Sizzle writeup – Unintended: Getting a Logon Smartcard for the Domain Admin

My writeup on owning Sizzle - it required a physical crypto token, joining a Windows box to Sizzle’s domain, and faking DNS service records for the domain.

This attack is possible as the low-priv user amanda can modify certificate templates, so you can edit one of the templates available on the website to turn it into a smartcard logon template:

You add the Administrator’s User Principal Name to the Certificate Signing Request, submit the request, and then import the certificate and key to the crypto token / smartcard. On the box you joined to the domain you can then run net use /smartcard to grab the flag from the C$ share, or you can run runas /smartcard to start a shell as the Administrator.
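The misconfiguration the post relies on is a template that a low-privileged account can enroll in (or edit), that lets the enrollee supply the subject/UPN, that needs no manager approval, and whose EKU permits client or smartcard logon. The following PowerShell audit is an added example written for this thread; it is not the author's code or part of the write-up. It only reads the Configuration partition over ADSI from any domain-joined host and flags templates that combine those properties. The list of "low-privileged" group names and the risk labels are assumptions you may want to tune for your domain.

```powershell
# Added example (not from the original post): flag AD CS certificate templates that
# a low-privileged principal could turn into a logon certificate for another user.
# Reads template objects from CN=Certificate Templates in the Configuration partition.

$rootDSE   = [ADSI]"LDAP://RootDSE"
$configNC  = $rootDSE.Properties["configurationNamingContext"][0]
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter   = "(objectClass=pKICertificateTemplate)"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange(@(
    "cn", "msPKI-Certificate-Name-Flag", "msPKI-Enrollment-Flag", "pKIExtendedKeyUsage"))

# Flag bits and OIDs as documented in MS-CRTD / MS-WCCE
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: requester sets subject/SAN
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: manager approval required
$LogonEKUs = @(
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "2.5.29.37.0"               # Any Purpose
)
$EnrollRightGuid = [Guid]"0e10c968-78fb-11d2-90d4-00c04f79dc55"   # "Enroll" extended right

# Assumption: groups that should never be able to enroll in or edit a logon template
$LowPrivPrincipals = @("Domain Users", "Authenticated Users", "Everyone", "Domain Computers")

function Get-Prop($result, $name) {
    # ResultPropertyCollection keys are lower-case; return $null for absent attributes
    $v = $result.Properties[$name.ToLower()]
    if ($v -and $v.Count -gt 0) { return $v[0] } else { return $null }
}

function Test-LowPriv([string]$identity) {
    $short = $identity.Split('\')[-1]
    return $LowPrivPrincipals -contains $short
}

$findings = foreach ($result in $searcher.FindAll()) {
    $name      = [string](Get-Prop $result "cn")
    $nameFlag  = [int](Get-Prop $result "msPKI-Certificate-Name-Flag")
    $enrolFlag = [int](Get-Prop $result "msPKI-Enrollment-Flag")
    $ekus      = @($result.Properties["pkiextendedkeyusage"])

    $suppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $managerApproval = ($enrolFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    # An empty EKU list means "any purpose", which also allows logon
    $logonEku = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $LogonEKUs -contains $_ }).Count -gt 0)

    # Walk the template's DACL for enroll rights and write rights held by low-priv groups
    $lowPrivEnroll = $false; $lowPrivWrite = $false
    $acl = $result.GetDirectoryEntry().ObjectSecurity.Access
    foreach ($ace in $acl) {
        if ($ace.AccessControlType -ne "Allow") { continue }
        if (-not (Test-LowPriv $ace.IdentityReference.Value)) { continue }
        $rights = $ace.ActiveDirectoryRights
        if ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) {
            $lowPrivEnroll = $true; $lowPrivWrite = $true; continue
        }
        if (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $ace.ObjectType -eq $EnrollRightGuid) { $lowPrivEnroll = $true }
        $writeMask = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                     [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
                     [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
        if ($rights -band $writeMask) { $lowPrivWrite = $true }
    }

    # Risk labels are an assumption of this example, not an official classification
    $risk = if ($lowPrivWrite) { "TemplateEditableByLowPriv" }
            elseif ($lowPrivEnroll -and $suppliesSubject -and $logonEku -and -not $managerApproval) { "LogonCertForAnyUPN" }
            else { $null }

    if ($risk) {
        [PSCustomObject]@{
            Template = $name; EnrolleeSuppliesSubject = $suppliesSubject
            ManagerApproval = $managerApproval; LogonEKU = $logonEku
            LowPrivEnroll = $lowPrivEnroll; LowPrivWrite = $lowPrivWrite; Risk = $risk
        }
    }
}

$findings | Format-Table -AutoSize
```

A template reported as TemplateEditableByLowPriv is the situation described in the post: whoever can edit it can add the smartcard logon EKU and the enrollee-supplies-subject flag themselves, so it should be fixed first by restricting write rights on the template object. For LogonCertForAnyUPN, the usual remediations are to remove the enrollee-supplies-subject flag, require manager approval, or remove logon EKUs from templates that low-privileged groups can enroll in; afterwards, re-run the audit and review the CA's issued-certificate log for certificates whose subject UPN does not match the requester.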

You really showed me that I knew squat about PKI :open_mouth:. Really cool write-up :+1:

Really nice stuff mate. Keep up the good work!

Thanks a lot @UnfairAttaccs and @MinatoTW - glad you liked it!