`certify request` not working with ptt/pth
Awesome project! Hope following issue can be fixed:
Similar to https://github.com/GhostPack/Certify/issues/13, it seems that the user context cannot be changed and is always the current user (no relevant parameters are supplied), which means we can't request a certificate with an obtained NTLM hash or TGT.
Tested on a domain-joined machine; I've tried PTH with mimikatz and createnetonly with Rubeus, but neither of them worked.
However, `runas /netonly /user:domain\user cmd` can run `certify request` successfully (assuming I've obtained the plaintext password of the victim).
Please check this, thanks a lot.
Looks to me that this is a problem in the way the API `CertEnroll::CX509CertificateRequestPkcs10::InitializeFromPrivateKey` synthesizes the X509 request; it seems fundamentally incompatible with user impersonation of any kind.
The only way that I can see around this issue would be to manually construct the certificate request and associated private key using openssl or similar and then pass it into the application, although that functionality is currently not present in Certify and would need to be added.
Do you happen to have the OpenSSL commands for this? It's an evasion tactic too. I've been trying to get this working with certreq/certutil, and have gotten certain commands working within a domain user context, but I'm not too familiar with OpenSSL.
From my understanding it would be:
- Create a new request and build a .req
- Submit the .req to the Certificate Authority and obtain a .cer
- Import the .cer into the machine with `certreq -accept "file.cer"`
- Note the thumbprint of the installed cert
- Run `certutil -user -p "123456" -exportpfx My $THUMBPRINT C:\temp\cert.pfx "nochain"`
Dunno if it helps but I wrote up a way to get the PFX using only Windows binaries here: https://gist.github.com/b4cktr4ck2/95a9b908e57460d9958e8238f85ef8ee
I tried your script, but received an error to use "common name" and not "friendly name". There is only one name in the Certify output... "template name". Can you explain?