# ID01 | ESC8
ESC stands for Escalation and designates a family of misconfigurations in Active Directory Certificate Services (ADCS). Each one allows a principal in an AD environment to escalate their privileges.

ESC8 is well documented by Will Schroeder and Lee Christensen in their paper Certified Pre-Owned. It concerns the web enrollment HTTP/S endpoint that lets users request and retrieve certificates (for example, certificates usable to authenticate in AD).
References:

- The Hacker Recipes (Web endpoints)
- HTTP418 INFOSEC (ESC8 - NTLM Relay & HTTP Enrollment)
## Table of available actions, states, and targets

| Vulnerability ID | Trigger available | Default state | Default target |
|---|---|---|---|
| 01 (ESC8) | No | Absent | dc01 |
## Launch

### Enable

```shell
# Current directory: ansible
ansible-playbook -i inventory.yml playbooks/vulnerabilities/01.yml --extra-vars "action=enable"
```

### Disable

```shell
# Current directory: ansible
ansible-playbook -i inventory.yml playbooks/vulnerabilities/01.yml --extra-vars "action=disable"
```
## Implementation

### Enable

The web enrollment is installed using Install-AdcsWebEnrollment.

Tip: by default, the website is served over HTTP.

Reference:

### Disable

The web enrollment is uninstalled using Uninstall-AdcsWebEnrollment.

Reference:
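To check which state a host is actually in (role absent, installed over plain HTTP as the Tip above notes, or installed and hardened), the following PowerShell audit script is an added example and not part of the lab's playbooks; it assumes the default IIS site name and the `CertSrv` virtual directory that Install-AdcsWebEnrollment creates, and is run in an elevated session on the CA host (dc01 in this lab).

```powershell
# Added example (not from the lab playbooks): audit, and optionally harden, the ADCS
# web enrollment endpoint that ESC8 relies on. Assumes the default IIS site and the
# "CertSrv" virtual directory created by Install-AdcsWebEnrollment.
Import-Module ServerManager
Import-Module WebAdministration

$AppHost = 'MACHINE/WEBROOT/APPHOST'
$CertSrv = 'Default Web Site/CertSrv'

# Get-WebConfigurationProperty returns either a bare value or a ConfigurationAttribute
# with a .Value member depending on the attribute type; normalise both to a string.
function Get-IisValue([string]$Filter, [string]$Name) {
    $v = Get-WebConfigurationProperty -PSPath $AppHost -Location $CertSrv -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return [string]$v.Value }
    return [string]$v
}

function Get-WebEnrollmentHardening {
    $installed = (Get-WindowsFeature -Name ADCS-Web-Enrollment).Installed
    $report = [ordered]@{ Installed = [bool]$installed; RequiresSsl = $false; EpaTokenChecking = 'n/a'; Hardened = $true }
    if (-not $installed) { return [pscustomobject]$report }   # lab default state: Absent

    # ESC8 needs an enrollment endpoint reachable over HTTP, or over HTTPS without
    # Extended Protection for Authentication (EPA); report both settings.
    $sslFlags = Get-IisValue 'system.webServer/security/access' 'sslFlags'
    $report.RequiresSsl = ($sslFlags -split ',\s*') -contains 'Ssl'
    $report.EpaTokenChecking = Get-IisValue 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' 'tokenChecking'
    $report.Hardened = $report.RequiresSsl -and ($report.EpaTokenChecking -eq 'Require')
    return [pscustomobject]$report
}

function Set-WebEnrollmentHardening {
    # Require TLS on CertSrv and bind the NTLM handshake to the TLS channel (EPA).
    Set-WebConfigurationProperty -PSPath $AppHost -Location $CertSrv -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
    Set-WebConfigurationProperty -PSPath $AppHost -Location $CertSrv -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' -Name 'tokenChecking' -Value 'Require'
}

Get-WebEnrollmentHardening
```

Right after the enable playbook has run, the report should show `Installed = True` with `RequiresSsl = False`, which is the state the lab exposes; after the disable playbook, `Installed = False`.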