+            foreach (var cert in store.Certificates)
+            {
+                if (string.Equals(certificate, cert.Subject, StringComparison.InvariantCultureIgnoreCase))
+                {
+                    result = cert;
+                    break;
+                }
+                else if (string.Equals(certificate, cert.Thumbprint, StringComparison.InvariantCultureIgnoreCase))
+                {
+                    result = cert;
+                    break;
+                }
+            }
+
+            return result;
+        }
+
         public static byte[] TGT(string userName, string domain, string certFile, string certPass, Interop.KERB_ETYPE etype, string outfile, bool ptt, string domainController = "", LUID luid = new LUID(), bool describe = false, bool verifyCerts = false, string servicekey = "", bool getCredentials = false, string proxyUrl = null, string service = null, bool changepw = false, string principalType="principal") {
             try {
                 X509Certificate2 cert = FindCertificate(certFile, certPass);