In this week’s Tuesday TOOLSday I show how to attack ADCS ESC3 when you can’t do a standard authentication with an impersonated .pfx file (I raised a Certipy issue here about this), and instead need to pass the cert with PassTheCert.
I got the details on the modified attack from 0xdf’s blog as well as this post. Essentially you end up extracting the .crt and .key from the .pfx, and then use PassTheCert to pop an LDAP shell to a DC and add yourself to the domain admins group. Absolutely delicious pentesting pwnage fun!
Have a great week,
Brian