# ESC2

## Description

ESC2 works on the same core principle as ESC1: a low-privileged user or group can enroll in a certificate template and, in the ESC1 case, supply a subjectAltName (SAN) for any other user or machine in Active Directory. For an ESC1 attack the template's Extended Key Usage (EKU) must include "Client Authentication" (or another EKU that permits authentication) for the issued certificate to be usable for logon.\
\
ESC2 by comparison is where the template's EKU is set to "Any Purpose" or the template defines no EKU at all. "Any Purpose" covers Client Authentication, so the certificate can be used to authenticate; it also covers "Certificate Request Agent", which is why a template without `ENROLLEE_SUPPLIES_SUBJECT` can still be abused as an enrollment agent (see the note below).

The attack method follows much the same path as ESC1, with a small variation in the prerequisites.

### Requirements for attack path

* `ENROLLEE_SUPPLIES_SUBJECT` flag present in the certificate template
* Enrollment rights granted to a user or group that we control
* EKU is set to "Any Purpose" or the template has no EKU at all
* Manager approval is not enabled
* Authorized signatures are not required

{% hint style="info" %}

### If ENROLLEE\_SUPPLIES\_SUBJECT is NOT present and the following conditions are met

* Enrollment rights granted to a user or group that we control
* EKU is set to "Any Purpose" or the template has no EKU at all
* Manager approval is not enabled
* Authorized signatures are not required

Then the template can be used as a certificate request (enrollment) agent, and the attack becomes ESC3. If this is the case, follow the guidance below to abuse ESC3.
{% endhint %}

{% content-ref url="esc3" %}
[esc3](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/adcs/esc3)
{% endcontent-ref %}
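The two decision lists above reduce to a handful of template attributes. The script below is an added example (not from the original page, and not Certify or Certipy code) that applies those conditions to constructed template objects shaped like the LDAP attributes a tool would read from `CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...`: `pKIExtendedKeyUsage` (list of EKU OIDs), `msPKI-Certificate-Name-Flag` (bit `0x1` is `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`), `msPKI-Enrollment-Flag` (bit `0x2` is `CT_FLAG_PEND_ALL_REQUESTS`, i.e. manager approval) and `msPKI-RA-Signature` (number of authorized signatures required). The `enabled` field stands in for the template being listed in a CA's `certificateTemplates` attribute, and `enrollment_principals` is a simplified stand-in for the Enroll extended right in the template's security descriptor; both, along with the template names and principals, are assumptions made for this example.

```python
# Added example: classify AD CS templates as ESC2 abusable via the ESC1 path
# (enrollee supplies subject), via the ESC3 path (use as enrollment agent),
# or not at all. Not code from the original page, Certify or Certipy.

# EKU OIDs and template flag bits (from the MS-CRTD template specification).
OID_ANY_PURPOSE = "2.5.29.37.0"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag (manager approval)

ESC1_PATH = "ESC2 (abuse as ESC1: supply a SAN for another principal)"
ESC3_PATH = "ESC2 (abuse as ESC3: use certificate as enrollment agent)"


def eku_is_any_purpose(ekus):
    """ESC2 EKU condition: 'Any Purpose' present, or no EKU defined at all."""
    return len(ekus) == 0 or OID_ANY_PURPOSE in ekus


def classify_esc2(template, controlled_principals):
    """Return ESC1_PATH, ESC3_PATH, or None for a single template dict."""
    if not template.get("enabled", False):
        return None  # not published on any CA, so nothing can be issued from it
    if not eku_is_any_purpose(template["pKIExtendedKeyUsage"]):
        return None  # a specific EKU set: this is not ESC2 (check ESC1 instead)
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        return None  # manager approval would leave the request pending
    if template["msPKI-RA-Signature"] > 0:
        return None  # authorized signatures required on the request
    if not set(template["enrollment_principals"]) & set(controlled_principals):
        return None  # none of our principals holds Enroll on the template
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return ESC1_PATH
    return ESC3_PATH


def find_esc2(templates, controlled_principals):
    """Map template name -> abuse path for every template that qualifies."""
    results = {}
    for t in templates:
        path = classify_esc2(t, controlled_principals)
        if path is not None:
            results[t["name"]] = path
    return results


# Constructed sample data (assumption: names, principals and flags are made up).
CONTROLLED = {"SECURITY\\Domain Users", "SECURITY\\Authenticated Users"}

SAMPLE_TEMPLATES = [
    {   # Any Purpose + enrollee supplies subject: ESC1-style SAN abuse
        "name": "AnyPurpose-Subject", "enabled": True,
        "pKIExtendedKeyUsage": [OID_ANY_PURPOSE],
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
        "enrollment_principals": ["SECURITY\\Domain Users"],
    },
    {   # No EKU, subject built from AD: only usable as an enrollment agent (ESC3)
        "name": "NoEKU-Agent", "enabled": True,
        "pKIExtendedKeyUsage": [],
        "msPKI-Certificate-Name-Flag": 0,
        "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
        "enrollment_principals": ["SECURITY\\Authenticated Users"],
    },
    {   # Client Authentication only: out of scope for ESC2
        "name": "User", "enabled": True,
        "pKIExtendedKeyUsage": [OID_CLIENT_AUTH],
        "msPKI-Certificate-Name-Flag": 0,
        "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
        "enrollment_principals": ["SECURITY\\Domain Users"],
    },
    {   # Any Purpose but manager approval enabled: request would sit pending
        "name": "AnyPurpose-Approved", "enabled": True,
        "pKIExtendedKeyUsage": [OID_ANY_PURPOSE],
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS, "msPKI-RA-Signature": 0,
        "enrollment_principals": ["SECURITY\\Domain Users"],
    },
    {   # Any Purpose, but only Domain Admins can enroll
        "name": "AnyPurpose-AdminOnly", "enabled": True,
        "pKIExtendedKeyUsage": [OID_ANY_PURPOSE],
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
        "enrollment_principals": ["SECURITY\\Domain Admins"],
    },
]

if __name__ == "__main__":
    for name, path in find_esc2(SAMPLE_TEMPLATES, CONTROLLED).items():
        print(f"{name}: {path}")
```

In a real assessment the `enrollment_principals` check is the part that needs the most care: enrollment is an extended right (`0x0e10c5d7-...` Certificate-Enrollment) in the template's `nTSecurityDescriptor`, and group membership of the compromised account has to be resolved before comparing. Certify and Certipy do that resolution for you; this script only shows the flag logic that sits behind their ESC2 verdict.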

## Windows

### Enumeration

```powershell
.\Certify.exe find /vulnerable /enabled
```

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Frkv24DaArDlqHOeBag5I%2Fimage.png?alt=media&#x26;token=ea91425e-240f-4860-a20c-f6e61d7e5661" alt=""><figcaption></figcaption></figure>

### Performing the attack

Depending on the certificate template configuration, we have two options, as stated at the top of this document.\
\
If the template has `ENROLLEE_SUPPLIES_SUBJECT` set and the other requirements are met, simply follow the attack steps for ESC1, requesting the certificate from the ESC2 template instead.

{% content-ref url="esc1" %}
[esc1](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/adcs/esc1)
{% endcontent-ref %}

If the template is otherwise viable but does not have the `ENROLLEE_SUPPLIES_SUBJECT` flag set, request a certificate from it and use that certificate as the enrollment agent in ESC3.

{% content-ref url="esc3" %}
[esc3](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/adcs/esc3)
{% endcontent-ref %}

## Linux

### Enumeration

{% code overflow="wrap" %}

```bash
certipy find -u 'Moe@Security.local' -p 'Password123' -dc-ip 10.10.10.100 -vulnerable -stdout
```

{% endcode %}

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FyzpiDq5R3tFGj7RyDdju%2Fimage.png?alt=media&#x26;token=e2d8660b-561b-450c-b6b9-42c0c6fb780d" alt=""><figcaption></figcaption></figure>

### Performing the attack

Depending on the certificate template configuration, we have two options, as stated at the top of this document.\
\
If the template has `ENROLLEE_SUPPLIES_SUBJECT` set and the other requirements are met, simply follow the attack steps for ESC1, requesting the certificate from the ESC2 template instead.

{% content-ref url="esc1" %}
[esc1](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/adcs/esc1)
{% endcontent-ref %}

If the template is otherwise viable but does not have the `ENROLLEE_SUPPLIES_SUBJECT` flag set, request a certificate from it and use that certificate as the enrollment agent in ESC3.

{% content-ref url="esc3" %}
[esc3](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/adcs/esc3)
{% endcontent-ref %}

## Mitigations

* Remove the "Any Purpose" EKU from the template; every template should define the specific EKUs it needs
* Remove the `ENROLLEE_SUPPLIES_SUBJECT` flag from the template so the subject is built from Active Directory rather than supplied by the requester
* Require manager approval on the template
* Require authorized signatures on the template
* Remove weak enrollment permissions (e.g. Domain Users or Authenticated Users) from the template
