ESC7 - Error when attempting to add an officer

[jsdhasfedssad]

When attemting to exploit ESC7 and the account I use for authentication does not have the right Manage Certificates, I must add that account as a new officer in order to grant the account that right. This fails for me using Certipy 2.0.6.

Once this works, can I delete/remove the officer and possibly other remaining changes after the attack?

[ly4k]

Yes, you can remove the CA officer afterwards with -remove-officer. The request fails because you're trying to connect to the DC. You should connect to the CA

[jsdhasfedssad]

I actually tried connecting to the ADCS server when I tested this but that failed as well :)

[ly4k]

The second image makes more sense to me. It's a mistake in my implementation. I accidentally assumed the CA and the DC was on the same server, which results in Certipy trying to connect to LDAP on the CA, or connecting to the CA DCOM on the DC. Thanks for reporting this. I'll look into a fix soon

[ly4k]

Should be fixed in 2.0.8. Can you please verify?

[jsdhasfedssad]

Using 2.0.8 I can now add the officer. Good!

The next step in my case is to enable the certificate template SubCA but that fails for me.

[ly4k]

Should be fixed in 2.0.9. The new LDAP DNS resolution was not applied for the -enable-template. Can you verify that it is working now? I really appreciate that you report these issues. Thanks!

[jsdhasfedssad]

Great! This works now. I actually managed to execute the complete ESC7 attack this time. Don't worry about asking me to verify fixes, I will have so much fun owning my client's infrastructure using your tool :D No more hassle having to own a domain-joined machine, bypass AV, AMSI, Applocker, execution policies, language constrained mode and what not then having to upload and import powershell scripts! All I need now is essentially Responder, Hashcat, Bloodhound, BloodyAD, Impacket and Certipy :D

[ly4k]

Great. Haha yes, Active Directory itself is full of attack vectors