Open brettgus opened 1 year ago
Temporary workaround I just tested on "find"; it at least outputs to txt and json, and as far as I can see there is no issue with enumeration:
certipy/lib/ldap.py (lines 363 - 383)
```python
#sids.add(user.get("objectSid"))

# Everyone, Authenticated Users, Users
sids |= set(["S-1-1-0", "S-1-5-11", "S-1-5-32-545"])

# Domain Users, Domain Computers, etc.
#primary_group_id = user.get("primaryGroupID")
primary_group_id = None
if primary_group_id is not None:
    sids.add("%s-%d" % (self.domain_sid, primary_group_id))

# Add Domain Computers group
logging.debug(
    "Adding Domain Computers to list of current user's SIDs"
)
sids.add("%s-515" % self.domain_sid)

#dns = [user.get("distinguishedName")]
dns = []
for sid in sids:
    object = self.lookup_sid(sid)
    if "dn" in object:
        dns.append(object["dn"])
```
Update: FWIW, I exploited ESC4 and ESC1 of a trusted domain with these changes to ldap.py and didn't have an issue.
I'm working in a multi-domain environment. I'm trying to enumerate ADCS in a foreign domain that has trusts. In my situation, it seems that certipy is able to enumerate the CA in the foreign domain, but then it tries to look up whether the templates are vulnerable in the context of my user, and that is when it fails. It would be nice to be able to specify the user you'd like to check against instead (so you could specify a user in that domain).