Walkthrough of PenTesting Active Directory Certificate Services (AD CS) ESC1 attack. This is a quick and easy way to escalate privileges from a low-level domain user to domain admin. I will also discuss and verify remediations for this misconfiguration.
Links:
PenTesting ESC8 Walkthrough:
• NTLM relay to AD CS ES...
Ceritpy Github:
github.com/ly4k/Certipy
Abusing AD CS Whitepaper:
specterops.io/wp-content/uplo...
DFSCoerce Github:
github.com/Wh04m1001/DFSCoerce
00:00 Intro
01:30 ESC1 Walkthrough
10:06 Remediation
14:31 Verify Remediation