Escape Characters on CA Name?

[Kryp7os]

Having trouble escaping spaces in the CA name. i.e

Example command: certify.exe request /ca:ca.local.org\Long CA Authority Name /template:VulnerableTemplate1

So far I've tried:

'Long CA Authority Name'

Long\ CA\ Authority\ Name

Long\ CA\ Authority\ Name

'Long\ CA\ Authority\ Name'

Any recommendations appreciated!

[galoryber]

I'm having the same issue unfortunately. I tried on two different C2's in case the C2 was failing to parse the arguments properly. Both work in a testlab CA, but not against the CA endpoint with spaces in the name.

The screenshot is the test lab of course. In this case minas-morgul.mordor.local\mordor-CA is parsed just fine, but if the CA name were actually "minas-morgul.mordor.local\mordor CA" with a space between mordor and CA, then the utility no longer works.

Instead it would show... (note the missing CA at the end, like it stopped parsing at the space char)

[*] Certificate Authority   : minas-morgul.mordor.local\mordor 
[X] Error sending the certificate request: System.Runtime.InteropServices.COMException (0x800706BA): CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
   at CERTCLILib.ICertRequest3.Submit(Int32 Flags, String strRequest, String strAttributes, String strConfig)
   at Certify.Cert.SendCertificateRequest(String CA, String message)
   at Certify.Cert.RequestCert(String CA, Boolean machineContext, String templateName, String subject, String altName, String url, String sidExtension, Boolean install)

[galoryber]

I think this MAY resolve it, but unfortunately my environment is restricted other ways, so I can't fully test it. If somebody ends up in this situation, replace ArgumentParser.cs with the following code, and then compile.

In my case, it was able to properly parse the arguments and Certify continued to work in the test lab. If somebody is willing / able to try this and can verify that it fixed their issue, then I'll issue a pull request. I just don't want to do that yet if I don't know for sure that it corrects this.

ArgumentParser.txt

Before the change, printing each argument within the foreach loop.

After the change, printing each argument within the foreach loop.

To use, the syntax would be:

certify.exe request /ca:"myexample.example.com\This annoying name" /template:esc1 /altname:admin

[0xE1C9]

string pattern = @"(?<key>[^\s:]+):(""(?<value>[^""]*)""|(?<value>.*))";

this regex is fixing the spaces issue and getting the full CA name , but the could not connect to HKLM error still the same

[galoryber]

string pattern = @"(?<key>[^\s:]+):(""(?<value>[^""]*)""|(?<value>.*))";

this regex is fixing the spaces issue and getting the full CA name , but the could not connect to HKLM error still the same

Can you communicate with port 135/445 on that CA, and is Remote Registry running on that CA? The only reason I ask is because I don't think the CA name is parsed multiple times, just that once, so I'm not sure it would work in one spot but then be broken somewhere else.

I only did a brief glance of the source code, so I could be wrong. I just want to clarify the basics first. Do you have a screenshot of the error message you received?

[0xE1C9]

[X] Could not connect to the HKLM hive - The network path was not found. ```

it's possible to enumerate the available templates but for CA Permissions I got the HKLM error