From b71698c4954277f826f3fbabb5976d3477116880 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 3 Mar 2024 14:35:07 +0100 Subject: [PATCH] ESC5 Vulnerable PKI Object Access Control --- .../ad-adcs-certificate-services.md | 28 ++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/docs/active-directory/ad-adcs-certificate-services.md b/docs/active-directory/ad-adcs-certificate-services.md index b47600a..7e54c45 100644 --- a/docs/active-directory/ad-adcs-certificate-services.md +++ b/docs/active-directory/ad-adcs-certificate-services.md 
@@ -119,6 +119,30 @@ certipy template 'corp.local/johnpc$@ca.corp.local' -hashes :fc525c9683e8fe06709 ``` +## ESC5 - Vulnerable PKI Object Access Control + +> Escalate the privileges from **Domain Administrator** in the child domain into **Enterprise Administrator** at the forest root. + +**Requirements**: + +* Add new templates to the "Certificate" Templates container +* "WRITE" access to the `pKIEnrollmentService` object + +**Exploitation**: + +* Use `PsExec` to launch `mmc` as SYSTEM on the child DC: `psexec.exe /accepteula -i -s mmc` +* Connect to "Configuration naming context" > "Certificate Template" container +* Open `certsrv.msc` as SYSTEM and duplicate an existing template +* Edit the properties of the template to: + * Granting enroll rights to a principal we control in the child domain. + * Including Client Authentication in the Application Policies. + * Allowing SANs in certificate requests. + * Not enabling manager approval or authorized signatures. +* Publish the certificate template to the CA + * Publish by adding the template to the list in `certificateTemplate` property of `CN=Services`>`CN=Public Key Services`>`CN=Enrollment Services`>`pkiEnrollmentService` +* Finally use the ESC1 vulnerability introduced in the duplicated template to issue a certificate impersonating an Enterprise Administrator. + + ## ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 > If this flag is set on the CA, any request (including when the subject is built from Active Directory) can have user defined values in the subject alternative name. 
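Review bot: the enrollment service object is spelled two ways in this new section (`pKIEnrollmentService` under Requirements, `pkiEnrollmentService` in the publish step), and the attribute that lists the published templates on that object is `certificateTemplates` (plural), not `certificateTemplate`; please use `pKIEnrollmentService` and `certificateTemplates` consistently so readers searching the directory find the right names. Two documentation points on the step list: `certsrv.msc` is the Certification Authority console, while duplicating a template is done in the Certificate Templates console (`certtmpl.msc`, reachable from `certsrv.msc` via "Manage"), so the "Open `certsrv.msc` as SYSTEM and duplicate an existing template" step should name the console that actually does the duplication; and the four sub-bullets under "Edit the properties of the template to:" switch to gerunds ("Granting…", "Including…", "Allowing…", "Not enabling…") while every other step is imperative, so reword them as "Grant enroll rights…", "Include Client Authentication…", "Allow SANs…", "Do not enable manager approval…". Minor: in the first requirement the quotes should wrap the whole container name, i.e. the "Certificate Templates" container rather than the "Certificate" Templates container.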
@@ -483,4 +507,6 @@ Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User vi * [CA configuration - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/ca-configuration) * [Access controls - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/access-controls) * [Web endpoints - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/web-endpoints) -* [ADCS ESC13 Abuse Technique - Jonas Bülow Knudsen - 02/15/2024](https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53) \ No newline at end of file +* [ADCS ESC13 Abuse Technique - Jonas Bülow Knudsen - 02/15/2024](https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53) +* [From DA to EA with ESC5 - Andy Robbins - May 16, 2023](https://posts.specterops.io/from-da-to-ea-with-esc5-f9f045aa105c) +* [ADCS ESC14 Abuse Technique - Jonas Bülow Knudsen - 02/01/2024](https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9) \ No newline at end of file
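Review bot: the reference entries now mix two date formats (`02/15/2024` and `02/01/2024` alongside `May 16, 2023`); pick one for the two added lines, e.g. `05/16/2023`, so the list stays uniform. The ESC14 reference is also added in this hunk although the commit subject only mentions ESC5; either widen the subject or move that line to the commit that documents ESC14. Finally, both sides of the hunk still end with `\ No newline at end of file`; add the trailing newline while the last line is being touched.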