ESC1 and ESC2
Request certificate as another user with enrollee-supplied subject
Active Directory Certificate Services (AD CS) is a Windows Server role for issuing and managing public key infrastructure (PKI) certificates used in secure communication and authentication protocols. Certificate configurations are pre-defined in certificate templates, which include fields such as:
The enrollment process for a client in AD CS goes as follows:
Misconfiguration of CAs and certificate templates can lead to privilege escalation and even total domain compromise.
Enumeration of AD CS can be done from Linux systems using certipy by ly4k.
# With username/password:
certipy find -u '<username>' -p '<password>' -dc-ip '<dc_ip>' [-ldap-scheme ldap]
# With a Kerberos ticket (ccache path exported in the KRB5CCNAME environment variable)
certipy find -k -no-pass -target '<dc_host>' -ns '<dc_ip>'
The output is written in both JSON and plain text and describes the configuration of the CAs and the certificate templates available. Conveniently, certipy also highlights any potential vulnerabilities it identifies in those configurations, including the ESC1-ESC16 privilege escalation vulnerabilities.
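The following script is an added example (not part of this page, nor certipy's own code) showing how a defender can re-apply the ESC1/ESC2 decision logic over certipy's JSON output when auditing templates: ESC1 needs an enabled template that low-privileged principals can enroll in, no manager approval, no authorized signatures, an enrollee-supplied subject and an EKU usable for authentication; ESC2 is the same base condition with the Any Purpose EKU (or no EKU at all). The JSON key names are an assumption modelled on certipy 4.x `find` output, and the template records are constructed samples.

```python
import json

# Assumed certipy `find` JSON key names (constructed sample, not page output).
LOW_PRIV_GROUPS = {"domain users", "domain computers", "authenticated users", "everyone", "users"}
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication", "Smart Card Logon"}

def _template(name, eku, rights, supplies_subject=True, approval=False, sigs=0, enabled=True):
    """Build one template record in the assumed certipy JSON layout (constructed sample)."""
    return {
        "Template Name": name, "Enabled": enabled,
        "Enrollee Supplies Subject": supplies_subject,
        "Requires Manager Approval": approval,
        "Authorized Signatures Required": sigs,
        "Extended Key Usage": eku,
        "Permissions": {"Enrollment Permissions": {"Enrollment Rights": rights}},
    }

SAMPLE_JSON = json.dumps({"Certificate Templates": {
    "0": _template("UserSAN", ["Client Authentication"], ["CORP\\Domain Users"]),
    "1": _template("AnyPurpose", ["Any Purpose"], ["CORP\\Domain Computers"], supplies_subject=False),
    "2": _template("SubCA", [], ["CORP\\Authenticated Users"]),
    "3": _template("Approved", ["Client Authentication"], ["CORP\\Domain Users"], approval=True),
    "4": _template("Admins", ["Client Authentication"], ["CORP\\Domain Admins"]),
}})

def low_priv_can_enroll(template):
    """True if any well-known low-privileged group holds enrollment rights."""
    rights = template["Permissions"]["Enrollment Permissions"].get("Enrollment Rights", [])
    return any(p.split("\\")[-1].lower() in LOW_PRIV_GROUPS for p in rights)

def classify(template):
    """Return the set of ESC1/ESC2 findings that apply to one template record."""
    eku = template.get("Extended Key Usage", [])
    any_purpose = "Any Purpose" in eku or not eku  # an empty EKU list behaves like Any Purpose
    base_weak = (template["Enabled"]
                 and not template["Requires Manager Approval"]
                 and template["Authorized Signatures Required"] == 0
                 and low_priv_can_enroll(template))
    findings = set()
    if not base_weak:
        return findings
    if template["Enrollee Supplies Subject"] and (any_purpose or AUTH_EKUS & set(eku)):
        findings.add("ESC1")  # requester-chosen subject/SAN on an authentication-capable EKU
    if any_purpose:
        findings.add("ESC2")  # Any Purpose / no EKU: certificate usable for any purpose
    return findings

def audit(raw_json):
    """Map template name -> sorted findings, keeping only templates with a finding."""
    templates = json.loads(raw_json).get("Certificate Templates", {}).values()
    return {t["Template Name"]: sorted(classify(t)) for t in templates if classify(t)}
```

Run `audit(SAMPLE_JSON)` on the constructed data to see which sample templates trip each check; point it at a real `certipy find` JSON file to cross-check certipy's own ESC1/ESC2 flags.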
On Windows systems, the same enumeration can be done with Certify.
# Find vulnerable/abusable certificate templates using default low-privileged group
Certify.exe find /vulnerable
# Find vulnerable/abusable certificate templates using all groups the current user context is a part of:
Certify.exe find /vulnerable /currentuser
Certified Pre-Owned: Abusing Active Directory Certificate Services by Will Schroeder and Lee Christensen from SpecterOps.