certify request not working with ptt/pth #27

Open
NickYan7 opened this issue Jan 31, 2023 · 4 comments

Comments

@NickYan7

Awesome project! Hope the following issue can be fixed:

Similar to #13, it seems that the user context cannot be changed and is always the current user (no relevant parameters supplied), which means we can't request a certificate with an obtained NTLM hash or TGT.

Tested on a domain-joined machine: I've tried pth with mimikatz and createnetonly with Rubeus, and neither of them worked.

However, runas /netonly /user:domain\user cmd can do certify request successfully (assuming I've obtained the plaintext password of the victim).

Please check this, thanks a lot.

@xchg-rax-rax

Looks to me that this is a problem in the way the API CertEnroll::CX509CertificateRequestPkcs10::InitializeFromPrivateKey synthesizes the X509 request; it seems fundamentally incompatible with user impersonation of any kind.

The only way that I can see around this issue would be to manually construct the certificate request and associated private key using openssl or similar and then pass it into the application. Although that functionality is currently not present in Certify and would need to be added.

@b4cktr4ck2

b4cktr4ck2 commented Feb 22, 2023

> Looks to me that this is a problem in the way the API CertEnroll::CX509CertificateRequestPkcs10::InitializeFromPrivateKey synthesizes the X509 request; it seems fundamentally incompatible with user impersonation of any kind.
>
> The only way that I can see around this issue would be to manually construct the certificate request and associated private key using openssl or similar and then pass it into the application. Although that functionality is currently not present in Certify and would need to be added.

Do you happen to have the OpenSSL commands for this? It's an evasion tactic too. I've been trying to get this working with certreq/certutil, and have gotten certain commands working within a domain user context, but not too familiar with OpenSSL.

From my understanding it would be:

- Create a new request and build a .req
- Submit a .cer from the .req to the Certificate Authority.
- Import the .cert into the machine with certreq -accept "file.cer"
- Note the Thumbprint of the installed cert.
- Run certutil -user -p "123456" -exportpfx My $THUMBPRINT C:\temp\cert.pfx "nochain"
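
For defenders, the certreq/certutil sequence listed in the comment above shows up in process-creation logging. The following is an added example, not part of the thread or of Certify: it correlates command-line records per user and reports each -exportpfx together with the certreq steps that preceded it. The event tuple layout, the user names, the placeholder values and the 15-minute window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Stage name -> pattern. certreq/certutil accept options as -opt or /opt.
STAGES = {
    "new": re.compile(r"\bcertreq(\.exe)?\b.*\s[-/]new\b", re.I),
    "submit": re.compile(r"\bcertreq(\.exe)?\b.*\s[-/]submit\b", re.I),
    "accept": re.compile(r"\bcertreq(\.exe)?\b.*\s[-/]accept\b", re.I),
    "export": re.compile(r"\bcertutil(\.exe)?\b.*\s[-/]exportpfx\b", re.I),
}

# Constructed sample records (timestamp, user, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("2023-02-22T10:00:05", r"CORP\alice", "certreq -new request.inf request.req"),
    ("2023-02-22T10:00:40", r"CORP\alice", "certreq -submit request.req file.cer"),
    ("2023-02-22T10:01:10", r"CORP\alice", 'certreq -accept "file.cer"'),
    ("2023-02-22T10:01:30", r"CORP\alice",
     r'certutil -user -p "<redacted>" -exportpfx My <thumbprint> C:\temp\cert.pfx "nochain"'),
    ("2023-02-22T11:00:00", r"CORP\bob", "certutil -hashfile setup.exe SHA256"),
    ("2023-02-22T12:00:00", r"CORP\carol", "certreq.exe /accept issued.cer"),
    ("2023-02-22T13:00:00", r"CORP\dave", "certutil.exe -exportpfx My <thumbprint> out.pfx"),
]

def classify(cmdline):
    """Map a command line to one of the STAGES keys, or None if unrelated."""
    for stage, pattern in STAGES.items():
        if pattern.search(cmdline):
            return stage
    return None

def find_pfx_exports(events, window=timedelta(minutes=15)):
    """Return (user, export_time, prior_stages) for each -exportpfx, where
    prior_stages are the certreq steps that user ran within `window` before it."""
    history = {}  # user -> [(datetime, stage), ...]
    alerts = []
    for ts, user, cmdline in sorted(events):
        stage = classify(cmdline)
        if stage is None:
            continue
        when = datetime.fromisoformat(ts)
        seen = history.setdefault(user, [])
        if stage == "export":
            alerts.append((user, ts, [s for t, s in seen if when - t <= window]))
        else:
            seen.append((when, stage))
    return alerts

if __name__ == "__main__":
    for user, ts, prior in find_pfx_exports(SAMPLE_EVENTS):
        print(ts, user, "export after", prior or "no certreq activity")
```

An export preceded by the full new/submit/accept chain from the same user is the pattern the comment describes; an export with no prior certreq activity is still worth reviewing, since the certificate may have been enrolled another way.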

@b4cktr4ck2

Dunno if it helps but I wrote up a way to get the PFX using only Windows binaries here: https://gist.github.com/b4cktr4ck2/95a9b908e57460d9958e8238f85ef8ee

@GonZ0s

GonZ0s commented Apr 14, 2023

> Dunno if it helps but I wrote up a way to get the PFX using only Windows binaries here: https://gist.github.com/b4cktr4ck2/95a9b908e57460d9958e8238f85ef8ee

I tried your script, but received an error to use "common name" and not "friendly name". There is only one name in certify output... "template name". Can you explain?
