This is a comprehensive attack playbook for exploiting misconfigured Active Directory Certificate Services (AD CS), covering the ESC1 through ESC13 vulnerabilities. You'd load this when you need to understand privilege escalation paths through certificate template abuse, NTLM relay to enrollment endpoints, or CA permission misconfigurations. The skill walks through each exploitation scenario with actual certipy and Certify commands, from the classic ESC1 (enrollee supplies the SAN) to newer techniques like ESC9's weak certificate mapping and ESC13's OID group linking. It includes practical enumeration steps and certificate-based persistence methods, and it references related skills for ACL abuse and Kerberos attacks. The ESC matrix reference file promises quick lookup tables with one-liner commands per variant, which would be handy during actual engagements.
npx skills add https://github.com/yaklang/hack-skills --skill active-directory-certificate-services