GOAD Writeup – Part 14 – ADCS: Escalation Techniques (ESC 5/7/9/10/11/13/14/15)

By /

Listen to this Post

In this article, we dive into the intricacies of Active Directory Certificate Services (ADCS) and its associated escalation techniques as part of the GOAD (Game of Active Directory) series. The focus is on understanding and exploiting vulnerabilities in ADCS to gain elevated privileges in a Windows environment.

You Should Know:

  1. ADCS Overview: Active Directory Certificate Services (ADCS) is a Windows Server role that allows organizations to issue and manage digital certificates. Misconfigurations in ADCS can lead to privilege escalation.

  2. ESC 5/7/9/10/11/13/14/15: These are specific escalation techniques related to ADCS. Each technique exploits different misconfigurations or vulnerabilities in the certificate services.

3. Exploitation Steps:

  • ESC 5: Exploiting weak certificate template permissions.
  • ESC 7: Exploiting the “Enroll” permission on a certificate template.
  • ESC 9: Exploiting the “ManageCA” permission.
  • ESC 10: Exploiting the “ManageCertificates” permission.
  • ESC 11: Exploiting the “WriteOwner” permission on a certificate template.
  • ESC 13: Exploiting the “WriteDacl” permission on a certificate template.
  • ESC 14: Exploiting the “WriteProperty” permission on a certificate template.
  • ESC 15: Exploiting the “Write” permission on a certificate template.

4. Commands and Tools:

  • Certify: A tool used to enumerate and exploit ADCS vulnerabilities. 
    Certify.exe find /vulnerable
  • Certutil: A built-in Windows command-line tool for managing certificates. 
    certutil -view -restrict "Disposition=20"
  • Mimikatz: A post-exploitation tool that can be used to extract certificates and private keys. 
    mimikatz.exe "crypto::certificates /export"
  • PowerShell: Useful for querying and manipulating ADCS configurations. 
    Get-ChildItem -Path Cert:\LocalMachine\My

5. Mitigation Steps:

  • Regularly audit certificate templates and permissions.
  • Restrict enrollment permissions to only necessary users and groups.
  • Implement strong access controls and monitor for unusual certificate issuance.

What Undercode Say:

ADCS is a powerful tool in the Windows ecosystem, but it can also be a significant security risk if not properly configured. The escalation techniques outlined in this article highlight the importance of understanding and securing ADCS to prevent privilege escalation attacks. By using tools like Certify, Certutil, and Mimikatz, security professionals can identify and mitigate these vulnerabilities. Regular audits and strict access controls are essential to maintaining a secure ADCS environment.

For more detailed information, visit the original article: GOAD Writeup – Part 14 – ADCS.

References:

Reported By: Cyril Servieres – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image

Related Posts: