Tech Talk: Abusing ESC13 from Linux

Keiran Mather Headshot
Keiran Mather
Red Team Specialist

This is a Bulletproof Tech Talk article: research from our penetration testing team covering issues, news, and tech that interests them. It’s more technical and in-depth that our usual blog content, but no less interesting.

In the complex landscape of Active Directory, ensuring secure and appropriate access is a constant challenge. Recently another "ESC" technique has been released which is known as ESC13. Most discussions of ESC13 show how to abuse this in Windows, but in this blog I’m going to show how to abuse ESC13 in Linux.

Whilst abusing ESC13 in itself is not really a exploit or even misconfiguration, it can still be used to escalate privileges within a domain. At its core, ESC13 revolves around a certificate template that is configured with a specific issuance policy that is linked through an Object Identifier (OID), to an Active Directory group. This setup creates a unique situation where users, upon authenticating with a certificate derived from this template, are treated as if they are members of the linked group – even if they are not apart of it. Now again, this functionality is working as intended, however as you can most likely see already, this could be problematic if for example, Domain/Authenticated Users can enroll into this template and request a certificate that has a linked group to a privileged group within the domain. This will essentially allow that unprivileged user to have membership in that group and perform any actions that that group is allowed.

So, it should be noted again that this mechanism is totally intended and in essence, no exploitation is really done, the only thing here that’s being done is leveraging an intended feature of ADCS to meet organisational needs for dynamic access control. However, as with other ESC based exploits it is possible to potentially detect unusual activity by monitoring certificate enrollment and authentication events.

For this demonstration, Ludus was used to quickly spin up an ADCS lab that already has a pre-configured ESC13 template setup.

Figure 1: NetExec smb authentication to domain controller

To begin, there is currently a Pull Request for the popular tool Certipy which adds support for finding templates which are misconfigured to allow ESC13. Pulling this fork from GitHub and installing it will allow us to enumerate ADCS and potentially find any templates where we can abuse this technique. Using Certipy as normal to find templates, we can see that there is one that is ESC13:

Figure 2: Certipy enumerating certificate templates, certificate authorities and other configurations

As the output above shows, we can see it found 1 OID linked to a template, this is what was mentioned briefly earlier and is a sign of ESC13!

Figure 3: Certificate Template misconfigured for ESC13

Now there are a few pre-requisites for this to work, our principal must have enrolment rights on the certificate template, the certificate must have an issuance policy extension, also the issuance policy has to have an OID group link to a group within AD, also it has to be a universal group and the group must be empty (no members apart of the group). This is because OID mapped groups cannot have members, so in essence, it will always be empty since AD will not allow people to be added to this group once the msDS-OIDToGroupLink attribute has been set. Finally, the certificate template must define EKUs that enable client authentication.

Now, after clearly seeing from the above figure that we meet all the pre-requisites, we know that it is possible for us to enrol a certificate that allows us to obtain access as a member of the group specified in the OID group link. So, after checking this linked "esc13group" group in Bloodhound, we can also see it is a member of Enterprise Admins:

Figure 4: Bloodhound showing ESC13GROUP information

This is just an example of how this could be misconfigured. For this demonstration, the esc13group was added as a member of the Enterprise Admins group but in reality, it could be anything whether that is a privileged group or not.

So, now what we can do here is we can enrol into this template and request a certificate. We can pass this certificate to request a valid TGT, we are now essentially placed into the ESC13 group. Since it is a part of the Enterprise Admins group, we now have full control over the domain.

Figure 5: Certipy requesting certificate for the misconfigured ESC13 template

With this pfx now obtained, we can use to authenticate with the pfx and obtain ourselves a valid TGT.

Figure 6: Using PKINITOOLS to request a TGT with a pfx

Now we have a valid TGT, we can use this to request kerberos service tickets and abuse any permissions that the ESC13Group has been granted in the domain, whilst not actually being a member of this group. Since we know the ESC13Group is a member of Enterprise Admins, we can simply authenticate to the domain controller with this ticket and execute a command:

Figure 7: Using NetExec to authenticate and execute a command

As seen above, it shows us (admin) but it also executes our command to list our groups, which show Enterprise Admins as well as the esc13group.

So, where is this actually used in real environments you may be thinking? Well, good question, as it states in the blog post from Jonas Bülow Knudsen who discovered this attack vector, this ADCS feature is used under the Microsoft's Authentication Mechanism Assurance (AMA) concept, to improve security via certificate-based authentication. This approach is aimed at protecting resources by granting access permissions exclusively to empty groups on the resources. Users are then required to authenticate using specific certificates linked to these groups to gain access, ensuring that only authorised individuals with the appropriate certificates can access designated resources or execute certain actions.

Summing up

In summary, it's important to examine and adjust your access control settings. Only the appropriate individuals that an organisation plans to recognise as members of specific groups should be given enrollment rights. For a deeper dive into this technique, the blog post above is a great resource to fully understand this technique.

Keiran Mather Headshot

Meet the author

Keiran Mather Red Team Specialist

Keiran’s role as a one of Bulletproof’s Red Team members, sees him analysing and investigating all kinds of technology. You can find him writing about novel hacking techniques, exploits, and other security testing matters.

Uncover your security weaknesses

Penetration helps keep hackers out of your business. Get a fast quote for penetration testing services today.

Find your security vulnerabilities

Related resources

Trusted cyber security & compliance services from a certified provider

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.