ly4k / Certipy

Tool for Active Directory Certificate Services enumeration and abuse
MIT License
2.43k stars 338 forks source link

ESC 4 - Separate the -save-old functionality with the write vulnerable properties functionality. #181

Open NocteDefensor opened 1 year ago

NocteDefensor commented 1 year ago

Currently, when exploiting ESC 4, this tool will attempt to save the original template as a json file and then rewrite the template to make it vulnerable to various ESC techniques. It may be possible that the original template is either corrupted during the save process or not saved, i.e running this tool from within a directory the user does not have write access. In this situation, the original template may be changed to a vulnerable state without a valid json file to revert from. The tool user does not have an ability to inspect the json file to determine validity prior to making changes to the original template. It would be nice to separate the functionality required to save the old template with the functionality to write the vulnerable properties to the original template. Perhaps something like "-save-old" to save the template and "-write-template" to write any changes to the template such as reverting to the -configuration file or writing esc1 vulnerabilities etc.