Conversation


@Kudaes Kudaes commented Jan 26, 2022

Two new commands have been added in order to replicate PSPKI functionalities to perform the ESC7 attack:

  • setconfig: It allows abusing the ManageCA permission to both enable EDITF_ATTRIBUTESUBJECTALTNAME2 and disable REQDISP_PENDINGFIRST. This command has an optional flag "/restart" to remotely restart the CertSvc service in order to apply the setting changes.

  • issue: It allows abusing ManageCertificates to issue a pending-approval certificate.

Added the required functionality to abuse ManageCA and ManageCertificate rights.
Two new commands have been added:

- coerceauth: It will abuse the CDP extension to coerce the CA server to perform an authentication attempt to a remote server.
- writefile: It will abuse the CDP extension to write an arbitrary file to a local or remote path. The CA server must have write permission over the remote share. The most useful use case for this functionality is to obtain a web shell, but it could also be used to perform arbitrary file overwrite/others.
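As an added, defender-side illustration (this is not code from the Certify PR or the Certify project): a PowerShell audit script, run locally on the CA host, that reads the same three settings the commands above manipulate (EditFlags, RequestDisposition and the CRL publication list) and reports the states that a ManageCA holder would leave behind. The registry paths and the two flag constants are the documented CertSvc ones; the policy-module key name assumes the default Microsoft policy module, and the UNC-path check is a heuristic, not a definitive test.

```powershell
# Added example, not part of the Certify PR. Audits a CA for the settings that the
# setconfig / writefile / coerceauth commands change. Run on the CA as local admin.
# Assumptions: default policy module (CertificateAuthority_MicrosoftDefault.Policy).

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000   # SAN may be supplied via request attributes
$REQDISP_PENDINGFIRST           = 0x100     # new requests are parked as pending first

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$caKey  = Join-Path $base $caName
$polKey = Join-Path $caKey 'PolicyModules\CertificateAuthority_MicrosoftDefault.Policy'

$pol       = Get-ItemProperty -Path $polKey
$editFlags = [int]$pol.EditFlags
$reqDisp   = [int]$pol.RequestDisposition

$findings = @()

# setconfig's first effect: EDITF_ATTRIBUTESUBJECTALTNAME2 set in EditFlags.
if ($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) {
    $findings += ("EDITF_ATTRIBUTESUBJECTALTNAME2 is set (EditFlags=0x{0:X})" -f $editFlags)
}

# setconfig's second effect: REQDISP_PENDINGFIRST cleared, so requests are issued
# immediately instead of waiting for a manager's approval.
if (-not ($reqDisp -band $REQDISP_PENDINGFIRST)) {
    $findings += ("REQDISP_PENDINGFIRST is cleared (RequestDisposition=0x{0:X}); requests are auto-issued" -f $reqDisp)
}

# writefile / coerceauth rely on a CRL publication entry that points the CA at a
# remote path. Entries look like "<flags>:<url>"; flag bit 1 means the CA itself
# publishes to that location. Flag any such entry whose target is a UNC path.
$cdp = (Get-ItemProperty -Path $caKey -Name CRLPublicationURLs).CRLPublicationURLs
foreach ($entry in $cdp) {
    if ($entry -match '^(\d+):(.*)$') {
        $flags  = [int]$Matches[1]
        $target = $Matches[2]
        if (($flags -band 1) -and ($target -match '\\\\')) {
            $findings += ("CA publishes CRLs to a remote path: {0}" -f $entry)
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output ("CA '{0}': no ESC7-style configuration changes detected." -f $caName)
} else {
    Write-Output ("CA '{0}': {1} finding(s)" -f $caName, $findings.Count)
    $findings | ForEach-Object { Write-Output ("  - " + $_) }
}
```

Because the PR notes that setconfig restarts CertSvc to apply the change, the same review is worth repeating after any unexpected CertSvc restart; the registry values are what persist, so this script reads them directly rather than going through certutil.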
@leechristensen (Member)

Hi @Kudaes! First of all, awesome work on this and thanks for the PR!

One question: does this work without the RSAT tools being installed (specifically the Active Directory Certificate Services Tools)? One of our goals was for this to run from a base Win10 OS which typically does not have the RSAT tools installed.

Now it is possible to get the current CDP list without performing any change in the CA's configuration. Useful to retrieve remote writable shares before uploading a shell.

Kudaes commented Feb 11, 2022

Hi @leechristensen, thanks for the kind words!

First of all, just to let you know that we have added two new commands to abuse ManageCA permission:

  • coerceauth: It will abuse the CDP extension to coerce the CA server to perform an authentication attempt to a remote server.
  • writefile: It will abuse the CDP extension to write an arbitrary file to a local or remote path. The CA server must have write permission over the remote share. The most useful use case for this functionality is to obtain a webshell, but it could also be used to perform arbitrary file overwrite/others.

Answering your question, all of these features require some DCOM methods that are not installed by default, therefore ADCS RSAT tools are mandatory. We understand what you say about the tool's main goals, but we didn't find any other way of developing these features. Thus, we understand that this could be enough reason to reject the PR ^^.

Let me know if there is any other information that I can provide you with.


CaledoniaProject commented May 15, 2022

@Kudaes Which part of the code references the RSAT library?


Kudaes commented May 16, 2022

@CaledoniaProject Mostly the functions added in the file ModifyConfigEntry.cs. Anywhere you see the use of the interface ICertAdmin2 means that we are using the DCOM functionality contained in the library certadm.dll. You could try to register this DLL manually using regsvr32, but the only way that I've gotten it to work is by installing RSAT.


Kudaes commented May 16, 2022

Hi @leechristensen, any updates regarding this PR?

@leechristensen (Member)

Hey @Kudaes, sorry for the delayed response on this. For now, we're not going to include this due to the dependency on the RSAT tools. If you can think of a way to support Certify running while not having them installed on the machine, we'd be happy to include it.

Awesome research nonetheless and thanks for taking the time to make these contributions!
