modifyCertTemplate: modifying ADCS certificate templates and enumerating ACL

modifyCertTemplate

This tool is designed to aid an operator in modifying ADCS certificate templates so that a created vulnerable state can be leveraged for privilege escalation (and then reset the template to its previous state afterward). This is specifically designed for a scenario where WriteProperty rights over a template have been compromised, but the operator is unsure which properties the right applies to. In this scenario, the template’s ACL can be queried and the applicable ACE information can be cross-referenced with property GUIDs to determine the modifiable properties.

Associated blog post on the tool and topic.

Download

git clone https://github.com/fortalice/modifyCertTemplate.git

Use

Examples

Querying a Template or Property Value

Query a certificate template (all attributes)

Query a single attribute from a certificate template

Query the raw values of all template attributes

Querying ACL Info

Query the ACL for a certificate template

Although unrelated to certificate templates, any object’s ACL can be queried by providing the object’s distinguished name

Modifying a Template

Add the ENROLLEE_SUPPLIES_SUBJECT  flag to the template’s msPKI-Certificate-Name-Flag property

Update the value of a certificate template attribute (non-list properties)

Add an EKU to the pKIExtendedKeyUsage property

Update the value of a list-formatted attribute (i.e. explicitly set the value ofpKIExtendedKeyUsage)

python3 modifyCertTemplate.py -template KerberosAuthentication -value “‘1.3.6.1.5.5.7.3.4’, ‘1.3.6.1.5.5.7.3.2’” -property pKIExtendedKeyUsage ez.lab/administrator:pass

Source: https://github.com/fortalice/