In May 2022 Microsoft has fixed a vulnerability related to certificate logon to Active Directory. As a non-privileged user you could escalate privileges by impersonating a Domain Controller, as you can join machines to the domain and thus control the dnsHostName attribute. Microsoft fixed this in an indirect way: Since last May, Windows Certification Authority…
Tag: Digital Certificates
Defused That SAN Flag!
In May, Microsoft has fixed a bug that allowed normal users to impersonate Domain Controllers. This bug allowed non-privileged users to obtain a logon certificate issued to a domain controller, because users can write to the Active Directory attribute dnsHostNameof a computer they have joined to the domain. If a machine can enroll for a…
How to Add a Subject Alternative Name Safely
I am writing about that PKI stuff again. I am running out of ideas for catchy introductions. So, here is a new post with old code! In Active Directory a UPN is mapped to a user automatically if it matches a user’s LDAP attribute userPrincipalName (and a DNS SAN is mapped to dnsHostName). A Windows…
Rogue Certificate Challenge: No Hardware Tokens, No Linux, Just a Web Server with Certificate Mapping.
I am back to my favorite security research: How to abuse certificates in a Windows / Active Directory environment! If an Active Directory integrated certification authority sign a certificate with a custom Subject Alternative Name of your choosing, you can impersonate any administrator in an AD forest. I’ve published two blog posts about how to…
Parse Certificates Stored in the Windows Registry
You can parse the binary blobs that represent certificates stored in the Windows registry with certutil correctly, even when the Windows Explorer / GUI tells you that this is not a certificate. certutil seems to be able to handle / ignore meta data better. Once upon a time I played with the machine Ethereal provided by…
Helpline @ hackthebox: Injecting an EFS Recovery Agent to Read Encrypted Files
Another great machine has been retired on hackthebox.eu – Helpline by @egre55! Here is my ‘silly’ unintended way to root the box: You can get both the encrypted user and root flag via the cumbersome web RCE alone – if you wait for a legit user to just look at the file. This is unlikely…
Sizzle @ hackthebox – Unintended: Getting a Logon Smartcard for the Domain Admin!
My writeup – how to pwn my favorite box on hackthebox.eu, using a (supposedly) unintended path. Sizzle – created by @mrb3n813 and @lkys37en – was the first box on HTB that had my favorite Windows Server Role – the Windows Public Key Infrastructure / Certification Authority. This CA allows a low-privileged user – amanda –…
Ethereal @ hackthebox: Certificate-Related Rabbit Holes
This post is related to the ‘insanely’ difficult hackthebox machine Ethereal (created by egre55 and MinatoTW) that was recently retired. Beware – It is not at all a full comprehensive write-up! I zoom in on openssl, X.509 certificates, signing stuff, and related unnecessary rabbit holes that were particularly interesting to me – as somebody who…
Certificates and PKI. The Prequel.
Some public key infrastructures run quietly in the background since years. They are half forgotten until the life of a signed file has come to an end – but then everything is on fire. In contrast to other seemingly important deadlines (Management needs this until XY or the world will come to an end!) this…
Bots, Like This! I am an Ardent Fan of HTTPS and Certificates!
This is an experiment in Machine Learning, Big Data, Artificial Intelligence, whatever. But I need proper digression first. Last autumn, I turned my back on social media and went offline for a few days. There, in that magical place, the real world was offline as well. A history of physics museum had to be opened,…
Other People Have Lives – I Have Domains
These are just some boring update notifications from the elkemental Webiverse. The elkement blog has recently celebrated its fifth anniversary, and the punktwissen blog will turn five in December. Time to celebrate this – with new domain names that says exactly what these sites are – the ‘elkement.blog‘ and the ‘punktwissen.blog‘ (Edit: which now –…
What Learning about Feynman’s Path Integrals Was Good for
I have gone to great lengths on this blog in order to explain how and why a degree in physics prepares you for seemingly different careers, or at least does not hurt. But it would have been so simple. I will now illustrate this – using just two incomprehensible images. Actually, I have a hidden…
Automatic Mapping of Logon Certificates to Users in Active Directory
This post has originally been published to my other / ‘archive’ website in 2014, first as a PDF, later converted to a HTML article. I am publishing it here on my WordPress blog in April 2022, using its original publication date – as it predates most of the other articles in my PKI UPN AD…
Diffusion of iTechnology in Corporations (or: Certificates for iPhones)
[Jump to technical stuff] Some clichés are true. One I found confirmed often is about how technologies are adopted within organizations: One manager meets another manager at a conference / business meeting / CIO event. Manager X show off the latest gadget and/or brags about presents a case-study of successful implementation of Y. Another manager…
The Strange World of Public Key Infrastructure and Certificates
An e-mail discussion related to my recent post on IT security has motivated me to ponder about issues with Public Key Infrastructure once more. So I attempt – most likely in vain – to merge a pop-sci introduction to certificates with sort of an attachment to said e-mail discussion. So this post might be opaque…
elkemental Force 