Looking Back: Hacking and Defending Windows Public Key Infrastructure (ADCS)

I live at the fringes of the cybersecurity community. I have never attended infosec conferences. There will be a talk on PKI hacking at Blackhat 2021 soon: Top AD offensive security gurus are presenting comprehensive research on abusing ADCS (Active Directory Certificate Services). I only know about that, because I noticed backlinks from their article … Continue reading Looking Back: Hacking and Defending Windows Public Key Infrastructure (ADCS)

Parse Certificates Stored in the Windows Registry

You can parse the binary blobs that represent certificates stored in the Windows registry with certutil correctly, even when the Windows Explorer / GUI tells you that this is not a certificate. certutilĀ seems to be able to handle / ignore meta data better. Once upon a time I played with the machine Ethereal provided by … Continue reading Parse Certificates Stored in the Windows Registry

The RSA Algorithm

You want this: Encrypt a message to somebody else - using information that is publicly available. Somebody else should then be able to decrypt the message, using only information they have; nobody else should be able to read this information. The public key cryptography algorithm RSA does achieve this. This article is my way of … Continue reading The RSA Algorithm

Impersonating a Windows Enterprise Admin with a Certificate: Kerberos PKINIT from Linux

This is about a serious misconfiguration of a Windows Public Key Infrastructure integrated with Active Directory: If you can edit certificate templates, you can impersonate the Active Directory Forests's Enterprise Administrator by logging on with a client certificate. You have a persistent credential that will also survive the reset of this admin's password. In the … Continue reading Impersonating a Windows Enterprise Admin with a Certificate: Kerberos PKINIT from Linux

Locating Domain Controllers and Spoofing Active Directory DNS Servers

Last year, hackthebox let me test something I have always found fascinating - and scary: You can impersonate any user in a Windows Active Directory Forest if you have control over the certificate templates of an AD-integrated Windows Public Key Infrastructure: Add extended key usages for smartcard logon to the template, enroll for the certificate, … Continue reading Locating Domain Controllers and Spoofing Active Directory DNS Servers

Helpline @ hackthebox: Injecting an EFS Recovery Agent to Read Encrypted Files

Another great machine has been retired on hackthebox.eu - Helpline by @egre55! Here is my 'silly' unintended way to root the box: You can get both the encrypted user and root flag via the cumbersome web RCE alone - if you wait for a legit user to just look at the file. This is unlikely … Continue reading Helpline @ hackthebox: Injecting an EFS Recovery Agent to Read Encrypted Files

Sizzle @ hackthebox – Unintended: Getting a Logon Smartcard for the Domain Admin!

My writeup - how to pwn my favorite box on hackthebox.eu, using a (supposedly) unintended path. Sizzle - created by @mrb3n813 and @lkys37en - was the first box on HTB that had my favorite Windows Server Role - the Windows Public Key Infrastructure / Certification Authority. This CA allows a low-privileged user - amanda - … Continue reading Sizzle @ hackthebox – Unintended: Getting a Logon Smartcard for the Domain Admin!

Simple Ping Sweep, Port Scan, and Getting Output from Blind Remote Command Execution

Just dumping some quick and dirty one-liners! These are commands I had used to explore locked-down Windows and Linux machines, using bash or powershell when no other binaries were available or could be transferred to the boxes easily. Trying to ping all hosts in a subnet Linux for i in $(seq 1 254); do host=192.168.0.$i; … Continue reading Simple Ping Sweep, Port Scan, and Getting Output from Blind Remote Command Execution

Echo Unreadable Hex Characters in Windows: forfiles

How to transfer small files to a locked-down Windows machine? When there is no option to copy, ftp, or http GET a file. When powershell is blocked so that you can only use Windows cmd commands? My first choice would be to use certutil: certutil is a built-in tool for certificate and PKI management. It … Continue reading Echo Unreadable Hex Characters in Windows: forfiles

Ethereal @ hackthebox: Certificate-Related Rabbit Holes

This post is related to the 'insanely' difficult hackthebox machine Ethereal (created by egre55 and MinatoTW) that was recently retired. Beware - It is not at all a full comprehensive write-up! I zoom in on openssl, X.509 certificates, signing stuff, and related unnecessary rabbit holes that were particularly interesting to me - as somebody who … Continue reading Ethereal @ hackthebox: Certificate-Related Rabbit Holes