ESC5

ESC5 abuses overly-permissive access controls over Active Directory objects connected (directly or indirectly) to Active Directory Certificate Services. Other than the templates or Certificate Authority service, these objects can allow privilege escalation via ADCS.

Some possibilities of compromise include:

• The CA server’s AD computer object using a technique such as RBCD / Shadow Credentials / S4U2Self / S4U2Proxy to gain admin access

• The CA server’s RPC/DCOM server to configure AD CS misconfigurations for later abuse

• Any descendant AD object or container in the container CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=COM (e.g., the Certificate Templates container, Certification Authorities container, the NTAuthCertificates object, the Enrollment Services Container, ...)

Despite being a known misconfiguration, ESC5 will likely not be highlighted by Certipy as the tool won't be able to know whether the user we're authenticating with is part of the Local Administrators group on the CA so we'll have to verify our privileges manually by trying to authenticate with NetExec or other tools.

certipy find -u otter -p 'SomethingSecure123!' -dc-ip 10.10.10.10 -vulnerable -stdout

With administrative access to the CA we can abuse other misconfigurations such as ESC4, ESC7 or any other vulnerability that takes advantage of elevated privileges to modify components of the ADCS server.