Let’s find out whether the environment is running ADCS

.\Certify_Old.exe cas

Notice that the environment is using CAs

First, check whether normal users are allowed to enroll in the template

Now let’s Enumerate the Templates

.\Certify_Old.exe find

Notice that the dcorp RDP Users are allowed to enroll in this Template

ESC 1

The ESC 1 abuse allows normal users to request certificates as any user, including Domain Admins and Enterprise Admins users

Let’s Review the Vulnerability

Let’s Enumerate the ESC 1 vulnerability

.\Certify_Old.exe find /enrolleeSuppliesSubject
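
The same conditions checked from the defender's side, as an added example (not part of the original notes and not Certify's own code): it evaluates a template's AD attributes and reports whether its settings match ESC 1. The function name `Test-Esc1Template` and the sample templates are constructed for illustration; the `msPKI-*` and `pKIExtendedKeyUsage` attribute names and the flag values are the standard AD CS ones.

```powershell
# Added example: flag certificate templates whose settings meet the ESC 1 conditions.
# Test-Esc1Template and the sample templates are constructed; attribute names follow the AD schema.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # bit in msPKI-Enrollment-Flag (CA manager approval)
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '2.5.29.37.0'               # Any Purpose
)

function Test-Esc1Template {
    param([Parameter(Mandatory, ValueFromPipeline)] $Template)
    process {
        # Drop $null so a template without EKUs yields an empty array
        $ekus       = @($Template.pKIExtendedKeyUsage | Where-Object { $_ })
        $supplies   = ($Template.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $approval   = ($Template.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        $signatures = [int]$Template.'msPKI-RA-Signature'
        # A template with no EKU at all issues certificates valid for any purpose
        $authEku    = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $_ -in $AuthEkus }).Count -gt 0)
        [pscustomobject]@{
            Template                = $Template.Name
            EnrolleeSuppliesSubject = $supplies
            AuthenticationEku       = $authEku
            ManagerApproval         = $approval
            AuthorizedSignatures    = $signatures
            Esc1Settings            = $supplies -and $authEku -and (-not $approval) -and ($signatures -eq 0)
        }
    }
}

# Constructed sample templates: one matching ESC 1, two that do not
$samples = @(
    [pscustomobject]@{ Name = 'Sample-RequesterSubject'; 'msPKI-Certificate-Name-Flag' = 0x1; 'msPKI-Enrollment-Flag' = 0; 'msPKI-RA-Signature' = 0; pKIExtendedKeyUsage = @('1.3.6.1.5.5.7.3.2') }
    [pscustomobject]@{ Name = 'Sample-SubjectFromAD'; 'msPKI-Certificate-Name-Flag' = 0x02000000; 'msPKI-Enrollment-Flag' = 0; 'msPKI-RA-Signature' = 0; pKIExtendedKeyUsage = @('1.3.6.1.5.5.7.3.2') }
    [pscustomobject]@{ Name = 'Sample-ManagerApproval'; 'msPKI-Certificate-Name-Flag' = 0x1; 'msPKI-Enrollment-Flag' = 0x2; 'msPKI-RA-Signature' = 0; pKIExtendedKeyUsage = @('1.3.6.1.5.5.7.3.2') }
)
$samples | Test-Esc1Template | Format-Table -AutoSize

# Against a live forest (requires the ActiveDirectory module):
# $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
# Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties * |
#     Test-Esc1Template | Where-Object Esc1Settings
```

A template flagged here is only exposed if it is published on a CA and low-privileged principals hold enrollment rights on it, which is the enrollment check performed earlier on this page.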
