ESC5 Vulnerable PKI Object Access Control
parent
d4876c58ac
commit
b71698c495
|
@ -119,6 +119,30 @@ certipy template 'corp.local/johnpc$@ca.corp.local' -hashes :fc525c9683e8fe06709
|
|||
```
|
||||
|
||||
|
||||
## ESC5 - Vulnerable PKI Object Access Control
|
||||
|
||||
> Escalate the privileges from **Domain Administrator** in the child domain into **Enterprise Administrator** at the forest root.
|
||||
|
||||
**Requirements**:
|
||||
|
||||
* Add new templates to the "Certificate" Templates container
|
||||
* "WRITE" access to the `pKIEnrollmentService` object
|
||||
|
||||
**Exploitation**:
|
||||
|
||||
* Use `PsExec` to launch `mmc` as SYSTEM on the child DC: `psexec.exe /accepteula -i -s mmc`
|
||||
* Connect to "Configuration naming context" > "Certificate Template" container
|
||||
* Open `certsrv.msc` as SYSTEM and duplicate an existing template
|
||||
* Edit the properties of the template to:
|
||||
* Granting enroll rights to a principal we control in the child domain.
|
||||
* Including Client Authentication in the Application Policies.
|
||||
* Allowing SANs in certificate requests.
|
||||
* Not enabling manager approval or authorized signatures.
|
||||
* Publish the certificate template to the CA
|
||||
* Publish by adding the template to the list in `certificateTemplate` property of `CN=Services`>`CN=Public Key Services`>`CN=Enrollment Services`>`pkiEnrollmentService`
|
||||
* Finally use the ESC1 vulnerability introduced in the duplicated template to issue a certificate impersonating an Enterprise Administrator.
|
||||
|
||||
|
||||
## ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2
|
||||
|
||||
> If this flag is set on the CA, any request (including when the subject is built from Active Directory) can have user defined values in the subject alternative name.
|
||||
|
@ -484,3 +508,5 @@ Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User vi
|
|||
* [Access controls - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/access-controls)
|
||||
* [Web endpoints - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/ad-cs/web-endpoints)
|
||||
* [ADCS ESC13 Abuse Technique - Jonas Bülow Knudsen - 02/15/2024](https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53)
|
||||
* [From DA to EA with ESC5 - Andy Robbins - May 16, 2023](https://posts.specterops.io/from-da-to-ea-with-esc5-f9f045aa105c)
|
||||
* [ADCS ESC14 Abuse Technique - Jonas Bülow Knudsen - 02/01/2024](https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9)
|
Loading…
Reference in New Issue