competition-ad-certificate-abuse


Competition AD Certificate Abuse


Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when the decisive identity edge is certificate-based and the hard part is proving how a template or CA policy turns into accepted privilege.
Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start


  1. Identify the CA, template, enrolling principal, and accepting service before diving into every certificate detail.
  2. Separate template enrollability from cert-based authentication or privilege acceptance.
  3. Record EKUs, subject or SAN controls, issuance requirements, enrollment rights, and mapping behavior in compact blocks.
  4. Tie the issued cert to one accepted path: PKINIT, Schannel, LDAPS, WinRM, or another mapped service.
  5. Reproduce the smallest certificate issuance-to-acceptance chain that yields the decisive privilege.

Workflow


1. Map CA And Template Trust


  • Record CA configuration, template name, enrollment permissions, manager approval, authorized signatures, EKUs, subject requirements, and SAN behavior.
  • Note whether the path depends on alternate subject names, UPN, DNS names, enrollment agent behavior, or template supersedence.
  • Keep principal, template, and issuance policy tied together.

2. Prove Cert-To-Privilege Acceptance


  • Show how the issued certificate is mapped or accepted: PKINIT, smartcard logon, Schannel auth, service mapping, or explicit certificate mapping.
  • Record serial, subject, SAN, EKU, validity, and the exact service or domain edge that accepts it.
  • Distinguish certificate issuance from the separate step where privilege is actually granted.

3. Reduce To The Decisive Abuse Chain


  • Compress the path to the smallest sequence: enrollment right or misconfig -> issued cert -> accepted mapping -> resulting privilege.
  • State clearly whether the weakness lives in template config, CA policy, mapping logic, relay path, or enrollment rights.
  • If the task is really about delegation or ticket transformation after PKINIT, switch back to the tighter Kerberos skill.
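Worked example for workflow steps 1 and 2 (added here; not code from the skill or its references): a Python audit of one certificate template record against the step-1 checklist that keeps enrollability, acceptance for authentication, and missing issuance controls as separate answers, and then collapses them into the step-3 chain. It assumes the record is a dict of the template object's LDAP attributes plus an `enroll_sids` list of the SIDs holding Enroll; the sample template is constructed.

```python
# Added example (not the skill's own code): audit one AD CS template record against
# the step-1 checklist. Attribute names are the template object's LDAP attributes,
# flag values follow MS-CRTD, and SAMPLE_TEMPLATE below is constructed.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)
# EKUs under which an issued cert is *accepted* for logon (PKINIT, Schannel);
# acceptance is a separate question from whether the template is enrollable.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}
# Broad principals whose Enroll right makes the template reachable from low privilege.
BROAD_SIDS = {"S-1-5-11": "Authenticated Users", "S-1-1-0": "Everyone"}
BROAD_RIDS = {"513": "Domain Users", "515": "Domain Computers"}

def broad_enrollers(sids):
    """Names of broad groups among the SIDs that hold Enroll on the template."""
    found = []
    for sid in sids:
        rid = sid.rsplit("-", 1)[-1]
        if sid in BROAD_SIDS:
            found.append(BROAD_SIDS[sid])
        elif sid.startswith("S-1-5-21-") and rid in BROAD_RIDS:
            found.append(BROAD_RIDS[rid])
    return found

def audit_template(t):
    """Return (broad enrollers, accepted auth EKUs, missing issuance controls)."""
    ekus = t.get("pKIExtendedKeyUsage") or []
    # An empty EKU list means every purpose, authentication included
    auth = ["(unrestricted)"] if not ekus else [AUTH_EKUS[o] for o in ekus if o in AUTH_EKUS]
    missing = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        missing.append("subject/SAN taken from AD rather than the request")
    if not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        missing.append("CA manager approval")
    if t.get("msPKI-RA-Signature", 0) < 1:
        missing.append("authorized signature")
    return broad_enrollers(t.get("enroll_sids", [])), auth, missing

def decisive_chain(t):
    """True when enroll right -> issued cert -> accepted mapping has no control in the way."""
    enrollers, auth, missing = audit_template(t)
    return bool(enrollers) and bool(auth) and len(missing) == 3

SAMPLE_TEMPLATE = {  # constructed: requester-supplied SAN, no approval, no signature
    "enroll_sids": ["S-1-5-21-1111111111-2222222222-3333333333-513"],
    "msPKI-Certificate-Name-Flag": 0x1,
    "msPKI-Enrollment-Flag": 0x0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
}
```

Each entry in the returned `missing` list is a control whose presence would break the chain at issuance, so the same output doubles as the remediation list for that template.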

Read This Reference


  • Load references/ad-certificate-abuse.md for the AD CS checklist, template checklist, and evidence packaging.

What To Preserve


  • CA names, template names, rights, EKUs, issuance flags, SAN controls, and mapping details
  • Issued certificate fields, serials, subjects, SANs, and the accepting service or logon path
  • The smallest reproducible enrollment-to-privilege chain