search

ADCS - ESC2 & ESC3

  • in order to abuse this misconfiguration, the following conditions must be met:

    1. The Enterprise CA grants low-privileged users enrollment rights. Details are the same as in ESC1.

    2. Manager approval is disabled. Details are the same as in ESC1.

    3. No authorized signatures are required. Details are the same as in ESC1.

    4. An overly permissive certificate template security descriptor grants certificate enrollment rights to low-privileged users. Details are the same as in ESC1.

    5. The certificate template defines Any Purpose EKUs or no EKU.

hashtag
Query cert

sudo certipy req -u joaquin.Pereida@maryland.local -p 'horse' -target 192.168.56.23 -template ESC2 -ca MARYLAND-CA

  • Query cert with the Certificate Request Agent certificate we get before (-pfx)

  • Auth

hashtag
Get Shell or POWERSHELL :)

  • We also can do the same with the ESC3-CRA and ESC3 templates in the lab :

hashtag
Enrollment Agent Templates — ESC3

In order to abuse this misconfiguration, the following conditions must be met:

  1. The Enterprise CA grants low-privileged users enrollment rights. Details are the same as in ESC1.

  2. Manager approval is disabled. Details are the same as in ESC1.

  3. No authorized signatures are required. Details are the same as in ESC1.

  4. An overly permissive certificate template security descriptor grants certificate enrollment rights to low-privileged users. Details are the same as in ESC1.

  5. The certificate template defines the Certificate Request Agent EKU. The Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1) allows for requesting other certificate templates on behalf of other principals.

  6. Enrollment agent restrictions are not implemented on the CA.

PreviousADCS - ESC1NextADCS - ESC4

Last updated