ly4k / Certipy

Tool for Active Directory Certificate Services enumeration and abuse
MIT License

Got error while trying to request certificate: code: 0x8009310b - CRYPT_E_ASN1_BADTAG - ASN1 bad tag value met. #106

Open vikerup opened 1 year ago

vikerup commented 1 year ago

Hello,

I am building an environment to test ESC2 and ESC3. I have an AD CS template with EKU "Any purpose" set up as well as the default "User" template published.

First off, I'll fetch the "Any purpose" EKU (ESC2/3) template:

/usr/local/bin/certipy req  -u test@domain.local -p ******** -ca test-CA01-CA -template esc2 -target-ip x.x.x.x -dc-ip x.x.x.x

Then I'll use that pfx to sign a new CSR and apply for a client authentication certificate via the default template User on behalf of the Administrator.

/usr/local/bin/certipy req  -u test@domain.local -p ******** -ca test-corp-CA01-CA -template User -on-behalf-of 'DOMAIN\Administrator' -target-ip x.x.x.x -dc-ip x.x.x.x. -pfx test.pfx
Certipy v4.0.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x8009310b - CRYPT_E_ASN1_BADTAG - ASN1 bad tag value met.
[*] Request ID is 114
Would you like to save the private key? (y/N)

I get the same error when I try to renew the initial test.pfx certificate.

/usr/local/bin/certipy req -renew  -u test@domain.local -p ******** -ca test-corp-CA01-CA -template esc2 -target-ip x.x.x.x -dc-ip x.x.x.x -pfx test.pfx
Certipy v4.0.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x8009310b - CRYPT_E_ASN1_BADTAG - ASN1 bad tag value met.
[*] Request ID is 115
Would you like to save the private key? (y/N)

The ESC2/3 privesc works fine from certify.exe from a domain-joined Windows box.

I have tried to figure out which ASN.1 tag in https://github.com/ly4k/Certipy/blob/main/certipy/lib/certificate.py#L525 might be wrong; however, I'm not successful.

I'm on the latest 92592c59acf50e5db3ace2947680614c110aff82 commit.

ly4k commented 1 year ago

Hello, can you try again with the latest release?

vikerup commented 1 year ago

Hi again @ly4k, thanks for helping out.

I updated to the latest Certipy and impacket but unfortunately still get the same error message.