# ESC7

## Description

"ESC7 addresses vulnerabilities arising from an attacker obtaining highly privileged permissions directly on a CA object within AD CS or on the CA service itself. These permissions grant significant control over the CA's operations and security. The two primary permissions of concern are:

* **`Manage CA` (CA Administrator/ManageCa):** This permission grants extensive control over the CA, including the ability to modify its configuration (e.g., which certificate templates are published), assign CA roles (including Certificate Manager/Officer, if needed), start/stop the CA service, and manage CA security. **This is the core permission that ESC7 often revolves around.**
* **`Manage Certificates` (Certificate Manager/Officer):** This permission allows a user to approve or deny pending certificate requests and to revoke issued certificates.

While `Manage Certificates` alone might have limited direct paths to privilege escalation without a pre-existing pending request for a privileged certificate, obtaining `Manage CA` rights is extremely dangerous. An attacker with `Manage CA` can often grant themselves other necessary CA roles or directly manipulate the CA configuration to facilitate the issuance of unauthorized certificates, leading to full domain compromise. For instance, having `Manage CA` might enable an attacker to also perform actions typically associated with a Certificate Officer, such as approving a request, especially if they can assign that role to themselves. The exploitation method detailed below demonstrates how `Manage CA` rights are leveraged to enable a specific template and then ensure a certificate request is processed, effectively leading to arbitrary certificate issuance using the built-in `SubCA` template." — [*Oliver Lyak*](https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc7-dangerous-permissions-on-ca)

## Configuration

This one is really easy to set up. Open the Certification Authority console and grant the `ManageCA` right to the chosen principal (in this case, `gMSA_ADCS_prod$`).


That's all it takes to make it vulnerable to ESC7.
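From the defender's side, the same ACL is what you audit to spot an ESC7 setup. The following script is an added example and not part of the original page: it reads the CA's security descriptor from the registry on the CA host and lists every principal holding `ManageCA` or `ManageCertificates`, flagging anything outside the usual admin groups. It assumes it runs locally on the CA with administrator rights; the expected-admin names are an assumption you should adjust to your environment.

```powershell
# Added example (not from the original page): audit the CA object's ACL for the
# ESC7-relevant rights and report who holds them. Assumes local admin on the CA host.

# Access-mask bits of the CA security descriptor (CA_ACCESS_* values from certadm.h).
$CA_ACCESS_ADMIN   = 0x1   # "Manage CA"
$CA_ACCESS_OFFICER = 0x2   # "Issue and Manage Certificates"

# Principals that normally hold ManageCA; treat anyone else as a finding (assumption).
$ExpectedAdmins = @('BUILTIN\Administrators', 'Domain Admins', 'Enterprise Admins')

function Get-CaAclFindings {
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $raw    = (Get-ItemProperty -Path (Join-Path $cfg $caName) -Name Security).Security

    # The Security value is a self-relative security descriptor stored as REG_BINARY.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor ($raw, 0)

    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }

        $hasAdmin   = ($ace.AccessMask -band $CA_ACCESS_ADMIN)   -ne 0
        $hasOfficer = ($ace.AccessMask -band $CA_ACCESS_OFFICER) -ne 0
        if (-not ($hasAdmin -or $hasOfficer)) { continue }

        # Resolve the SID to a name; fall back to the raw SID if it cannot be translated.
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }

        $expected = $ExpectedAdmins | Where-Object { $who -like "*$_" }
        [pscustomobject]@{
            CA                 = $caName
            Principal          = $who          # e.g. CONTOSO\gMSA_ADCS_prod$ on this page's setup
            ManageCA           = $hasAdmin
            ManageCertificates = $hasOfficer
            Unexpected         = -not [bool]$expected
        }
    }
}

Get-CaAclFindings | Where-Object Unexpected | Format-Table -AutoSize
```

Changes to this ACL are also recorded as Windows security event ID 4882 ("The security permissions for Certificate Services changed") once the CA's "Change CA security settings" audit filter is enabled, which gives you a detection for the configuration step above.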


Written by [ruycr4ft](https://app.hackthebox.com/profile/1253217)
