Last updated at Thu, 25 Jan 2024 00:39:08 GMT

AD CS certificate templates

Our very own Spencer McIntyre has developed a new module that allows for creating, reading, updating and deleting certificate template objects from Active Directory.

ESC4 Exploitation

These changes notably enable exploitation of the technique identified as ESC4, whereby an attacker with rights to modify a certificate template object in LDAP can set the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag in its msPKI-Certificate-Name-Flag attribute. With that flag set, the requester supplies the subject (and subject alternative name) in the certificate request, which is the precondition for ESC1. Exploiting this scenario is a three-step process:

  1. Use this module to update a certificate template that you have rights to modify
  2. Use the icpr_cert module to exploit ESC1, specifying a privileged user in the ALT_UPN option
  3. Restore the certificate template modified in step 1 from the backup that was automatically created
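The following Ruby is an added example, not code from the Metasploit module, that models steps 1 and 3 against a template's LDAP attributes and shows why flipping this one bit matters: the same template is checked against the remaining ESC1 preconditions before and after the change. The flag names and values come from MS-CRTD; the sample template hash and the helper names (weaponize, drift, esc1_vulnerable?) are this example's own. Enrollment rights, which ESC1 also requires, live in the template's security descriptor and are not evaluated here.

```ruby
# Added example (not Metasploit code): model the ESC4 -> ESC1 pivot on a
# certificate template's LDAP attributes. Constants are from MS-CRTD;
# the TEMPLATE hash is constructed for illustration.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT      = 0x00000001 # msPKI-Certificate-Name-Flag
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN        = 0x02000000 # msPKI-Certificate-Name-Flag
CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH = 0x80000000 # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS              = 0x00000002 # msPKI-Enrollment-Flag: manager approval

# EKUs whose certificates can authenticate as the principal named in them.
AUTH_EKUS = %w[
  1.3.6.1.5.5.7.3.2
  1.3.6.1.5.2.3.4
  1.3.6.1.4.1.311.20.2.2
  2.5.29.37.0
].freeze

# Constructed: a template an attacker can write to (ESC4) whose subject is
# still built by the CA from the requester's AD object, so it is not yet ESC1.
TEMPLATE = {
  'cn' => 'ESC4-Writable',
  'msPKI-Certificate-Name-Flag' => CT_FLAG_SUBJECT_ALT_REQUIRE_UPN |
                                   CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH,
  'msPKI-Enrollment-Flag' => 0,
  'msPKI-RA-Signature' => 0,
  'pKIExtendedKeyUsage' => ['1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.4']
}.freeze

# ESC1 attribute checks: requester-controlled subject, no manager approval,
# no authorized signatures required, and an EKU usable for authentication
# (an empty EKU list means "any purpose").
def esc1_vulnerable?(tpl)
  name_flags   = tpl['msPKI-Certificate-Name-Flag'].to_i
  enroll_flags = tpl['msPKI-Enrollment-Flag'].to_i
  ekus         = tpl['pKIExtendedKeyUsage'] || []

  (name_flags & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) != 0 &&
    (enroll_flags & CT_FLAG_PEND_ALL_REQUESTS) == 0 &&
    tpl['msPKI-RA-Signature'].to_i == 0 &&
    (ekus.empty? || ekus.any? { |oid| AUTH_EKUS.include?(oid) })
end

# Step 1: keep a deep copy of the original object, then make the subject
# attacker-controlled. Returns [backup, modified].
def weaponize(tpl)
  backup = Marshal.load(Marshal.dump(tpl))
  modified = tpl.dup
  modified['msPKI-Certificate-Name-Flag'] |= CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
  [backup, modified]
end

# Step 3: attributes of the live object that differ from the backup; an
# empty list means the restore is complete.
def drift(live, backup)
  (live.keys | backup.keys).reject { |k| live[k] == backup[k] }
end

if __FILE__ == $PROGRAM_NAME
  backup, modified = weaponize(TEMPLATE)
  puts "before: ESC1=#{esc1_vulnerable?(TEMPLATE)} " \
       "name-flag=0x#{TEMPLATE['msPKI-Certificate-Name-Flag'].to_s(16)}"
  puts "after:  ESC1=#{esc1_vulnerable?(modified)} " \
       "name-flag=0x#{modified['msPKI-Certificate-Name-Flag'].to_s(16)}"
  puts "attributes to restore: #{drift(modified, backup).inspect}"
end
```

A template that requires CA manager approval (CT_FLAG_PEND_ALL_REQUESTS) stays non-exploitable even after the bit is set, which is why the check covers more than the one flag the module changes.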

SDDL

When the user updates the certificate template, the nTSecurityDescriptor attribute is overwritten with a descriptor that grants full control to all Authenticated Users. This means it's critical that the template be restored when the operator is finished: leaving the permissive descriptor in place hands every domain user the same ESC4 foothold. A backup is created every time the template is read, but it's not restored automatically because the actions taken once the module has completed will likely involve another module such as icpr_cert.

The existing MsDtypSecurityDescriptor class has a new .from_sddl_text method that creates an instance from Microsoft's (relatively) human-readable Security Descriptor Definition Language. This means the SIDs in the ACEs can be specified by copying the included template file and changing it to whatever the user would like. They could, for example, set it to the SID of the current user, or of the Domain Admins group, etc.
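To make the SDDL discussion concrete, here is a minimal SDDL parser written for this post as an added example; it is not the module's MsDtypSecurityDescriptor.from_sddl_text implementation. It decodes the owner, group and DACL, expands the two-letter rights abbreviations into access-mask bits, and answers the ESC4 question a practitioner actually cares about: can a given set of SIDs modify the template object? The two SDDL strings are constructed: one grants full control to Authenticated Users (the kind of descriptor described above), the other is a sane template DACL where Authenticated Users may only read and enroll. The deny handling is a simplification that assumes a canonically ordered DACL.

```ruby
# Added example, not Metasploit code: parse SDDL and check whether a set of
# SIDs can modify a certificate template object. Only unscoped DACL ACEs are
# interpreted; SACL entries and inheritance flags are parsed but ignored.

SDDL_RIGHTS = {
  'GA' => 0x10000000, 'GX' => 0x20000000, 'GW' => 0x40000000, 'GR' => 0x80000000,
  'SD' => 0x00010000, 'RC' => 0x00020000, 'WD' => 0x00040000, 'WO' => 0x00080000,
  'CC' => 0x01, 'DC' => 0x02, 'LC' => 0x04, 'SW' => 0x08, 'RP' => 0x10,
  'WP' => 0x20, 'DT' => 0x40, 'LO' => 0x80, 'CR' => 0x100
}.freeze

# Well-known SID abbreviations that need no domain SID to resolve.
WELL_KNOWN_SIDS = {
  'WD' => 'S-1-1-0', 'AU' => 'S-1-5-11', 'SY' => 'S-1-5-18', 'BA' => 'S-1-5-32-544'
}.freeze

# Rights that let the holder change the template's attributes or its DACL
# (WRITE_OWNER is included because owning the object lets you rewrite the DACL).
TEMPLATE_WRITE_BITS = SDDL_RIGHTS['GA'] | SDDL_RIGHTS['GW'] | SDDL_RIGHTS['WD'] |
                      SDDL_RIGHTS['WO'] | SDDL_RIGHTS['WP']

def rights_to_mask(rights)
  return rights.to_i(16) if rights.start_with?('0x') # SDDL also allows a literal hex mask
  rights.scan(/../).sum do |abbr|
    SDDL_RIGHTS.fetch(abbr) { raise ArgumentError, "unknown right #{abbr}" }
  end
end

def resolve_sid(sid)
  WELL_KNOWN_SIDS.fetch(sid, sid)
end

# ACE string: type;flags;rights;object_guid;inherit_object_guid;sid
def parse_ace(ace)
  type, flags, rights, object_type, inherited_type, sid = ace.split(';', -1)
  { type: type, flags: flags, mask: rights_to_mask(rights),
    object_type: object_type.downcase, inherited_object_type: inherited_type.downcase,
    sid: resolve_sid(sid) }
end

def parse_sddl(text)
  sd = { owner: nil, group: nil, dacl_flags: '', dacl: [], sacl: [] }
  # Each component is O:, G:, D: or S: followed by everything up to the next one.
  text.scan(/([OGDS]):((?:(?![OGDS]:).)*)/) do |key, body|
    case key
    when 'O' then sd[:owner] = resolve_sid(body)
    when 'G' then sd[:group] = resolve_sid(body)
    when 'D', 'S'
      aces = body.scan(/\(([^)]*)\)/).flatten.map { |a| parse_ace(a) }
      if key == 'D'
        sd[:dacl_flags] = body[/\A[A-Z]*/]
        sd[:dacl] = aces
      else
        sd[:sacl] = aces
      end
    end
  end
  sd
end

# Rights granted on the whole object to any of the principal's SIDs.
# Object-specific (OA/OD) ACEs scoped to a property or extended right are
# skipped, since they do not grant write access to the object as a whole.
def allowed_mask(sd, principal_sids)
  sids = principal_sids.map { |s| resolve_sid(s) }
  allow = 0
  deny = 0
  sd[:dacl].each do |ace|
    next unless sids.include?(ace[:sid]) && ace[:object_type].empty?
    case ace[:type]
    when 'A', 'OA' then allow |= ace[:mask]
    when 'D', 'OD' then deny |= ace[:mask]
    end
  end
  allow & ~deny
end

def can_modify_template?(sd, principal_sids)
  (allowed_mask(sd, principal_sids) & TEMPLATE_WRITE_BITS) != 0
end

# Constructed: full control for Authenticated Users, the shape of descriptor
# that must not be left behind after the module runs.
PERMISSIVE_SDDL = 'O:BAG:BAD:PAI(A;;GA;;;AU)'
# Constructed: admins have full control; Authenticated Users may read the
# object and hold the Certificate-Enrollment extended right only.
RESTRICTED_SDDL = 'O:BAG:BAD:PAI(A;;GA;;;BA)(A;;RPLCLORC;;;AU)' \
                  '(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;AU)'

if __FILE__ == $PROGRAM_NAME
  low_priv = ['S-1-5-21-1-2-3-1105', 'S-1-5-11'] # a domain user plus Authenticated Users
  [PERMISSIVE_SDDL, RESTRICTED_SDDL].each do |sddl|
    sd = parse_sddl(sddl)
    puts "#{sddl}\n  low-priv can modify template: #{can_modify_template?(sd, low_priv)}"
  end
end
```

Running it prints true for the permissive descriptor and false for the restricted one; the same check, run against the live nTSecurityDescriptor after step 3 of the procedure above, confirms that the restore actually took.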

New module content (2)

AD CS Certificate Template Management

Authors: Lee Christensen, Oliver Lyak, Spencer McIntyre, and Will Schroeder
Type: Auxiliary
Pull request: #17965 contributed by zeroSteiner

Description: This adds an auxiliary module that can create, read, update, and delete certificate template objects from Active Directory.

Sudoedit Extra Arguments Priv Esc

Authors: Matthieu Barjole, Victor Cutillas, and h00die
Type: Exploit
Pull request: #17929 contributed by h00die
AttackerKB reference: CVE-2023-22809

Description: This adds an exploit for CVE-2023-22809, a local privilege escalation (LPE) in sudoedit. The exploit currently only supports Ubuntu 22.04 and 22.10.

Enhancements and features (1)

  • #17989 from cgranleese-r7 - The auxiliary/admin/kerberos/inspect_ticket and auxiliary/admin/kerberos/forge_ticket modules have been updated to visually represent the decoded binary values of the Kerberos ticket fields

Bugs fixed (4)

  • #18009 from cgranleese-r7 - This PR updates the msfdb commands to no longer enable the web service by default. The web service is now enabled with the web service flag: --msf-data-service <NAME>.
  • #18010 from adfoster-r7 - Fix edgecase crash when running smb_login with Kerberos auth activated
  • #18015 from distortedsignal - Deletes a dead link from the Using Metasploit page
  • #18024 from zgoldman-r7 - This PR fixes an issue with credentials being normalized to lowercase inconsistently, causing collisions with uppercase data. Relevant credentials are now automatically normalized to lowercase on insert and lookup.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).