Active Directory - Certificate ESC9
ESC9 - No Security Extension
Requirements
- StrongCertificateBindingEnforcement set to 1 (default) or 0
- Certificate template contains the CT_FLAG_NO_SECURITY_EXTENSION flag in the msPKI-Enrollment-Flag value
- Certificate template specifies any client authentication EKU
- GenericWrite over any account A to compromise any account B
Scenario
John@corp.local has GenericWrite over Jane@corp.local, and we want to compromise Administrator@corp.local. Jane@corp.local is allowed to enroll in the certificate template ESC9 that specifies the CT_FLAG_NO_SECURITY_EXTENSION flag in the msPKI-Enrollment-Flag value.
- Obtain the hash of Jane with Shadow Credentials (using our GenericWrite).
- Change the userPrincipalName of Jane to be Administrator (leaving out the @corp.local part).
- Request the vulnerable certificate template ESC9 from Jane's account.
- Restore the userPrincipalName of Jane to Jane@corp.local.
- Authenticate with the certificate and receive the NT hash of the Administrator@corp.local user.
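An added audit check, not part of the original page, that tests the requirements above from the defender's side: it lists templates that carry CT_FLAG_NO_SECURITY_EXTENSION together with a client-authentication EKU, and reads StrongCertificateBindingEnforcement from each KDC. It assumes the ActiveDirectory RSAT module, PowerShell remoting rights on the domain controllers, and the EKU OID list shown (my choice, not the page's).

```powershell
# Audit example for the ESC9 conditions described above (not the page's own code).
# Assumes the ActiveDirectory RSAT module and remoting rights on the listed DCs.
Import-Module ActiveDirectory

$CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000   # bit in msPKI-Enrollment-Flag named on the page
# EKU OIDs that allow client authentication (Client Auth, PKINIT Client Auth,
# Smart Card Logon, Any Purpose); assumed list, chosen by the auditor
$ClientAuthEkus = @('1.3.6.1.5.5.7.3.2', '1.3.6.1.5.2.3.4',
                    '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0')

function Get-Esc9Templates {
    # Templates live in the Configuration partition, not the domain partition
    $configNC     = (Get-ADRootDSE).configurationNamingContext
    $templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    Get-ADObject -SearchBase $templateBase -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties 'msPKI-Enrollment-Flag', 'pKIExtendedKeyUsage' |
    ForEach-Object {
        $flags = [int]$_.'msPKI-Enrollment-Flag'        # null becomes 0
        $ekus  = @($_.'pKIExtendedKeyUsage')
        $noSecurityExtension = ($flags -band $CT_FLAG_NO_SECURITY_EXTENSION) -ne 0
        $clientAuth = @($ekus | Where-Object { $ClientAuthEkus -contains $_ }).Count -gt 0
        if ($noSecurityExtension -and $clientAuth) {
            [pscustomobject]@{
                Template       = $_.Name
                EnrollmentFlag = ('0x{0:X}' -f $flags)
                EKU            = ($ekus -join ',')
            }
        }
    }
}

function Get-KdcStrongBindingSetting {
    param([Parameter(Mandatory)][string[]]$DomainController)
    foreach ($dc in $DomainController) {
        $value = Invoke-Command -ComputerName $dc -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' `
                -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue
            ).StrongCertificateBindingEnforcement
        }
        # 2 = Full Enforcement; 0 or 1 (or no value, which the page lists as defaulting to 1)
        # leaves the KDC accepting certificates that lack the security extension
        [pscustomobject]@{
            DomainController                    = $dc
            StrongCertificateBindingEnforcement = if ($null -eq $value) { 'not set' } else { $value }
            Exposed                             = ($null -eq $value) -or ($value -lt 2)
        }
    }
}

Get-Esc9Templates | Format-Table -AutoSize
Get-KdcStrongBindingSetting -DomainController (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName) | Format-Table -AutoSize
```

A template in the first listing is only reachable when the second listing shows a KDC below Full Enforcement; remediation is to clear the flag on the template and set StrongCertificateBindingEnforcement to 2 on every KDC.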