ESC5
Vulnerable PKI Object Access Control
"ESC5 refers to privilege escalation vulnerabilities stemming from improperly configured ACLs on various PKI-related objects within Active Directory. This category is distinct from ESC4 (which focuses on ACLs of individual certificate template objects) and ESC7 (which focuses on permissions directly on the CA object or its services). The critical PKI objects involved in ESC5 are typically located in the Configuration Naming Context of Active Directory (e.g., under CN=Public Key Services,CN=Services,CN=Configuration,DC=...) and play crucial roles in the PKI's overall operation and trust model.

If an attacker gains Write permissions (such as WriteDACL, WriteOwner, WriteProperty on sensitive attributes, or FullControl) over these critical AD objects, they could potentially:

- Modify the NTAuthCertificates store (CN=NTAuthCertificates,CN=Public Key Services,...): This object publishes certificates of CAs that are trusted for domain authentication (e.g., for Kerberos PKINIT). Adding an attacker-controlled CA certificate here could allow the attacker's "rogue" CA to issue certificates trusted for domain authentication.
- Alter Authority Information Access (AIA) or CRL Distribution Point (CDP) paths published in AD: These are often stored as objects under CN=AIA,CN=Public Key Services,... or CN=CDP,CN=Public Key Services,... linked to specific CA objects. Modifying these could redirect certificate validation processes, potentially leading to denial of service or facilitating other attacks if validation can be influenced.
- Manipulate other PKI configuration objects: For instance, objects defining OID policies or enrollment agent restrictions might be targeted if their ACLs are weak.

Exploiting ESC5 often involves an attacker modifying these AD objects to either issue unauthorized certificates (e.g., by trusting a rogue CA), escalate privileges (a notable example being the path from Domain Admin to Enterprise Admin by controlling forest-wide PKI trust objects, as detailed by SpecterOps), or create persistent backdoors within the PKI infrastructure. The SpecterOps blog post "From DA to EA with ESC5" provides a detailed example of such an escalation by gaining control over objects that define PKI trust at a forest level." — Oliver Lyak
Configuration
ESC5 involves a lot of creativity and not a specific config that can be applied globally, i.e., there's no specific configuration for ESC5. Be creative and get this on HTB! I've taught you how to use ADSI Edit, this isn't very different.
NOTE: Certipy does not detect ESC5.
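Since Certipy won't flag this for you, here is an added audit script (not from the original page, and not part of Certipy or any other tool) that walks every object under CN=Public Key Services in the Configuration NC and lists the ACEs granting GenericAll, WriteDacl, WriteOwner or WriteProperty to principals outside an allow-list. It assumes the ActiveDirectory RSAT module (for the AD: drive) and that the allow-list below matches the principals that legitimately administer PKI in your forest; adjust it before trusting the output.

```powershell
# Added example: audit write-class ACEs on ESC5-relevant PKI objects.
# Assumes RSAT ActiveDirectory module is installed and the caller can read the Configuration NC.
Import-Module ActiveDirectory

# Principals expected to hold write rights on these objects. This list is an assumption;
# Enterprise Admins lives in the forest root domain, so edit the names for your environment.
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins",
    "$env:USERDOMAIN\Cert Publishers"
)

# Rights that let the holder rewrite the object or its security descriptor (the ESC5 preconditions).
$WriteRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$PkiRoot  = "CN=Public Key Services,CN=Services,$ConfigNC"

# Subtree walk covers NTAuthCertificates, AIA, CDP, Certification Authorities, OID, Enrollment Services, etc.
$Findings = foreach ($Obj in Get-ADObject -SearchBase $PkiRoot -SearchScope Subtree -Filter *) {
    $Acl = Get-Acl -Path "AD:\$($Obj.DistinguishedName)"
    foreach ($Ace in $Acl.Access) {
        if ($Ace.AccessControlType -ne 'Allow') { continue }
        if ([int]($Ace.ActiveDirectoryRights -band $WriteRights) -eq 0) { continue }
        if ($ExpectedPrincipals -contains $Ace.IdentityReference.Value) { continue }
        [PSCustomObject]@{
            Object     = $Obj.DistinguishedName
            Principal  = $Ace.IdentityReference.Value
            Rights     = $Ace.ActiveDirectoryRights
            # A non-empty ObjectType GUID means WriteProperty is scoped to one attribute/property set;
            # an all-zero GUID means it applies to every attribute on the object.
            ObjectType = $Ace.ObjectType
            Inherited  = $Ace.IsInherited
        }
    }
}

$Findings | Sort-Object Object, Principal | Format-Table -AutoSize
```

Review every row by hand: an inherited ACE usually points to a weak ACL higher up the tree (check the parent container and the Configuration NC root), and a WriteProperty ACE scoped to a harmless attribute is noise, while one on NTAuthCertificates, a CDP/AIA object or an OID object is exactly what the quoted text describes.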
Written by ruycr4ft