search
githubEdit

ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2

hashtag
Enumeration

  • certutil -config "CA_HOST\CA_NAME" -getreg "policy\EditFlags"

  • certipy / certify.exe (only the flag ATTRIBUTESUBJECTALTNAME2)

hashtag
Exploitation

hashtag
Abuse ATTRIBUTESUBJECTALTNAME2 flag set on CA. You can choose any certificate template that permits client authentication.

hashtag
Then proceed to ESC1 technique

PreviousESC4 - Access Control VulnerabilitiesNextESC1 - Misconfigured Certificate Templates

Last updated