ADCS
ADCS
Info
Search CA
ESC1 - template-allows-san
ESC1 is when a certificate template permits Client Authentication and allows the enrollee to supply an arbitrary Subject Alternative Name (SAN). Request a certificate based on the vulnerable certificate template and specify an arbitrary UPN
ESC2
ESC3
ESC4 - certificate-templates
ESC4 is when a user has write privileges over a certificate template. This can for instance be abused to overwrite the configuration of the certificate template to make the template vulnerable to ESC1. We need to know the DNS name and the Template Name
ESC5
ESC6
ESC7
ESC8
ESC9 - no-security-extension
To understand this privilege escalation, it is recommended to know how certificate mapping is performed. It is presented in this section.
If the certificate attribute msPKI-Enrollment-Flag
contains the flag CT_FLAG_NO_SECURITY_EXTENSION
, the szOID_NTDS_CA_SECURITY_EXT
extension will not be embedded, meaning that even with StrongCertificateBindingEnforcement
set to 1
, the mapping will be performed similarly as a value of 0
in the registry key.
Here are the requirements to perform ESC9:
StrongCertificateBindingEnforcement
not set to2
(default:1
) orCertificateMappingMethods
containsUPN
flag (0x4
)The template contains the
CT_FLAG_NO_SECURITY_EXTENSION
flag in themsPKI-Enrollment-Flag
valueThe template specifies client authentication
GenericWrite
right against any account A/1 to compromise any account B/2Update upn user2
Get
pfx
Extracting NTHASH
ESC10
ESC11
ESC12
ESC13
ESC14
ESC15
Risorse
https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-1-799f3d3b03cf
https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-2-ac7f925d1547
https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-3-33efb00856ac
https://www.thehacker.recipes/ad/movement/adcs/
https://posts.specterops.io/certified-pre-owned-d95910965cd2
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-misconfigured-certificate-template-to-domain-admin
https://www.blackhillsinfosec.com/abusing-active-directory-certificate-services-part-one/
Last updated