Blind SSTI Jinja

Methodology and Resources/Active Directory Attack.md

@@ -2225,7 +2225,7 @@ secretsdump.py -k -no-pass target.lab.local
 * Find ADCS Server
   * `crackmapexec ldap domain.lab -u username -p password -M adcs`
   * `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName`
-* Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`
+* Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`, `certutil -dump`
 
 #### ESC1 - Misconfigured Certificate Templates